SecurityWeek

Keeping the Lights On In The Face of Cyber Attacks

Securing Critical Infrastructure: Utilities Must Assess The Risks of Their Business Operations and Harden all Devices Attached to the Network

Sixty or seventy years ago when utility infrastructures were first built, they were not interconnected or accessed by third parties. The systems were so isolated, no one outside the organization—including potential attackers—knew what vulnerabilities existed.

Now, however, the shift from proprietary control systems to distributed systems built with commercial, off-the-shelf software has changed the name of the game and the “security by obscurity” approach no longer works. The probability of being able to penetrate or attack systems is far greater than ever before.

With utility companies powering so much of the critical infrastructure, from transportation, water and telecommunications to financial services, a disruption to the supply and distribution of electricity would affect virtually everything.

Only recently has the industry begun to wake up to the potential consequences of a cyber attack. Regulators in the UK, Australia and, particularly, in the United States, where the U.S. Senate Committee on Energy and Natural Resources last spring unanimously passed the Grid Cyber Security Act, have revised security standards. They have ramped up the pressure, telling utilities in no uncertain terms that they need to raise their game.

Unfortunately, for the most part these security regulations fall short, because they focus on individual functions of the utility's overall supply chain (for example, NERC CIP's focus on transmission) rather than on the organization's end-to-end security posture. The consequence is that companies focus on regulatory compliance rather than on comprehensive security.

Other key factors that contribute to this lack of security include:

Open protocols: The use of open, IP-based protocols that are known to everyone and easy to exploit, in place of engineering-driven protocols designed with security and safety as significant considerations.

Third party access: Many of the previously isolated networks are now connected with a number of third parties up and down the supply chain, including utility administrators, power-grid control networks, energy trading networks, energy brokers and various other companies that analyze data related to consumption, pollution and quality. In this interconnected ecosystem, the utility is only as secure as the weakest link.

Public access: In the U.S., regulatory agencies insist on transparency that requires energy companies to provide public access to how energy is transmitted, including the locations of control centers, thereby exposing the detailed topology of the national energy infrastructure.

Open market pressures: Utility companies are under immense pressure to enhance efficiency, automate and cut costs, so overhauling security capabilities isn't a top priority.

Given these factors and the growing sophistication of potential attackers, whether they are people with a grudge against a company or individuals, random hackers, or terrorists, the security risk, and the need to do something about the vulnerability of these systems, has never been greater.

What Can Be Done

Systems that are dated, interconnected, and never designed to work in this new world raise a big question mark around security. And while there may not be an easy or ready-made recipe for resolution, there are fundamental security best practices that organizations can follow that will put them in a better position to address their security risks.

For starters, utilities need to assess the risks of their end-to-end business operation and harden all devices attached to the network. Networks must be architected and designed with defense in depth in mind. Utilities also need to centralize real-time monitoring, which means putting in place the capabilities that allow them to make intelligent and informed decisions about how well their security mechanisms are working, what their security risks are, and which investments will address them.

To secure the multiple layers of any electric power system, utilities should deploy a security model called defense in depth, which uses different layers of security to provide reasonable assurance of protection against threats. Defense in depth focuses on C-I-A: confidentiality, integrity and availability. Other considerations include authentication, authorization, auditing and logging, privacy and non-repudiation of services. Because every technology has weaknesses, a defense-in-depth strategy requires multiple levels of security. This may include firewalls, intrusion detection, cryptography, and so forth, to secure and identify each component, from servers and routers to anything else on the network.
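The layering described above can be checked mechanically. The following added example (not code from the article or from any utility) audits a set of firewall permit rules against a simplified zone model in which traffic may only move one layer at a time toward the control network, only approved protocols may enter each layer, and every flow into the control zone must be logged so that it reaches central monitoring. The zone names, the allowed-protocol policy and the sample rules are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Zones ordered from least to most trusted.  This is a constructed,
# simplified layering; real utilities use finer-grained models.
ZONE_ORDER = ["internet", "enterprise", "dmz", "control"]

# Protocols each zone may accept from the zone directly below it.
# Constructed policy for illustration only.
ALLOWED_INGRESS = {
    "enterprise": {"https"},
    "dmz": {"https", "syslog"},
    "control": {"dnp3", "syslog"},
}


@dataclass(frozen=True)
class Rule:
    """One firewall rule between two zones (hypothetical schema)."""
    src: str
    dst: str
    proto: str          # "any" is a wildcard
    action: str         # "permit" or "deny"
    log: bool = False   # whether matched traffic is forwarded to central logging


def trust(zone: str) -> int:
    """Position of a zone in the trust ordering; unknown zones are an error."""
    if zone not in ZONE_ORDER:
        raise ValueError(f"unknown zone: {zone}")
    return ZONE_ORDER.index(zone)


def find_violations(rules: List[Rule]) -> List[Tuple[Rule, str]]:
    """Return (rule, reason) pairs for permits that break the layered model."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        hop = trust(r.dst) - trust(r.src)
        if hop <= 0:
            continue  # traffic toward a less-trusted zone is out of scope here
        if hop > 1:
            # A direct path from a low-trust zone into a high-trust zone
            # collapses the defense-in-depth layers into one.
            findings.append((r, "bypasses an intermediate layer"))
            continue
        if r.proto == "any" or r.proto not in ALLOWED_INGRESS[r.dst]:
            findings.append((r, f"protocol '{r.proto}' not permitted into {r.dst}"))
        if r.dst == "control" and not r.log:
            # Without logging, central monitoring never sees the flow.
            findings.append((r, "flow into control zone is not logged"))
    return findings


# Constructed sample rule set: three of these rules violate the policy.
SAMPLE_RULES = [
    Rule("internet", "enterprise", "https", "permit", log=True),
    Rule("enterprise", "dmz", "https", "permit", log=True),
    Rule("enterprise", "control", "modbus", "permit", log=True),   # skips the DMZ
    Rule("dmz", "control", "dnp3", "permit", log=True),
    Rule("dmz", "control", "telnet", "permit", log=True),          # disallowed protocol
    Rule("dmz", "control", "dnp3", "permit", log=False),           # unlogged control flow
    Rule("control", "dmz", "syslog", "permit", log=True),          # outbound, fine
    Rule("enterprise", "control", "any", "deny"),
]

if __name__ == "__main__":
    for rule, reason in find_violations(SAMPLE_RULES):
        print(f"{rule.src} -> {rule.dst} [{rule.proto}]: {reason}")
```

The same structure extends to other layered checks (for instance, requiring that management interfaces of field devices are only reachable from a jump host in the DMZ); the point is that the segmentation policy is written down once and every rule change is tested against it rather than reviewed by eye.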

Organizations also must begin to address the changing business circumstances that accompany the advent of smart meter and smart grid capabilities. Many utilities have allowed these changes to creep up on them, failing to conduct a proactive risk assessment or threat scenario modeling of what can go wrong. What many organizations have failed to consider is that they are creating a system that is inherently more vulnerable without raising the bar on their security model.

While they may be few and far between, some companies do get this right. For example, in China we have been working with a half dozen regional utilities to implement new technologies so they can introduce smart meter and smart grid capabilities. Many of these organizations have given serious thought to the interdependent vulnerabilities between each of the utilities and are building security in two dimensions: one in C-I-A mechanisms that include authentication, authorization, auditing and logging, privacy and non-repudiation, and the second in terms of people and organization, process and operations, and technology. These utilities, however, don't have the burden of contending with legacy infrastructures and, as such, have been able to start largely from scratch in employing new technology.

It’s clear that “security by obscurity” is a thing of the past. While there are no easy answers, companies need to put themselves in a better position to reduce the risk of a successful cyber attack and minimize its potential impacts.
