Securing Critical Infrastructure: Utilities Must Assess The Risks of Their Business Operations and Harden all Devices Attached to the Network
Sixty or seventy years ago, when utility infrastructures were first built, they were neither interconnected nor accessed by third parties. The systems were so isolated that no one outside the organization, including potential attackers, knew what vulnerabilities existed.
Now, however, the shift from proprietary control systems to distributed systems built on commercial, off-the-shelf software has changed the name of the game, and the "security by obscurity" approach no longer works. The likelihood that an outsider can reach, penetrate or attack these systems is far greater than ever before.
With utility companies powering so much of the critical infrastructure – from transportation, water and telecommunications to financial services – a disruption to the supply and distribution of electricity would affect virtually everything.
Only recently has the industry begun to wake up to the potential consequences of a cyber attack. Regulators in the UK, Australia and, particularly, the United States, where the U.S. Senate Committee on Energy and Natural Resources last spring unanimously passed the Grid Cyber Security Act, have revised their security standards. They have ramped up the pressure, telling utilities in no uncertain terms that they need to raise their game.
Unfortunately, for the most part these regulations fall short, because they focus on individual functions within the utility's overall supply chain (e.g., NERC CIP for the bulk transmission system) rather than on the organization's end-to-end security posture. The consequence is that companies focus on regulatory compliance rather than on comprehensive security.
Other key factors that contribute to this lack of security include:
• Open protocols: Control traffic now runs over open, IP-based protocols whose specifications are available to everyone, attackers included, instead of over proprietary, engineering-driven protocols designed with safety and security as significant considerations. The practical weakness is that most of these open control protocols carry no authentication or integrity protection, so anyone who can reach the network can read and issue commands.
• Third party access: Many of the previously isolated networks are now connected with a number of third parties up and down the supply chain, including utility administrators, power-grid control networks, energy trading networks, energy brokers and various other companies that analyze data related to consumption, pollution and quality. In this interconnected ecosystem, the utility is only as secure as the weakest link.
• Public access: In the U.S., regulatory agencies insist on a degree of transparency that requires energy companies to publish how energy is transmitted, including the locations of control centers, thereby exposing the detailed topology of the national energy infrastructure.
• Open market pressures: Utility companies are under immense pressure to enhance efficiency, automate, and cut costs, meaning overhauling the security capabilities isn’t a top priority.
Because of these factors, and the growing sophistication of potential attackers (whether people with a grudge against a company or an individual, opportunistic hackers, or terrorists), the security risk to these systems, and the need to do something about it, has never been greater.
What Can Be Done
Systems that are dated, interconnected, and were never designed for this new world raise a big question mark around security. And while there may be no easy or ready-made recipe for resolving this, there are fundamental security best practices that organizations can follow to put themselves in a better position to address their risks.
For starters, utilities need to assess the risks of their end-to-end business operation and harden every device attached to the network. Networks must be architected and designed with defense in depth in mind. Utilities also need to centralize real-time monitoring, which means putting in place the capabilities that let them make informed decisions about how well their security mechanisms are working, what their residual risks are, and where to invest to address them.
To secure the multiple layers of an electric power system, utilities should deploy a security model called defense in depth, which stacks independent layers of security so that no single failure exposes the whole system. Defense in depth is organized around C-I-A: confidentiality, integrity and availability. Other considerations include authentication, authorization, auditing and logging, privacy and non-repudiation of services. Because every technology has weaknesses, the defense-in-depth strategy requires multiple levels of control. These may include network segmentation and firewalls, intrusion detection, cryptography, and so forth, applied to identify and secure each component, from servers and routers to anything else on the network.
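Segmentation between business and control networks is the defense-in-depth layer that directly addresses the third-party and open-protocol exposures described above, and centralized monitoring is what tells you whether that layer is holding. The following script is an added example, not code from the original article or from any utility it describes: it encodes a hypothetical zone layout (corporate, DMZ, control, field) and an explicit allow-list of permitted inter-zone flows, then audits a constructed sample of connection records against it. The zone address ranges, the permitted ports (other than the well-known Modbus/TCP port 502 and DNP3 port 20000) and the record format are all assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical zone layout for a small utility network (constructed for this example).
ZONES = {
    "corporate": ipaddress.ip_network("10.0.0.0/16"),        # business users, third-party analysts
    "dmz":       ipaddress.ip_network("10.10.0.0/24"),       # historian, jump hosts, log collector
    "control":   ipaddress.ip_network("192.168.100.0/24"),   # SCADA servers and HMIs
    "field":     ipaddress.ip_network("192.168.200.0/24"),   # RTUs and PLCs
}

# Allow-list of permitted flows: (source zone, destination zone) -> permitted ports.
# Anything not listed is denied. Deliberately there is NO corporate -> control and
# NO corporate -> field entry: business users reach plant data only via the DMZ.
ALLOWED = {
    ("corporate", "dmz"):  {443},          # analysts read the historian over HTTPS (assumed)
    ("dmz", "control"):    {5432},         # historian pulls from the SCADA database (assumed port)
    ("control", "field"):  {502, 20000},   # Modbus/TCP and DNP3 polling from SCADA masters
    ("control", "dmz"):    {514},          # SCADA forwards syslog to the DMZ collector
    ("field", "control"):  {20000},        # DNP3 unsolicited responses back to the master (assumed)
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    proto: str = "tcp"

def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known ranges is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def check_flow(flow: Flow):
    """Return None if the flow is permitted by the allow-list, else a reason string."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s == d:
        return None  # intra-zone traffic is left to host firewalls in this example
    permitted = ALLOWED.get((s, d))
    if permitted is None:
        return f"no path permitted from {s} to {d}"
    if flow.port not in permitted:
        return f"port {flow.port} not permitted from {s} to {d}"
    return None

def parse_flow_line(line: str) -> Flow:
    """Parse one record in the constructed export format: '<src> <dst> <port> <proto>'."""
    src, dst, port, proto = line.split()
    return Flow(src, dst, int(port), proto)

def audit(lines):
    """Audit connection records centrally; return (flow, reason) for every violation."""
    violations = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow_line(line)
        reason = check_flow(flow)
        if reason:
            violations.append((flow, reason))
    return violations

# Constructed sample of connection records, mixing legitimate and illegitimate flows.
SAMPLE_FLOWS = """
10.0.5.23 10.10.0.5 443 tcp
10.10.0.5 192.168.100.10 5432 tcp
192.168.100.10 192.168.200.40 502 tcp
10.0.5.23 192.168.200.40 502 tcp
203.0.113.7 192.168.100.10 3389 tcp
192.168.100.10 10.10.0.9 514 udp
10.0.7.1 192.168.100.10 3389 tcp
"""

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS.splitlines()):
        print(f"VIOLATION {flow.src} -> {flow.dst}:{flow.port}/{flow.proto}: {reason}")
```

Run against the sample, the audit flags three flows: a corporate workstation speaking Modbus directly to a field device, an external address attempting RDP to a SCADA server, and a corporate host attempting RDP to the same server. The point of writing the policy as an explicit allow-list rather than a block-list is that a new third-party connection, or a newly reachable device, shows up as a violation by default instead of being silently permitted; feeding real firewall or flow logs through the same check is the simplest form of the centralized monitoring the text calls for.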
Organizations must also begin to address the changing business circumstances that accompany the advent of smart meter and smart grid capabilities. Many utilities have allowed these changes to creep up on them, failing to conduct a proactive risk assessment or threat-scenario modeling of what can go wrong. What many have failed to consider is that they are creating a system that is inherently more exposed, without raising the bar on their security model to match.
While they may be few and far between, some companies do get this right. For example, in China we have been working with a half dozen regional utilities to implement new technologies so they can introduce smart meter and smart grid capabilities. Many of these organizations have given serious thought to the interdependent vulnerabilities between each of the utilities and are building security in two different dimensions: one in C-I-A mechanisms that include authentication, authorization, auditing and logging, privacy and non-repudiation, and the second in terms of people/organization, process/operations and technology. These utilities, however, do not have the burden of contending with legacy infrastructures and, as such, have been able to start largely from scratch in employing new technology.
It’s clear that “security by obscurity” is a thing of the past. While there are no easy answers, companies need to put themselves in a better position to reduce the risk of a successful cyber attack and minimize its potential impacts.