Show Don't Tell: Four Ways to Address Cyber Risks to Energy SystemsPosted to Guidehouse in the Digital Utility Group
image credit: Photo 75209037 © Leowolfert | Dreamstime.com
- May 17, 2021 10:45 pm GMTMay 17, 2021 10:41 pm GMT
- 752 views
On April 20, the Biden administration introduced a 100-day plan to address cybersecurity risks to the US electric system, seeking to coordinate incentives and initiatives across government, academia, and industry. With more planning than action, the announcement includes enhanced cybersecurity goals and promotes concrete milestones for developing situational awareness and response capabilities. The May 8 ransomware attack on the Colonial Pipeline Company and the increase in ransomware attacks are catalyzing concern across the energy industry. As cyber risks to the industry continue to gain attention, new emphasis is being placed on the security of operational technology (OT) and industrial control systems (ICS). More importantly, the plan is a move to secure energy systems that provide electricity to other critical infrastructure including hospitals, finance, and transportation.
The Landscape: A Complex Energy Tapestry
The grid in the US is a diverse ecosystem of investor-owned, privately owned, and cooperative utilities responsible for distributing electricity. Depending on the business model, each segment has divergent state and federal rules, regulations, and oversight. Bulk power systems made up of generation and transmission systems are federally regulated. Distribution systems, overseen at the state level, are adopting new technologies and connecting distributed energy resources and energy storage technologies to their networks. Each of these grid segments have existing vulnerabilities and security challenges with the lack of security regulation for electric distribution of particular concern.
Hardware and software used across the energy industry is susceptible to supply chain attacks planned and executed via purchased and installed equipment and components. Utilities maintain enterprise networks, industrial networks, and increasingly connected devices and third-party software tools. Enterprise IT systems facilitate business functions and applications and form the basis for business-centric operations. Industrial OT systems enable the physical execution of processes and production systems. Securing OT is different in many ways from securing IT, but every organization has to understand risk—a measure of the magnitude of consequences weighed against known threats, vulnerabilities, and costs—to begin to build mature security programs to defend against cyberattacks.
Not a New Problem
The April 2021 plan specifically promotes the adoption of new tools for the “specialized computers” or control systems that operate the grid to “enhance their detection, mitigation and forensic capabilities.” Cybersecurity risk to these systems is not a new phenomenon. In October 2003 testimony before the House Committee on Government Reform, the U.S. Government Accountability Office (GAO) reported, “For several years, security risks have been reported in control systems, upon which many of the nation's critical infrastructures rely to monitor and control sensitive processes and physical functions.” The GAO cited five major drivers:
- Adoption of standardized technologies with well-known vulnerabilities
- Connectivity of control systems to other networks
- Constraints on the use of existing security technologies and practices
- Insecure remote connections
- Widespread availability of technical information about control systems
Each of these drivers continue to exist today, 18 years later, exacerbated by new cyber and supply chain threats, increased data dependency, convergence of IT and OT operations, grid modernization and industrial Internet of Things (IoT), expanded remote access, and externally managed services. These factors combine to multiply the magnitude of risk and potential for cascading or second-order consequences from a major cyber event. While some progress has been made since 2003, especially via the North American Electric Reliability Corporation Critical Infrastructure Protection regulations, there is much more to be done.
A New Approach: Show Don’t Tell
Energy systems will not be secured overnight, and the tools, tactics, and procedures of threat actors will continue to morph. Building a strong cohort of informed and capable leaders is key to strengthening US electric utilities’ ICS and securing the energy sector supply chain. Beyond training and certifications, there are four practical ways to expand this knowledge base:
- Share information on cyber hygiene, attack patterns, and the booming exploit economy: Many utilities are aware of phishing attempts and major risks like ransomware; however, characteristics of experienced attacks are often only disclosed to a handful of trusted parties. Wholesale information sharing on attacks will lead to more informed risk management, highlighting the importance of asset inventory, management, and visibility. Securing systems and networks requires knowledge of what data, devices, and systems exist and where, when, and how they communicate.
Attacks on US energy infrastructure are likely to be precise and specialized. Limited intelligence narrows risk assessments and hampers incident response planning and preparedness. Information on the exploit economy, including the sale of company credentials on the dark web, hacking for hire operations, and insider threats, should be as widely available as advanced persistent threat group intelligence. This information should be digestible for nontechnical audiences. Furthermore, new incentives are needed to subdue the perceived reputational costs and potential compliance fears throughout the energy industry.
- Expand blackstart simulation exercises with the Rapid Attack Detection, Isolation and Characterization Systems (RADICS) program: The Defense Advanced Research Projects Agency (DARPA) launched the RADICS program in 2016 to simulate blackstart recovery of an electric substation given a partial or complete shutdown as a result of a cyberattack. DARPA confirms that “in addition to improving situational awareness, RADICS researchers have developed countermeasures to cyberattacks designed to corrupt configuration files, introduce malicious code in control systems, or perpetrate others types of damage. Among these countermeasures are tools that could automatically map and assess the state and configuration of electrical power networks and detect and characterize power-grid malware.”
Utilities and asset owners should run simulations, including tabletop exercises, that do not affect operations to identify priorities if systems are compromised, such as sufficient access to backups. Many cultural, individual, and process assumptions can be challenged with simulations and exercises. For example, simulations can flesh out the extent to which personnel is prepared to rely on manual processes, who to notify first after an intrusion is identified, and the chain of command for incident response.
- Demonstrate the potential for cascading effects based on interdependence of critical sectors: The Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response January 2021 Blueprint recognizes the potential for national cascading effects from a cyberattack on US energy systems—to national security, public health and safety, and the economy. In 2017, MIT researchers warned that understanding the extent of interdependence on electricity generation for other sectors was limited, but a complete understanding of catastrophic macroeconomic failure is not necessary for industry stakeholders to understand the potential for cascading risks.
Cascading failure examples can be inferred and distilled for stakeholders across the energy industry from the 2015 Business Blackout report on the insurance implications of a cyberattack on the US grid, Sirui Tang’s “Reliability Analysis of Electric Power Systems Considering Cyber Security,” thesis, actuarial science resources such as “An Actuarial Framework of Cyber Risk Management for Power Grids” from the National Science Foundation, and tangentially from data collected when studying how detonating a nuclear weapon impacts infrastructure and the economy. These examples indicate that although the exact formula for widespread disaster might not be available, the variables are well-known.
- Work with equipment manufacturers and systems vendors to connect vulnerabilities to mitigation efforts: The responsibility for securing energy systems has been placed on owners and operators that run systems made up of hundreds of hardware and software products from multiple companies and vendors. These products have proprietary vendor code and specific data protocols for communication and operation. They sometimes run applications embedded by the producer and unknown to the end user. They are surrounded by additional products bordering the enterprise—for example, internet application tools for customers to see consumption patterns and pay their bills online. Attackers are increasingly hijacking these tangential products to get inside enterprise networks, though attacks causing physical loss of view or control have been minimal so far.
Vendors need to do a better job explaining the industrial impact of known or discovered vulnerabilities. Leaving system vendors’ responsibilities out of any federal action on cybersecurity for energy systems ignores a major player in the ecosystem. When dealing with federal advisories, lateral logic might still be functional while a web application component of a system is compromised. In an industrial setting, this impact might not have a large effect on operations, safety, or security. A vendor might have advice for mitigation by providing details based on which communications ports are associated with each device. A governmental push for vendors to create reference lists should be a priority to complement advisories and Common Vulnerability Scoring System scores. Operators can look at which systems communicate with each protocol and take this into account for incident response and action.
In the Ransomware and Critical Infrastructure report, Guidehouse Insights discusses the drivers and barriers for implementing intrusion detection systems in ICS environments to enhance detection, mitigation, and forensic capabilities for OT.