In the energy sector, security analysts need to recognize unwanted behaviors to best protect these critical infrastructures. Photo courtesy of the Homeland Security Digital Library

The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology is encouraging chief security officers to help address two information technology challenges faced by the energy sector. Feedback on two proposed “use cases” may lead to solutions providing centralized control of access to structures and systems while reducing security blind spots in their operations.

NCCoE works with industry, academic and government experts to create open, standards-based, modular, end-to-end solutions to cybersecurity challenges that are broadly applicable across a sector. The solutions are customizable to the needs of individual businesses, and help them more easily comply with relevant standards and regulations. The work is organized around use cases that describe sector-specific challenges.

“These use cases represent sector-wide cybersecurity challenges that we will address through a collaborative effort among NCCoE, the energy sector and technology partners,” comments Nate Lesser, deputy director of the NCCoE. “Before inviting participation from our technology partners, we seek public input on the use cases to ensure that the resulting solutions are as useful as possible.”

The first use case focuses on energy companies’ need to control physical and logical access to their resources, including buildings, equipment, information technology and industrial control systems. This requires the ability to authenticate identity with a high degree of certainty and to enforce access controls consistently, uniformly and quickly—and across all resources.

The second use case solution would allow security analysts to see operational and information technologies as a cohesive whole, making it easier for them to detect issues that could disrupt services.

Energy companies, as their chief security officers and chief information security officers know, rely on two distinct types of IT systems.

Business enterprise systems run billing, personnel and other enterprise functions while operational systems, which rely heavily on so-called cyber-physical systems, generate, distribute and meter power. While standard IT security solutions are available to protect and monitor enterprise IT, those products are often an imperfect fit for operational technology and may need augmenting to avoid security blind spots.

Security analysts strive to ensure correct behavior in operational technology, identify the connections between IT data and unwanted operational behavior (i.e., disruptions to systems or services to consumers), and improve detection and remediation of those unwanted behaviors. But analysts can only correct what they can actually see. Without proper sensors in place, an analyst might never see an event, either as it happens or after the fact.

Successful solutions would provide blueprints for improving cybersecurity based on standards and best practices to help reduce the probability of attacks or anomalous system behaviors and make them easier to detect, mitigate and investigate after the fact. They would support energy companies’ business needs by reducing risks, system complexity and costs.

Security and SDM readers can view the two proposed use cases at