Would you believe me if I told you that grid providers are being hacked every day? It’s true, but most of these attacks are unsuccessful because a large number of major electric systems are either off-line or reachable only over private networks (i.e. not run over the internet). That is changing: the shift toward a more connected and digitized electrical grid has brought with it new security vulnerabilities.
For example, Apple recently said that weakening iPhone security could make the power grid more hackable. A few months ago there was the outage in Ukraine, believed to be the first known instance of power stations being disabled by hackers. And closer to home, an AP investigation revealed that cyber attackers had opened a pathway into networks running the US power grid.
So, what can the electric sector do to increase cybersecurity to avoid an attack and the associated financial clean-up costs, tarnished reputations, loss of IP and all other consequences that come with it? Here I’d like to offer a list of 10 tips on just how to do that.
1. Baseline Your Cybersecurity Posture
Unfortunately, CISOs at many organizations, grid providers included, don’t have a good sense of their cybersecurity maturity. Baselining one’s cybersecurity posture is essential to determining the gap between where you are and where you need to be. Fortunately, the Department of Energy Office of Electricity Delivery and Energy Reliability has made available the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) to help organizations evaluate, prioritize and improve their cybersecurity capabilities. ES-C2M2 is an excellent self-evaluation tool for any electrical grid provider looking to measure its current cybersecurity capabilities.
2. Set (Realistic) Cybersecurity Goals
The reality is that every aspect of a grid provider’s operation cannot be safeguarded against cyber threats at the same time and to the same assurance level. Therefore, using a risk-based model that examines the impact of a breach, organizations can quickly identify their biggest gaps. NIST’s Cybersecurity Framework is a compilation of existing standards and guidelines that help critical infrastructure operators reduce their cyber risk. Using the concept of Target Profiles, priority decisions are made based on safety and business needs, risk tolerance and resource availability. Ensuring that your limited IT resources plug the most vulnerable holes first improves security and resiliency far more effectively than spreading them evenly.
3. Consider Cloud Options
Small and medium grid participants must face the common reality that little to no cybersecurity expertise resides in-house. Cybersecurity is most likely not one of your core competencies, so budget allocated to outside security providers is money well spent. Given the need for strong authentication based on second factors such as digital certificates, using cloud Certificate Authorities is a good way to increase security without imposing heavy maintenance requirements on already stressed IT departments that don’t necessarily know, or keep up with, best practices around PKI. Additionally, cloud PKI services can lead to quicker implementations, since the heavy infrastructure already exists and grid providers can plug into it easily, often using just a browser.
4. With Security, Compliance will Follow
Yes, the price of non-compliance can be steep; however, organizations caught up in compliance-driven programs that focus on pleasing auditors can end up investing heavily while still operating with a lower than desired cybersecurity posture. Investing in cybersecurity programs that prevent breaches will stop many attacks in their tracks. The cost of cleaning up a security breach can be devastating in terms of financial loss, damaged reputation and safety. The stakes are very high for critical infrastructure industries such as the electric grid, and grid owners and operators should constantly review their cybersecurity program against new and increasingly sophisticated threats.
5. Expect a Breach
Although preventative measures are important, equally critical is how your organization will respond to a breach. In this day and age, one must expect a breach, whether from internal (malicious insiders or operator error) or external (state-sponsored actors, hackers or terrorists) sources. The name of the game is how fast you respond and how quickly you can contain the damage and minimize outages. The best documented business resumption plan won’t provide much value if it has not been dry-run and updated on a regular basis. Don’t invest heavily in a Business Recovery Plan (BRP) just to have it go stale.
6. Think IAM for New Use Cases
Managing who has access to what, and when, isn’t as simple as managing access control lists and Active Directory group membership. IT managers must incorporate more sophisticated methods of detecting unauthorized access attempts. An ever-increasing set of use cases involving external users such as contractors, regulators, market participants and even customers should be addressed by Identity and Access Management (IAM) technology in a way that is secure, agile and automated. Additionally, with mobile and IoT devices in the picture, IAM products must be able to handle multiple authentication methods.
7. Factor in User Experience
User experience is no longer limited to consumer-oriented use cases. Enterprises are now catching on to how good user experience translates into better security, lower costs and increased productivity. Start by replacing cumbersome and easily forgotten password schemes, which often result in costly password resets, with authentication methods such as PKI, biometrics, mobile devices and other approaches that don’t require long, complex and frequently changed passwords.
8. Don’t go it Alone
Leverage government-industry partnerships such as NIST’s National Cybersecurity Center of Excellence (NCCoE) to help jump-start your IAM and situational awareness implementations. NCCoE has a plethora of cybersecurity implementation examples that can help energy organizations of all sizes use proven third-party products to address the Cybersecurity Framework, NERC CIP and other standards and best practices.
9. Build PKI-based Security into IoT Projects at the Ground Level
With billions of interconnected devices expected to come online in support of both the smart grid and smart cities, look at PKI as a viable technology that provides strong authentication, data integrity and encryption at scale.
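To make the PKI roles in tips 3 and 9 concrete, here is an added example (not GlobalSign code, not part of the original post) using only the Go standard library. An in-process self-signed root stands in for the cloud CA; it issues short-lived, client-auth-only certificates to devices, and a collector accepts a telemetry reading only if the device certificate chains to the operator’s own root and the signature covers the exact bytes received. The CA names, device IDs and JSON readings are constructed for the demo; the rejection of a same-named device from an unknown CA and of an altered reading is what the collector-side check is for.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity pairs a certificate with the private key that never leaves its holder.
type Identity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// Issue generates a P-256 key and a certificate for name. With a nil parent the
// result is a self-signed root CA (the role a cloud CA plays in the post);
// otherwise it is a short-lived, client-auth-only device certificate signed by parent.
func Issue(name string, serial int64, parent *Identity) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().AddDate(0, 3, 0), // three months: rotate rather than rely on revocation
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // root CA: long-lived, allowed to sign certificates and nothing else
		tmpl.NotAfter = time.Now().AddDate(10, 0, 0)
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
		parent = &Identity{Cert: tmpl, Key: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Cert, &key.PublicKey, parent.Key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Identity{Cert: cert, Key: key}, nil
}

// SignReading produces a detached ECDSA signature over a telemetry payload.
func SignReading(dev *Identity, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, dev.Key, digest[:])
}

// VerifyReading accepts a reading only if the device certificate chains to a
// trusted root and the signature covers exactly these bytes.
func VerifyReading(cert *x509.Certificate, trusted *x509.CertPool, payload, sig []byte) error {
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("untrusted device certificate: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(payload)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature does not match payload")
	}
	return nil
}

func check(err error) { // setup failures (key generation, signing) are not expected here
	if err != nil {
		panic(err)
	}
}

func main() {
	gridCA, err := Issue("Grid Operator Root CA (constructed)", 1, nil)
	check(err)
	rogueCA, err := Issue("Unknown CA (constructed)", 1, nil)
	check(err)
	meter, err := Issue("meter-0001", 2, gridCA)
	check(err)
	impostor, err := Issue("meter-0001", 3, rogueCA) // same name, untrusted issuer
	check(err)
	trusted := x509.NewCertPool()
	trusted.AddCert(gridCA.Cert) // only the operator's own root is trusted
	reading := []byte(`{"meter":"meter-0001","kwh":12.5}`) // constructed sample telemetry
	sig, err := SignReading(meter, reading)
	check(err)
	fmt.Println("genuine meter:   ", VerifyReading(meter.Cert, trusted, reading, sig))
	fmt.Println("impostor device: ", VerifyReading(impostor.Cert, trusted, reading, sig))
	fmt.Println("tampered reading:", VerifyReading(meter.Cert, trusted, []byte(`{"meter":"meter-0001","kwh":1.5}`), sig))
}
```

Run it with `go run .` and the first check returns `<nil>` while the other two return errors. Two design choices matter at grid scale: the device certificate is restricted by key usage and extended key usage so that a compromised meter key cannot be turned into a signing CA, and its lifetime is short so that fleet-wide re-issuance, rather than revocation lists that constrained devices rarely check, is the main recovery path.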
10. Create User Buy-in
Finally, never underestimate how end users can support or sabotage your network security. Get end-user buy-in on why security matters. Create IT-user partnerships so that users feel part of the security culture. Overly restrictive and burdensome IT security, imposed without explanation or stakeholder feedback, will most likely backfire, with end users “beating the system.”
If you would like to find out more about how GlobalSign can help secure your critical infrastructure, contact us.