In November, Colorado cooperative Delta-Montrose Electric Association (DMEA) was the victim of a "malicious" cyberattack. It left a mark. DMEA couldn’t process payments and its billing capabilities were hampered. While a data breach of sensitive information did not occur, there was “a significant data loss.”
A month later, members were still unable to pay their bills. Progress finally came on the payments front when DMEA began processing them again in February. But remember that it took three months for that to occur.
Following the incident, the National Rural Electric Cooperative Association (NRECA) said it is working with the federal government and electric cooperatives to "provide cybersecurity training, help co-ops modernize their systems and use technology to stay ahead of the curve."
All critical infrastructure is in the firing line
Image Credit: GlobalSign
Of course, it’s not just the electric grid that is being targeted. Whether it’s a city’s water supply, a major oil and gas pipeline or oil transport and storage companies, no one is immune. All critical infrastructure is a target.
To help regional electric and gas utility providers and all critical infrastructure players, the U.S. Cybersecurity & Infrastructure Security Agency, better known as CISA, is doing its level best to keep up with the latest threats. In advance of the Russia-Ukraine crisis, in early February the agency issued guidance for critical infrastructure organizations with instructions to prepare for and mitigate foreign influence operations. CISA has also issued a warning this year regarding the Log4j vulnerability and the impact it could have on critical infrastructure providers.
Both NIST and NERC play important roles in ensuring the security of critical infrastructure facilities.
The NIST Cybersecurity Framework was created for all organizations deemed critical infrastructure to our nation. It provides a framework for organizations to baseline their current cybersecurity posture against their desired maturity state. The framework is not prescriptive in nature; it is a guide for an organization's self-assessment against a desired outcome. The assessment is performed across five functions (Identify, Protect, Detect, Respond and Recover) and surfaces gaps, but it does not describe how to close them.
By contrast, since 2008 the North American Electric Reliability Corporation (NERC) has provided Critical Infrastructure Protection (CIP) rules specifically to address the unique security needs of the North American Bulk Electric System (BES), with the vast majority of the requirements addressing cybersecurity. NERC CIP spells out, in greater detail and depending on the BES asset classification, how safeguards should be implemented. In all cases, BES providers governed by NERC CIP must comply with the requirements.
Combined, the NIST framework and NERC CIP requirements can and should work hand in hand. Mappings between the NIST Cybersecurity Framework and NERC CIP for utility companies exist today and help simplify the process. One example of how NERC specifies the "how" for a NIST Framework function is remote access. NIST simply states that users and devices are authenticated using a method commensurate with the risk of the transaction, whereas NERC specifies the organizational, operational and procedural controls required for the BES classification; in this case, multi-factor authentication is specifically required to secure all interactive remote access sessions.
Phishing is Getting Worse
As many know, phishing is one of the top ways that cyber criminals wreak havoc. They do so by sending fraudulent emails with the goal of tricking the recipient into sharing personal information, such as passwords and credit card numbers, or into spreading malware or ransomware.
According to Spanning (a division of Kaseya) and Cisco's 2021 Cybersecurity Threat Trends report, about 90% of data breaches occur due to phishing. Proofpoint's 2022 State of the Phish report found that 83% of organizations reported experiencing a successful email-based phishing attack in 2021, versus 57% in 2020. In addition, 86% of organizations faced bulk phishing attacks last year, up from 77% the year before. BEC attacks and spear phishing attacks also increased in 2021.
Securing your regional grid
With so many bad actors, cybersecurity can no longer be a second thought. When you look at the devastation that can be wrought, you have to think – we can’t let that happen to us.
But regional electric providers are likely on a smaller budget, and do not have the resources, nor the cyber expertise, of larger organizations such as ISOs and RTOs. What to do? Look to SaaS technology providers that can help protect your organization without breaking the bank.
Five steps towards increased cybersecurity protection while resource constrained
To protect your organization's digital assets, inside and outside your protected network, in transit and at rest, from loss or breach, work with PKI SaaS providers that offer easy-to-use, cost-effective and highly reliable cybersecurity solutions. These mitigate the hacks that often lead to service disruptions, costly forensics and regulatory fines. PKI governs how digital certificates are issued and used to protect sensitive data, identify users and "things", and provide secure transmission using encryption.
- To limit the spread of malware through phishing attacks, sign email with a certificate from a trusted CA. A valid digital signature gives recipients, especially those outside your domain, assurance of who sent the message; a missing or invalid signature is a flag to seek IT advice before clicking on any links.
- Use Certificate Authorities that understand the unique security and regulatory needs of the electric industry. Whether operating in energy generation, transmission or the broker/market segments, be sure you are using North American Energy Standards Board (NAESB)-compliant digital certificates, enabling compliance and security officers to easily issue and manage certificates that authorize internal and external users.
- Don't trust downloads unless they have been digitally signed (even internally) using a trusted code signing certificate. Downloading apparently harmless applications and executables from externally or internally hosted sites is asking for trouble if the code hasn't been signed with a trusted code signing or extended validation code signing certificate that identifies the publisher of the software. In other words, only download files from software publishers through trusted sources.
- Meet CIP-005-5 (Cyber Security, Electronic Security Perimeter(s)), Part 2.3, Interactive Remote Access Management, which applies to High and Medium Impact BES Cyber Systems and their associated PCAs (Protected Cyber Assets), using PKI. Digital certificates are a highly scalable way to meet the multi-factor authentication requirement for all interactive remote access sessions. Utilities can leverage Active Directory to automate the full life cycle of a variety of certificate types for users, frictionlessly, using AD's silent installation of certificates. By using a SaaS Certificate Authority, the complexities of key management can be offloaded while the utility retains full control of user identity and access policies.
- Future-proof your smart grid. As more grid systems are IP-connected to insecure networks, secure those devices with machine certificates that protect your private data in transit over TLS (SSL) sessions.
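The signed-email and signed-download points above come down to the same check: the signature must verify, and the signer must chain to a CA the organization trusts. The following script is an added example, not GlobalSign's code or a NAESB-accredited service. It builds a throwaway CA (standing in for a trusted CA), issues one signing certificate, and then shows what a mail client or an endpoint should conclude for a genuine message, a tampered message, a genuine installer, a modified installer, and an installer signed by a self-signed "publisher" nobody trusts. The CA name, the user identity, the message body and the installer bytes are all constructed for the example; it assumes an `openssl` command line of version 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not GlobalSign's code): a throwaway CA stands in for a trusted CA.
# It issues one signing certificate; we then ask what a recipient or endpoint should ask:
# does the signature verify, and does the signer chain to a CA we trust?
set -eu

# Run a command silently; only its exit status matters here.
quiet() { "$@" >/dev/null 2>&1; }
# Print 1 when a verification command succeeds, 0 when it fails.
verdict() { if quiet "$@"; then echo 1; else echo 0; fi; }

setup_pki() {
    # Constructed CA; in practice this is the trusted CA's root/intermediate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Co-op Trusted CA" -keyout ca.key -out ca.pem 2>/dev/null
    # End-entity certificate for a constructed user who signs mail and releases software.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=ops@coop.example" -keyout user.key -out user.csr 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=emailProtection,codeSigning\n' > user.ext
    openssl x509 -req -in user.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 30 -extfile user.ext -out user.pem 2>/dev/null
    # A self-signed certificate that no trusted CA vouches for.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Rogue Publisher" -keyout rogue.key -out rogue.pem 2>/dev/null
}

# Runs in a subshell so the temporary directory and cwd change do not leak out.
demo() (
    work=$(mktemp -d)
    cd "$work"
    setup_pki

    # --- Signed email (S/MIME, clear-signed) ---
    printf 'Please move the payment to ACCOUNT-1111 today.\n' > msg.txt   # constructed body
    openssl smime -sign -text -in msg.txt -signer user.pem -inkey user.key \
        -from ops@coop.example -to billing@coop.example -subject "Payment change" \
        -out signed.eml 2>/dev/null
    email_ok=$(verdict openssl smime -verify -in signed.eml -CAfile ca.pem -out /dev/null)
    # Edit the account number in the clear-text body; the signature covers the body.
    sed 's/ACCOUNT-1111/ACCOUNT-9999/' signed.eml > tampered.eml
    email_tampered=$(verdict openssl smime -verify -in tampered.eml -CAfile ca.pem -out /dev/null)

    # --- Signed download (CMS detached signature over a binary) ---
    head -c 4096 /dev/urandom > installer.bin   # stand-in for a real installer
    openssl cms -sign -binary -in installer.bin -signer user.pem -inkey user.key \
        -outform DER -out installer.sig 2>/dev/null
    file_ok=$(verdict openssl cms -verify -binary -inform DER -in installer.sig \
        -content installer.bin -CAfile ca.pem -out /dev/null)
    # One appended byte: the file no longer matches the signature.
    { cat installer.bin; printf 'X'; } > installer-modified.bin
    file_tampered=$(verdict openssl cms -verify -binary -inform DER -in installer.sig \
        -content installer-modified.bin -CAfile ca.pem -out /dev/null)
    # A perfectly valid signature from an untrusted publisher is rejected as well,
    # because the signer does not chain to the CA the verifier trusts.
    openssl cms -sign -binary -in installer.bin -signer rogue.pem -inkey rogue.key \
        -outform DER -out rogue.sig 2>/dev/null
    rogue=$(verdict openssl cms -verify -binary -inform DER -in rogue.sig \
        -content installer.bin -CAfile ca.pem -out /dev/null)

    cd / && rm -rf "$work"
    echo "email_ok=$email_ok email_tampered=$email_tampered file_ok=$file_ok file_tampered=$file_tampered rogue=$rogue"
)

demo
```

Only the two genuine artifacts pass; the tampered message, the modified installer and the rogue-signed installer all fail. The rogue case is the one worth remembering: the signature itself is mathematically fine, so "it is signed" is never enough, and the policy question is always which CAs the verifier has been told to trust. The same single-CA trust anchor (the `-CAfile` argument) is what a NAESB-compliant certificate program or a SaaS CA provides at scale.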
By leveraging a SaaS PKI service, ideally one with NAESB accreditation, multiple use cases can be met under a single platform.