Today’s utility cyber environment is awash with potential threats, ranging from customer credit-card theft attempts like those that struck Target and Home Depot, to potential grid-damaging malware like the BlackEnergy variant found to have infiltrated U.S. grid control systems last year.
But many utilities lack the budgets and expertise to manage the cyberattacks against their IT systems, let alone find the handful of real threats hidden amidst the thousands of attempts flooding their firewalls on a daily basis.
That’s a problem that Bob Selzer, director of information technology for the Nebraska Municipal Power Pool, confronted last year. His organization serves nearly 200 municipal utilities in six states, some of them with fewer than 1,000 customers and perhaps one part-time IT employee. But most have at least one substation that connects to NMPP’s SCADA system, as well as daily internet interactions with NMPP’s enterprise IT system -- either of which could serve as avenues for cyberintrusions that could crawl their way into the grid at large.
To help find the threats NMPP was missing, Selzer turned to N-Dimension, a startup that specializes in cybersecurity tools and services for smaller utilities. Specifically, NMPP installed one of the Ontario-based company’s newly launched N-Sentinel devices on its SCADA network, turned it on, and watched the threats pour in.
“We had over 3.8 million attempts -- probes, if you will -- on our network” over an eight-week period, Selzer said. “That was rather enlightening to us. I think we all knew we were getting probed, but we didn’t know to what extent, or the severity of them.”
To turn that big, scary number into something NMPP could do something about, N-Dimension pulled its N-Sentinel device records into its cloud-based system, and started separating the wheat from the chaff. “That’s our core IP,” N-Dimension CEO Tom Ayers said in an interview last week -- “taking this entire stream of information and turning it into something that’s actionable [and] usable.”
“If you were to look at an unfiltered report that goes through our system, we would generally find for a Severity One problem,” the most serious, generating “maybe 300,000 to 400,000 hits in the previous week,” including viruses, remote access trojans, malware, exploit attempts and reconnaissance, he said. “Even a team of people aren’t going to sort through that many hits and try to figure out which are the worst.”
“We have categorized these for you, we’ve purged the false positives, and we think there are three, four or five that are the highest priority to you. It’s actionable information -- it’s not just a big data dump. You can be overwhelmed by having all this data, and of course, the result is, you do nothing.”
That’s actually a significant problem for even the most sophisticated enterprise cybersecurity systems, as Target’s experience shows. The U.S. retailer installed a $1.6 million state-of-the-art cybersecurity platform from FireEye, a startup that builds a “virtualized hardware environment” that recreates a customer’s IT system and then exposes it to real-world attacks.
But according to a report from Bloomberg, Target had first turned off FireEye’s automated malware detection feature, possibly because of false positives that had bedeviled its security team in the past, and then failed to follow up on multiple alerts of foul play after the credit card data was being stolen from its system.
“This is a problem we want to solve,” Ayers said -- and at a much lower cost than systems like FireEye’s, which is being used by the CIA and the Pentagon. A subscription to N-Sentinel costs less than $1,000 a month, and the customer can return it after 60 days if not satisfied, he noted. “They simply decide, does this information have value to us?”
Considering that the benefits of spending on cybersecurity are calculated in terms of avoided disasters, not day-to-day revenues or cost reductions, “this is one area where ROI is maybe not calculated as carefully as other investments that utilities need to make,” he said. To help bridge that gap between security and top decision-makers, N-Dimension packages its regular findings into reports that security personnel can bring to utility executives, he noted.
It also conducts initial security audits to find the day-to-day security lapses that can expose utilities to risks, such as open ports on remote terminal units or programmable logic controllers that control grid equipment, or malware that’s been lying dormant within IT systems for who knows how long, but is sending out “pings” on a regular basis to inform its creator that it’s there, awaiting instructions.
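The “pings” described above are what defenders usually call beaconing: an implant checking in with its operator at a fixed interval. The script below is an added illustration of how such check-ins can be spotted in ordinary outbound connection logs; it is not N-Dimension’s or NMPP’s code. Every host, address and timestamp in it is constructed, and it also shows the caveat a practitioner needs: legitimate periodic traffic (here an assumed internal NTP server) looks identical, so an allowlist of known periodic destinations is what keeps such a check from drowning in false positives.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound connection records: "timestamp src dst dst_port".
# 10.20.1.15 -> 198.51.100.7:443 checks in every ~10 minutes with a little jitter
# (what a dormant implant's "ping" looks like); 10.20.1.15 -> 203.0.113.4:80 is
# irregular browsing; 10.20.1.22 -> 192.0.2.10:123 is an assumed internal NTP
# server, periodic but benign.
SAMPLE_LOG = """\
2015-03-10T08:00:02Z 10.20.1.15 198.51.100.7 443
2015-03-10T08:00:09Z 10.20.1.15 203.0.113.4 80
2015-03-10T08:10:01Z 10.20.1.15 198.51.100.7 443
2015-03-10T08:14:33Z 10.20.1.15 203.0.113.4 80
2015-03-10T08:20:03Z 10.20.1.15 198.51.100.7 443
2015-03-10T08:27:10Z 10.20.1.15 203.0.113.4 80
2015-03-10T08:30:02Z 10.20.1.15 198.51.100.7 443
2015-03-10T08:40:01Z 10.20.1.15 198.51.100.7 443
2015-03-10T08:50:02Z 10.20.1.15 198.51.100.7 443
2015-03-10T08:15:00Z 10.20.1.22 192.0.2.10 123
2015-03-10T08:30:00Z 10.20.1.22 192.0.2.10 123
2015-03-10T08:45:00Z 10.20.1.22 192.0.2.10 123
2015-03-10T09:00:00Z 10.20.1.22 192.0.2.10 123
2015-03-10T09:15:00Z 10.20.1.22 192.0.2.10 123
2015-03-10T09:30:00Z 10.20.1.22 192.0.2.10 123
"""

# Assumed allowlist of (destination, port) pairs known to be legitimately
# periodic on this network; in practice this comes from the asset inventory.
KNOWN_PERIODIC = frozenset({("192.0.2.10", 123)})


def parse_log(text):
    """Group connection timestamps by (src, dst, port), sorted in time order."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(
            datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    for stamps in flows.values():
        stamps.sort()
    return flows


def find_beacons(text, min_count=5, max_cv=0.1, allowlist=KNOWN_PERIODIC):
    """Flag flows whose inter-connection gaps are nearly constant.

    A flow is reported when it has at least `min_count` connections and the
    coefficient of variation (stdev / mean) of the gaps between them is below
    `max_cv`, unless its destination is on the allowlist.  Returns a list of
    dicts sorted so the most regular flow comes first.
    """
    findings = []
    for (src, dst, port), stamps in parse_log(text).items():
        if len(stamps) < min_count or (dst, port) in allowlist:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "port": port,
                             "count": len(stamps), "mean_interval": avg,
                             "cv": cv})
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}:{f['port']}  "
              f"{f['count']} connections, every {f['mean_interval']:.0f}s "
              f"(cv={f['cv']:.3f})")
```

Run on the constructed sample, only the 198.51.100.7 flow is reported; drop the allowlist argument and the NTP flow is reported too, which is exactly the kind of false positive the article says overwhelms understaffed teams. Real implants add jitter or sleep for hours between check-ins, so `max_cv` and the observation window have to be tuned per environment, and a hit is a lead for investigation, not a verdict.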
N-Dimension also helps utilities keep each other up to date on the emerging threats they’re facing as an industry, he noted. As an approved vendor for Hometown Connections, an affiliate of the American Public Power Association, the company puts together anonymized summaries of its ongoing experiences with cyberthreats across its customer base, and shares them with each utility subscribing to its N-Sentinel service.
“They get to see...what’s going on with our utilities right now -- these are the common hacks, the common intrusions, the things we need to take care of right away,” he said. That’s a lot easier for utilities to do than, say, competing financial institutions, which tend to keep their cybersecurity experiences to themselves, he noted. But with the Obama administration’s recent executive order encouraging private-sector cybersecurity information sharing, “our timing could not have been better” for this service, he said.
N-Dimension raised a $3.85 million Series A round in 2012 and a $3.5 million Series B round in December, both led by EnerTech Capital Partners and Export Development Canada. That's not a lot of funding compared to cybersecurity companies serving broader industries like FireEye, which went public in 2013, or even other industrial control system-centric cybersecurity providers like Cylance, which has raised a total of $35 million.
So far, N-Dimension has sold its N-Sentinel service to four utility customers, and is trialing it with 15 more, mostly small municipal utilities. “That’s where we’ve really decided to come to market first, because we think that information has more value,” compared to large investor-owned utilities that can afford to spend millions on cybersecurity staff and technology.
At the same time, “two of our trials are with IOUs” interested in finding out whether the company can provide “them meaningful information that they’re not getting today.” At less than $1,000 a month, “they spend more on their coffee budgets.” We've reported on forecasts that predict that utilities will spend between $7.25 billion and $14 billion on cybersecurity through the end of the decade, with much of that aimed at the SCADA networks and industrial control systems.
Selzer noted that the N-Sentinel devices NMPP is using have helped it extend cybersecurity advice to its member utilities as well as monitor its own networks. As for the 12 specific security concerns N-Dimension laid out for NMPP, they came with specific recommendations that he’s been carrying out since then. While he didn’t describe all of them, he did note that one important move was to install newer firewalls at different parts of its SCADA and enterprise IT networks, to help protect against the constantly evolving threats out there.
NMPP has also taken more prosaic steps, such as insisting that employees turn off their desktop PCs when they leave work; preventing them from visiting gambling sites on the internet -- including the Nebraska Lottery site; and prohibiting them from storing their passwords in Word documents or any other files that could be tapped by hackers, he noted. And in terms of funding for cybersecurity, “This doesn’t mean we’ve gone out and spent $1 million on new equipment -- but we’ve budgeted to beef up our security, and we’re doing that.”