As part of the critical infrastructure of any country, the power grid is a prime cybersecurity target for hackers working for nation states or other bad actors. Bringing down the grid — even for a brief period — could be devastating for a country or a region.
The electric grid includes components such as power generation facilities, electrical transmission systems, distribution mechanisms, and substations—plus the consumers of power—and each of these represents a potential target for attack.
Given the size and scope of many power grids, attacks are most likely coming from sophisticated attackers who have plenty of time and resources to carry out their plans. Regardless of who launches the attack, or their methods or motives, the utility companies that provide power to customers need to be well prepared for such incidents.
Here are some steps organizations can take to help ensure that power resources are protected against intrusions and the damage they might cause.
Take inventory. It’s vital for utilities to know what operational technology (OT) assets they have in their power grid — such as control units, IEDs, switches, RTUs, engineering stations and operator stations — so they can effectively protect them. Utilities also need to protect on-premises data center components such as servers, storage systems, networks, etc.
A modern enterprise infrastructure also typically includes cloud services, mobile devices, edge computing systems, Internet of Things (IoT) devices such as smart meters, and all enterprise software applications and operating systems. This type of assessment can be a massive undertaking. But if cybersecurity executives and IT and OT teams don’t have knowledge of what needs to be protected, how can they safeguard systems and data?
Conduct a vulnerability assessment. Once you understand what’s in your network, it’s important to know where you have “weak spots” that might be vulnerable to an attack. You can do this by deploying tools that enable managers to stay on top of the latest device vulnerabilities, updates, and patch requirements.
By continually analyzing industrial network assets against a repository of ICS vulnerabilities, companies can significantly improve cybersecurity. By having a comprehensive view of all vulnerabilities and an understanding of the potential damage, utilities can better prioritize response efforts and more quickly mitigate risks.
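To make the inventory-versus-repository comparison concrete, here is an added example (not from the original article or any vendor's product) that matches an asset inventory against advisory records and ranks the unpatched findings. The vendors, models, firmware versions, advisory IDs, and the severity-times-criticality score are all constructed assumptions.

```python
# Added example: constructed inventory and advisory data, not real products or advisories.
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    vendor: str
    model: str
    firmware: str      # dotted version string, e.g. "2.4.1"
    criticality: int   # assumed scale: 1 (low) .. 5 (protection or safety function)

@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder IDs, not real advisories
    vendor: str
    model: str
    fixed_in: str      # first firmware version that contains the fix
    severity: float    # CVSS-style base score, 0.0 .. 10.0

def parse_version(text):
    """Turn '2.10.0' into (2, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def open_findings(assets, advisories):
    """Return (risk, asset name, advisory id) for every unpatched match, highest risk first."""
    findings = []
    for asset in assets:
        for adv in advisories:
            same_product = (asset.vendor, asset.model) == (adv.vendor, adv.model)
            if same_product and parse_version(asset.firmware) < parse_version(adv.fixed_in):
                risk = round(adv.severity * asset.criticality, 1)  # assumed scoring rule
                findings.append((risk, asset.name, adv.advisory_id))
    return sorted(findings, reverse=True)

INVENTORY = [
    Asset("sub12-rtu-01", "ExampleVendor", "RTU-500", "2.9.3", 5),
    Asset("sub12-ied-07", "ExampleVendor", "IED-20", "1.4.0", 4),
    Asset("ctrl-eng-ws-02", "OtherVendor", "EngStation", "10.2.0", 2),
    Asset("sub03-rtu-02", "ExampleVendor", "RTU-500", "2.10.0", 5),
]
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-001", "ExampleVendor", "RTU-500", "2.10.0", 9.8),
    Advisory("ADV-PLACEHOLDER-002", "ExampleVendor", "IED-20", "1.4.2", 7.5),
    Advisory("ADV-PLACEHOLDER-003", "OtherVendor", "EngStation", "10.1.5", 8.1),
]
```

A plain string comparison would treat firmware "2.9.3" as newer than "2.10.0" and silently drop the highest-risk finding, which is why the versions are parsed into integer tuples first.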
Integrate security tools. If the tools in your security stack don’t talk to each other, their value to the organization might be severely limited.
For example, integrating tools with security information and event management (SIEM) platforms can provide greater visibility for cybersecurity leaders and security operation centers. As IT and OT environments become more interconnected with IoT, the attack surface for threats expands. Having greater visibility that spans across both environments is more important than ever.
Begin monitoring. Establish real-time monitoring of your industrial control system (ICS). Some solutions can be set up in just a few hours, and help protect control networks from cyber attacks and operational disruptions by providing complete ICS visibility and security.
Advanced technology available today automatically maps and visualizes an entire industrial network, including assets, connections, and protocols. It also monitors network communications and behavior for risks that can threaten the reliability of systems.
Identify known threats. Utilities can leverage tools to automatically identify known network and ICS risks using signature-based threat detection. These tools automatically detect threats by looking for specific patterns of behavior and indicators of compromise, such as byte sequences in network traffic or known malicious instructions used by malware.
Given today’s threat environment, utilities need this kind of comprehensive threat detection capability to protect their assets.
Look for unusual behavior. New cybersecurity threats are constantly emerging or evolving, and utilities need to be able to protect against these. They can do this by leveraging security features such as anomaly detection for their industrial processes.
Anomaly detection tools that utilize artificial intelligence and machine learning can create a baseline of normal network and process behavior and then issue alerts on changes that deviate from the norm. For example, an anomaly detection tool could determine that a new asset is attempting to connect to a public IP address, which is a common action performed when malware is attempting to connect to a command-and-control (C2) server. Anomaly detection tools can also be used to quickly identify any changes in standard communication behavior that would indicate that someone is scanning devices on the network.
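The two cases in the paragraph above, sketched as an added example that is not from the original article or any vendor's product: a simple rule-based baseline stands in for the machine-learning models, learning normal conversations and then flagging an unknown asset, a public destination, and scan-like fan-out. The flow records, the addresses, and the `SCAN_FANOUT` threshold are constructed assumptions.

```python
# Added example: flow records below are constructed for illustration.
import ipaddress
from collections import defaultdict

SCAN_FANOUT = 5  # assumed threshold: new peers contacted by one source in the window

def build_baseline(flows):
    """Learn which assets exist and which (src, dst, port) conversations are normal."""
    return {"assets": {src for src, _, _ in flows}, "pairs": set(flows)}

def detect(baseline, flows):
    """Return sorted (alert_type, source) tuples for flows that deviate from the baseline."""
    alerts = set()
    new_peers = defaultdict(set)
    for src, dst, port in flows:
        if (src, dst, port) in baseline["pairs"]:
            continue  # conversation seen during the learning window: normal
        if src not in baseline["assets"]:
            alerts.add(("new_asset", src))
        if ipaddress.ip_address(dst).is_global:
            alerts.add(("public_destination", src))
        new_peers[src].add(dst)
    for src, peers in new_peers.items():
        if len(peers) >= SCAN_FANOUT:  # one source suddenly talking to many new hosts
            alerts.add(("scan_like_fanout", src))
    return sorted(alerts)

BASELINE_FLOWS = [
    ("10.20.1.10", "10.20.1.50", 502),    # HMI -> PLC, Modbus/TCP
    ("10.20.1.10", "10.20.1.51", 502),
    ("10.20.1.20", "10.20.1.60", 20000),  # master -> outstation, DNP3
]
LIVE_FLOWS = [
    ("10.20.1.10", "10.20.1.50", 502),    # matches the baseline
    ("10.20.1.99", "8.8.8.8", 443),       # unknown asset; 8.8.8.8 is a stand-in public address
] + [("10.20.1.20", f"10.20.1.{host}", 502) for host in range(100, 106)]  # sweep of 6 hosts

BASELINE = build_baseline(BASELINE_FLOWS)
ALERTS = detect(BASELINE, LIVE_FLOWS)
```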
Look for proven technology. Utilities need to keep in mind that not all security solutions are created equal. What works fine for some sectors might not be sufficient for others.
Companies such as utilities, which have diverse facilities that encompass all kinds of operating environments, need to deploy solutions that are designed to protect industrial systems. Look for vendors that specialize in industrial cybersecurity and operational visibility.
Aim for speed and simplicity. No one wants to have to wait a long time to implement cybersecurity tools that should have been deployed yesterday. It’s vital to select technology that gets up and running quickly and easily for centralized oversight of remote sites.
Solutions should be straightforward and begin providing a return on investment quickly. Some criteria to look for in a solution:
- completely safe for industrial networks and processes
- has a level of maturity that ensures viability
- is industry certified and quick to deploy
- immediately delivers benefits by identifying existing threats in the industrial network and improving the productivity of operations and IT staff.
Have incident response plans in place. Last and certainly not least, be prepared to respond to identified threats quickly and safely. Even the best monitoring and detection technology available and all the visibility possible will not be of much value if companies don’t know how to respond when an actual incident occurs. It’s important to have the right people and policies in place before the incident occurs.
Every part of the electric grid, including the utilities that provide such vital services to consumers and businesses, should be prepared for an attack at any time. By taking proper precautions and following best practices, utilities can put themselves in the best possible position to safeguard their systems and data.
Cybersecurity and Incident Response is an educational track at DISTRIBUTECH International (January 28-30, 2020 in San Antonio).