In the second of our ‘Taming the Big Four’ blog series, which looks at four key challenges facing power distributors, Marco Berger, ECI’s Head of Critical Infrastructure Solutions, unlocks the door on security.
Challenge #2: Security: How Secure Does Secure Have to Be?
Let’s be honest, cyber security, or rather the lack of it, has damaged a fair few corporate reputations. We can each probably think of one or two major breaches in the last few years that have caught the power utilities industry napping. Breaches that, with even a slight shift in thinking or approach, most likely could have been prevented.
Sadly, I have no doubt we’ll see more frequent and sophisticated cyber-attacks in the critical infrastructure sector in the coming years. That’s state sponsored cyber warfare for you – the new weapon of mass destruction.
Two home truths
Before we delve any further into the whys and wherefores of cyber security, I think it’s worth being absolutely honest with you about two things. First, no organization, no network, and no system can be 100% secure. If any so-called ‘experts’ tell you otherwise, bring the conversation to a close quickly and politely show them the door. Second, you need to embrace the idea that there is no let up. For critical infrastructures, cyber security is a never-ending war waged on the battlefield of measure and countermeasure – with no interval, no half-time drinks, and no ‘off’ button.
Now we’ve exploded those two truth bombs, let’s explore why is it that power distributors are more vulnerable to cyber attacks than ever. Understanding the ‘why’ not only helps to put the challenge in context, it also highlights the ‘what’. In other words, the key areas power distributors will need to address to beef up security.
Today, utilities are more vulnerable because there are many more points of entry to the system than ever before. This is largely down to:
1) Distribution – we’ve had a major shift towards more distributed energy resources in the last 10 years. Instead of the uni-directional grid, where power came from a few big generation plants along one highway, we now have an ‘energy cloud’ fed by numerous and various generators (wind, solar, tidal, nuclear, coal and gas). This has created many more points of entry into the grid, and with it, many more points of vulnerability.
2) Smart metering – the business model for utilities companies has changed. In efforts to be more efficient and take the guesswork out of bills, and to offset people generating their own electricity, power distributors are moving to a pay-as-you-use model. This means installing smart meters in homes, buildings and businesses. And each smart meter is another potential entry point a hacker could exploit.
3) Mobility – our cars are no longer disconnected from the world. In-car Internet is a growing trend, as is Wi-Fi and wireless connectivity. And to recharge, electric vehicles need to communicate with the power grid, again creating another point of entry and another potential vulnerability.
Add all these together, and the number of entry points rises rapidly, which in turn is making it more challenging for any utility company to address security properly – at least in the short-term.
The human factor
Look at the statistics and they reveal that 70-80% of breaches are user violations. Whether it’s a disgruntled employee or via theft of user permissions, this is one door every organization is vulnerable to. And it’s fairly easy, with the help of someone on the inside, to breach a network, infect a database or workstation, or pull the plug on the grid.
Also, hackers often rely on an organization’s willingness to put its reputation before anything else. As such, few will admit to a breach publicly, particularly the critical infrastructure sector. Of course in the US, companies are obliged by law to report any cyber breaches to the National Counterintelligence Executive (NCIX) and the EU is on the road to adopting similar laws.
So what can you do about it?
Having a company-wide approach to cyber security is paramount. That means making security everyone’s responsibility with a top-down and bottom-up approach. In fact, cyber security is as much about instilling awareness and good habits in your people as it is about implementing security solutions.
One thing you shouldn’t do is stop any plans you have to modernize your IT and OT infrastructure. Like it or not, IT/OT convergence is happening in critical infrastructures because it makes financial sense to invest in one single platform. Yes, the convergence may increase the risk over yesterday’s segregated systems, but the good news is that today we have the tools to secure your mission critical applications. And as ever, the most vulnerable points remain the end points – router ports, workstations, integrated access device (IADs) – because they are unsecured.
And when it comes to protecting your OT, we believe you can use your communications layer, the backbone all your services and applications run along, to your advantage to improve your security. This layer of the network is often the most vulnerable as it connects the organization to the outside world. More worryingly, it’s also the layer least focused on by most cyber security solutions providers – yet unsurprisingly, the layer most used by cyber criminals.
That’s why a good solution protects you against three types of cyber threat 24/7/365:
- Attacks originating from IT aimed at the OT. So a hacker trying to penetrate the operations technology via a router or workstation.
- Attacks originating in the OT. So viruses or malware injected into the operational networks that affect SCADA, telemetry or an IAD, for example.
- Man in the middle scenario. A hacker taps into your fiber network, microwave radio or copper lines. At best, to listen to your comms. At worst, to steal info from your network or devices, or users.
4 steps to choosing a cyber solution
Finding the right solution is essential to the future health of your business (and your customers). There are a lot of vendors out there selling miracle cures, and there’s a lot to lose if you get it wrong. So make ‘analysis’ and ‘research’ your best friends early on in the selection process.
- Analyze your threats – first get your internal cyber experts to do a risk analysis, then get an external audit. The general rule of thumb is that the deeper you dig, the more vulnerabilities you’ll find, so you’ll need to decide when to stop.
- Prioritize – what are the most vulnerable points in your systems and what are the most urgent to address? Everything is important, but based on your risk analysis, prioritize the steps you need to take to strengthen security in the areas most at risk. Remember to secure your mission-critical operational systems first, because you and your customers need these systems to work 24/7.
- Survey the market – define the phases of implementation and go through the RFP process. Just remember no solution is 100% secure. It’s a matter of measure and countermeasure, and you’ll need to constantly update your security for evermore.
- Buy only what you need – with all the solutions on the market it’s easy to get lost. Everyone is trying to sell you “the only security solutions you’ll ever need”, but in the end it’s neither economical nor feasible to buy everything. See points 1 and 2.
One point I haven’t mentioned so far is how physical and cyber security are really two sides of the same coin. While many companies focus on one or the other, look for companies developing an approach that takes into account every dimension of security. In other words, one that combines both physical and cyber security to create a comprehensive, holistic and joined-up response.
I hope to be able to share more on that in future. Meanwhile, to learn about ECI’s MUSE cyber security solutions for Critical Industries, visit us here.
Click here to learn more about ECI's Solutions for Utilities and Critical Infrastructures.
Topics: Cyber Security, Critical Infrastructures, Utility
