Making a Grid-Iron Defense

By Todd Waskelis, AT&T Consulting

The number of cyberattacks on the U.S. energy sector is growing rapidly. The interconnectivity of the nation’s power delivery and management systems has optimized efficiency and performance, but it has also introduced new risks to the physical, critical infrastructure. Every smart meter, energy box actuator and grid sensor added to the network introduces new threat vectors for cyberattackers to exploit.

Last year, research tried to calculate the potential impact of a grid attack, using a hypothetical scenario of power failure in 15 U.S. states. The results showed that an estimated 93 million people could be left without power. Further, the outage could inflict between $243 billion and $1 trillion in economic damage, according to Lloyd’s and the University of Cambridge. Beyond the economic devastation, prolonged lapses in power delivery could have real safety and health implications as well.

These statistics show that companies need to be prepared. Having the right protections in place can save billions of dollars and keep power fully operational to meet customer needs. Unfortunately, according to AT&T’s latest Cybersecurity Insights Report, “The CEO’s Guide to Cyberbreach Response,” more than half of businesses surveyed were breached last year, and 66 percent of businesses had no plan in place to deal with a possible cyber breach.

If a breach occurs, having a thorough and practiced plan already in place could mean the difference between an outage that lasts a few hours and one that lasts for days, or even weeks. That’s why companies should invest in creating an Incident Response Plan to quickly identify, contain and communicate a breach.

So where should energy companies start? To effectively respond to a breach, energy companies must actively assess their network and defenses well ahead of any issues. Once it’s clear where valuable information is stored, and how it is transmitted in and out of the company, it’s easier to assess where points of vulnerability might be, or areas that might need extra protection.

Once protections are in place, businesses should build a cross-functional team that includes not only IT leaders, but also executives, communicators, legal, and other key stakeholders. This team should stand ready, in case sensitive and confidential information is stolen or critical systems are compromised.

Should the worst happen, these team members will need to isolate and mitigate the attack:

- IT/Security Leaders: To determine the cause and extent of damage and lead forensic evaluation.
- Business Leaders: Will make decisions on budget, third-party consultants, and overall strategy.
- Communicators: To issue statements out to any affected customers or partners.
- Legal and Regulatory Partners: Can help provide direction to see to it that business requirements and policies are followed.

Depending on the organizational structure of the company, it may also make sense to engage other groups or third parties for guidance. For example, if the energy grid is hacked via a Distributed Denial of Service attack, or via an attack that infects one machine in the network and uses it to attack others and overwhelm the system, and that attack is executed using smart energy meters, you will want a representative from the smart energy meter company on your team to help resolve and communicate the issue.

As the cyber-threat landscape grows, hackers are organizing more and more attacks on critical infrastructure. Social engineering, counterfeit devices, authorized access and targeted zero-day attacks are just a handful of ways threats are penetrating the energy environment. Each of these distinct breach scenarios requires a response tailored to it. The incident response playbook should include a step-by-step guide outlining the processes and individual roles for each possible scenario. A breach response for a situation resulting in damage to intellectual property will look different from one that impacts operations at the physical plant.

Ideally, each section should provide a framework for when to engage each member of the response team, when and how to notify employees and stakeholders, and detailed procedures to help mitigate and remediate active breaches. Because the right course of action depends so heavily on the circumstances, playbooks should reflect that variation. Companies should consider whether the business should continue operations, the time to recovery, and how easily they could adapt. The key point for businesses is that they cannot totally eliminate cyber risk, but they can prepare to effectively manage a breach.

Forensic tools are also an important factor in effective breach response. Progressive organizations prioritize these tools since they can provide critical information regarding the source of a breach.

This is especially important for power companies that are experiencing increased connectivity on their networks. As smart meters and grid sensors are added to the network, identifying and isolating issues becomes a challenge. Having the right tracking tools in place is a key factor in rapid analysis and in determining the right playbook to follow.

Forensics can also collect evidence of suspected misuse, policy violations and potentially unlawful activities or actions. Following a breach, information can be difficult to come by if proper forensic tools aren’t in place. This is even more serious if critical systems are down, because that information could also be vital in helping to get everything back online quickly.

For the response plan to work, it’s important that each team member fully understands their role and is equally committed to following the rules and procedures from the playbook. Conducting regular tabletop exercises can also help Incident Response Team members familiarize themselves with their responsibilities and simulate their response in any given scenario.

By testing the plan against scenarios such as a hacker taking control of plant equipment from a remote location, or a malicious email affecting plant control systems and operations, Incident Response Teams can reveal any flaws or gaps in the incident response plan that could negatively impact and delay response performance.

As the nation’s power and energy systems become increasingly interconnected and dependent on network technology, it’s important for businesses to invest in a comprehensive incident response plan. And while it’s impossible for businesses (even those classified as Progressive) to entirely eliminate cyber risk, businesses can prepare and practice responsible, effective breach management to help protect against the potentially devastating economic and physical effects of a cyberattack.


Todd Waskelis is responsible for the direction and business performance for AT&T Consulting’s Security service lines. Todd’s organization provides both strategic and tactical security consulting services to enterprises and government agencies covering a wide spectrum of offerings from compliance and risk management to technical services for emerging technologies such as cloud and mobility. Todd’s career focus has been on helping customers drive business benefit through the exploitation of technology and driving step change improvements in organizations at pace while sustaining security, managing compliance and mitigating risk.
