Emerging technologies, particularly those required for distributed asset management, are enabling and demanding greater grid connectivity to leverage new advancements in data analytics, grid asset management and customer applications. But with heightened connectivity comes heightened risk, as these same devices that offer so much promise can also serve as vulnerable entry points into sensitive enterprise networks.
To address this, utilities have been heavily focused on IT cybersecurity and have matured and advanced the technology to protect against threats posed by malicious actors. However, Operational Technology (OT) security has lagged, stymied by legacy systems that have often been patchworked together, reflecting disparate technologies, parceled installation and lack of fully developed controls architecture, risk assessments, governance protocols and technologies.
These new digital solutions that promise greater efficiencies, advanced asset management and improved reliability and resilience, continue to present challenges in defining and managing OT technology risks. To enable a full suite of cybersecurity protections, utilities need to embrace a comprehensive approach to assessing energy asset-based OT performance objectives and associated cybersecurity risk, and they must do so within the context of a broader integrated IT/OT risk management program.
Emerging Best Practices
The emergence of the digital economy and applications across the utility space has substantially increased the value of OT along with its cybersecurity exposure risk. As a result, utilities must establish a disciplined and structured approach to managing OT, IT/OT “edge” computing and internet connectivity (IP and Internet of Things (IoT)) across the full supply and value chain. As the value proposition of IT, OT and linked IoT services increases, so does the need to proactively monitor, measure and inform cybersecurity investment decisions.
Energy infrastructure is a top target for cyber attackers seeking to compromise the grid and disrupt generation, transmission, distribution and fuels infrastructure, as well as downstream, customer and smart grid-based digital asset management tools. These risks include:
- Loss of service to suppliers, consumers and the economy
- Remediation costs with regards to both technology and labor
- Regulatory impacts, including compliance penalties and cost recovery
- Environmental, health and safety impact costs
- Insurance costs, along with other direct and indirect costs
To mitigate this risk, utilities should fully assess new OT applications, specifically their network linkage through IT and IoT linked paths. An emerging best practice representation appears in Figure 1.
For example, the MS Threat Modeling Tool uses IT/OT network diagrams to define and visualize system components, data flows and security boundaries within IT/OT infrastructure.
The architecture and process framed in this approach include, sequentially:
- Representative site and application walkdowns, including review of network configurations highlighting IT/OT, serial and IP communications connectivity, external direct and IoT interfaces
- An assessment of cybersecurity practices focused on comparable industrial control systems using the NIST Cyber Security Framework and Evaluation Tool and other applicable industry standards
- An OT asset inventory, governance documentation and network diagram review
- A resulting capability maturity model to identify points of vulnerability across hardware, software, firmware, information security architecture, internal controls, security procedures and other NIST categories
- A technical threat vector analysis including external threat actor capability, path and internal vulnerability assessment converted to specific mitigation strategies
Mapping specific threat vectors to mitigation strategies, as shown in Figure 2, provides the foundation for OT cybersecurity. The OT Risk Assessment Program relies on vulnerability risk assessments, established risk exposure categories (as mentioned above), associated avoided cost metrics, and industry-based sector attack incidence records from established industry sources such as the Verizon 2019 Data Breach Investigations Report, The Cybersecurity Threat Landscape, and the latest NERC State of Reliability Report, among others.
The resulting “Cost of Occurrence x Probability of Occurrence” net cost exposure is then compared with mitigation costs evaluate returns on an effective preventative cost mitigation investment. These resource investments are categorized as people, processes and technologies, and are linked and sequenced in prioritized payback and investment horizon.
For example, patch management and access control mitigation strategies apply to a number of threats as shown in Figure 2. Best practices dictate that these metrics, associated risk exposure levels and probabilities are updated on a daily or real-time basis. The resulting AI-backed system can then serve as an OT cybersecurity asset management system with a consistent design and backed by dynamic metrics.
Managing OT cybersecurity risk management and best practices can be extra challenging due to the intersection of digital technologies and distributed use. For example, digital devices spread across multiple customers and IP connectivity points create both internal and external network edge exposures. These emerging downstream (IP-based and customer-focused) and upstream (IT-backed and centralized) exposures require specific OT cybersecurity structuring and evaluation.
When discussing upstream applications, it is vital to establish active cybersecurity operations centers (“CSOCs”) to manage these multiple OT boundaries and gateways. CSOCs should establish clear line-of-sight and automated threat monitoring programs and have reported Mean Time to Resolution (“MTTR”) of months, rather than hours or days, according to the Ponemon Institute’s “Improving the Effectiveness of Cyber Security Operating Centers.” Improving the Effectiveness of the Security Operations Center Improving the Effectiveness of the Security Operations CenterThe resulting efforts to automate and apply artificial intelligence to these capabilities are likely to yield positive risk mitigation paybacks, particularly in reducing response time.
Integrating digital technologies at the grid-level and behind-the-meter begins by effectively integrating those assets into protected systems, whether they are islanded or connected to the cybersecurity, cloud or internal IT networks. With field devices connected through IP, security systems must be designed to establish, identify and protect access from specific devices and asset management applications. With grid applications moving from electron-mechanical device signals to microprocessors, these systems linked by IP communications and supported by IT interface require network boundary management at a much larger scale.
To address this and to be properly managed, OT cybersecurity focused on emerging digital requirements must rely on the cloud and internal IT solutions; segmented OT solutions; and an additional IoT security “envelope” where applicable.
For downstream applications, customer and service contractor data applications and IoT linkages are demanding a higher level of detection and response capabilities. This is where automated field detection and response management protocols can play a key role in rapidly detecting, isolating and responding to system breaches.
When it comes to serial vs. IP connectivity, utilities must revisit IP connectivity exposures, which can create both intentional and unintentional breaches. To mitigate these exposures, utilities can employ redundancy, stringent internal process controls, air-gapping and multi-staging clearance paths. Systems-based monitoring, from detection to remediation, would help reduce incidents and minimize possible breaches. Training and desktop attack simulations are also a critical part of the solution.
A well-designed OT cybersecurity strategy designed to mitigate risk should be built on a clearly documented and dynamic risk-based cost-benefit analysis. As the value and promise of these digital applications grow, so does the potential for a malicious cyber-attack. Balancing risk and reward require the application of best practice under a program that integrates and protects emerging digital services. This ability to measure and apply OT cybersecurity risk exposure in a real-time, updated framework that combines threat vector analysis updates, cost exposure and dynamic response capability constitute next steps to a secure OT environment.
Contact Us to Learn More:
Rutherford S. Poats, Managing Director, Enterprise Risk Management
Abhijeet Naik, Managing Director, Energy Asset Management
Kayleigh Moss, Senior Analyst, B&V Management Consulting