There’s a good reason why utility executives have for several years rated cyber security as a top issue in polls geared to reveal where our business leaders see challenges. They probably receive routine updates regarding the 50 to 100 phishing emails and other hacking attacks their companies deal with day in and day out. Another cause for angst came to the forefront last month when a major U.S. electric utility was fined US$10 million by the North American Electric Reliability Corporation (NERC) for cybersecurity violations over multiple years related to critical infrastructure assets. This action by NERC could be the battle cry needed by some segments of our industry to take defensive preparations to the next level.
NERC sets and enforces binding critical infrastructure protection (CIP) standards for the bulk power system, including generating stations and transmission and distribution systems. The standards cover physical and cyber security, personnel training, procedures, drills, reporting, system security management, response planning and restoration. The standards have been phased in over time and continue to be expanded. For example, last year we received revisions to NERC CIP-010-02 relating to Transient Cyber Assets such as laptops. The revisions required new action regarding software review, software patches, vulnerability assessments and compliance documentation.
Clear lessons learned from the utility fine include the need to document management engagement, support and accountability to CIP standards; requirements for clear communication regarding programs and procedures; the importance of conducting preparedness drills and consideration of organizational changes such as centralizing CIP compliance oversight. One company suggests that cyber drills, which simulate an attack and use an approved playbook to respond, are as important to a company’s wellbeing as fire drills. In an article drafted months before the fine was announced, WestMonroe Partners advised clients that drills are ineffective if senior executives are not involved (Cyber Drills are the New Fire Drill: Five Mistakes You’re Probably Making Right Now, October 31, 2018). Lack of knowledge and participation at every level of the organization may have contributed to the missteps that occurred within the fined utility.
Those of us not directly involved with cyber security may not appreciate how large this task actually is, and it is growing rapidly. Manual resolution of hacking attempts may require 90 minutes or more of a trained specialist’s time. As noted, most companies see 50 or more invasive attempts per day. And then there are all the prevention, detection and response plans and procedures that companies must prepare and maintain. The tens to hundreds of digital and internet-connected systems in each company can require different management protocols. So while fighting cyber-crime sounds exciting in some respects, and it is, a lot of the effort required to maintain protections and address incidents can be tedious and repetitive. Not surprisingly, it is difficult for management to stay tuned in to every aspect of a company’s cyber security program. Yet it only takes one major breach, or one incident handled or reported incorrectly, to cause a NERC violation or, worse, a major incident.
Now let’s make it more interesting. As utilities become accustomed to using smart grid devices to gather staggering amounts of data on system performance, better understand customer usage patterns and deliver grid-edge services, the challenges posed by the related introduction of tens of millions of new digital access points to the grid every year are mounting. It is not surprising that more and more companies are turning to automation and overarching system orchestration products to help unify legacy security operations. These systems can automatically triage low-level events, research threat intelligence preemptively, respond to attacks in seconds as compared with minutes or hours and consistently organize complex workflows needed for response and reporting. Leidos Cyber suggests that a zero-trust approach is needed to more effectively secure critical infrastructure. Such an approach relies on significantly more network segmentation with intermediate firewalls, access restrictions and gateway monitoring. The company warns that change management is required to effectively institute security systems sophisticated enough to detect and respond to today’s cyber criminals.
The growing threat that ironically shadows the modernization of our grid is not lost on the Federal Energy Regulatory Commission or the U.S. Department of Energy, which have joined forces to co-host a technical conference on ‘Security Investments for Energy Infrastructure’ on March 28 this year. The conference will explore the current threats against electric and gas infrastructure, best practices for mitigation, incentives for investing in physical and cyber security protections and existing cost-recovery practices at the state and federal level.
Every cyber incident experienced by utilities managing critical infrastructure has to be quickly and effectively addressed, knowing that it may represent anything from nuisance mischief to reconnaissance for industrial espionage, an attempt at business disruption or even an attempt to impact operations and cause safety and health damage. And it is sobering to recognize that attacks may be initiated from within, through connections with partners and vendors or from international sources. This is a new era. Everyone from utility technicians working with intelligent electronic devices in the field to members of utility boards of directors communicating over the internet from the board room must be forever diligent.