By Joe Zhou
As advanced technologies and new opportunities continue to improve operational efficiency, productivity and resiliency across the electric utility sector, utility leaders are growing increasingly aware that heightened opportunity brings heightened risk, particularly when increased connectivity through the digitization of operational devices brings new vulnerabilities into play.
As we are continually enabled and spurred by new levels of digitalization and the Internet of Things (IoT), utility cybersecurity postures are coming under intense scrutiny from security professionals, regulators, the federal government and utilities themselves, who have seen firsthand how pervasive, and how crippling, a power grid hack can be. The December 2015 attack on Ukraine's power grid is still fresh in the minds of utility cybersecurity professionals: attackers who had gained remote access to the control systems of three regional distribution companies opened breakers at about 30 substations and left roughly 230,000 customers without power for several hours. A U.S. power grid attack scenario no longer seems far-fetched.
Considering observable threat-analysis trends, U.S. industry professionals expect cyberattacks to increase in number, frequency and sophistication. Criminal actors and malign anonymous groups will continue to develop cyberweapons capable of disrupting operations, damaging equipment and compromising sensitive data. In fact, a 2018 study by professional services firm KPMG found that nearly half of power and utility executives (48 percent) consider a U.S. power grid attack inevitable.
It’s no surprise that utility leaders view cybersecurity processes, procedures, governance, technology and overall threat management as a top industry concern. When respondents were polled on the most challenging issues facing electric utilities today, cybersecurity ranked third, behind aging infrastructure and an aging workforce, according to Black & Veatch’s 2019 Strategic Directions: Electric Report survey of the North American power industry.
Utility leaders understand they are at a crossroads as they work to balance technological opportunity with safety and security, and they are willing to put capital behind that effort. As utilities become more consumer-centric and the IoT becomes the norm for customer engagement and interaction, 92 percent of survey respondents said they plan to invest in strengthening the security of their data and internal systems to prevent a power grid hack.
Utility Cybersecurity’s Weakest Link
With most electricity providers managing their security needs in-house, it’s no surprise that respondents identified security education and training as the number one need for managing organizational cybersecurity and physical security.
Implementing security education and training also helps bring utilities into compliance with the North American Electric Reliability Corporation (NERC) critical infrastructure protection (CIP) personnel and training standard, CIP-004, which requires electric utilities to maintain security awareness and cybersecurity training programs that help mitigate human error and prevent a power grid hack.
Education and training mitigate human error, which is the weakest link in the utility cybersecurity chain. Taking steps to prevent employee mistakes is a critical element in preventing a U.S. power grid attack. For example, phishing emails, messages crafted to look as though they come from a legitimate organization in order to steal credentials or deliver malware, remain a scourge to cybersecurity teams everywhere. The advice is simple enough: employees should not open untrusted emails or click on untrusted links.
In practice this remains a significant challenge: even when people are educated on the risks of phishing, some continue to click unsafe links. Our most advanced threat models for energy and utility cybersecurity therefore assume that a small portion of the population will always click. IT professionals must deploy back-end email protection that rewrites, disables or removes unsafe links before a message reaches the inbox, so that the inevitable human error does not become a compromise.
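One form such back-end protection takes is to inspect every anchor in an inbound HTML message before delivery. The following Python is an added example written for this page, not code from the article or from Black & Veatch; the allow-listed hosts (`example-utility.com`) and the sample message are constructed. It flags anchors whose visible text is a URL pointing at a different host than the actual target, anchors with non-web schemes such as `javascript:`, and anchors to hosts outside the allow list, and rewrites them as non-clickable, defanged text.

```python
"""Back-end link protection for inbound HTML email (added example).

Constructed sample data; this is not code from the original article or from
Black & Veatch. It shows two checks that mail gateways apply before a message
reaches the inbox:
  1. the visible link text looks like a URL but points at a different host
     (the classic credential-phishing lure), and
  2. the target host is not on the organization's allow list, or the href
     uses a non-web scheme such as javascript: or data:.
Flagged anchors are replaced with non-clickable, defanged text so the user
cannot click through even if they are fooled by the message.
"""
import re
from html import escape
from urllib.parse import urlparse

# Assumed allow list of hosts the utility actually sends links to.
TRUSTED_HOSTS = {"www.example-utility.com", "portal.example-utility.com"}

ANCHOR_RE = re.compile(
    r'<a\b[^>]*?\bhref\s*=\s*["\']([^"\']*)["\'][^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
# Visible text that reads like a URL: optional scheme, dotted host, optional path.
URL_TEXT_RE = re.compile(
    r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$", re.I)


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url.strip()).hostname or "").lower()


def classify(href: str, visible_text: str):
    """Return None if the link may stay clickable, else a reason string."""
    scheme = urlparse(href.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "non-web scheme"
    target_host = host_of(href)
    if URL_TEXT_RE.match(visible_text):
        shown = visible_text if "://" in visible_text else "http://" + visible_text
        shown_host = host_of(shown)
        if shown_host != target_host:
            return f"display host {shown_host} != target host {target_host}"
    if target_host not in TRUSTED_HOSTS:
        return f"untrusted host {target_host}"
    return None


def defang(url: str) -> str:
    """Render a URL so mail clients will not auto-link it."""
    return url.replace("http", "hxxp").replace(".", "[.]")


def neutralize_links(body: str):
    """Rewrite suspicious anchors in an HTML body.

    Returns (rewritten_html, findings) where findings is a list of
    (href, reason) tuples for every anchor that was neutralized.
    """
    findings = []

    def replace(match):
        href, inner = match.group(1), match.group(2)
        text = TAG_RE.sub("", inner).strip()
        reason = classify(href, text)
        if reason is None:
            return match.group(0)          # legitimate link: leave untouched
        findings.append((href, reason))
        return (f'<span class="blocked-link">{escape(text)} '
                f'[link removed: {escape(defang(href))}]</span>')

    return ANCHOR_RE.sub(replace, body), findings


# Constructed sample message: one legitimate link and three phishing patterns.
SAMPLE_HTML = """<html><body>
<p>Your account needs attention.</p>
<p><a href="https://portal.example-utility.com/login">Sign in to the portal</a></p>
<p><a href="http://portal.example-utility.com.evil.example/reset">https://portal.example-utility.com/reset</a></p>
<p><a href="javascript:alert(1)">View invoice</a></p>
<p><a href="https://cdn.some-tracker.example/x">Unsubscribe</a></p>
</body></html>"""

if __name__ == "__main__":
    cleaned, found = neutralize_links(SAMPLE_HTML)
    for href, reason in found:
        print(f"blocked {defang(href)}: {reason}")
    print(cleaned)
```

Production gateways do the same work over a real HTML parser and usually rewrite links through a click-time scanning proxy rather than stripping them outright; the point here is that the host-mismatch and scheme checks run on the server, where a tired employee's judgement is not in the loop.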
Managing security products and platforms was identified as the second most important critical infrastructure protection need from our survey of cybersecurity for energy and utilities. From there, survey respondents prioritized endpoint management (mobile devices, PCs, laptops, etc.); vulnerabilities management; retaining cybersecurity talent; maintaining compliance with NERC-CIP requirements; defining and implementing cybersecurity policies, guidelines and procedures; identity management; and access management. Justifying budgets and investments was the final priority identified by respondents.
Access Control Remains a Major Vulnerability
According to survey data, nearly one-third of respondents named access control as the largest vulnerability in both the cybersecurity of utility systems and the physical security of utility premises.
There are two types of access control:
1) Physical access, or the act of physically letting someone into the facility, which is typically governed by background checks, risk assessments and permissions-based badging; and
2) Logical access, which grants permissions-based access to remote and networked systems and is controlled through per-user authentication, two-factor authentication and, increasingly, biometrics.
From there, respondents prioritized risk assessment, identification and authorization, incident response and contingency planning, asset management and configuration management. Surprisingly, respondents ranked asset management fifth on the list, yet it is one of the most critical infrastructure protection points: organizations cannot protect what they don’t know they have. Asset management is a prerequisite for a holistic utility cybersecurity program; every other control, from patching to access management, is only as complete as the inventory it is applied to. We see utilities starting to build comprehensive operational technology (OT) cybersecurity enhancement programs that complement and strengthen the defensive capabilities of OT systems, and asset management is foundational to ensuring 100 percent coverage and compliance.
Managing Supply Chain Risk
So where does this leave the industry going forward with regard to critical infrastructure protection? CIP-013-1 becomes enforceable in July 2020, which means that energy companies will be required to implement security controls that mitigate supply chain risks, including supply chain attacks that can place malware or backdoor access directly on sensitive networks.
Attacks of this kind raise serious concerns about devices, equipment and overall supply chain risk management in energy and utility cybersecurity. Supply chain cybersecurity requirements for vendors, mature supplier management and disciplined patch management are recommended steps that mitigate the threats inherent in manufactured systems and help prevent a widespread U.S. power grid attack.
When it comes to supply chain risk management, defense-in-depth is the best practice to apply. Know your manufacturer. Know the manufacturing process and ensure that security is part of it. On the spectrum of supply chain security, the safest manufacturing practices use trusted foundries with complete control over the manufacturing process and chain-of-custody controls. At the opposite (and most dangerous) end of the spectrum, equipment is manufactured overseas in unknown factories, using unknown chipsets and unknown firmware. Such untrusted equipment is often assembled piecemeal, with parts sourced from everywhere, running software over which the buyer has no visibility or control.
This is frequently the case when OT equipment is bought off a department store shelf or, worse, from a foreign super-discount internet site that may sell counterfeit OT devices. Such untrusted devices introduce the risk of malware when connected to sensitive networks. The middle of the spectrum (and the most practical approach) is to use well-known, trusted suppliers who abide by published and auditable supply chain security programs. Best-of-breed OT suppliers have established physical security at all facilities, logical security for production systems, production certifications, a strict scrap-handling process that keeps discarded parts and protection labels out of counterfeiters’ hands, and security technology such as smart chips and tamper-evident security labels that reveal unauthorized modification.
Joe Zhou is senior managing director at Black & Veatch management consulting, where he leads the Business, Technology and Architecture Offering group that includes security and resiliency, asset management and analytics to provide innovative and insightful consulting services to asset-intensive industries, such as power, oil and gas, and water. Zhou has more than 25 years of experience enabling business transformations through the use of digital technologies and leading business practices.