
Utilities Combat Cyber Threats by Pooling Resources & Best Practices

The critical infrastructure sector is a tempting target, but it has plenty of resilience against attacks.

Southern California Edison participates in GridEx, a sector-wide exercise designed to test the industry’s response readiness to potential incidents. Photo courtesy of Southern California Edison

April 13, 2018
Ed Finkel
KEYWORDS cyber risk management / Terrorism / utility security

The size, scope and importance of America’s utility sector make it a tempting target for terrorists looking to wreak havoc or for financial criminals looking to infiltrate and pilfer. But the sector’s scale also means it has the resources to combat these threats, and utilities increasingly have been working together to share cybersecurity best practices as well as breaking information about possible threats.

Broadly speaking, utilities are well aware of the cyber and physical security threats they face and invest heavily in protecting themselves, says Bill Lawrence, senior director of the Electricity Information Sharing and Analysis Center (E-ISAC) at the North American Electric Reliability Corporation (NERC), which has developed industry-wide Critical Infrastructure Protection (CIP) standards for utilities and others in the critical infrastructure sector to follow.

“They want to do it in a risk-aware but also a cost-effective manner,” he says. “We’ve helped to raise the bar from the very large utilities all the way down to the smaller ones. The investments in education, training and technology are huge in the electricity sector. And vendors have responded to that, and there have been more and more specific training opportunities out there that focus on defensive networks. As good as the adversaries are, our team is also getting better.”

NERC uses a variety of tools, activities and strategies to help the nearly 1,900 registered entities that comprise the North American bulk-power system develop dynamic defenses against cyber threats, says Brian Harrell, vice president of security at AlertEnterprise, which assists critical infrastructure companies of various types, and a former director of critical infrastructure protection programs at NERC.

“Because the cyber environment is dynamic, NERC continues to enhance and improve cyber and physical security resources and practices,” he says. “NERC does this in a variety of ways, including developing and enforcing mandatory cybersecurity standards, operating E-ISAC and providing educational opportunities to the industry. NERC has also developed security best practices and guidelines to help industry identify security issues and apply mitigation strategies. NERC hosts events to promote security learning and practices.”

Utility boards of directors need to realize that the regulatory minimum of compliance is not necessarily enough to keep a company and its resources secure, Harrell says. “Risk mitigation through security controls and countermeasures should drive risk down to acceptable levels,” he says. “To tackle increasing data threats, companies need to put cybersecurity at the very heart of the business. In the modern age, information security should be woven into the fiduciary, oversight and risk management purview of the board.”

 

The Importance of Cyber

An increasing number of utility companies have ramped up their security priorities by hiring a chief security officer to be the chief advocator, prognosticator and crisis manager, Harrell says. “The duties of the CSO have dramatically changed with the introduction of targeting electric infrastructure for attack, the advancement and reliance on cyber systems, and the job of ensuring compliance with the NERC CIP Standards. Likely the biggest responsibility is to create and foster a program that helps manage reputation risk.”

Southern California Edison monitors operations from its grid control center. Photo courtesy of Southern California Edison

Cybersecurity remains front-and-center in part because it’s murkier and less tangible than physical security, Lawrence says. “If you know there’s a bunch of bad guys zooming around in a van, it’s easy to get your mind around how to protect from that threat,” he says. “Whereas advances in technology are popping up all the time. The wary cybersecurity defender is one that treats their network as if the adversary knows it as well or better than they do. Then it’s up to them to make it difficult to maintain that [attack] foothold over time.”

To help combat these threats, the E-ISAC manages the national Cybersecurity Risk Information Sharing Program (CRISP), a public-private partnership co-funded by the Department of Energy and industry players. The program helps utilities get up to speed on whether and how adversaries are getting into their networks and how to expel or control their activity, says Lawrence, adding that state National Guard units have developed increasing cybersecurity capabilities and can be called upon for assistance.

The utility sector relies extensively on cyber systems to carry out its mission, monitor control systems and remotely access infrastructure, which makes protecting against cyber threats ever more important, Harrell says. Basic “hygiene” like stronger passwords, not using USB drives and increasing awareness of phishing attacks can prevent most malware from finding its way into critical systems, he says.

Interdependencies among different types of utilities have meant an increasing need to work together within the sector, Harrell says. “The reliability of the electric industry is increasingly dependent on gas-fired generation and its associated infrastructure,” he says. “Most gas infrastructure is dependent on electricity to operate. Failure in either sector now has potential reliability impacts or cascading effects on the other.”

 

Top Threats … and Remedies

Nation-states and other potential malicious online actors pose the greatest threat to the power grid itself, says Glenn Haddox, director of cybersecurity and compliance for Southern California Edison. “If you want to do harm to the U.S., turn the power off,” he says. “Our job is to provide safe and reliable power. If an adversary attacks the grid, it not only causes a loss of power but a potential catastrophic loss of data from companies who rely on that electricity to keep their essential systems running. Obviously, the top concern is the possibility of destabilizing the grid as a prelude to a larger attack on the U.S.”

Brian Harrell, vice president of security at AlertEnterprise. Photo courtesy of Brian Harrell

Combating potential attacks against the grid requires intensive technical training of staff, a high level of integration among security systems and technical tools, and close relationships with appropriate federal government authorities, Haddox says. “We scan all the time for threats,” he says. “If anything comes up, we engage instantly. We’re always checking, checking, checking. Our entire defense is based on the fact that they’re going to get in. You always prepare for the ‘probability’ of being breached.”

Next on the list of top concerns for Haddox is cyber criminals breaching internal systems to steal customer data. “Customer data doesn’t exist in the grid. There is no customer data to steal in the grid,” he says. “The thieves who are looking for money or personal data are more interested in our administrative systems. These actors tend to be less sophisticated. The cyber-crime organizations are probably the best in the world at accessing sensitive data, but they still don’t compare to the dedication of a nation-state attacker.”

Keeping out would-be thieves requires “what we refer to as good cyber hygiene – timely software patching, ongoing training and awareness campaigns for anyone who has network access [employees, contractors, third-party vendors], and finally, internal and external audit reviews to make sure we are not missing anything,” he says. “First we control access by protecting passwords and user accounts. Then, we protect against the insider threat to make sure somebody isn’t doing something as an agent for somebody else.”

KS Energy Services, a Midwest underground gas and electric contractor, frequently sees phishing attacks designed to get financial or other customer data. This is why, according to Tony Brzoskowski, the Information Technology Director, they work to encrypt all devices in their buildings and vehicles.

“Loss of data is the number one [concern], whether that be from an attack of some sort or from a third party getting access to the data we keep on our devices as part of the job we go out and perform.”

KS has seen several phishing attempts targeted specifically at administrative and executive staff. This is one reason why the IT department has worked so hard to stay on top of any “weak points” in the system; one example is limiting access to only what individual users need and nothing further. Brzoskowski says, “If we see an individual user who would be compromised, [an attacker] would only be able to see things that person has access to.”

The company sends IT representatives around the region to different field offices to present new technologies, discuss changes in cybersecurity, and ensure that personnel are adequately trained.

Southern California Edison recruits college students to be interns in cybersecurity. They receive intense training and real-world experience while SCE finds the next-generation engineers and analysts to keep the department running. The utility spends a great deal of time teaching interns and the rest of the staff to collaborate with other utilities, utility commissions, and the federal government, Haddox says. “The bad guys share really well,” he says. “The good guys need to learn how to share better.”

Cybersecurity at SCE teaches personnel how to keep themselves and their families secure from online threats, such as showing a teenager the dangers of social media or applying safe banking techniques, Haddox says.

“If you understand basic cybersecurity best practices for your personal life, you are in a better position to demonstrate proper cyber-secure behaviors at work,” he says. “Cyber training can be a bit like watching paint dry. However, if we show you how to protect your families from these same tactics – clicking unsecure links, opening unknown attachments or providing personal information to an unsecure site – you are more likely to be diligent about questioning suspicious emails and websites at work. People essentially want to do the right thing, so we arm them with the right tools through our training and awareness programs.”

 

Aftermath of Ukraine

The hackers who temporarily degraded the power grid in Ukraine in December 2015 and again in December 2016 provided a wake-up call for public and private sector entities, Lawrence says. “Adversaries with a high level of technology capability have created modular malware that has the potential of not only being useful to take down former Soviet Union-style systems like we saw in Ukraine but also European protocols, and we are concerned about the ones we use here in North America,” he says.

Bill Lawrence, senior director of the Electricity Information Sharing and Analysis Center (E-ISAC) at the North American Electric Reliability Corporation (NERC). Photo courtesy of Bill Lawrence

But even the Ukraine attack required an enormous effort and took down only a few substations, and then only for about eight hours – and the aftermath provided utilities around the world a case study with which to prepare themselves, Lawrence says. And while the interconnectedness of the North American grid might make it seem like an easy target, the fact that each utility handles security a bit differently makes a mass attack unlikely. “You have to tweak your malware to be sure you are going to get that [disabling] effect on all of those [utilities] to take down that entire area,” he says. “It’s an exponential problem.”

However, any perception that the risks of cyber-attacks on the utility sector are low, because only a few limited attacks have succeeded, should not prompt those in the sector to let their guard down, Harrell says. “The hackers who struck utilities in Ukraine ... weren’t just opportunists who stumbled across the networks and launched an attack to test their abilities,” he says. “The attackers were highly skilled and planned their assault over many months, first doing reconnaissance to study the networks and steal operator credentials, then launching a synchronized attack against operating systems.”

The fact that the electricity sector, along with nuclear, has mandatory cybersecurity standards also has been and will be helpful in ensuring against risks, Lawrence says. “There’s a lot of basic hygiene built in to mitigate risks,” he says. “Even though we’ve been cognizant of ransomware outbreaks, you haven’t seen those, knock on wood, impacting utilities here in the United States, particularly in our sector because of the security measures we’ve put in place.”

 

GridEx Protects

NERC also has run the large and growing Grid Security Exercise (GridEx), a sector-wide exercise designed to test the industry’s response readiness to potential incidents. It’s only been run every two years because the public and private partners want to ensure they are able to take time to ramp up any technology or policy changes needed to combat growing threats before they run the next set of tests, Lawrence says.

“We work with industry and government volunteers who devote their time and talent in coming up with really bad scenarios, not only in cyber but also in physical security, to challenge our members and government first responders,” he says. “We’ve seen the number of, I’ll call them overachievers, grow every GridEx. More utilities have taken cybersecurity to heart. … The numbers of overachievers went from a couple handfuls at GridEx 2 [in 2013] to dozens in GridEx 4 [last year].”

NERC and its partners who put together GridEx can customize the severity and quality of scenarios for each participant’s needs, Lawrence says. “We can make it so there are some gaps that allow them to explore their crisis response and recovery procedures,” he says. “Because we don’t tell them how specifically to attack their security procedures, they can challenge their employees to think about where they might not have gone far enough to protect themselves.”

The exercises shine a light on which companies communicate well internally and work together across “silos of excellence” to combat threats – and which ones have more work to do to bring that about, Lawrence says. “The more that they work together in this extreme crisis situation, the more they can handle low-hanging fruit,” he says. “It’s going to be really incumbent for organizations to share, to know when attacks are happening, and to get the word out so everybody is on heightened awareness.” GridEx IV added exercises on significant cross-sector impacts and participation from non-electric organizations, as well.

Southern California Edison participates in GridEx. “GridEx has allowed SCE to see how the federal government and our sister utilities will respond in the wake of a major attack,” Haddox says. “For all to survive, it’s a team effort instead of a solo effort. There’s no winner if even one of us doesn’t survive.”

 

Utility Physical Security Concerns: Drones, Active Shooter

On the physical security side, utilities’ concerns range from the rise in drone technology to the always scary specter of an active shooter entering their premises.

As drones become cheaper, more common and sturdier, their ability to act as a vehicle to drop an explosive device into a substation or generating plant poses a significant risk, says Brian Harrell, vice president of security for AlertEnterprise and a former director of critical infrastructure at the North American Electric Reliability Corporation (NERC).

“These ‘tools’ could be used to inflict damage on critical infrastructure,” he says. “Utilities have begun to address the potential overhead threat by deploying frequency-jamming systems and detectors. Unfortunately, owners and operators of infrastructure sites don’t own the airspace above, so when a ‘hobbyist’s’ drone is driven into the ground by counter-drone technology, the utility will likely be liable for damages. Utilities should monitor and be mindful of local drone laws and Federal Aviation Administration operator rules.”

Unmanned aerial vehicles are equipped not only to monitor and do reconnaissance on utilities but also to actively attack them, says Bill Lawrence, senior director of the Electricity Information Sharing and Analysis Center (E-ISAC) at NERC. “We’ve had that plugged in for the last two exercise cycles [at NERC’s Grid Security Exercise, or GridEx]. I don’t see that threat going away anytime soon.”

At the Tarrant Regional Water District (TRWD) in the Dallas-Fort Worth area, which serves more than two million people in 11 counties and has 150 miles of pipeline in Fort Worth, Arlington and surrounding areas (but not in Dallas), the most common day-to-day physical security concern is keeping track of third-party companies that have legitimate reasons to enter their properties to monitor meters, says Harry Hatcher, head of physical security for the district.

“We need to have a point of contact to say, ‘Should this gentleman be here? Does he work for you? Can we let him onto the property?’ ” he says.

More broadly speaking, though, TRWD, one of the largest raw water suppliers in Texas, is most concerned about an active shooter threat, whether from an intruder or an insider, Hatcher says, and he and his staff have been working to strengthen partnerships with local police departments and undertaking a security master plan with help from a consultant who has told the district it’s “above par” for water utilities from a technology implementation perspective. “We need to hone in on our operational strategy,” he says.

The district has employed alarm notification, standardized chain-link wire fencing and camera systems, and expects to move into more sophisticated video analytics, Hatcher says. TRWD worked with vendor Genetec to unify access control and closed circuit television onto a single platform, streamlining security systems to monitor tasks and notifications and reducing the need for additional training or software down the road.

“We’re currently testing fence detection at the perimeter to see if we can get good alarms vs. false and nuisance alarms,” he says. TRWD has a group of five full-time and five combined part-time and reserve internal law enforcement officers as part of its operations staff. “We’re hoping to grow that for a future proactive strategy, versus reactive for the safety of our employees, but we have to build the support for what we need,” he adds.


Ed Finkel is a writer, editor and Web content manager with nearly three decades of professional experience. His areas of concentration include education, health/medical, legal, retail/food business and public policy.
