The seemingly endless headlines detailing the latest cyber-attacks are putting pressure on utility executives to act now. On the line - threats to consumer and shareholder confidence from prolonged service disruptions as well as poor financial performance from costly repairs to operations and reputation resulting from a cyber-attack.
Figure 1: Cyber Incidents Growing in Complexity and Severity
Deepening the malaise, the analysis of the second cyber-attack (dubbed Industroyer or CrashOverride) on the Ukraine Power System, confirms a shift to open market development of malware that will dramatically increase the variety and volume of cyberattacks. According to the Dragos MIMICS project, there are now a dozen active malware agents targeted at industrial control systems.
NERC CIP Regulations have perhaps yielded short-term success in keeping utilities safe from a major attack. However, most requirements have primarily driven compliance-orientated activities for the Bulk Electric System and will not keep pace with this new diversity of threats. New actors, exploiting new weaknesses, will require the creation of holistic security programs, not point solutions.
To illustrate this further, a hypothetical external threat diagram (below) provides quick insight into the myriad of paths where these malwares could be injected.
It’s clear - today’s real-time utility ecosystems are complex and hard to defend. Utilities must accept the premise that there will be impactful breaches of U.S. critical infrastructure, and that risk to the electric system may be unavoidable. However, mitigating the risk to any single utility is within the control of that utility’s leadership. Consumers, regulators and shareholder expect that their utility will demonstrate a security approach that is as effective as possible in protecting their respective interests against known threats. This is an exercise in classic risk management.
NIST guidelines define risk as ‘’A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.” An effective approach to utility security should therefore be grounded in its potential to programmatically reduce both impact and likelihood.
Operational security is about reducing the likelihood of an attack by keeping the utility’s environment clean through a series of protective measures targeted at stopping the introductions of known threats. The fundamental weakness in most organizations is that they are not practicing operational security (protective measures) well or broad enough. This weakness is now being compounded by the availability of sophisticated malware permitting attackers to use an array of penetration techniques previously thought safe or adequately guarded against.
Using a combination of NIST and CIP controls to provide a baseline is a good starting point. Typical protective measures include whitelists, network monitoring and analytics, patch management, frequent awareness exercises, and strong Identity and Access Management (IAM) governance and practices. However, checklist performance will not be sufficient. To gauge whether likelihood has been reduced, these controls need constant evaluation as to their effectiveness against the evolving and proliferating landscape of both internal and external threats.
Figure 2: Real-time System Threat Diagram
Once the malware is injected, although specialized malware hunting techniques may eventually be required to locate and neutralize the infection, program-based measures should be designed to reduce both the impact (and hence risk) and the spread of the infection. Two key measures are capabilities that detect the malwares’ signatures at the earliest juncture as well as the ability to then isolate the impacted elements.
Early detection is dependent on two concepts:
1) The ability to drive insight into potential mis-operation of control systems and programmable devices through the broadest possible collection and analysis of operations and security data.
2) Frequent assessment of the baseline of what the behavioral norms are for control systems, programmable devices, communications processors, and other connected elements.
Isolation requires the ability to remotely control most, if not all, of the utility’s current control systems and IEDs at all voltage levels to disconnect and reconnect them as needed. Documenting and then testing recovery controls such as isolation are key elements of a holistic security program.
Using the threat diagram as an illustration again, the effectiveness in reducing impact would be determined in two ways:
1) Evaluating the current or anticipated ability to detect known infections in the utility’s substation devices once a disgruntled employee has introduced them from their maintenance laptop
2) Evaluating capability, once the infection has been detected, to isolate that system component.
Malwares and other threats will continue to evolve and the eventual penetration may be unstoppable. Without also evolving their security approach, it is unlikely that utilities can afford to keep up with the pace of new attacks. Therefore, reduction of the effective risk of the success of one of these attacks must be accomplished programmatically. This can be summed up as:
1) Reduce the likelihood of an attack by protecting real-time operations with a program of evolving operational security measures regardless of regulatory imperative. These measures must be targeted at stopping the attack before it starts by focusing on controlling human behaviors.
2) Reduce the impact of an attack by understanding how the various ecosystems work, communicate, and respond in managing real-time operations. With the appropriate collage of data, utilities can determine the state of an imminent or actual attack, and can take measures to quarantine the threat.
3) Maintain a program of frequent threat scenario-based assessments, modelled on the organization’s unique profile of real-time operations.
Through these considerations, a utility can demonstrate that it is appropriately managing the level of cybersecurity risk in a timely fashion. This will provide utility executives, regulators, shareholders, and consumers a considerable degree of comfort in facing today’s cybersecurity threats, including the current malware problem.
About the author: Richard Jones, vice president of grid security at BRIDGE Energy Group, is a recognized thought leader in Cybersecurity, NERC CIP and general utility regulatory compliance and reporting with over 25 years of energy and utility industry experience providing business, technology and management consulting based services. Prior to joining BRIDGE, Richard held a number of security leadership positions with the Big 5 and industry focused consulting firms.