Where does Cybersecurity End for Electric Utilities?
Across the energy sector and between various electric sector locations there are several assets and systems deemed “crown jewel assets” or “mission-critical systems”. Depending on who you ask, nearly every digital component they rely on is potentially at risk in some way. This painstaking reality has led to a focus on securing critical assets – the machines, equipment, and systems providing critical resources and services – and critical functions – actions, activities, or operations to connect, distribute, manage, and supply essential resources, products, or services.
It is easy to understand why electric infrastructure is critical to sustaining health and wellness, healthcare and sanitation, clean water provision, and additional sectors like manufacturing, communications, finance, and more. The wide variety of stakeholders that maintain the U.S. electric grid are concerned not only with physical safety and security, but also with cybersecurity; with supply chain demands, limitations, and risks; and with the expansive industrial internet of things (IIoT) connectivity used to manage production and regional flows of electricity. The greatest cyber threats to the grid have been attacks focused on manipulating operational technology (OT) and industrial control systems (ICS).
OT/ICS technologies encompass a wide range of machines and configurations, including pumps, compressors, valves, turbines, and similar equipment; interface computers and workstations; programmable logic controllers (PLCs); and the many diagnostic, safety, metering, monitoring, and control systems that enable or report the status of variables, processes, and operations. These systems are increasingly exposed through social engineering for credentials, hijacked remote access, and connections to third-party technologies that have both remote access and internet connectivity.
Given the competing risks, priorities, and technological developments, the electric sector does not necessarily struggle with where to start its cybersecurity practices. Though resource and talent gaps exist, expertise, guidance, best practices, frameworks, and security tools are plentiful. The more compelling question today is: what is the right amount of effort and resources that will mitigate cyber risk in a sustainable way? If the job of implementing cybersecurity is never complete, what does enough look like?
Getting Cyber Right
Cybersecurity is a delicate balance. Too much focus on specific machines, devices, or equipment risks miscalculating the potential impacts that other parts of the process have on the overall functionality of the process. Too much focus on the function itself risks not identifying the most critical components in the process. At the same time, teams may spend time remediating known product vulnerabilities that have limited operational impact, or focus on defending against nation-state-level capabilities at the expense of fixing misconfigurations or installing important firmware updates.
Mature cybersecurity programs invest in people, tools, and processes to enforce security policy, review security information, and build more resilient digital targets. Any “set it and forget it” approach to cybersecurity will eventually fail. Sustainable security requires knowing the nature and behavior of the assets within the environment, monitoring for threats, and having a measurable way to track, report, and reduce risk.
The approach must also be inherently adaptable to change to keep pace with disclosed vulnerabilities and novel threat actor tactics, techniques, and procedures (TTPs). To prevent worst-case scenarios and cascading impacts, the focus of electric utility cybersecurity must be on reducing the severity of any cyber incident – accidental or malicious. There are four main weak spots to consider when evaluating the ability to reduce the severity of cyber incidents for electric utilities.
Weak Spot 1 – Network Status
On average a plant might have more than a dozen different types of vendor technologies running with proprietary code and industry specific protocols. Each system will have unique parameters for identification and for communications on a network. It is impossible to manually log granular details about each asset, its activity and traffic patterns, amounts of transferred data, protocols and function codes, source and destination ports, connection attempts, software and firmware versions and updates in real time.
Network diagrams offer a high-level map of static configurations but lack the ability to continually monitor traffic and timestamp network or data changes. If network activity is not monitored in real time, the status of assets is largely unknown, and whether or not they have vulnerabilities, these assets cannot be protected without visibility into their day-to-day functionality. It’s often parroted that you cannot protect what you cannot see, but you also cannot investigate any mishap or accident to understand the root cause of a cyber incident without a dynamic, real-time status map of the inventory of machines and computers communicating in your environment.
Weak Spot 2 – Product Vulnerabilities
Vulnerabilities are not all the same; the degree to which they impact the integrity and availability of systems varies. Some vulnerabilities have limited scope in that they only apply to a few types of software features or interfaces and therefore will not produce widespread impacts. Others impact a small fraction of a specific vendor’s products or install base. Some vulnerabilities are more difficult to automate or require individuals in the target environment to interact with the attack mechanisms needed to exploit them. Others may have compensating controls in place that mitigate their severity.
Today there are thousands of known product vulnerabilities in OT and ICS systems from each vendor that produces the machinery and equipment used in electric utilities for transmission and distribution. While each vulnerability is published with an associated common vulnerability scoring system (CVSS) score, it is impossible to immediately understand how severe the vulnerability will be for one entity’s risk profile based on the designated severity alone. Vulnerabilities have to be compared against operational status to understand their significance, and to prioritize actions and procedures that reduce the severity of their potential impacts.
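The first two weak spots describe one workflow: derive the asset inventory (firmware versions, function codes, peers) from observed traffic rather than a static diagram, then rank advisories against that operational context instead of by CVSS base score alone. The following is an added illustration, not code from the article or from Nozomi Networks; the flow records, advisory IDs, zone boundary and scoring weights are all constructed assumptions.

```python
from ipaddress import ip_address, ip_network

CONTROL_ZONE = ip_network("10.1.0.0/16")  # assumed control-zone boundary
WRITE_FUNCS = {"write_single_reg", "write_multiple_regs", "select_execute"}

# Constructed passive-monitoring records: (src, dst, protocol, function code,
# firmware banner observed from the responding device).
FLOWS = [
    ("10.1.1.10", "10.1.2.20", "modbus", "read_holding_regs", "plc-fw 1.9.0"),
    ("10.1.1.11", "10.1.2.20", "iec104", "interrogation", "plc-fw 1.9.0"),
    ("10.1.1.10", "10.1.2.21", "modbus", "write_single_reg", "plc-fw 2.1.3"),
    ("172.16.5.5", "10.1.2.21", "modbus", "read_holding_regs", "plc-fw 2.1.3"),
]
# Constructed advisories with hypothetical IDs: versions below fixed_in are
# affected; needs_write means the flaw is reachable only via write functions.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "product": "plc-fw", "fixed_in": (2, 0, 0), "cvss": 9.8, "needs_write": True},
    {"id": "ADV-EXAMPLE-2", "product": "plc-fw", "fixed_in": (2, 2, 0), "cvss": 7.5, "needs_write": False},
]

def build_inventory(flows):
    """Derive per-device facts from observed traffic, not a static diagram."""
    inv = {}
    for src, dst, _proto, func, fw in flows:
        asset = inv.setdefault(dst, {"firmware": "", "functions": set(), "external": set()})
        asset["firmware"] = fw
        asset["functions"].add(func)
        if ip_address(src) not in CONTROL_ZONE:   # peer outside the control zone
            asset["external"].add(src)
    return inv

def parse_version(banner):
    name, ver = banner.rsplit(" ", 1)
    return name, tuple(int(p) for p in ver.split("."))

def prioritize(inv, advisories):
    """Return (score, device, advisory) ranked high to low; weights are illustrative."""
    findings = []
    for ip, asset in inv.items():
        product, version = parse_version(asset["firmware"])
        for adv in advisories:
            if adv["product"] != product or version >= adv["fixed_in"]:
                continue
            score = adv["cvss"]
            if asset["external"]:                          # exposed beyond the zone
                score += 2.0
            if adv["needs_write"] and not (asset["functions"] & WRITE_FUNCS):
                score -= 3.0                                # attack path never seen in traffic
            findings.append((round(score, 1), ip, adv["id"]))
    return sorted(findings, reverse=True)
```

With these inputs the CVSS 9.8 advisory drops to the bottom of the list, because the only affected device is read-only from inside the zone, while the lower-scored advisory on the externally reachable device rises to the top.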
Weak Spot 3 – Threat Actor Capabilities
We know that OT-specific attacks can sometimes be opportunistic to try to target “low hanging fruit” or copy and paste repeatable TTPs and code scripts to produce any impact at a low cost. However, there are fewer opportunities to reuse or automate attacks in OT networks. Highly tailored techniques that are more custom and less repeatable require more resources and reconnaissance and are less likely to be used in widespread scanning and probing.
For IoT devices, the primary attack surface is their default credentials exposed over SSH. Once the attacker has gained entry, they will check the underlying operating system to decide which payload to install on the system, often to enlist it in a botnet. These IoT botnets can grow to have hundreds of thousands of controlled devices under their helm, and their primary focus is to perform DDoS attacks against targets, to great effect.
Threat actors targeting OT and ICS seek to craft the perfect recipe of capabilities and vulnerabilities that will cause disruption or damage to their target. Scanning may identify such vulnerabilities, but many steps are then required to access and exploit them. Threat intelligence is available to categorize known TTPs and code signatures from previous incidents, and is used to build out detection capabilities that alert security teams when a recognized TTP or signature is detected somewhere in their network. These capabilities, just like product vulnerabilities, must be examined in the context of the impacts they can have on a specific environment or organization.
Weak Spot 4 – Data Rich, Information Poor
Components and connections continue to increase with multiple vendor systems and integrations. Reliance on patches that might not be feasible given the environment and its dependence on legacy technologies produces inadequate security coverage. Without utilizing the vast amount of communications, security, and operational data available by design, organizations have limited information to inform their risk tolerance and mitigation plans. This leaves entities with little to no evidence to review for signs of compromise or negligent error.
Simply having and storing reams of data is not particularly useful for any risk mitigation. Behavioral analysis and anomaly detection for network operations can augment threat intelligence and overall security posture. Anomaly detection can alert on deviations from normal communications patterns as well as on variables within the process – like sensor readings and flow parameters. This process data can be correlated with communications data to provide actionable intelligence that informs security procedures and reduces overall risk. Many organizations enable tools to gather and store data but fail to analyze that data to enhance their mission.
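The correlation described above, as an added example that is not part of the article or of any vendor product: a baseline of normal communication triples and per-tag sensor ranges is learned from a quiet window, and a process deviation that follows a never-before-seen communication to the same device within a short window is escalated rather than reported as an isolated reading. The baseline, the event window, the 2% margin and the 30 s correlation window are all constructed assumptions.

```python
# Constructed baseline from a learning window of normal operation: which
# (src, dst, function) triples occur, and sensor samples per device and tag.
BASELINE_COMMS = [
    ("10.1.1.10", "10.1.2.20", "read_holding_regs"),
    ("10.1.1.10", "10.1.2.20", "write_single_reg"),
    ("10.1.1.11", "10.1.2.21", "read_holding_regs"),
]
BASELINE_PROCESS = {
    "10.1.2.20": {"turbine_rpm": [3580, 3600, 3610, 3595]},
    "10.1.2.21": {"flow_m3s": [42.0, 43.5, 41.8, 42.9]},
}
# Constructed detection window: (timestamp_s, kind, payload).
EVENTS = [
    (100, "comm", ("10.1.1.10", "10.1.2.20", "read_holding_regs")),
    (105, "proc", ("10.1.2.20", "turbine_rpm", 3602)),
    (110, "comm", ("172.16.5.5", "10.1.2.21", "write_single_reg")),  # never seen in baseline
    (118, "proc", ("10.1.2.21", "flow_m3s", 61.2)),                   # leaves range 8 s later
    (200, "proc", ("10.1.2.20", "turbine_rpm", 3350)),                # deviation with no comm trigger
]

def learn_baseline(comms, process, margin=0.02):
    """Allowed communication triples plus per-tag limits widened by a relative margin."""
    limits = {dev: {tag: (min(s) * (1 - margin), max(s) * (1 + margin))
                    for tag, s in tags.items()} for dev, tags in process.items()}
    return set(comms), limits

def detect(events, allowed, limits, window_s=30):
    """Flag unseen communications and out-of-range tags; link a tag deviation to a
    new communication toward the same device within window_s seconds."""
    alerts, recent_new = [], []
    for ts, kind, data in sorted(events):
        if kind == "comm":
            if data not in allowed:
                alerts.append({"ts": ts, "type": "new_communication", "detail": data, "cause": []})
                recent_new.append((ts, data))
        else:
            dev, tag, value = data
            lo, hi = limits[dev][tag]
            if lo <= value <= hi:
                continue
            cause = [c for t, c in recent_new if c[1] == dev and 0 <= ts - t <= window_s]
            kind_out = "correlated_process_deviation" if cause else "process_deviation"
            alerts.append({"ts": ts, "type": kind_out, "detail": data, "cause": cause})
    return alerts
```

The third alert shows why both feeds matter: the turbine deviation with no preceding communication change is still worth an operator's attention, but it is a different kind of finding from the flow deviation that follows an unfamiliar write.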
Closing the Gap
Working with utility companies in the field reveals three characteristics that make the sector especially vulnerable to contemporary cyber scenarios. First, the increased number of threats and actors targeting utilities: nation-state actors, cybercriminals who understand the economic value represented by this sector, and hacktivists seeking to publicly advance their objectives or broad agendas. Second, utilities’ increasing attack surface, their geographic and organizational complexity, and the decentralized nature of many organizations’ operations. And third, the sector’s unique interdependencies between physical and cyber infrastructure. The sector is more vulnerable to exploitation, from billing fraud to manipulation of IoT sensors, the commandeering of operational-technology (OT) systems to stop processes, and even physical destruction.
In the energy sector, cybersecurity assessments routinely reveal hundreds of insecure protocols and device vulnerabilities, as well as dozens of insecure password protections. In a case study of an electric utility with over 600 global sites serving millions of customers, focusing on the four outlined weaknesses improved the overall reliability, efficiency, and maturity of the operators’ cybersecurity program. The operations required in-depth support for specific IEC protocols, and centralized and automated monitoring of hydroelectric, thermoelectric, and wind generation plants. The collaboration of people, tools, and processes allows for around-the-clock notification and root cause analysis of accidental, misconfiguration-related, and potentially malicious cyber events, eliminating time-consuming manual OT/ICS and IoT mapping, troubleshooting, and vulnerability correlation efforts.
Written by Danielle Jablanski, Nozomi Networks