
Insider Threats and Zero Trust – Possibilities for Utility OT Cyber Security

Zero trust has been getting more attention in the past year, but that attention is almost entirely focused on IT cyber security.  What about the mission-critical operational technology (OT) infrastructure in utilities?  Can zero trust concepts be applied successfully to industrial control system (ICS) environments?  EPRI offers a qualified yes, with the caveat that the supporting research is still in progress.

The zero trust approach may work well to reduce risk from insider threats, which are cited as a growing cyber security risk to utilities.  An insider threat originates from people inside an organization: current and former employees, contractors, and vendors who have or had access to security practices, data, and IT and/or OT systems.  Insider threats are not addressed by the traditional perimeter defense concept.  At its essence, a perimeter defense is designed to keep intruders outside; in cyber security, that means outside of utility networks.  An insider is already inside, and a credentialed user on an approved network segment looks legitimate to perimeter controls no matter what they do next.

Zero trust is a defensive cyber security concept that focuses on data and asset security inside an organization.  It presumes that the perimeter is already breached.  Zero trust can be summed up as: never trust, always verify every user and device on a network.  The National Institute of Standards and Technology (NIST) draft special publication on zero trust architecture (SP 800-207) offers this definition: "… a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan."

The EPRI definition of zero trust is tailored for utility OT environments.  Zero trust is a concept of continuous identity authentication and activity authorization, based on the identity of the entity (a user or device) and the context of the activity.  Each request is decided on its own merits rather than on where in the network it originates.  In mission-critical OT environments, product and process data must be protected from alteration to avoid performance disruptions in OT assets and their data networks.

EPRI posits that zero trust policies can improve detection of lateral movement by insiders within security perimeters, because trust is reassigned to the data and entity levels: every access to an asset is authorized and logged, so unauthorized probing leaves a trail even when the source is "inside".  The Ukraine utility cyber attack in 2015 began as an external threat that managed to defeat perimeter defenses.  Forensic analyses determined that the attackers were actively embedded inside the utilities' networks for months without detection before they acted on the OT systems.  A zero trust architecture may be useful to lessen attacker dwell time within networks.
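To make the two preceding ideas concrete (per-request authorization on identity plus context, and lateral-movement detection falling out of the resulting decision log), here is a toy policy decision point for an OT network.  It is an added example written for this page; it is not EPRI's code, not taken from any utility, and the roles, zones, asset names, session limits and the sample requests are all constructed for illustration.  Every decision is evaluated per request: a stale session must re-authenticate, an unmanaged device is refused, the (role, asset, action) tuple must appear in the explicit policy, the source zone must match, and state-changing actions require MFA.  A principal whose denied requests fan out across several distinct assets is flagged as a lateral-movement suspect, even though every request came from an approved jump host "inside" the perimeter.

```python
"""Toy zero trust policy decision point for a utility OT network.

Added example for illustration only (not EPRI's or any vendor's code).
Roles, zones, assets, thresholds and sample requests are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Protect surface: (role, asset, action) -> zones the request may come from.
# Anything not listed is denied (default deny, no implicit network trust).
POLICY: Dict[Tuple[str, str, str], Set[str]] = {
    ("ops_engineer", "plc-feeder-12", "read"): {"eng-zone"},
    ("ops_engineer", "plc-feeder-12", "write_setpoint"): {"eng-zone"},
    ("vendor_tech", "rtu-substation-a", "read"): {"vendor-jump"},
    ("scada_hmi", "plc-feeder-12", "read"): {"control-zone"},
}

MANAGED_DEVICES = {"ews-01", "hmi-03", "vjump-02"}  # posture-attested endpoints
MAX_SESSION_AGE_S = 300  # continuous authentication: re-verify every 5 minutes


@dataclass(frozen=True)
class Request:
    user: str        # principal (person or service account)
    role: str        # role bound to the authenticated identity
    device: str      # device the request originates from
    zone: str        # network zone of the source (context, not trust)
    asset: str       # target OT asset
    action: str      # what is being attempted on the asset
    auth_age_s: int  # seconds since the identity was last verified
    mfa: bool        # whether a second factor was presented for this action


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def decide(req: Request) -> Decision:
    """Authorize one request on identity plus context; never on location alone."""
    if req.auth_age_s > MAX_SESSION_AGE_S:
        return Decision(False, "reauth_required")      # stale session
    if req.device not in MANAGED_DEVICES:
        return Decision(False, "unmanaged_device")     # posture check failed
    zones = POLICY.get((req.role, req.asset, req.action))
    if zones is None:
        return Decision(False, "no_policy")            # default deny
    if req.zone not in zones:
        return Decision(False, "wrong_zone")           # context mismatch
    if req.action.startswith("write") and not req.mfa:
        return Decision(False, "mfa_required")         # step-up for changes
    return Decision(True, "ok")


def flag_lateral_movement(requests: List[Request], min_assets: int = 3) -> Set[str]:
    """Return principals whose policy denials span >= min_assets distinct assets.

    One denial is a typo; denials across many assets look like probing.
    The threshold is an assumption and should be tuned per site.
    """
    denied_assets: Dict[str, Set[str]] = defaultdict(set)
    for r in requests:
        d = decide(r)
        if not d.allow and d.reason in ("no_policy", "wrong_zone"):
            denied_assets[r.user].add(r.asset)
    return {u for u, assets in denied_assets.items() if len(assets) >= min_assets}


# Constructed sample traffic: a legitimate engineer, a vendor account that
# drifts beyond its contracted asset, a BYOD laptop, and a stale session.
SAMPLE_REQUESTS = [
    Request("a.lee", "ops_engineer", "ews-01", "eng-zone", "plc-feeder-12", "read", 30, False),
    Request("a.lee", "ops_engineer", "ews-01", "eng-zone", "plc-feeder-12", "write_setpoint", 30, True),
    Request("v.okafor", "vendor_tech", "vjump-02", "vendor-jump", "rtu-substation-a", "read", 60, False),
    Request("v.okafor", "vendor_tech", "vjump-02", "vendor-jump", "plc-feeder-12", "read", 61, False),
    Request("v.okafor", "vendor_tech", "vjump-02", "vendor-jump", "plc-feeder-13", "read", 62, False),
    Request("v.okafor", "vendor_tech", "vjump-02", "vendor-jump", "historian-01", "read", 63, False),
    Request("a.lee", "ops_engineer", "laptop-byod", "eng-zone", "plc-feeder-12", "read", 30, False),
    Request("a.lee", "ops_engineer", "ews-01", "eng-zone", "plc-feeder-12", "read", 900, False),
    Request("a.lee", "ops_engineer", "ews-01", "eng-zone", "plc-feeder-12", "write_setpoint", 30, False),
]


def evaluate_all(requests: List[Request]) -> List[Tuple[str, str, str, str]]:
    """Decision log: (user, asset, action, reason) per request."""
    return [(r.user, r.asset, r.action, decide(r).reason) for r in requests]


if __name__ == "__main__":
    for row in evaluate_all(SAMPLE_REQUESTS):
        print(row)
    print("lateral movement suspects:", flag_lateral_movement(SAMPLE_REQUESTS))
```

Note that the vendor's first request is allowed and the next three are denied with `no_policy`: a perimeter model would have seen four reads from an approved jump host and nothing else.  In a real deployment the policy table would be derived from asset inventory and role definitions, device posture would come from an attestation or EDR source rather than a static set, and the decision log would feed the SOC rather than a print loop.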

There’s another reason to consider the zero trust concept for utilities.  It’s challenging to model and manage a secure perimeter when cyber risk assessments may include distributed energy resource (DER) aggregations managed by third parties in web- or cloud-based systems.  Instead of attempting to continuously expand secure perimeters as grid edge attack surfaces grow, a zero trust approach identifies the data, devices, applications, and systems that must be protected and applies controls at those points.

There are two clear conclusions that utilities can draw.  First, continuing to conduct cyber security operations on a traditional perimeter model will produce diminishing returns as perimeters change.  Second, insider threats are a growing concern for utilities and other organizations, and any cyber security framework that helps address that concern should be examined for its value to utility OT operations.  Zero trust is a paradigm shift that fundamentally changes a utility’s cyber security architecture from the traditional perimeter model.  EPRI’s OT cyber security research team is laying the groundwork to address some of the questions posed above and to help utilities understand the benefits and costs of adopting this model to secure mission-critical operations.

Posted by Christine Hertzog

Discussions

Matt Chester on Jun 18, 2020 12:14 pm GMT

There’s another reason to consider the zero trust concept for utilities.  It’s challenging to model and manage a secure perimeter when cyber risk assessments may include DER aggregations managed by third parties in web- or cloud-based systems. Instead of attempting to continuously expand secure perimeters as grid edge attack surfaces grow, a zero trust approach identifies the data, devices, applications, and systems that must be protected. 

This part makes a lot of sense-- the utilities of the future will presumably continue to include more third parties like this, especially as the role of the 'pro-sumer' and small scale generators tapping into the grid both expand. Will zero trust make it more difficult for these new actors to get into the grid, though?

Karen Marcus on Jun 26, 2020 4:08 pm GMT

Thanks for this post, Christine - very interesting. I'm curious as to what steps utilities would need to take to adopt zero trust policies. How would current operations need to change and what new methods, technologies, or professional expertise would be required? 

Christine Hertzog on Jun 26, 2020 10:38 pm GMT

Current operations at utilities are based on the traditional perimeter defense approach.  EPRI believes there's a significant amount of work to adopting this new concept and architecture.  The extent and scope of those changes are research questions.
