by Torsten George, Agiliance
While media coverage of cyberattacks mostly focuses on data breaches at major brands such as LinkedIn or financial institutions, the nation’s critical infrastructure is equally if not more at risk from advanced persistent threats (APTs).
Energy providers that operate electric grids, gas pipelines and nuclear power plants are prime targets for APTs because a successful attack could have wide-reaching impacts on the economy and civic stability.
Several recent attacks on the computer networks of critical infrastructure providers have made the headlines. These include Saudi Arabia’s state-owned oil company Qatar, natural gas pumper RasGas, and Calgary-based Telvent Canada, an information technology service company that helps manage 60 percent of all oil and gas pipelines in North America and Latin America.
Instead of flying airplanes into buildings, perpetrators are using Trojans, viruses, worms and purpose-built malware to attack critical infrastructure providers via the Internet. Virtually every energy provider’s information technology network is connected to public networks in order to share production, capacity and other information and to run the business.
Protecting the nation’s critical infrastructure from cyberthreats initiated by bad actors who are well-organized and funded is difficult because of system complexity in the energy sector. Some areas where organizations fall short include securing the interfaces between diverse systems and understanding how their security infrastructure functions.
In this context, integration is essential to managing complex security systems. This starts with developing an information security risk management (ISRM) program that connects systems, processes and people; helps provide greater visibility into threats and vulnerabilities; and enables more rapid, intelligent decision-making and response.
The Goal: Secure, Comply
Since the Sept. 11, 2001, terrorist attacks, the energy industry has taken measures to ensure the reliability of the North American bulk power system, especially as it relates to the threat of cyberattacks. For instance, the North American Electric Reliability Corp., certified by the Federal Energy Regulatory Commission, has developed standard guidelines to assist its members in implementing critical infrastructure protection (CIP) programs.
In addition, the U.S. Nuclear Regulatory Commission (NRC) has issued security rules that added cyberattacks to the adversary threat types nuclear plants must be able to defend against. According to the NRC Code of Federal Regulations “Protection of Digital Computer and Communications Systems and Networks” (10 CFR 73.54), each nuclear power plant licensee is mandated to submit a cybersecurity plan and remediation strategy. The U.S. nuclear industry’s trade group, the Nuclear Energy Institute (NEI), went even further, inviting more than 20 cybersecurity experts from the nuclear industry to build NEI 08-09, “Cyber Security Plan for Nuclear Power Reactors.” NEI 08-09 is similar to the NRC guidelines and focuses on ensuring that some 650 controls derived from National Institute of Standards and Technology (NIST) 800-53 are used to verify the cybersecurity of critical digital assets in commercial nuclear plants.
Common Attack Surfaces
The primary concern in the energy industry is the protection of supervisory control and data acquisition (SCADA) systems used to control geographically dispersed assets (e.g., servers, computers, smart pumps) from a central command center. Historically, SCADA systems were isolated on internal networks and used to control processes for a single site. Advances in computer technology, however, as well as increased competition within the energy industry, have opened SCADA systems to the public Internet. As a result, SCADA systems are more vulnerable to malware-based cyberattacks. Successful malware attacks raise the threat of intruders taking control of SCADA systems, which could result in a direct or indirect threat to public health and safety.
Practical Steps to CIP
The energy industry has established standards for CIP against cyberattacks, but implementation of these guidelines remains a challenge, primarily because current security mechanisms (perimeter intrusion detection, signature-based anti-malware and anti-virus solutions, and the like) are unable to keep up with evolving exploits. Often these security tools are used in a silo-based manner and are not integrated within a closed-loop process for continuous monitoring. In addition, most security products lack risk-based scoring, whereby vulnerabilities and their associated remediation actions are prioritized according to the threat level they pose to the organization, its infrastructure or both.
Besides close collaboration with the Department of Homeland Security, energy providers should consider revisiting their approaches to information security risk management (ISRM) and implementing an advanced program based on the following fundamental steps:
- Managing and performing risk assessments to understand which systems have sensitive data and, therefore, the highest business criticality.
- Based on the results of the risk assessments, rationalizing the locations where sensitive data is stored to only the most secure systems that are protected against direct Internet traffic.
- Tracking risks on these critical systems from a top-down perspective to understand the key threats a company faces and ensuring controls to counter these threats.
- Managing risk from a bottom-up perspective by consolidating and correlating data from scanners, vulnerability feeds, patch management systems, configuration management systems, etc., to get a holistic view of vulnerabilities that affect the most business-critical assets, including those with personally identifiable information.
- Creating and tracking tickets to put in place controls and remediation actions to address these threats and vulnerabilities in a timely fashion.
- Managing workflows associated with all of the aforementioned processes.
- Reporting on risks, vulnerabilities and effectiveness of remediation efforts.
- Managing emergency response processes and procedures in the event a data breach occurs, to minimize the damage from the breach.
Implementing an ISRM program can make threats and vulnerabilities visible and actionable, while enabling organizations to prioritize and address high-risk security exposures before security breaches occur. It also reduces costs by unifying and streamlining information security processes through automation, which eliminates redundant, manual effort.
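The bottom-up correlation and risk-based scoring described in the steps above can be made concrete with a small script. The following is an added example, not code from the article or from Agiliance: it joins constructed scanner findings with a constructed asset inventory (criticality, sensitive data, Internet exposure), a constructed threat feed and constructed patch-management records, then emits a prioritized remediation queue and a per-zone risk roll-up for reporting. The host names, the VULN-x identifiers, the weights and the SLA thresholds are all placeholders chosen for illustration; an organization would calibrate them against its own risk assessments.

```python
"""Risk-based scoring of scanner findings against asset criticality.

Added example (not from the article or from Agiliance). Every host name,
VULN-x id, weight and threshold below is a constructed placeholder.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int        # 1 (low) .. 5 (safety-critical), from the top-down risk assessment
    sensitive_data: bool    # holds PII or other sensitive data
    internet_exposed: bool  # reachable by direct Internet traffic
    zone: str               # network zone, used for reporting


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str
    cvss: float             # raw severity as reported by the scanner


# Constructed asset inventory (top-down view of business criticality).
ASSETS: Dict[str, Asset] = {a.name: a for a in [
    Asset("scada-hmi-01", 5, False, False, "control"),
    Asset("billing-db-01", 4, True, False, "corporate"),
    Asset("web-portal-01", 3, True, True, "dmz"),
    Asset("kiosk-07", 1, False, False, "corporate"),
]}

# Constructed scanner findings (bottom-up view).
FINDINGS: List[Finding] = [
    Finding("web-portal-01", "VULN-A", 9.8),
    Finding("scada-hmi-01", "VULN-B", 7.5),
    Finding("billing-db-01", "VULN-B", 7.5),
    Finding("kiosk-07", "VULN-A", 9.8),
    Finding("scada-hmi-01", "VULN-C", 4.3),
]

# Constructed threat feed: ids with exploitation observed in the wild.
EXPLOITED: Set[str] = {"VULN-B"}

# Constructed patch-management records: (host, vuln_id) pairs already remediated.
PATCHED: Set[Tuple[str, str]] = {("billing-db-01", "VULN-B")}


def risk_score(f: Finding, a: Asset, exploited: Set[str], patched: Set[Tuple[str, str]]) -> float:
    """Weight raw CVSS by business context. Multipliers are illustrative, not a standard."""
    if (f.host, f.vuln_id) in patched:
        return 0.0                    # patch system reports it closed: no residual risk
    score = f.cvss * a.criticality    # severity x business criticality
    if a.internet_exposed:
        score *= 1.5                  # exposed to direct Internet traffic
    if f.vuln_id in exploited:
        score *= 2.0                  # active exploitation raises the threat level
    if a.sensitive_data:
        score *= 1.2                  # a breach would expose sensitive data / PII
    return score


def sla_tier(score: float) -> str:
    """Map a risk score to a remediation ticket priority (illustrative thresholds)."""
    if score >= 50:
        return "P1-7d"
    if score >= 20:
        return "P2-30d"
    return "P3-90d"


def build_queue(findings: List[Finding], assets: Dict[str, Asset],
                exploited: Set[str], patched: Set[Tuple[str, str]]) -> List[dict]:
    """Correlate findings with asset context and return open tickets, highest risk first."""
    queue = []
    for f in findings:
        asset = assets.get(f.host)
        if asset is None:
            continue  # unknown host: an inventory gap to report, not a ticket to file blindly
        score = risk_score(f, asset, exploited, patched)
        if score == 0.0:
            continue  # already remediated, nothing to track
        queue.append({"host": f.host, "vuln_id": f.vuln_id, "zone": asset.zone,
                      "cvss": f.cvss, "risk": round(score, 2), "ticket": sla_tier(score)})
    return sorted(queue, key=lambda t: t["risk"], reverse=True)


def open_risk_by_zone(queue: List[dict]) -> Dict[str, float]:
    """Roll up residual risk per network zone for the reporting step."""
    totals: Dict[str, float] = {}
    for t in queue:
        totals[t["zone"]] = round(totals.get(t["zone"], 0.0) + t["risk"], 2)
    return totals


if __name__ == "__main__":
    tickets = build_queue(FINDINGS, ASSETS, EXPLOITED, PATCHED)
    for t in tickets:
        print(f'{t["ticket"]:7} {t["host"]:14} {t["vuln_id"]} cvss={t["cvss"]} risk={t["risk"]}')
    print(open_risk_by_zone(tickets))
```

With these constructed inputs the CVSS 7.5 finding on the safety-critical, actively exploited SCADA host outranks the CVSS 9.8 finding on the low-criticality kiosk, and the finding the patch system already reports as fixed never becomes a ticket. That ordering, rather than the raw scanner severity, is what the article means by prioritizing remediation on the threat level to the organization.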
Torsten George is vice president of worldwide marketing and products at integrated risk management vendor Agiliance.