By Ed Abbo, C3 Energy
Will the first major cyberattack on the U.S. energy infrastructure come as a big bang of coordinated events, or as a series of barely noticed intrusions that gradually cripple and isolate electric or gas networks?
Whatever the plausible combination of these scenarios, preparing for a cybersecure future is proving to be one of the most difficult operational and organizational challenges to U.S. infrastructure in decades. With the responsibility of keeping the lights on while confronting new cybersecurity requirements, utilities are juggling multiple priorities: managing aging operational technology (OT) and information technology (IT) systems, dealing with growing data volume and complexity from an increasingly sensored smart grid, and monitoring new physical and cyberthreats to these networks.
The level of cyberreadiness among utility operators varies widely because of the complexity of these responsibilities, but there is broad consensus that more coordinated policies, funding and actions on cybersecurity are required to safeguard utilities’ operational and information technology networks. Operators are realizing that new technologies and business practices are needed, and have started to incorporate advancements such as big data analytics, cloud computing and machine learning into their toolsets. These technologies, including approaches that merge the cyberprotection of traditionally separate OT and IT networks, are becoming essential competencies for any utility’s cybersecurity strategy.
A Cybersecurity Landscape Evolving Faster Than Grid Operators
Two converging factors are creating a perfect storm for grid and infrastructure operators as they strive to securely administer their OT and IT networks.
1. Rapidly growing numbers of interconnected sensors and control components (ranging from 10 to 100 million for a typical utility) that are remotely machine addressable and vulnerable to cyberattack; and
2. Proliferating cyber actors and threats that outpace the traditional regulatory processes and standards designed for a hardware-centric world.
With the day-to-day pressure of maintaining “normal” operations, it is little surprise that many utilities and their regulators are inclined to adopt a reactive wait-and-see approach in addressing these factors. Yet the emerging landscape of cyberthreats has demonstrated that monitoring and securing both OT and IT networks with coherent policies and tools is a critical concern. As the diversity and number of OT and IT systems have increased, along with the observed threat types, the operational separation of these networks has become less assured than historically assumed.
Headline-making examples of incidents and attacks have exposed the fragile nature of our operational grids: the compromised control room network at the Davis-Besse nuclear plant (2003), Stuxnet (2010), the Maroochy SCADA attacks (2000), the Saudi Aramco network services blackout (2012) and the Japan Monju nuclear plant data breach (2014). BlackEnergy, HAVEX, and Sandworm are other examples of threats targeting industrial control systems, and there are undoubtedly many more unreported or unpublished incidents. Significantly, many of these incidents began through enterprise IT systems and migrated horizontally to OT systems, exploiting attack pathways that had not been considered or protected.
How ready are electricity and gas operators to face live cyberattacks? A utility’s level of preparedness can be diagnosed by the specificity of its answers to questions such as:
- Which of our IT and OT network assets are the most vulnerable to attack and require protection or updates?
- Which IT and OT network components are most important to address as cybersecurity risks, due to their potential impact on our physical grid, customers, operations and public safety infrastructure?
- What is the expected state of our network and its traffic at a given moment, and is the risk profile of our network assets increasing or decreasing?
- What financial investments are required to achieve a necessary level of cybersecurity readiness?
- What advances in software and hardware are required? Are they available now or do they need to be developed?
- How much progress and return on investment is being achieved with our network cybersecurity efforts?
Beyond any one technical issue or software patch, these questions reveal the process and organizational capability to implement strong cybersecurity measures. Even sophisticated organizations struggle to answer these questions.
The Current Industry State of Affairs and Cybersecurity Activities
Today’s 3,200 U.S. utilities vary widely in the readiness of their cybersecurity operations. Their OT and IT operations and organizations can range from tightly coordinated to completely independent and, often, non-communicative, with IT and cybersecurity teams that range from a few people to dozens. At many companies, the same staff are responsible both for daily monitoring and “live” response to cybersecurity threats and for the policy, compliance and audit efforts to meet regulatory requirements such as NERC CIP V5 in the United States. In many instances, insufficient numbers of IT or cybersecurity personnel are involved in OT maintenance or in operational decisions regarding the underlying grid equipment potentially affected by the most critical cybersecurity issues.
In addition, cybersecurity teams are further taxed by having broad responsibility for documenting, assessing and maintaining knowledge and records of network assets for regulatory purposes. This work is heavily manual and resource-intensive, yet it is only required to be audited once every several years.
One major hindrance to comprehensive cybersecurity readiness is the broad and incompatible combination of software and hardware tools used to conduct ongoing traffic monitoring and intelligence as well as cybersecurity audit functions. Yet another challenge is the separation of ownership between the many software and hardware products built for enterprise networks vs. operational networks.
These tools typically encompass dedicated point solutions across functions, such as:
- Configuration management;
- Authentication and communications security;
- Firewall, SIEM, endpoint protection;
- Hardware security auditing; and
- Built-in security firmware and isolation within and between hardware components.
[Figure caption: Comprehensive cyber protection merges IT and OT information about system assets, network traffic and physical operations across energy grid operations.]
As cyberthreats increasingly jump horizontally between systems or use multiple compartments of a utility’s enterprise and operational networks, simple visibility (not to mention diagnosis and preparation) against emerging threats is proving to be increasingly difficult given the “pieced-together” nature of these systems.
Utilities are trying their best to secure their OT and IT networks, but are constrained by minimal budgets and a patchwork collection of tools to monitor their assets and operations. Increasingly, they are discovering that traditional “air gap” security, which in principle isolates a secure computer network from unsecured networks such as the public Internet, is no guarantee against cyber vulnerabilities. More comprehensive live vulnerability assessment and risk management software tools are needed.
Unified OT-IT Risk Management for the New Cybersecurity Landscape
Faced with the issues outlined above, energy infrastructure operators today are looking for effective tools and processes that provide two critical capabilities: 1) identification and diagnosis of vulnerabilities of operational grid equipment in addition to enterprise systems, and 2) prioritization of responses to those vulnerabilities based on comprehensive knowledge of their operational impacts and tradeoffs.
To date, their search for tools and processes to enable these capabilities has been limited to point solution approaches to network infrastructure management, which are inherently unable to provide the necessary enterprise-wide view across all system assets, network traffic and physical operations in real and near-real time. Advances in machine learning-based computing software and infrastructure, however, have dramatically improved these capabilities.
Working with experienced technology and service provider partners, utility operators can now comprehensively leverage all data flowing from their disparate OT and IT networks in order to enable systems that combine cybersecurity monitoring and energy delivery decision making. Emerging data and analytics platform solutions by providers such as C3 Energy have substantially lowered the cost and shortened the time needed to unify multiple systems, with strong cyberprotection as the worthwhile payoff for utilities.
As the magnitude of endpoints, network traffic, users and applications increases, much of the currently manual diagnostic work and human-based intelligence will be enhanced and automated with new technologies that can keep pace and scale with the growing volume of risks. Machine learning (the ability of computers to learn without being explicitly programmed), built on comprehensive data integration, is already proving to effectively automate the monitoring of network traffic and the identification of anomalies.
Over time, as feedback is used to continually refine algorithms, the machine learning closed-loop system generates increasingly targeted and accurate predictions to reflect real-world conditions affecting OT and IT networks. This automation and continual improvement frees cybersecurity staff and resources from routine minute-by-minute responses in order to address cybersecurity strategy and prepare for previously unseen and unique threats.
While the rapidly evolving cybersecurity environment is putting strong pressure on utility operators, recent technological innovation is providing an increasingly capable defense against the growing threat landscape. As they put the next generation of cyber detection and diagnostic capabilities into place, utilities will find that a comprehensive strategy for risk management merges protection of the traditionally separate OT and IT networks, enabling a more coherent approach to the core business itself: financially, operationally and strategically.
Ed Abbo is president and chief technology officer at C3 Energy, which offers analytic software solutions for the global energy industry. He was formerly senior vice president at Oracle Corp., where he was responsible for application products. Abbo earned an M.S. degree in mechanical engineering from Massachusetts Institute of Technology and a bachelor of science degree in mechanical and aerospace engineering from Princeton University.