GlobalSign Blog

13 Mar 2018

Securing Energy IT Networks for a More Reliable Grid

Much of the talk around energy grid security tends to focus on protecting power generators, substations, and utility control panels, given that the stakes of an Operational Technology (OT) breach could be devastatingly high in terms of grid reliability, resiliency and safety. However, the reality for most conventional energy industrial control systems is that the majority of power generation and transmission systems are segregated from IT networks and largely offline, which has produced a fairly healthy track record of warding off attacks.

What doesn’t share the same limelight is how IT network breaches impact grid provider Service Level Agreements (SLAs), workforce productivity and possible loss of enterprise and customer data.

This point was recently illuminated when US Fortune 500 energy provider Entergy discovered malware on its corporate network. Like many energy companies, Entergy is bombarded with network threats from a variety of sources. As the Idaho National Laboratory’s August 2016 report, ‘Cyber Threat and Vulnerability Analysis of the US Electric Sector’, notes: “there have been no reported targeted cyber-attacks carried out against utilities in the US that have resulted in permanent or long term damage to power system operations thus far, yet electric utilities throughout the US have seen a steady rise in cyber and physical security-related events that continue to raise concern.”

The malware detection within the Entergy network prompted a Mid-West Independent System Operator (ISO) to raise its threat level and limit Entergy’s access to the ISO’s network for a short period while systems were scanned, malware removed and networks deemed clean. Although, according to Entergy, the incident did not result in loss of customer, employee or operational data, it serves as a reminder to all energy IT and CISO personnel that IT breaches can have very real consequences for service levels and for compliance around data protection.

Phishing Is a Leading Attack Vector

Most corporate network attacks start with a phishing email that lures an unsuspecting staff member into clicking a link that triggers malware, or into handing over confidential information or access credentials that are later used to continue the network infiltration.

Yes, we’ve come a long way in recognizing a phony email, but attackers in many state-sponsored campaigns are also making significant headway in crafting very legitimate-looking messages, often targeted at unsuspecting control engineers and masquerading as familiar emails from payroll, IT or HR department personnel.

Of course, cybersecurity training for staff must continue; however, energy owners and operators must also equip staff with tools that make it easy to recognize phony emails and malicious sites, since these serve as the initial threat vectors for the spread of malware and the loss of confidential data.

One such tool is the tried and true practice of digitally signing email to and from both internal and external grid participants – employees, contractors, regulators, etc. Digitally signing email messages is an easy and scalable way for recipients to quickly ascertain whether a message originates from a trusted source.

(Image: example of a digitally signed email showing the sender’s verified identity)

Having the certificates needed to sign digitally issued from a trusted source provides the foundation for a trustworthy user experience. So what exactly is a trusted source? There are two distinct and effective approaches:

  1. Rely on a trusted third-party Certificate Authority: no distribution of trust anchors is needed, and mature audits are in place to comply with strict root program requirements.
  2. Rely on your own private root of trust by issuing email signing certificates to staff, contractors, and members of your closed community from a certificate hierarchy dedicated to your organization.

As with most IT implementations, there are trade-offs with both approaches, namely in how certificates are provisioned and how trust is established. Here are some guidelines:

Publicly Trusted

  Ideal for secure messages among:
  • Energy Market Participants
  • Regulators
  • Supply chain members
  • Energy industry consortium members
  • Intercompany staff members
  • Contractors with company email

  How to provision and manage:
  • External members “Bring your own cert”
  • Internal staff through a pre-verified Organization profile
  • Automate through Active Directory Policy

  Considerations:
  • No trust anchor pre-configuration required

Privately Trusted

  Ideal for secure messages among:
  • Intercompany staff members
  • Contractors with company email

  How to provision and manage:
  • Automate through Active Directory Policy

  Considerations:
  • Private trust anchor provisioned through AD as policy
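The following is an added example, not code from GlobalSign or from this post, that shows the practical difference between the two trust models on the recipient side. It assumes the Python `cryptography` library and uses a constructed organisation name and mailbox; the signature over the message body is a raw RSA PKCS#1 v1.5 signature standing in for a full S/MIME (CMS SignedData) structure, but the certificate-chain checks that decide whether the sender is a verified identity are the same ones a mail client performs. The private root only makes a signed message trustworthy for a recipient who has that root installed as a trust anchor (the AD-policy case in the table); an external party without it, an impostor CA with a look-alike name, and a tampered body are all rejected.

```python
# Added example (not GlobalSign's code): private email root of trust, one issued
# S/MIME-style signing certificate, and the recipient-side verification that only
# accepts a message when the sender's certificate chains to a configured anchor.
# Simplification: raw RSA PKCS#1 v1.5 over the body instead of CMS SignedData.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_private_root(cn):
    """Self-signed CA certificate: the organisation's own trust anchor."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.now(timezone.utc) - timedelta(minutes=1)
    cert = (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(_name(cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_email_cert(ca_key, ca_cert, email):
    """End-entity certificate bound to one mailbox (SAN rfc822Name, EKU emailProtection)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.now(timezone.utc) - timedelta(minutes=1)
    cert = (x509.CertificateBuilder()
            .subject_name(_name(email)).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(email)]), critical=False)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.EMAIL_PROTECTION]), critical=False)
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def sign_message(key, body):
    return key.sign(body, padding.PKCS1v15(), hashes.SHA256())


def _validity(cert):
    # cryptography >= 42 exposes timezone-aware *_utc properties; older releases only naive ones
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc, datetime.now(timezone.utc)
    return cert.not_valid_before, cert.not_valid_after, datetime.utcnow()


def verify_message(body, signature, sender_cert, from_addr, trust_anchors):
    """Return (ok, reason); ok is True only when every check passes."""
    anchors = [a for a in trust_anchors if a.subject == sender_cert.issuer]
    if not anchors:
        return False, "issuer is not a configured trust anchor"
    try:  # the anchor's key, not the issuer name, proves who issued the certificate
        anchors[0].public_key().verify(sender_cert.signature, sender_cert.tbs_certificate_bytes,
                                       padding.PKCS1v15(), sender_cert.signature_hash_algorithm)
    except InvalidSignature:
        return False, "certificate was not issued by the claimed anchor"
    nvb, nva, now = _validity(sender_cert)
    if not nvb <= now <= nva:
        return False, "certificate outside its validity period"
    ext = sender_cert.extensions
    if ExtendedKeyUsageOID.EMAIL_PROTECTION not in ext.get_extension_for_class(x509.ExtendedKeyUsage).value:
        return False, "certificate not authorised for email protection"
    san = ext.get_extension_for_class(x509.SubjectAlternativeName).value
    if from_addr not in san.get_values_for_type(x509.RFC822Name):
        return False, "From: address does not match the certificate"
    try:
        sender_cert.public_key().verify(signature, body, padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        return False, "message body was altered or signed with another key"
    return True, "signed by a verified identity"


def demo():
    """Constructed scenario: a utility's private root, one engineer, one impostor CA."""
    root_key, root_cert = make_private_root("Utility Private Email Root (example)")
    eng_key, eng_cert = issue_email_cert(root_key, root_cert, "engineer@utility.example")
    body = b"Please approve the updated relay settings before Friday."
    sig = sign_message(eng_key, body)
    results = {}
    # Internal recipient: anchor pushed by AD policy, so the signature verifies.
    results["internal"] = verify_message(body, sig, eng_cert, "engineer@utility.example", [root_cert])
    # External regulator without the private anchor: the same mail cannot be trusted.
    results["external_no_anchor"] = verify_message(body, sig, eng_cert, "engineer@utility.example", [])
    # Impostor CA using the same display name and issuing a look-alike certificate.
    fake_key, fake_root = make_private_root("Utility Private Email Root (example)")
    fake_eng_key, fake_cert = issue_email_cert(fake_key, fake_root, "engineer@utility.example")
    results["impostor_ca"] = verify_message(body, sign_message(fake_eng_key, body), fake_cert,
                                           "engineer@utility.example", [root_cert])
    # Tampered body: the signature no longer matches.
    results["tampered"] = verify_message(body + b" Skip the review.", sig, eng_cert,
                                         "engineer@utility.example", [root_cert])
    return results


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:20s} {'TRUSTED' if ok else 'REJECTED':9s} {reason}")
```

The "external_no_anchor" case is exactly the trade-off in the table: a privately issued certificate is only as useful as the distribution of its trust anchor, which is why public trust suits regulators and market participants while private trust suits a closed community whose anchor can be pushed by Active Directory policy.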

Either way, GlobalSign can help with cloud services that remove the complexities of managing PKI while being configured in a manner that meets grid-specific policy preferences.

Have questions about digitally signing emails? Learn more about digitally signing and encrypting with S/MIME in our white paper or contact us with specific questions.
