The electric energy sector is the backbone of the United States and the engine that drives all other critical infrastructure sectors. Every aspect of life is completely dependent on reliable delivery of electricity. The United States ceases to function without electricity. The cornerstone of reliable electric service is the ICS (Industrial Control Systems) that operate the generators and the substations that produce and transmit that power to where it is needed.
Hostile nation states are actively attempting to break into the electric grid and to develop weapons to disrupt or disable those systems. At least one large Asian country has a national goal to develop just such a weapon for both the electric and gas sectors. The war in cyberspace for access to, and the defense of, the grid is underway and has been for many years.
While there are many passionate and hardworking personnel in the U.S. government seeking to protect us, the actual front lines of the ongoing cyber war are the utilities themselves. The cybersecurity, IT and ICS engineering teams are, in effect, the protectors of the way of life we have all grown accustomed to. They are the ones with the data, the tools and the ability to defend the U.S. from hostile adversaries. It is in those ICS systems that robust and ever-evolving cyber defense must be a priority.
The Threat Is Real … The cyber war is underway. While each of the hostile nations has its own way of prosecuting the war, “shots” are fired at the speed of light and on an almost continual basis. They are aimed directly at utilities. Most utilities, especially those in geographically important areas of the country, are attacked billions of times every month, receive hundreds of thousands of phishing attempts, and face tens of thousands of targeted, methodical attempts to exploit vulnerabilities.
The Threat Is Growing … Computers have become more powerful and cheaper. An increasing number of personnel are trained in cyber skills. Tensions among nations are rising. All of that has led to a proliferation of attacks. The pandemic has added to it, with most workforces being remote. The infrastructure that controls remote access is a tempting target.
Compliance Is Not Sufficient … One of the tools the utility industry has is regulation such as NERC CIP. While regulations do provide a baseline set of security controls, they are not sufficient in and of themselves. For one, hostile nation states know those requirements and their limits. Thus, they can and will work around those limits to launch attacks. Additionally, regulations change slowly in a world where attack methods can literally change overnight. Third, compliance is paperwork-heavy. That paperwork pulls people away from the act of defending the grid and places them in the role of collecting paper to show compliance.
Cybersecurity In ICS Systems Can Be A Tough Sell … One of the hallmarks of the utility industry is the incredibly smart, passionate engineers who manage the ICS systems. They often are the smartest people in the room, and they often have a horror story of an attempt to “help” them that caused an issue for their system. That can breed a culture of “not in my backyard” and limit the willingness to allow the true cybersecurity experts to partner with them to add layers of defense.
The most common statement I hear is “but I have a firewall.” Every want-to-be-king who ever built a castle said the same thing, until someone came along and went over, under or through their wall and took over their castle. Walls are necessary. Walls are insufficient.
The Challenge of Security Can Be Conquered … Solutions take time and money, but there are many positive steps that can be taken to improve security in the ICS space. Some recommendations include:
- Top-down support and leadership from the board and CEOs that sets companywide expectations.
- Empowering an executive and their team to own the governance and oversight of all things cyber and physical.
- Combining security into that single organization with joint incident response and practiced command and control in those situations.
- Implementing a set of minimum cyber and physical standards for all of your ICS environments.
- Employing ICS cybersecurity experts to interface between IT and ICS personnel. Maintaining good working relationships is key to the success of the ICS cybersecurity program.
- Building an insider threat program that monitors critical roles and critical systems for abnormal behavior. Humans are your weakest link.
- Having a threat intelligence function that is seeking classified and unclassified sources of intel to guide your program. Public bulletins are weeks or even months behind the threat.
- Actively trying to break into your own systems using qualified penetration testers. If they can think of it, hostile nation states have already tried it.
- Ensuring that remote access to ICS environments requires multi-factor authentication: something you know (username and password) plus something you have (token or mobile device).
- Conducting phishing simulations and holding personnel accountable for the results. Nearly every major attack you can think of started with a phishing email.
There is a cyber war underway. Utilities are on the front lines of that war. The old-school mentality that a wall will protect you is obsolete. ICS systems need to be vigorously defended. Engage with your cybersecurity and IT departments, as well as your trusted vendors, and explore evolving layers of defense. As strong as you believe your current controls are, you ARE vulnerable.
Sean Stalzer is director of Cybersecurity for Dominion Energy.