The North American power grid has been called the world’s largest machine and is considered one of the greatest achievements of the 20th century. Composed of millions of miles of transmission lines, generating plants, substations, and innumerable other components, it is an extremely complex system, most of which was built before the Internet era. As the mostly private utilities that own it layer more advanced technology – sensors, remote access, communications – onto old systems, concerns about the effectiveness of cybersecurity measures have taken center stage.
Attacks on the grid
A December 2015 power outage in Ukraine is considered the first significant cyber attack on civil infrastructure. Investigative reports from the SysAdmin, Audit, Network, and Security (SANS) Institute and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) confirm that a sophisticated, multi-pronged attack was set in motion months before the outage.
Researchers determined that a utility employee opened an infected document, allowing malware to install itself on the control systems of several utilities. Simultaneously, denial of service attacks shut down customer call centers, prolonging the outages. Similar malware attacks recurred in January 2016, targeting utilities again, as well as a major Ukrainian airport.
The Ukrainian incident is not unique; U.S. officials claim the same type of attack could exploit vulnerabilities in the United States. Lloyd’s of London claims in its 2015 Business Blackout report that a widespread outage could cause up to $1 trillion of damage, not to mention injury and loss of life. A 2014 report from ICS-CERT indicates that attacks on energy facilities have increased as much as 380% since 2010.
In February, the Obama administration announced the Cybersecurity National Action Plan, which focuses on modernizing federal systems and increasing partnerships with the private sector.
North American Electric Reliability Corp.’s (NERC) Critical Infrastructure Protection (CIP) standards, now in version 5, expand the scope of cyber and physical security measures with which utilities had to prove compliance by an April 1, 2016, deadline. More facilities now fall under the purview of CIP v5, including wind and solar generators that previously weren’t registered with NERC.
As the regulations pile on, power generation companies struggle to sort out what it all means, implement new processes, and prepare for compliance audits. Failure to comply with CIP v5 can result in fines of up to $1 million per violation, per day.
NERC’s CIP v5 is more comprehensive than the previous version, and applies to all bulk electric system (BES) generating facilities. CIP v5 urges utilities to go beyond compliance to address:
- Security awareness
- Physical security
- Remote access connections
- Incident response
Two new standards in CIP v5 specifically address requirements for documenting cybersecurity measures and controls that prevent unauthorized access or changes – CIP-010 (Cybersecurity–Configuration Change Management and Vulnerability Assessments) and CIP-011 (Cybersecurity–Information Protection). To meet these standards, cross-enterprise visibility is needed to demonstrate that the recommended policies and procedures are being created, deployed, monitored, and continuously improved. Working implementations are at the heart of the CIP v5 requirements: written policies alone will not be sufficient for compliance. Procedures and controls have to be in place before an audit, and energy firms will have to prove that they are operational.
Many smaller utilities (co-ops, independent producers, and renewable energy companies) are unprepared to prove compliance with the updated standards, in part because they haven’t fallen under NERC’s domain before. These firms will need to review everything from hiring and training procedures to IT maintenance to data acquisition and industrial control systems (ICS). As wind and solar companies connect to grid infrastructure, hackers could exploit their particular vulnerabilities, possibly using them as a gateway to more widespread attacks.
Larger utilities also face challenges: remote access, mobile devices, and global supply chains all introduce new liabilities. As energy facilities become more connected, risk expands. Risks can be anything from a configuration error to a natural disaster. Probable threats must be identified so that remediation effort can be prioritized and incident response plans created. Data from multiple sources throughout the enterprise must be gathered in a single location accessible to all stakeholders. This is impossible to manage through multiple spreadsheets, software solutions, and processes owned by disparate departments.
Governance, risk management
An integrated approach to compliance, risk management, and IT security is required because cyber-threats, operational risks, and regulatory requirements are increasingly complex and interconnected. Likewise, traditional governance, risk management, and compliance (GRC) technologies are burdensome to implement and manage, and dated solutions can’t be configured to match the new requirements. Manual tracking and reporting processes are prone to error and unlikely to support the required level of protection or compliance evidence.
To become audit-ready, energy businesses require a GRC solution that provides a comprehensive view of enterprise operations and that tracks and manages assets, vendors, incidents, and remediation activities. Disaster recovery and business continuity plans have to be carefully developed, documented, and tested. More employees need to be extensively vetted and trained in security awareness and compliance matters.
These are enormous undertakings to pile on top of an industry already burdened by complex operations and low tolerance for error. Adopting proactive, process-based management of the compliance lifecycle is more cost-effective and enables the business to stay focused on strategic objectives.
With a GRC solution and a common framework in place, data from across the company can be used to link compliance, risk management, and business continuity activities via process and policy. Work in one area is reinforced by related activities in the others, enabling deeper insight into interdependencies. A comprehensive GRC solution should include dependency mapping and a way to tie risks to key assets, so that disaster recovery plans and business impact analyses can be tested and improved based on the results.
Being able to investigate attacks from a unified, cross-functional perspective then helps with effective incident response. CIP v5 requires reporting within an hour of incident recognition as well as thorough reviews of response effectiveness. A GRC platform streamlines incident reporting, turning it into a repeatable process that preserves critical root cause analysis and identifies links to similar incidents. Such integrated, data-driven processes simultaneously fulfill compliance requirements and prevent future attacks.
A full-featured, comprehensive platform that can streamline data collection, policy enforcement, tracking, and reporting activities is essential to cybersecurity programs and regulatory compliance. The enterprise maturity and intelligence that will grow from systematized processes, powerful analytics, and data-driven planning will provide future-facing benefits well beyond compliance and risk management.
Proliferating threats, expanding regulations, and grid modernization efforts have created a perfect storm. Smarter, more connected energy systems are not necessarily safer systems. Utilities will have to build cybersecurity operations that keep up with technological advances and with malicious actors who always seem to have a more powerful exploit kit at the ready. Advanced GRC solutions are essential to build a solid foundation and arm security teams with the agile tools and insights they need to reliably defend and maintain these life-sustaining systems.
About the author: Sam Abadir is the director of product management at LockPath and can be reached at firstname.lastname@example.org.