Compliant Does Not Equal Secure
Takeaways from UTC Reno Put Focus on Utility Vulnerabilities
I had the privilege of attending and speaking at the first North American regional UTC show last week in Reno, Nevada. While there were several themes, the one that seems to finally have made its way to the forefront of everyone’s thoughts is security. ECI has been pushing utility security for years, and not just because we sell a great utility security package. We know from experience how devastating an attack on a utility can be, and we know that many utilities are not fully prepared.
According to the Department of Homeland Security's Industrial Control Systems Computer Emergency Response Team, power and utilities are the most targeted industry. Nearly 70% of all critical infrastructure providers have reported being breached in the last year. Note that this is the number reported breached and does not include any incidents that were undiscovered or unreported. The number that have been targeted is certainly higher.
High-profile attacks like the one in Ukraine at Christmas 2015 get a lot of coverage, but few may recall that the US national press reported widely that a nuclear power plant was “hacked” in July 2017. If you read the details, the only reason the intrusion was discovered was that the software unintentionally caused some anomalous behavior – not because the intrusion was found through any traditional security measures. In that case there was apparently never any real danger of damage to the generation system, but it should still serve as a warning bell.
Perhaps as a result of these reports, or perhaps because cyber security is generally better known, utilities and utility regulators are now spending a lot more time talking about utility security. Last week in Reno no fewer than four of the main presentations focused on or touched on cyber security (as well as physical security). One or two spoke in more detail about the NERC/FERC security regulations that are being put into place for US utilities.
The one statement about security regulations that resonated with me and with other attendees is that compliance with the regulations does not mean that your network is secure. Compliance can be met with some simple firewalls implemented between the IT and OT network. However, the vulnerability of the OT network on its own has been well documented – as has the inability of firewalls to stop man-in-the-middle and many other attack vectors. Regulations take years to be developed, agreed upon, and distributed. The bad guys work much faster than that. So, while compliance with the regulations is absolutely an important step, no one should assume that compliance equals secure.
A complete security solution for a utility network must include three main pillars. First, the integrity of the network must be secure – for both the IT and the OT/SCADA network. The operator must know what’s on the network, must be able to limit access to those elements, and must be able to understand what normal operation looks like so that anomalies can be flagged. Second, attack prevention must be in place. This means firewalls, controlled access, and other traditional security protocols at multiple access points within the network. Finally, the ability to detect real threats from the myriad of security alerts must be implemented. Without some sort of artificial intelligence and data analytics, it would be impossible to dig out the real threats from the thousands of flagged events every day. And, as attacks become more distributed and long-term, this analysis becomes critical to network security. Mere compliance with regulations will not put all three pillars in place.
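To make the first and third pillars concrete, here is an added example (not code from the original article or from any ECI product) that learns an asset inventory and a set of normal conversations from a known-good period, flags flows that deviate from that baseline, and then collapses and ranks the resulting alerts so an analyst sees the few that matter. The device names, flow records and port-to-protocol table are constructed for illustration.

```python
from collections import Counter

# Constructed flow records: (source host, destination host, destination port).
# A real deployment would take these from a SPAN port or flow collector.
BASELINE_FLOWS = [
    ("hmi-01", "plc-01", 502),
    ("hmi-01", "plc-02", 502),
    ("historian", "plc-01", 502),
    ("eng-ws", "plc-02", 44818),
]

NEW_FLOWS = [
    ("hmi-01", "plc-01", 502),        # normal, matches the baseline
    ("laptop-7f", "plc-01", 502),     # unknown asset talking Modbus to a PLC
    ("historian", "plc-02", 22),      # known asset, conversation never seen before
    ("laptop-7f", "plc-01", 502),     # repeat of the first anomaly
]

# Well-known industrial protocol ports; used to raise the severity of an alert.
OT_PORTS = {502: "modbus", 44818: "ethernet/ip", 20000: "dnp3"}


def build_baseline(flows):
    """Pillar one: learn what is on the network and what normal traffic looks like."""
    assets = {host for src, dst, _ in flows for host in (src, dst)}
    conversations = set(flows)
    return assets, conversations


def detect(flows, baseline):
    """Return one alert per flow that deviates from the baseline; normal flows yield nothing."""
    assets, conversations = baseline
    alerts = []
    for src, dst, port in flows:
        if src not in assets or dst not in assets:
            alerts.append(("unknown-asset", src, dst, port))
        elif (src, dst, port) not in conversations:
            alerts.append(("new-conversation", src, dst, port))
    return alerts


def triage(alerts):
    """Pillar three: deduplicate and rank alerts so the analyst sees the real threats first."""
    ranked = []
    for (kind, src, dst, port), count in Counter(alerts).items():
        severity = 2 if kind == "unknown-asset" else 1
        if port in OT_PORTS:
            severity += 1  # an industrial protocol is involved
        ranked.append({"kind": kind, "src": src, "dst": dst, "port": port,
                       "count": count, "severity": severity})
    return sorted(ranked, key=lambda a: (-a["severity"], -a["count"]))
```

Running `triage(detect(NEW_FLOWS, build_baseline(BASELINE_FLOWS)))` turns four flows into two ranked alerts, with the unknown device speaking Modbus to a PLC at the top.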
I always say that any good talk on cyber security starts by scaring the audience and ends by making the audience feel better about the future. There are real threats to the utility networks - that’s the scary part. The good news is that very smart people are coming up with very good ways to ensure that networks are secure. Open systems allow collaboration among many people working on the solution, and the intelligence of the analytics systems gets better every day. Utility networks can absolutely be made very secure. Just don’t assume that compliance with the regulations is the only step in that process.