By Joe Zhou
As advanced technologies and new opportunities continue to improve our operational efficiency, productivity and resiliency across the electric utility sector, electric utility leaders are growing increasingly aware that with heightened opportunities comes heightened risk, particularly when increased connectivity through digitization of operational devices brings new vulnerabilities into play.
As we are continually enabled and spurred by new levels of digitalization and the IoT, cybersecurity postures are coming under intense scrutiny by security professionals, regulators, the federal government and utilities themselves, who have seen firsthand how pervasive — and crippling — cyberattacks can be. To this point, the memory of the Ukrainian 2015 cyberattack still is fresh in the minds of cybersecurity professionals, who remember when hackers managed to shut down the Ukrainian power grid, causing outages to roll across the country. Such a scenario is intolerable in the United States.
Considering observable threat-analysis trends, U.S. industry professionals expect that cyberattacks will increase in number, frequency and sophistication. We know that malicious individuals and anonymous groups will continue to develop cyberweapons capable of disrupting operations, damaging equipment and compromising sensitive data. In fact, a 2018 study by financial services group KPMG found that nearly half of power and utility executives (48 percent) expect a cyberattack to be inevitable.
It’s no surprise that utility leaders view cybersecurity processes, procedures, governance, technology and overall threat management as an industry top concern. When polled on the most challenging issues facing electric utilities today, cybersecurity ranked No. 3, behind aging infrastructure and an aging workforce, according to Black & Veatch’s 2019 Strategic Directions: Electric Report survey of the North American power industry.
Utility leaders understand they are at a crossroads as they work to balance technological opportunity with safety and security and are willing to put capital behind their investments. As utilities become more consumer-centric and the IoT becomes the norm for customer engagement and interaction, 92 percent of survey respondents said they plan to invest in beefing up the security of their data and internal systems.
Cybersecurity’s Weakest Link
With most electricity providers managing their security needs in-house, it’s no surprise that respondents identified security education and training as the No. 1 need when it comes to managing organizational cybersecurity and physical security.
Implementing security education and training will help bring utilities into compliance with North American Electric Reliability Corporation (NERC) critical infrastructure protection (CIP) training requirements, which mandate that electric utilities have cybersecurity training programs in place to help mitigate human error.
Education and training mitigate human error, which is the weakest link in the cybersecurity chain. For example, phishing emails — a type of online scam in which malicious actors use what appears to be an email from a legitimate company to steal sensitive information — remain a scourge to cybersecurity teams everywhere. The solution is easy enough: Do not open untrusted emails and do not click on untrusted email links.
But, we observe that even when people are educated on the risks of phishing, they continue to click unsafe links. Our most advanced threat models include the fact that some (a very small portion of the population) always will click unsafe links. Therefore, IT professionals must install back-end email protection systems (that can disable or remove unsafe links) to mitigate the inevitable human error.
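The back-end protection described above, as an added example that is not part of the original article: a minimal mail-gateway filter that rewrites every link whose host is not on an allowlist into inert, non-clickable text, in both plain-text and HTML bodies. The allowlist, the domain names and the sample message are constructed for the demonstration; the host check matches whole domains rather than substrings, which is what defeats lookalike hosts whose prefix is a trusted name.

```python
"""Defuse untrusted links in an inbound e-mail body (constructed example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist of domains the utility treats as trusted.
TRUSTED_DOMAINS = {"example-utility.com", "nerc.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_trusted(url: str) -> bool:
    """True only for http(s) URLs whose host is a trusted domain or a subdomain of one."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return False  # javascript:, data:, mailto: and the like are never trusted
    # Whole-label match: example-utility.com.attacker.example does NOT pass.
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def defuse(url: str) -> str:
    """Render a URL non-clickable while keeping it readable for analysts."""
    return "[BLOCKED LINK: " + url.replace("://", "[:]//").replace(".", "[.]") + "]"


def defuse_plain_text(body: str):
    """Return (rewritten body, list of blocked URLs) for a text/plain part."""
    blocked = []

    def repl(match):
        url = match.group(0)
        if is_trusted(url):
            return url
        blocked.append(url)
        return defuse(url)

    return URL_RE.sub(repl, body), blocked


class LinkDefuser(HTMLParser):
    """Re-emit HTML, replacing untrusted <a href> anchors with inert text.

    The anchor's visible text is kept so the reader still sees what the
    message claimed, next to the real (now defused) destination.
    """

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.blocked = []
        self._skipping_anchor = False

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href is not None and not is_trusted(href):
            self.blocked.append(href)
            self.out.append(defuse(href) + " ")
            self._skipping_anchor = True
            return
        attr_text = "".join(f' {k}="{v}"' for k, v in attrs if v is not None)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag == "a" and self._skipping_anchor:
            self._skipping_anchor = False
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def defuse_html(body: str):
    """Return (rewritten body, list of blocked URLs) for a text/html part."""
    parser = LinkDefuser()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.blocked


# Constructed sample: a lookalike host whose visible text claims to be trusted,
# followed by a genuine link to the utility's own portal.
SAMPLE_HTML = (
    "<p>Your account needs verification: "
    '<a href="http://example-utility.com.login-verify.example.net/reset">'
    "example-utility.com</a> or visit "
    '<a href="https://example-utility.com/portal">our portal</a>.</p>'
)

if __name__ == "__main__":
    rewritten, blocked = defuse_html(SAMPLE_HTML)
    print(rewritten)
    print("blocked:", blocked)
```

The filter keeps the trusted portal link intact and replaces only the lookalike, and the `blocked` list gives the security team a record of what was neutralized for each message.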
Managing security products and platforms was identified as the second most important need from our survey. From there, our survey respondents prioritized endpoint management (mobile devices, PCs, laptops, etc.); vulnerabilities management; retaining cybersecurity talent; maintaining compliance with NERC-CIP requirements; defining and implementing cybersecurity policies, guidelines and procedures; identity management; and access management. Justifying budgets and investments was the final priority our respondents identified.
Access Control Remains a Major Vulnerability
According to survey data, nearly one-third of respondents named access control as the largest vulnerability when it comes to ensuring cybersecurity and physical security.
There are two types of access control:
- Physical access, or the act of physically letting someone into the facility, which is typically governed by background checks, risk assessments and permissions-based badging; and
- Logical access, which allows permission-based access to remote and networked systems, and is controlled through user-level authentication controls, two-factor authentication and even advanced technologies such as biometrics.
From there, respondents prioritized risk assessment, identification and authorization, incident response/contingency planning, asset management and configuration management. Surprisingly, respondents ranked asset management fifth on the list, yet it is actually one of the most critical points because organizations cannot protect what they don’t know they have. Asset management is a prerequisite for a good, holistic cybersecurity program, and organizations cannot employ effective cybersecurity without effective asset management. We see utilities starting to build comprehensive operational technology cybersecurity enhancement programs that complement and further enhance the security and defense capabilities of OT systems, and asset management is foundational to ensuring 100 percent coverage and compliance.
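The asset-management check that "you cannot protect what you don't know you have" implies, as an added example that is not part of the original article: it reconciles the inventory of record against the devices a passive network sensor actually observed, reporting devices nobody owns, inventoried assets that were never seen, and address drift, plus a coverage figure. Both data sets, the asset identifiers, the addresses and the sensor names are constructed; in practice they would come from a CMDB export and the sensor's device list.

```python
"""Reconcile an OT asset inventory against observed devices (constructed example)."""
from dataclasses import dataclass, field


def norm_mac(mac: str) -> str:
    """Canonical lowercase colon form, so 00-11-22-33-44-02 and 0011.2233.4402 compare equal."""
    hexdigits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Reconciliation:
    unknown: list = field(default_factory=list)  # seen on the wire, not in inventory
    missing: list = field(default_factory=list)  # in inventory, never seen
    drift: list = field(default_factory=list)    # (asset_id, inventoried ip, observed ip)
    coverage: float = 0.0                        # share of inventory confirmed on the wire


def reconcile(inventory, observed) -> Reconciliation:
    """Match sensor observations to inventory by hardware address."""
    result = Reconciliation()
    by_mac = {norm_mac(a["mac"]): a for a in inventory}
    seen = set()
    for dev in observed:
        mac = norm_mac(dev["mac"])
        asset = by_mac.get(mac)
        if asset is None:
            # Unknown device: the gap the article warns about. It needs an owner
            # (or removal) before any control can be said to cover it.
            result.unknown.append({"mac": mac, "ip": dev["ip"], "sensor": dev["sensor"]})
            continue
        seen.add(mac)
        if asset["ip"] != dev["ip"]:
            result.drift.append((asset["asset_id"], asset["ip"], dev["ip"]))
    for mac, asset in by_mac.items():
        if mac not in seen:
            result.missing.append(asset["asset_id"])
    result.coverage = len(seen) / len(by_mac) if by_mac else 1.0
    return result


# Constructed sample inventory (what the CMDB says the utility owns).
INVENTORY = [
    {"asset_id": "RTU-0017", "mac": "00:11:22:33:44:01", "ip": "10.20.1.17", "zone": "substation-A"},
    {"asset_id": "HMI-0003", "mac": "00-11-22-33-44-02", "ip": "10.20.1.30", "zone": "substation-A"},
    {"asset_id": "PLC-0042", "mac": "00:11:22:33:44:03", "ip": "10.20.2.42", "zone": "substation-B"},
]

# Constructed sample sensor output (what was actually seen on the OT network).
OBSERVED = [
    {"mac": "00:11:22:33:44:01", "ip": "10.20.1.17", "sensor": "sub-A-span"},
    {"mac": "00:11:22:33:44:02", "ip": "10.20.1.31", "sensor": "sub-A-span"},  # address changed
    {"mac": "00:11:22:33:44:99", "ip": "10.20.1.88", "sensor": "sub-A-span"},  # nobody owns this
]

if __name__ == "__main__":
    r = reconcile(INVENTORY, OBSERVED)
    print(f"coverage of inventory confirmed on the wire: {r.coverage:.0%}")
    print("unknown devices:", r.unknown)
    print("inventoried but never seen:", r.missing)
    print("address drift:", r.drift)
```

Run regularly, the three lists become work queues: unknown devices get an owner or get disconnected, never-seen assets get confirmed or retired, and drift gets the inventory corrected, which is how a program moves toward the full coverage the article calls for.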
Managing Supply Chain Risk
So where does this leave the industry going forward with regard to cybersecurity? CIP-013-1 will become enforceable in July 2020, which means that energy companies will be required to implement security controls that mitigate supply chain risks. Security controls must mitigate supply chain attacks that can put malware and backdoor access directly onto our sensitive networks.
Supply chain attacks such as these introduce serious concerns over devices and equipment and overall supply chain risk management. Supply chain cybersecurity requirements, mature supplier management and patch management are recommended steps that can mitigate threats inherent in manufactured systems.
But when it comes to ensuring supply chain risk management, security-in-depth is the best practice that should be applied. Know your manufacturer. Know (and ensure security is part of) the manufacturing process. On the spectrum of supply chain security, the safest manufacturing practices leverage trusted foundries with complete control over the manufacturing process and chain-of-custody controls. On the opposite (and most dangerous) end of the spectrum, equipment is manufactured overseas in unknown factories, using unknown chipsets and unknown firmware. This untrusted equipment often is assembled piecemeal, with parts coming from everywhere, running software over which the buyer has no visibility or control.
This frequently is the case when operational technology (OT) equipment is bought off a department store shelf, or worse, from a foreign super-discount internet site that may sell counterfeit OT devices. Such untrusted devices introduce risks of malware when connected to sensitive networks. The middle of the spectrum (and most practical) is to use well-known and trusted suppliers who abide by published and auditable supply chain security programs. Best-of-brand OT suppliers have established physical security at all facilities, logical security for production systems, production certifications, a strict scrap handling process that prevents counterfeiting of protection labels, and security technology such as smart chips and security labels that prevent unauthorized tampering.
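One concrete chain-of-custody control for the firmware side of this spectrum, as an added example that is not part of the original article: the supplier publishes a manifest of SHA-256 hashes for each firmware component and authenticates it, and the utility verifies the manifest before verifying any component received through a distributor. Here the manifest authentication is an HMAC under a key assumed to have been exchanged with the supplier out of band, standing in for the digital signature a real vendor program would use; the component bytes, file names, manifest and key are all constructed.

```python
"""Verify a firmware shipment against the supplier's authenticated manifest (constructed example)."""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Authentication tag over the canonical JSON form of the manifest."""
    payload = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_shipment(received: dict, manifest: dict, tag: str, key: bytes):
    """Return (ok, findings) for a shipment of {filename: bytes}.

    The manifest is checked before any component, because hashes taken from an
    unauthenticated manifest prove nothing about what the supplier actually built.
    """
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return False, ["manifest: authentication failed; its hashes cannot be trusted"]
    findings = []
    for name, expected in manifest.items():
        if name not in received:
            findings.append(f"missing: {name}")
        elif not hmac.compare_digest(sha256_hex(received[name]), expected):
            findings.append(f"tampered: {name}")
    for name in received:
        if name not in manifest:
            findings.append(f"unexpected: {name}")  # unlisted component: never install
    return not findings, findings


# Constructed: the components as the supplier built them ...
GENUINE = {
    "bootloader.bin": b"BOOT-v1.2-constructed-sample",
    "app.bin": b"APP-v4.0-constructed-sample",
    "config.bin": b"CFG-default-constructed-sample",
}
# ... and the manifest plus key assumed to have been obtained out of band.
MANIFEST_KEY = b"constructed-demo-key-established-out-of-band"
MANIFEST = {name: sha256_hex(data) for name, data in GENUINE.items()}
MANIFEST_TAG = sign_manifest(MANIFEST, MANIFEST_KEY)


def tampered_shipment() -> dict:
    """Constructed: what might arrive through an untrusted distributor."""
    shipment = dict(GENUINE)
    shipment["app.bin"] = b"APP-v4.0-modified-in-transit"
    shipment["extra.bin"] = b"unlisted-component"
    del shipment["config.bin"]
    return shipment


if __name__ == "__main__":
    print(verify_shipment(GENUINE, MANIFEST, MANIFEST_TAG, MANIFEST_KEY))
    print(verify_shipment(tampered_shipment(), MANIFEST, MANIFEST_TAG, MANIFEST_KEY))
```

A shipment that is missing a listed component, carries an unlisted one, or contains a modified image fails closed, and a distributor who alters the manifest to match altered images cannot produce a valid tag without the supplier's key, which is the property that makes the check a chain-of-custody control rather than a simple checksum.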
Joe Zhou is senior managing director at Black & Veatch management consulting, where he leads the Business, Technology and Architecture Offering group that includes security and resiliency, asset management and analytics to provide innovative and insightful consulting services to asset-intensive industries, such as power, oil and gas, and water. Zhou has more than 25 years of experience enabling business transformations through the use of digital technologies and leading business practices.