Utilities Combat Cyber Threats by Pooling Resources & Best Practices
The critical infrastructure sector is a tempting target, but it has plenty of resilience against attacks.
The size, scope and importance of America’s utility sector make it a tempting target for terrorists looking to wreak havoc or for financial criminals looking to infiltrate and pilfer. But the sector’s scale also means it has the resources to combat these threats, and utilities increasingly have been working together to share cybersecurity best practices as well as breaking information about possible threats.
Broadly speaking, utilities are well aware of the cyber and physical security threats they face and invest heavily in protecting themselves, says Bill Lawrence, senior director of the Electricity Information Sharing and Analysis Center (E-ISAC) at the North American Electric Reliability Corporation (NERC), which has developed industry-wide Critical Infrastructure Protection (CIP) standards for utilities and others in the critical infrastructure sector to follow.
“They want to do it in a risk-aware but also a cost-effective manner,” he says. “We’ve helped to raise the bar from the very large utilities all the way down to the smaller ones. The investments in education, training and technology are huge in the electricity sector. And vendors have responded to that, and there have been more and more specific training opportunities out there that focus on defensive networks. As good as the adversaries are, our team is also getting better.”
NERC uses a variety of tools, activities and strategies to help the nearly 1,900 registered entities that comprise the North American bulk-power system develop dynamic defenses against cyber threats, says Brian Harrell, vice president of security at AlertEnterprise, which assists critical infrastructure companies of various types, and a former director of critical infrastructure protection programs at NERC.
“Because the cyber environment is dynamic, NERC continues to enhance and improve cyber and physical security resources and practices,” he says. “NERC does this in a variety of ways, including developing and enforcing mandatory cybersecurity standards, operating E-ISAC and providing educational opportunities to the industry. NERC has also developed security best practices and guidelines to help industry identify security issues and apply mitigation strategies. NERC hosts events to promote security learning and practices.”
Utility boards of directors need to realize that the regulatory minimum of compliance is not necessarily enough to keep a company and its resources secure, Harrell says. “Risk mitigation through security controls and countermeasures should drive risk down to acceptable levels,” he says. “To tackle increasing data threats, companies need to put cybersecurity at the very heart of the business. In the modern age, information security should be woven into the fiduciary, oversight and risk management purview of the board.”
The Importance of Cyber
An increasing number of utility companies have ramped up their security priorities by hiring a chief security officer to be the chief advocator, prognosticator and crisis manager, Harrell says. “The duties of the CSO have dramatically changed with the introduction of targeting electric infrastructure for attack, the advancement and reliance on cyber systems, and the job of ensuring compliance with the NERC CIP Standards. Likely the biggest responsibility is to create and foster a program that helps manage reputation risk.”
Cybersecurity remains front-and-center in part because it’s murkier and less tangible than physical security, Lawrence says. “If you know there’s a bunch of bad guys zooming around in a van, it’s easy to get your mind around how to protect from that threat,” he says. “Whereas advances in technology are popping up all the time. The wary cybersecurity defender is one that treats their network as if the adversary knows it as well or better than they do. Then it’s up to them to make it difficult to maintain that [attack] foothold over time.”
To help combat these threats, the E-ISAC manages the national Cybersecurity Risk Information Sharing Program (CRISP), a public-private partnership co-funded by the Department of Energy and industry players. The program helps utilities get up to speed on whether and how adversaries are getting into their networks and how to expel or control their activity, says Lawrence, adding that state National Guard units have developed increasing cybersecurity capabilities and can be called upon for assistance.
The utility sector relies extensively on cyber systems to carry out its mission, monitor control systems and remotely access infrastructure, which makes protecting against cyber threats ever more important, Harrell says. Basic “hygiene” like stronger passwords, not using USB drives and increasing awareness of phishing attacks can keep most malware from finding its way into critical systems, he says.
Interdependencies among different types of utilities have meant an increasing need to work together within the sector, Harrell says. “The reliability of the electric industry is increasingly dependent on gas-fired generation and its associated infrastructure,” he says. “Most gas infrastructure is dependent on electricity to operate. Failure in either sector now has potential reliability impacts or cascading effects on the other.”
Top Threats … and Remedies
Nation-states and other potential malicious online actors pose the greatest threat to the power grid itself, says Glenn Haddox, director of cybersecurity and compliance for Southern California Edison. “If you want to do harm to the U.S., turn the power off,” he says. “Our job is to provide safe and reliable power. If an adversary attacks the grid, it not only causes a loss of power but a potential catastrophic loss of data from companies who rely on that electricity to keep their essential systems running. Obviously, the top concern is the possibility of destabilizing the grid as a prelude to a larger attack on the U.S.”
Combating potential attacks against the grid requires intensive technical training of staff, a high level of integration among security systems and technical tools, and close relationships with appropriate federal government authorities, Haddox says. “We scan all the time for threats,” he says. “If anything comes up, we engage instantly. We’re always checking, checking, checking. Our entire defense is based on the fact that they’re going to get in. You always prepare for the ‘probability’ of being breached.”
Next on the list of top concerns for Haddox is cyber criminals breaching internal systems to steal customer data. “Customer data doesn’t exist in the grid. There is no customer data to steal in the grid,” he says. “The thieves who are looking for money or personal data are more interested in our administrative systems. These actors tend to be less sophisticated. The cyber-crime organizations are probably the best in the world at accessing sensitive data, but they still don’t compare to the dedication of a nation-state attacker.”
Keeping out would-be thieves requires “what we refer to as good cyber hygiene – timely software patching, ongoing training and awareness campaigns for anyone who has network access [employees, contractors, third-party vendors], and finally, internal and external audit reviews to make sure we are not missing anything,” he says. “First we control access by protecting passwords and user accounts. Then, we protect against the insider threat to make sure somebody isn’t doing something as an agent for somebody else.”
KS Energy Services, a Midwest underground gas and electric contractor, frequently sees phishing attacks designed to obtain financial or other customer data. This is why, according to Tony Brzoskowski, the Information Technology Director, the company works to encrypt all devices in its buildings and vehicles.
“Loss of data is the number one [concern], whether that be from an attack of some sort or from a third party getting access to the data we keep on our devices as part of the job we go out and perform.”
KS has seen several phishing attempts targeted specifically at administrative and executive staff. This is one reason the IT department has worked so hard to stay on top of any “weak points” in the system; one example is limiting access to only what individual users need and nothing further. Brzoskowski says, “If we see an individual user who would be compromised, [an attacker] would only be able to see things that person has access to.”
The company sends IT representatives around the region to different field offices to present new technologies, discuss changes in cybersecurity, and ensure that personnel are adequately trained.
Southern California Edison recruits college students to be interns in cybersecurity. They receive intense training and real-world experience while SCE finds the next-generation engineers and analysts to keep the department running. The utility spends a great deal of time teaching interns and the rest of the staff cooperative collaboration with other utilities, utility commissions, and the federal government, Haddox says. “The bad guys share really well,” he says. “The good guys need to learn how to share better.”
Cybersecurity at SCE teaches personnel how to keep themselves and their families secure from online threats, such as showing a teenager the dangers of social media or applying safe banking techniques, Haddox says.
“If you understand basic cybersecurity best practices for your personal life, you are in a better position to demonstrate proper cyber-secure behaviors at work,” he says. “Cyber training can be a bit like watching paint dry. However, if we show you how to protect your families from these same tactics – clicking unsecure links, opening unknown attachments or providing personal information to an unsecure site – you are more likely to be diligent about questioning suspicious emails and websites at work. People essentially want to do the right thing, so we arm them with the right tools through our training and awareness programs.”
Aftermath of Ukraine
The hackers who temporarily degraded the power grid in Ukraine in December 2015 and again in December 2016 provided a wakeup call for public and private sector entities, Lawrence says. “Adversaries with a high level of technology capability have created modular malware that has the potential of not only being useful to take down former Soviet Union-style systems like we saw in Ukraine but also European protocols, and we are concerned about the ones we use here in North America,” he says.
But even the Ukraine attack required an enormous effort that only took down a few substations, and then only for about eight hours – and the aftermath provided utilities around the world a case study with which to prepare themselves, Lawrence says. And while the interconnectedness of the North American grid might make it seem like an easy target, the fact that each utility handles security a bit differently makes a mass attack unlikely. “You have to tweak your malware to be sure you are going to get that [disabling] effect on all of those [utilities] to take down that entire area,” he says. “It’s an exponential problem.”
However, any perception that the risks of cyber-attacks on the utility sector are low, because only a few limited attacks have succeeded, should not prompt those in the sector to put their guard down, Harrell says. “The hackers who struck utilities in Ukraine ... weren’t just opportunists who stumbled across the networks and launched an attack to test their abilities,” he says. “The attackers were highly skilled and planned their assault over many months, first doing reconnaissance to study the networks and steal operator credentials, then launching a synchronized attack against operating systems.”
The fact that the electricity sector, along with nuclear, has mandatory cybersecurity standards also has been and will be helpful in ensuring against risks, Lawrence says. “There’s a lot of basic hygiene built in to mitigate risks,” he says. “Even though we’ve been cognizant of ransomware outbreaks, you haven’t seen those, knock on wood, impacting utilities here in the United States, particularly in our sector because of the security measures we’ve put in place.”
NERC also has run the large and growing Grid Security Exercise (GridEx), a sector-wide exercise designed to test the industry’s response readiness to potential incidents. It’s only been run every two years because the public and private partners want to ensure they are able to take time to ramp up any technology or policy changes needed to combat growing threats before they run the next set of tests, Lawrence says.
“We work with industry and government volunteers who devote their time and talent in coming up with really bad scenarios, not only in cyber but also in physical security, to challenge our members and government first responders,” he says. “We’ve seen the number of, I’ll call them overachievers, grow every GridEx. More utilities have taken cybersecurity to heart. … The numbers of overachievers went from a couple handfuls at GridEx 2 [in 2013] to dozens in GridEx 4 [last year].”
NERC and its partners who put together GridEx can customize the severity and quality of scenarios for each participant’s needs, Lawrence says. “We can make it so there are some gaps that allow them to explore their crisis response and recovery procedures,” he says. “Because we don’t tell them how specifically to attack their security procedures, they can challenge their employees to think about where they might not have gone far enough to protect themselves.”
The exercises shine a light on which companies communicate well internally and work together across “silos of excellence” to combat threats – and which ones have more work to do to bring that about, Lawrence says. “The more that they work together in this extreme crisis situation, the more they can handle low-hanging fruit,” he says. “It’s going to be really incumbent for organizations to share, to know when attacks are happening, and to get the word out so everybody is on heightened awareness.” GridEx IV added exercises on significant cross-sector impacts and participation from non-electric organizations, as well.
Southern California Edison participates in GridEx, Haddox says. “GridEx has allowed SCE to see how the federal government and our sister utilities will respond in the wake of a major attack,” Haddox says. “For all to survive, it’s a team effort instead of a solo effort. There’s no winner if even one of us doesn’t survive.”
Utility Physical Security Concerns: Drones, Active Shooter
On the physical security side, utilities’ concerns range from the rise in drone technology to the always scary specter of an active shooter entering their premises.
As drones become cheaper, more common and sturdier, their ability to act as a vehicle to drop an explosive device into a substation or generating plant poses a significant risk, says Brian Harrell, vice president of security for AlertEnterprise and a former director of critical infrastructure at the North American Electric Reliability Corporation (NERC).
“These ‘tools’ could be used to inflict damage on critical infrastructure,” he says. “Utilities have begun to address the potential overhead threat by deploying frequency-jamming systems and detectors. Unfortunately, owners and operators of infrastructure sites don’t own the airspace above, so when a ‘hobbyist’s’ drone is driven into the ground by counter-drone technology, the utility will likely be liable for damages. Utilities should monitor and be mindful of local drone laws and Federal Aviation Administration operator rules.”
Unmanned aerial vehicles are equipped not only to monitor and do reconnaissance but also to actively attack utility facilities, says Bill Lawrence, senior director of the Electricity Information Sharing and Analysis Center (E-ISAC) at NERC. “We’ve had that plugged in for the last two exercise cycles [at NERC’s Grid Security Exercise, or GridEx]. I don’t see that threat going away anytime soon.”
At the Tarrant Regional Water District (TRWD) in the Dallas-Fort Worth area, which serves more than two million people in 11 counties and has 150 miles of pipeline in Fort Worth, Arlington and surrounding areas (but not in Dallas), the most common day-to-day physical security concern is keeping track of third-party companies that have legitimate reasons to enter their properties to monitor meters, says Harry Hatcher, head of physical security for the district.
“We need to have a point of contact to say, ‘Should this gentleman be here? Does he work for you? Can we let him onto the property?’ ” he says.
More broadly speaking, though, TRWD, one of the largest raw water suppliers in Texas, is most concerned about an active shooter threat, whether from an intruder or an insider, Hatcher says, and he and his staff have been working to strengthen partnerships with local police departments and undertaking a security master plan with help from a consultant who has told the district it’s “above par” for water utilities from a technology implementation perspective. “We need to hone in on our operational strategy,” he says.
The district has deployed alarm notifications, standardized chain-link fencing and camera systems, and expects to move into more sophisticated video analytics, Hatcher says. TRWD worked with vendor Genetec to unify access control and closed-circuit television onto a single platform, streamlining security systems for monitoring tasks and notifications and reducing the need for additional training or software down the road.
“We’re currently testing fence detection at the perimeter to see if we can get good alarms vs. false and nuisance alarms,” he says. TRWD has a group of five full-time and five combined part-time and reserve internal law enforcement officers as part of its operations staff. “We’re hoping to grow that for a future proactive strategy, versus reactive for the safety of our employees, but we have to build the support for what we need,” he adds.