Do COTS technologies make you less secure and more vulnerable?

By Evgeny Lebanidze

Though the headline to this article reflects legitimate concerns among power utilities about the cybersecurity capabilities of commercial, off-the-shelf (COTS) technology and COTS’ potential for introducing security vulnerabilities, in my view, the question needs to be restated.

Because power utilities typically do not invent or manufacture their own software, firmware or hardware, most gear they purchase can be defined as COTS. So perhaps a more pertinent question should be: How can power utilities ensure that the COTS technology they're purchasing from a third party will meet their cybersecurity requirements? 

The reality is that power utilities rely on a supply chain inhabited almost exclusively by third-party products. And those vendors have their own supply chains. In spite of this, the ultimate responsibility for the cybersecurity capabilities and vulnerabilities of third-party products—COTS, in most cases—will always rest with the utilities that purchase and implement them. No matter how trusted a vendor or integrator is, a utility itself is ultimately responsible for the reliable, safe and secure operation of its systems since it carries the responsibility to its customers to keep the lights on. 

Therefore, for every piece of software, firmware and hardware the utility must ask specific, probing questions about the product’s cybersecurity-related properties as part of the request for proposal (RFP) process. The chosen products must then be tested prior to implementation to assess their security postures, both individually and within the utility’s overall environment. Further, purchase contracts must specify the utility’s and the vendor’s respective responsibilities post-implementation, such as service level agreements (SLAs) for fixing any identified security weaknesses in third-party products.

But what can power utilities do to increase the chances that third-party products do not undermine the cybersecurity postures of their environments?

Utilities own their cybersecurity

Meeting the cybersecurity challenge starts with an acknowledgement that the utility is responsible for its cybersecurity. Each utility is unique in terms of its security profile, its approach to risk management, its legacy equipment, its financial and customer service priorities, and so forth. Further, there is no such thing as 100 percent security because functionality in many smart grid devices or systems invariably introduces some degree of risk. Thus every utility must determine its own appetite for risk and the level of resources in staff time and money it can expend to balance cybersecurity risk and functionality. This process starts with conducting a comprehensive cybersecurity gap analysis and developing a systematic cybersecurity risk management plan for the utility.

That’s one reason I’ve been involved in U.S. Department of Energy (U.S. DOE) demonstration projects with the National Rural Electric Cooperative Association (NRECA) and its Cooperative Research Network (CRN) and co-authored the “Guide to Developing a Cyber Security and Risk Mitigation Plan,” as well as contributed to the U.S. DOE’s electric subsector cybersecurity capability maturity model (ES-C2M2). 

People, processes and technology

Utilities are well advised to adopt a deliberate, proactive strategy for determining a cybersecurity risk management approach rooted in people, processes and technologies. Though I won’t delve into the topic here, people are usually the weakest link in the security chain. Manipulating people’s behavior may be the easiest and least-expensive vector for adversaries to exploit, thus the importance of appropriate hiring and training practices to prevent avoidable mistakes. 

In terms of technology, a utility must determine what cyber and physical assets it needs to protect, the likely impact(s) that could result from compromised security, and the measures and costs involved in securing those assets and recovering from cybersecurity incidents. Some questions to ask: What are the organization’s real assets in need of protection? What are the impacts to those assets, to customers, to operations and the business if a successful attack occurs? What will it take to protect those assets from a people, processes and technology perspective?

Templates developed for NRECA’s guide provide best practices to help utilities develop a useful approach to answer these questions and develop their own cybersecurity plan. (See box for a description of the guide’s contents.) 

Asking the right questions

In taking responsibility for its own cybersecurity, a utility should determine how COTS technology impacts its cybersecurity posture. This means making cybersecurity concerns part of every step in the procurement process that begins with RFPs for COTS technology and extends to asking the right questions of prospective vendors, evaluating the answers, testing to confirm the cybersecurity properties and performance of COTS products, and continuously reviewing systemwide cybersecurity plans, capabilities and vulnerabilities. 

Take a smart meter, for instance. What makes it “smart” is the software/firmware on the device. The utility should ask questions, such as: When that software was being built, did the vendor have secure software development lifecycle (SDLC) touch points within their development lifecycle? Did the vendor think about security requirements? Did the vendor think about the threat model? Did the vendor have the right controls as part of their software design? When the vendor wrote code for that specific application, did it follow secure coding best practices? Did the vendor conduct code secure reviews or security testing? Secure software is a result of a secure SDLC and, as such, these types of questions are illuminating.

These questions are just an example of the granular, methodical questioning incumbent on utilities to ask well in advance of testing and, certainly, a purchase. Different COTS technologies require a different set of questions, but you get the idea.

Interoperability and plug-and-play

While any utility can follow the NRECA guide as a step-by-step means to achieve cybersecurity for COTS as well as across the entire OT and IT environments, it’s useful to consider certain concepts and their relationships. 

For instance, interoperability and cybersecurity may be viewed as two sides of the same coin. On one side, devices and systems must interoperate for full functionality and value creation. That means that utilities may be more inclined to choose products for their interoperability rather than security qualities. This may be problematic since systems are only as secure as their weakest link. So there’s a tension inherent between cybersecurity and interoperability. The tendency of humans faced with decisions on complex systems is to go with interoperability; sometimes it’s a simple business case decision. That’s not necessarily wrong, as long as a conscious decision is made, well-informed by consideration of the balance between cost and risk. 

In a similar vein, COTS technology and plug-and-play capabilities are not synonymous. While utilities use COTS, they require deployment services, which often involve substantial integration work. Especially on the OT side of the grid, utilities must acquire COTS devices and systems, but very little is plug-and-play.

Cyber and physical security, hand-in-hand

It’s important to remember that the electric grid is a cyber-physical system. This needs to be taken into account in any cybersecurity approach. The basic premise is that once an adversary has physical access to a system, the game is over for cybersecurity. The good news is that utilities have long experience with physically securing their field assets and the dropping cost of sensors and surveillance technologies has potentially increased their monitoring and detection capabilities. That said, the remote access enabled via various smart grid technologies that are part of the modern grid may enable adversaries to exert control over the grid’s physical assets without ever getting physically close to them. 

The post-deployment environment

Cybersecurity is a process that never ends. As the NRECA guide states, it is “a commitment to a process of continuous improvement.” That includes review and revision of policies and practices that apply to people, processes and, yes, COTS technology. A utility must constantly re-evaluate and improve its cybersecurity controls and practices in order to keep pace with internal utility changes and external threat landscape changes. 

Utilities must accept that cybersecurity is like everything else they do: The work never stops. The digital era and the smart grid have brought many new capabilities, technologies and benefits to the power industry and its customers, and part of the bargain is the increased importance of cybersecurity. Ultimately, the utility must maximize the benefits and minimize the risks of any COTS technologies that it implements. 

Evgeny Lebanidze currently serves as the development team lead on a U.S. DOE/NRECA project aimed at developing solutions for improving electric coop’s security capabilities to manage and monitor their operational networks. He is a managing consultant at Cigital, a member company of the IEEE Computer Society Center for Secure Design, where he leads the firm’s energy sector security practice.

NRECA’s “Guide to Developing a Cyber Security and Risk Mitigation Plan” can be accessed at www.smartgrid.gov. Written for cooperative power utilities, it can be used by any utility. As the guide states, “The basic concept is not ‘do this and you are secure,’ but a commitment to a process of continuous improvement.” The guide provides insights on:
* Building a risk management program
* Addressing people and policy risks
* Addressing process risks
* Addressing technology risks
* Unique security requirements and controls for each smart grid activity type