Michael Assante, NexDefense
Across every business and in every home, modern technology is being deployed to streamline processes, improve productivity, increase return on investment (ROI) and simply make lives easier. Everything from washing machines to HVAC systems is turning “smart” by connecting to the Internet to share data, perform offsite analytics and be remotely monitored.
As a result, the systems that monitor and control infrastructure, such as the electric grid, have evolved tremendously, with investment in new technology prompting greater operational efficiency and enhanced productivity. In fact, the power industry has some of the largest and most connected markets in the world.
Although many are privately owned, all U.S. power and utility companies are now deemed critical infrastructure by the government. Many facilities, however, have yet to completely modernize all of their physical and cyber assets, and there are no legally enforceable reasons for them to do so. The lack of holistically modernized environments, combined with the elevated threat landscape, results in a marked proliferation of risk to facilities and the organizations that own them.
Those that are taking full advantage of modern technology, however, are not immune to the millions of attack vectors made accessible by a connected infrastructure. Some smart grid deployments, for example, optimize wide-area connectivity to allow two-way communication and automation across control systems and assets. With this technology, owners and operators can automatically collect data from all of the interconnected systems and remotely access and manage each one from a central location.
Connected infrastructure like the smart grid is certainly beneficial to both power companies and their customers. Introducing connectivity into environments that were not built for interoperability, however, has empowered adversaries to seek pathways into power grid networks and systems. As such, the cyber and physical assets of power and utility companies are becoming more susceptible to attack.
The Evolution of Industrial Control Systems
Industrial control systems (ICS) are critical infrastructure’s version of both NASA’s Mission Control and onboard flight systems, essentially serving as the epicenter for the transmission of information and commands to spacecraft, remote machinery and onboard control decisions.
The problem with ICS, however, is that availability and reliability have always been the top priorities among operators, and it’s easy to understand why. With the population’s inherent dependence on power, even just a few minutes of downtime from an outage could result in financial loss, disrupt daily routines and even threaten public safety. The challenge is that, with availability and reliability being the top two concerns, cybersecurity is often underprioritized.
Because of the nature and objectives of traditional control systems, the lack of cybersecurity was historically not an issue. Legacy ICS were built to be standalone, possessed a number of analog components and relied on a degree of human intervention, all while operating in isolated environments. Prior to the advent of the connected system, a person with malicious intent would need to be physically present within a facility, or have a witting or unwitting insider deliver their code, in order to access a system. Because of this, most incidents were either accidental or the brainchild of a disgruntled employee, and damage was limited to the infected system.
Modern ICS, however, are interconnected with remote access capabilities, which means an adversary can now more directly penetrate a system’s network and everything connected to it from almost anywhere in the world. There is no longer a need to be physically on site, and the level of expertise necessary to break into a control system has lessened given the proliferation of attack vectors. As such, cyber attacks on the U.S. power grid are no longer a problem for the future, rather they are a reality of the present.
Cybersecurity Risks to the Power Grid
Evidence shows that attacks by threat actors attempting to penetrate ICS networks are becoming more targeted and are intensifying in duration and complexity. This is a direct result of the increase in the perceived importance of these systems and in the available attack vectors and pathways, which one might argue are the primary unintended consequences of mass connectivity. With far more access points into the networks of critical infrastructure, adversaries have more opportunities to compromise operationally significant systems and functions. They could unsettle the daily lives of millions of people at any one time.
While this hasn’t yet resulted in any publicly citable incidents that include significant damages to U.S. critical infrastructure, real-world examples from countries such as South Korea and Germany have recently emerged with reports citing the power industry as a prime target. A 2015 survey conducted by TrendMicro found that 47 percent of energy organizations reported cyber attacks, which was the highest finding across all corporate sectors.
The financial damages resulting from a coordinated cyber attack on the U.S. power grid would be substantial. Unlike a cyber attack on a Fortune 500 wholesaler, however, a successful attack in the energy sector affects more than the bottom line. An adversary, for example, that gains access to the internal operations of a power company could potentially gather proprietary and protected information and/or cause physical damage to equipment or disrupt operations.
There is a perception that most U.S. organizations are very good at reacting to events, but poor at proactively preventing one. The energy industry, with assistance from the government, however, has come together to create continent-wide cybersecurity standards that support reliability and thus public safety.
The Protection of Power
The Energy Policy Act of 2005 resulted in the creation of an electric reliability organization (ERO) in order to develop and enforce reliability standards in the United States. In 2007, the Federal Energy Regulatory Commission (FERC) designated NERC the ERO, in accordance with Section 215 of the Federal Power Act. NERC created reliability standards to address the security of assets composing the electric grid and was the first organization to impose America’s only mandatory cybersecurity standards for critical infrastructure.
NERC has evolved its responsibilities to help mitigate cyber risks to the electric grid. Today, one of the organization’s primary responsibilities is to develop requirements and standards that are best suited to ensure the reliability and integrity of our nation’s bulk power system.
In November 2013, FERC approved Version 5 of NERC CIP and the requirements to which owners and operators must conform will become enforceable beginning in April 2016. Version 5 represents the most material change in requirements in more than 10 years, which is representative of both the threat landscape and the progress achieved in mitigating cyber risks to the electric grid. In fact, FERC has already proposed to accept Version 6 of the NERC CIP standards, further emphasizing the need for cybersecurity.
Although nearly every BES (bulk electric system) entity now must comply with NERC CIP, the standards do not incorporate every area of a facility, leaving the systems and assets vulnerable if simply meeting minimum compliance standards is the objective.
Cybersecurity as Part of Larger Risk Mitigation Strategy
While certainly a step in the right direction, it is in the best interest of power companies to embrace NERC CIP standards as the baseline of their overall cybersecurity strategy. Threats to power systems and utilities are evolving in sophistication, and regulations will not be able to immediately keep up, nor are they likely to be the sole answer. Organizations, therefore, should prioritize overall security objectives instead of simply complying with standards. Employees from engineers to technology specialists should be thoroughly trained on control systems security and understand the risks associated with a cyber attack.
In addition to preventative measures, a functional and well-exercised response plan should be part of the cybersecurity strategy. Power companies are already experiencing cyber incidents, and it is only a matter of time before an attack occurs with the potential to cause deliberate or accidental disruption or damage.
If an organization cannot monitor its ICS and does not have a response plan ready, the damage only escalates. Employees who are not aware of the proper response measures could allow the threat actor to continue moving throughout the compromised systems. Time is of the essence during a cyber attack, and everyone must know how to respond properly to best reduce the potential for negative outcomes.
As threats become more targeted and persistent, the power industry must stay informed and aware of the technologies available to detect and mitigate them. While NERC CIP standards mandate important security compliance, utility and power companies should stay informed on the latest incidents as well as best practices for industrial control systems security.
With appropriate training, compliance and a proactive and comprehensive security strategy, energy organizations will be better prepared to detect, mitigate and respond.
Michael Assante is co-founder and chief security strategist at NexDefense. Atlanta-based NexDefense provides cybersecurity expertise for automation and control systems.