Ask any security expert about industrial control systems (ICS) and you’ll hear concerns about how the adoption of smart devices is developing more quickly than the ability to secure these devices — and that this gap poses significant risks for utilities and their end users. In fact, one researcher recently reported that hackers have successfully gained a foothold in the networks of over 20 utilities.
As the utility sector continues to modernize networking infrastructure, many companies have embraced increased interconnectivity of their industrial devices and deeper integration with business systems. While this brings many operational and business benefits, the convergence of information technology (IT) and operations technology (OT) systems has also revealed new risks that can lead to network downtime or information breaches, making cyber and physical systems more vulnerable.
How can I secure my physical and cyber assets in this connected world?
The internet provides attackers an easier way to access information. As such, utilities have had to consider how to keep their control systems free from intentional and accidental attacks from both inside and outside threats. Of all the critical infrastructures, electric utilities have been one of the most regulated for security compliance (as a means of assuring reliability).
To avoid and respond to critical cyber security concerns brought on by IT and OT convergence, utility teams can follow these three foundational steps:
1. Familiarize yourself with the cyber security landscape. Cyber attacks present real threats to all industrial sectors, including power generation, transmission and distribution. Whether you’re on the IT or OT side, security breaches can be hard to spot. U.S. NERC CIP requirements, while painful, have led the way toward building increased cyber security requirements into our electric utilities. Many power transmission and distribution plants globally have been examining NERC CIP requirements to develop their own stronger security policies and regulatory compliance.
2. Know how to identify an industrial cyber attack. When an ICS is vulnerable to a cyber threat, the breach will usually come in three phases: discovery, attack and intrusion. The attacker will first search a system to discover weaknesses and will then exploit those software vulnerabilities through a variety of methods, including using stolen credentials, infecting media or attaching malware to an email. Once the hacker has captured the data, he or she can choose to deactivate a system or keep it live. If a threat is left undetected and undeterred, the attacker will have access to critical utility control systems and networks.
3. Apply defensive strategies to secure the ICS. When considering the security of your utility infrastructure, there is a world of frameworks, regulatory requirements, technology and disciplines to examine. It’s best to start by conducting a cyber security assessment and analysis of vulnerabilities in the system. Teams can then apply a common military strategy, known as Defense in Depth, and integrate it into their control systems. The strategy uses multiple layers of defense tactics to identify and impede targeted threats. With this approach, your security system can identify and respond to potentially harmful intrusions. Implementing critical security controls can reduce your risk of cyber attacks by an estimated 85 to 95 percent, according to the Center for Internet Security.
By following these steps, you’ll be better prepared to equip your team with critical security strategies. These can aid in preventing asset failure by detecting, responding to and avoiding breaches harmful to your control rooms and transmission and distribution centers.
But it doesn’t stop there: the best security measures rely on the continuous monitoring of all network components, from endpoints to control-level systems. With 24/7 network security coverage, teams can rest easy knowing their information and operations technologies can safely function with minimal risk of network interference or unnecessary downtime.
About the authors: Jeff Lund, Senior Director of Product Line Management, Industrial IT, Belden Inc.
Jeff Lund is responsible for Belden’s vision and product initiatives related to the Industrial Internet of Things (IIoT). He also drives and coordinates cyber security and wireless product direction across Belden industrial IT product groups. Jeff has over 20 years of IIoT experience working with manufacturers and integrators to add intelligence and networking to devices for industrial, building automation, transportation system and smart grid use. He also serves as Belden’s primary representative at the Industrial Internet Consortium, where he is co-chair of the marketing working group. Jeff has an MBA from the Wharton School of the University of Pennsylvania and a B.Sc. in Electrical and Computer Engineering from the University of California at Davis.
David Meltzer is chief technology officer of Tripwire. He began building commercial security products in 1996, in the middle of the eight years it took him to get a B.S. in Computer Science from Carnegie Mellon University. He has a strong entrepreneurial focus, having founded two venture-funded technology companies, and served as Founder, Chief Technology Officer and Chief Executive Officer at both those firms. This included Cambia Security, where he built the software that became Tripwire’s CCM. Cambia was acquired by nCircle, where he continued as Vice President of Engineering and CTO, and he has continued to hold senior leadership positions at Tripwire since its acquisition of nCircle in 2013.