The utility sector is generally ahead of other industries when it comes to cybersecurity readiness. But what will it take to keep it ahead of cyber attackers?
Starting in July, U.S. utilities must comply with a new federal standard aimed at bolstering security -- especially cybersecurity. Version 5/6 of the North American Reliability Corporation’s Critical Infrastructure Protection standard (NERC CIP) takes a new approach to mandating security for bulk power systems. Rather than telling utilities how they should address known risks, it requires utilities to assess and rate security risks for their assets and systems, and come up with their own programs.
Among other things, this risk-based approach means utilities must now implement cybersecurity for all substations. Previously, some substations and other assets were left out.
But well before the latest NERC CIP, U.S. utilities were working to strengthen cybersecurity.
“Actually, in the U.S., utilities are ahead of most other industries in terms of cybersecurity,” said Robert Albach, product line manager for Cisco cybersecurity products. “They’re usually pretty good about implementing hierarchical network design and other fundamental security practices. But there are some common gaps, like continuing to run vulnerable applications, and often they lack proper monitoring to capture threats before they cause harm.”
Above all else, utilities have a mission to keep our lights on. How utilities maintain system availability is a key area that directly affects customers and highlights the impact of strengthening utility cybersecurity.
Ensuring safe and reliable operation is the fundamental mission of a utility. If controls or communications for grid assets fail, the equipment must continue to operate in a safe, reliable manner, even in non-ideal situations such as when under attack. This is especially important for substations, which are increasingly monitored and managed via remote access, often by contractors in remote locations.
There are a lot of questions that utilities need to consider, said Albach.
What’s the state of the external systems being used to contact utility equipment?
Is the employee's or contractor’s home laptop infected with malware? Is their home network secure?
What are the conditions under which the utility is granting access to critical equipment?
Are the people who are authorized for access doing what we expect them to do?
It’s practically impossible to ensure security for every person, application and device that interacts with utility assets. However, utilities can enhance system-wide monitoring capabilities -- to learn what normal operation and interaction look like, and to recognize when problems occur that may indicate attacks or other security risks. This means deploying new system intelligence that allows utilities to use their network and devices as sensors.
Devices that serve as checkpoints on network communications, such as firewalls and gateways, can play a key role here.
For instance, substations typically contain assets that operate on less secure, older communication protocols. A utility may place one or more firewalls at a substation to speak to the network on behalf of the assets. In addition to making network traffic at the substation level easier to monitor (which makes it easier to spot problems), such appliances also support fail-safe operation.
“You can build fail safe modes into a firewall, and make resilience easier to achieve,” said Sven Schrecker, Intel’s chief architect for IOT security solutions. “This might allow connected assets to only talk to local nodes, so the substation just keeps running, even when the management back-end is down. This has the effect of building out intelligence and autonomy at the edge of the grid, where it used to be a rather dumb edge.”
Intelligent security appliances offer other security benefits. For instance, an appliance can provide a unique cryptographic identifier for each connected device. This enables authentication and shields assets from view by unauthorized device connections. Older asset controls typically offer no cryptographic protection, which can make them less able to resist intrusion.
Of course, cybersecurity attacks can be successful -- as evidenced on Dec. 23, 2015, when a cyberattack against a Ukrainian utility caused a six-hour outage across a wide region, knocking out power to hundreds of thousands of customers.
Outages happen -- which is why the real goal of cybersecurity is resilience. Utilities already have clear policies for power restoration and prioritizing repairs, and cybersecurity is increasingly considered in outage response and recovery. For instance, how might a utility minimize the risk of reactivating or spreading a cyberattack by bringing potentially compromised equipment back on-line?
Fortunately, utilities can usually expect their neighbors to help in a crisis. For many decades, utilities have come to each other’s aid to recover from major outages, or to help prevent the spread of outages or system damage. The Edison Electric Institute is developing a program for cybersecurity mutual assistance.
Also, there are efforts to share cybersecurity information across the sector in order to promote common situational awareness. For instance, the nascent Cybersecurity Risk Information Sharing Program by NERC and DOE is an architectural approach to common situational awareness for the electric sector.
Cybersecurity isn’t just an operational imperative for utilities; it has become a business imperative, too.
“Utilities are now technology companies that happen to be generating and distributing power,” said Nadya Bartol, vice president of industry affairs and cybersecurity strategist for the Utilities Telecom Council.
The implications of this shift become crucial when considering that most of any utility’s assets, and business, relate to local power distribution.
NERC only regulates bulk power networks. However, solutions that are deployed to grid assets can be deployed to local assets as well. This can offer advantages, such as achieving holistic NERC CIP compliance system-wide without having to file all the paperwork for local distribution assets.
Utilities now have more resources than ever before to ensure their security -- but they also have more potential vulnerabilities. Will the utility industry continue to demonstrate its cybersecurity leadership over other sectors?
Intel and Cisco answer that question in a new white paper on mitigating security risks for utilities.