The electricity sector is in the midst of a fundamental cultural change with respect to cybersecurity. While the electricity sector has been the only critical infrastructure sector that has had mandatory and enforceable cybersecurity standards to date, this minimum level of protection is not enough to battle the continuous onslaught of malicious code and targeted attacks against IT and Industrial Control Systems (ICS). The comprehensive “baseline of security” found within the NERC Critical Infrastructure Protection Standards is necessary to ensure that we are all speaking the same language. These mandatory standards, while minimal, provide awareness and basic security precautions for utilities. However, cybersecurity professionals are hungry for a strategic advantage to battle new denial of service attacks and unauthorized access to systems. Industry has started to focus its efforts on combating the issue head-on through timely cyber threat intelligence. Large utilities with the manpower and resources to address this initiative are changing the security model from reactive to proactive. If you understand your adversaries’ tactics, intent and capabilities, you can develop strategies to combat their attacks and better plan for future threats. Better, more proactive security can be achieved through information sharing agreements and partnerships with other utilities, regulatory agencies and intelligence partners.
The electricity sector, along with other energy sector partners such as the oil and natural gas sector and the chemical sector, are already drowning in cybersecurity information overload. Raw, unfiltered data feeds, typically from third-party companies, provide information regarding harmful IP addresses and other information such as virus or disruptive software installation. This mountain of data, while useful in theory, is oftentimes overwhelming and needlessly sounds alarm bells. Many utilities do not have the dedicated resources to dissect and aggregate this data and are thus unable to react appropriately, or wind up drawing inaccurate conclusions. As a result, the electricity sector is demanding more access from regulators and federal partners to actionable intelligence and threat streams. With this added intelligence, utilities can better pinpoint threats to specific systems and focus efforts on system recovery and restoration. This will undoubtedly drive better, more informed responses to security incidents.
President Barack Obama recently stated that “the country needs to integrate intelligence to combat cyber threats, just as we have done to combat terrorism.” While the United States government has nearly limitless resources and the ability to conduct offensive operations, this statement still rings true for private sector businesses. Near real-time intelligence sharing can enable critical infrastructure owners and operators to block rapidly emerging threats and mitigate targeted attacks against utility infrastructure. The complexity of the cyber operational domain, the speed with which activity and operations take place, and the supposed inherent advantage of the attacker has been discussed among utilities and the NERC Electricity Sector Information Sharing and Analysis Center (ES-ISAC). The ES-ISAC, which establishes situational awareness, incident management and coordination for security events within the electricity sector, has been the prime advocate for the need to feed real-time intelligence updates to stakeholders. By beginning to define the overall environment and the problem set in manageable threat stream products and emphasizing the importance of integrating sound and time-tested intelligence thinking and methodology into the equation, it becomes easier to address the problem. This intelligence is meant to help reduce uncertainty for the decision-maker and prevent surprise.
It is no revelation that the majority of infrastructure in North America is owned and operated by the private sector. Because of this, it is vital that the public and private sectors work together to protect these assets. Over the past few years, the FBI, DHS and the Department of Energy have made considerable strides in improving information sharing and giving classified access to intelligence products such as bulletins, alerts and secret level briefings. These data points have been used to mitigate threats, reduce cyber risk and update internal security policies. Additionally, this data flow has enhanced communications between security teams, management and board members by providing authoritative threat warnings, which ultimately drive better investment strategies by more directly connecting security priorities with business risk management priorities.
Ultimately, information and intelligence sharing is a two-way street. Private sector entities must remove the words “compliance risk” from their lexicon and readily share relevant information as it happens. Nobody knows their systems better than they do. Nobody knows how the world’s largest machine works better than the dedicated engineers within the electricity sector. Thus, cyber alerts coming from utility cybersecurity professionals are imperative to the collaborative exchange process. Concurrently, federal intelligence partners must alert those within the sector who actually have the ability to stop the cyber-bleeding. The electricity sector has been hiring security professionals with military, law enforcement and intelligence backgrounds, so actionable information that has been compiled, analyzed and validated by federal intelligence partners, should be disseminated to the sector for action once available.
Utility CSOs, CISOs and CIOs must continue to raise the cybersecurity intelligence information issue with their state fusion centers, FBI Cyber Watch liaisons and other intelligence professionals within DHS and DOE. A mature cybersecurity program integrates baseline compliance, risk management, trained professionals and the continuous recognition that there’s a threat of compromise. Cyber space is an increasingly attractive hunting ground for criminals, activists and terrorists motivated to make money, gain media attention, or cause disruption to utilities through online attacks. Regardless of motive, advanced cyber threat actors are organized, patient and willing to make significant investments to accomplish their objectives. Threats are varied, often highly complex and continually evolving. Recent reports confirm that cyber-attacks on several multinational energy companies resulted in security breaches long before the victims became aware that their systems had been compromised. Energy companies are attractive targets because they possess valuable proprietary data and intellectual property and a serious breach will most likely be newsworthy. With today’s civilization dependent on interconnected cyber networks to virtually operate many of the critical systems that make our daily lives easier, many criminals, terrorists, or governments will attack those critical systems in order to inflict maximum damage. To battle these threats, the utility industry and government intelligence agencies must act in unison, through a public-private partnership, to stay one step ahead.