Cyber attacks could potentially be reduced by the presence of a healthy cybersecurity insurance market. Currently, many companies decline available coverage because they believe the costs to be prohibitive, they are uncertain about what would be covered, and they are willing to risk that they will not be the target of a cyber attack. As NERC security standards continue to evolve and be revised, FERC and utility companies are supplying important input and constructive comments to promote continual improvements. Vendors are definitely driving the development of the standards and assisting with the guidelines, as well.
How much influence each faction has is a subject for debate. Operating under the premise that every idea is welcomed and is valid, those who are willing to work with the standards can ultimately influence them before they are finalized. Once they are in place, there is nothing that can be done other than to wait for the next version to emerge. Some believe those who get the best result are those who shout the loudest.
Many bright individuals share their valued opinions on various committees, and the most influential of them truly can effect change. The DOE has been identifying various labs and centers of excellence that have taken the initiative and are focusing on putting quality people to work in different areas of the cybersecurity landscape. Companies that are the most active in the process, particularly the large ones, tend to affect the process to a greater degree. Though they offer helpful guidelines, adherence to suggested standards is not the law. Utilities and vendors have suggested some practical standard practices, but they are not compulsory, so individual companies decide whether or not they wish to follow them.
These are the actual people with boots on the ground doing the day-to-day work, providing input to the standards drafting team. Many are members of the power industry, which is very decentralized. Companies in the energy sector have different rate structures in different states that affect their profitability and what they may charge for the services they provide. When power plants need to enhance their cybersecurity, it requires a significant investment, and someone is going to pay for that. Financial considerations may dictate whether or not security controls are implemented, and this fact needs to be emphasized in any discussion about the adoption of new standards and regulations.
The nation absolutely has to have power. Stakeholders from many different organizations come to the table in consensus to create the next generation of standards. Of course, each organization has its own agenda to promote, and this ultimately colors the way the standards end up, for better or worse. Unfortunately, compliance teams, legal teams, and managers struggle with how precisely to interpret these recommendations and requirements. They are often uncertain about what actions to take. While most are willing and ready to comply, some find it difficult to discern the official meaning of the regulatory language.
This can cause confusion for compliance personnel who are forced to rely on whim and vague interpretations of NERC standards and regulations. To counteract the unclear nature of NERC CIPs, many companies are actively documenting how they intend to fulfill, mitigate, or comply with the requirements and hope auditors find merit in this diligent record keeping. Since so many interpretations are presently in play, auditors can only note whether or not a company did what it said it intended to do regarding NERC CIPs compliance.
Some power plants also struggle to comply with standards and regulations because they lack the electronic products and devices, such as those manufactured by Siemens and GE, that make such compliance possible. Though NERC is perhaps taken more seriously, NIST standards are regularly integrated into many cybersecurity platforms, and they may point the way that critical infrastructure protection is going. Because compliance with NIST guidelines is voluntary, there is no mandate for companies to follow them.
Factoring in the hundreds of priorities energy businesses have, the budgetary impact of cybersecurity implementation often takes a backseat to what seem to be more pressing immediate concerns.
Beyond its presence as a buzzword, the Framework is costly to integrate, and often a budget does not exist for such expenses. Beyond that, many doubt that industrial control system vendors can provide working solutions that operate in tandem with products from other vendors.
They are wary of involving third parties. The ultimate goal is to provide businesses, their suppliers, their customers, and government agencies with a common language and methodology for determining how they can best protect themselves. Whether they come from Microsoft, FERC, or an interested individual citizen with a great idea, they are all treated with equal reverence.
NIST is primarily interested in whether the idea is technologically sound, cost effective, and implementable. Occasionally, NIST has contracts with and receives support from federally funded research and development centers connected with aerospace or the Institute for Defense Analyses, which helps them to create a first draft.
Once the draft is completed, it is posted on the website where public and private interests can view it and make comments. NERC summarizes the comments it receives and publishes them so that people can assess the reaction to the suggested standards for themselves. NIST employs an adjudication process in which a team of industry experts reviews individual comments and provides a response. Eventually, the comments help NIST arrive at a final adjudication for each particular comment — an exhaustive process.
What NIST aims to achieve is a normalization of the dialogue that occurs when people are discussing cybersecurity. This allows for a coalescence of ideas, concepts, and principles from various sectors and presents many different choices about how the Framework is implemented.
The next few years will see the continued implementation of the five revisions of the Framework which have been approved. Versions six and seven are on the way and will feature some changes in language for clarification. NIST standards exist to prevent attacks and intrusions from outside forces within the power system and to maintain control of the energy grid.
All facets of the bulk power system are considered when it comes to disaster recovery. At present, NIST refers companies to a lot of third party documents which seem to leave people lacking for a lot of detail. Advancing technologies will continue to affect all aspects of life in the near future with computer hardware and software at the core of this evolution. More reflection will be required concerning the building of cybersecurity products and systems as things grow increasingly more complex. Some feel the industry has already passed that point.
Defending operating systems from the cyber attacks of today and tomorrow may require significant reengineering of the IT infrastructure at the systemic and at the product level. This will require trusting in technological principles, concepts, and methodologies in order to build highly assured components and systems.
The greatest challenge will be in keeping the size of future operating systems manageable and understandable so that best practices can be applied. There is hope that systems will be developed which are more penetration-resistant. In the event that an attack is successful and permeates an outer perimeter, the energy sector must work toward creating technology that stops malware from bringing down entire power plants or the entire grid. The bulk energy industry faces huge challenges heading into the future. Re-architecting the networks, segmenting them, and implementing security management will be tremendously expensive.
There is a danger that companies will assess the high cost of hardware, software, licensing, and installation, plus the expense of operations and maintenance of the infrastructure, and underestimate it. In many cases they will opt for the inexpensive route and have no automation software to schedule recurring or compliance-required maintenance.
Of course, the larger the company, the more security products they have to integrate and the more complex procedures they have to follow. Expecting humans to manually operate security systems can be risky, but in the interest of the bottom line, many power plants will forego more reliable automation systems. Maintaining cyber security devices is a relatively new field. Electric utilities have known how to keep transmission systems operational for the past 50 years. They knew how to design, protect, carry power, connect to the transmission system, and distribute power.
Now, these companies are adapting to new technologies and the learning curve is dramatic.
More compartmentalized technicians are needed, such as file, server, and networking experts. Despite all the present-day defenses already in place, the infrastructure may not yet exist which can detect and thwart attacks across the spectrum. More monitoring capabilities are needed to formulate a proactive defense. As utility companies use more cloud services they will have to be more cognizant of what the risks are as Smart Grid penetration will continue to increase. Certainly, more real time detection will be utilized because people want to know what is going to happen.
There are many strategies and types of attack which may occur. Older technologies such as firewalls and anti-virus programs try to detect malware by discovering known code sequences. Unfortunately, this takes time. Modern cybersecurity products are unable to detect a complete chain of events. They may detect malware, but breaches occur in mere moments, and often it is too late to enact any meaningful countermeasures.
The successful real-time defense systems of tomorrow will be able to analyze incoming data and detect and isolate malicious exploits immediately before they advance along the kill chain. At this point, automated systems or humans can intervene and take protective actions.
The authentication of identity is still an important aspect of maintaining effective security measures in the energy sector. Too often, existing credentials can be abused, have been badly implemented or managed, and lead to major vulnerabilities or incidents. In the long-term they will continue trying to overcome technological constraints.
Until they can purchase it from vendors, they may have to mitigate threats with a local firewall. The San Bruno pipeline incident brings into focus the dangers of antiquated security systems and bad data. Despite the vulnerability of power facilities, security personnel do seem to understand the importance of contingency planning. The electrical grid is highly reliable overall, but when an incident occurs response plans have to go into effect before malware can gain a foothold and damage critical operating systems.
It is essential that people know exactly how to respond in a given situation. Contingency plans for power plants may include alternative processing sites, alternative communications capabilities, and alternative storage facilities. Those are three tiers that are typically focused upon.
The ultimate goal is to navigate an attack and to continue to be operational in a debilitated or degraded state.
Contingency plans exist for four major types of threats: natural disasters, structural failures, cyber attacks, and errors of omission or commission. Fortunately, ES-ISAC and all of the networks of collaborative communication now in place improve the outlook for maintaining the grid safely and effectively. Many international control systems, while different from those installed domestically, are connected to a global cybersecurity network.
Of course, there is still a lot of concern regarding air gaps, primitive protections, and unicorns. The energy sector is dependent upon forward-thinking companies that are coming up with progressive solutions to deal with existing security issues. Cyber-criminals possess impressive attack skills, and the hacking tools available to them make it easy to find new attack avenues, especially when it comes to old equipment in industrial control systems. New systems are so complex that they are connected in ways their manufacturers might not even understand.
End users may not be aware that the interfaces of the control systems they operate are publicly available on the internet. Cyber-criminals can search for a particular geographical site or for a specific vendor and breach the human-machine interface (HMI) of that control system. There has been a good deal of research done concerning zero days, which personify the unknown vulnerability. Following a cyber-attack, the perpetrators can actually take control of the system and seed it with new vulnerabilities, which they can later come back and exploit. The energy sector is relying on basic technology like never before, and it is vulnerable.
Detecting and deterring cybercrime with standard surveillance cameras is not the most effective way of protecting critical infrastructure. Cameras are only as good as the people who monitor them, and people are easily distracted. Cameras need to be coupled with analytics that alert and alarm. This type of technology does exist, and it can greatly enhance existing security systems. Software is becoming more cognitive all the time.
There is also a huge turnover rate within the energy sector. It sometimes takes an expensive incident to bring this fact into focus. Despite the increasingly automated nature of IT platform systems, most insiders believe a human interface will continue to be needed going forward. That being said, when a large utility has several hundred assets to monitor, it is not feasible for two or three security operators to maintain visual security in that space. Visual analytics and automatic alert systems will continue to be employed more and more, because it is not possible for individuals to physically monitor data streams continuously to see if any aberrations might be occurring.
The future will see more real-time analytics employed, to detect incidents as they are happening, or to detect them in advance. Again, there will most likely be a human interface involved to analyze data and recognize the source of any incursions and threats, or to deal with issues of multiple alarms, weather, or even wild game. Eventually, incidents occur despite the best efforts of security teams. There is some debate as to whether information concerning cyber-crimes in the energy sector should be shared publicly.
Many in the industry are of the mindset that such intelligence has no business being parsed out to those without a need-to-know. Most would seem to prefer that information be shared privately among utilities so that if an attack is coordinated, it could be collectively defended against. Power companies do an acceptable job of sharing information concerning threats or security events that occur across various groups. It makes sense for the utility industry to share information, but there are not many vehicles established at this point to facilitate that process.
There is a consortium among some security vendors that has been created for the purpose of information sharing.
In addition, Symantec and some other big players have reportedly been distributing intelligence to one another. Some have called for the creation of an ICS version of this information sharing model, but it may still be a couple of years before that goal is realized. To protect against these threats, it is necessary to create a secure cyber-barrier around the Industrial Control System (ICS). Some prefer a holistic approach to the cybersecurity problem. This would entail building products and systems that are as defensible as they can be and then continuously monitoring them.
Even if everything is built to the best possible specifications, a small number of attacks are still inevitably going to succeed. Understanding the various types of cyber-attacks and sharing relevant information regarding these events can be very valuable, but again, most companies would be reticent to share it because of the damaging effect doing so could have on their reputation.
Ultimately, it is a team sport. If there is a specific vulnerability in a power plant and the same commercial components developed by a shared vendor are being used across the industry, quickly distributed information could help other companies address those vulnerabilities quickly, before they become the next victim. Most in the energy sector seem to feel that the public has a limited need-to-know priority regarding cyber-attack incidents. It is considered more important for selected agencies, the tech community, and vendors to receive critical information so future incidents can be prevented.
Otherwise, it would be difficult to establish any pattern analysis of cyber-criminality, or to inform vendors about products which may have been compromised.
Certain power plants on the federal side, such as the TVA and Bonneville Power, have additional work to do.
There has been much talk about establishing a clearinghouse of information for companies in the energy sector regarding cybersecurity. Power companies need to know about potential phishing or malware attacks so that they can increase their awareness and work to mitigate these potential threats. Sometimes in the implementation of cybersecurity defense measures, it may be necessary to share information with other countries, as in the case of Europe and North America where stability of the grid crosses our political borders.
If individual nations are tracking poor behaviors and unsafe cyber conditions, it would be advantageous for them to share more than anecdotal stories with neighboring countries. Today, however, there is a paucity of information exchanged between nations regarding cybersecurity. Insurance companies and the safety industry are endeavoring to compile a lot of statistical data, but many in the energy sphere continue to operate in what has been termed the age of stories. There has been some anxiety caused by the thought of information sharing between utilities in the energy sector, and worries about shared threat alerts between nations.
Is it safe to entrust overseas vendors with the development of security systems designed to prevent cyber-attacks? Are there elements of xenophobia and unfounded fears to be found in the resistance these overseas firms sometimes face, or is some prudence warranted? A lot of these trepidations have been overcome out of necessity, because cybersecurity threats are experienced universally, all around the world. Ultimately, global information sharing is essential. The industry is entrenched and business relationships are long-standing. The energy grid operates on a level of comfort and trust.
It would take a third party from an overseas country with unique technologies and capabilities to ingratiate itself in the North American energy market and find favor there. As critical industrial infrastructure continues to be threatened by Flame, Stuxnet, Night Dragon, and Duqu attacks, the ICS security market will continue to expand.
Consulting companies and enterprise security vendors are major players in this arena. NERC has the power of regulation and wields heavy influence with the electric utility, oil, and gas sectors, but it is difficult to gauge the ratio or market size of NERC in the security solution market because there is no way to do a proper segmentation. Many of the products that are used to achieve some level of NERC CIP validation could also be used to provide visibility and security management capabilities in other industries such as manufacturing.
Keeping up with constantly advancing technologies is a huge operational challenge for utilities in the energy sector. Additionally, systems are becoming more and more connected with each other, so the probability that these networks will be compromised or attacked is growing exponentially larger. The threat has been reinforced … by the appearance of a computer virus known as the Havex Trojan, which hackers appear to have used to attack oil and gas firms. It is imperative that technology deployed in the infrastructure today can be upgraded and integrated with the next generation of evolving systems.
Some companies build the most impressive products, but they are not compatible with anything else. As a parallel, consider iPhones. How many iPhones have there been and how many chargers? Billions of dollars are spent to secure the latest products, but often things have to be reconfigured because products are not compatible.
Meanwhile, cyber-attackers are adept at remaining one step ahead of the game, so security teams must do their best to stay on top of the technological race in cybersecurity. A large majority of the utilities are prioritizing investment to upgrade adequately.
Smaller companies tend to have a one-size-fits-all situation: a person or a small group of people at the head of the table who have a multi-faceted skill set in the cybersecurity area. Sometimes it is an electrical engineer or a specialized maintenance team. Some organizations hire or develop an Industrial IT or Operational Technology (OT) group in which a multi-member team is assembled to tackle problems.
Utilities are building aggregations that operate somewhere between control groups and IT organizations with the hope that they can understand the strengths and issues of both. Because utilities are not technology companies, they depend on security vendors to provide the technological expertise they require. This being said, companies in the energy sector tend to remain with vendors they have worked with in the past that they trust.
This loyalty may be based on an individual, long-standing relationship. There is a tendency for utilities to continue using products that their personnel are familiar with, because training for the deployment of new technologies is expensive. While most within the industry itself are reticent to name names when it comes to identifying vendors that are particularly influential, many utilities seek out an EPC (Engineering, Procurement, Construction) or engineering firm such as Fluor.
Such vendors would be responsible for designing a plant as far as concrete, metalwork, and electrical schematics. The control system is often offered up for bidding to outside vendors. A utility will prepare specs that deal with functionality and the types of devices they plug into. Vendors will then bid on the project, competing with other security solutions vendors to deliver the specs at the best price. Companies in the energy sector have to deal with compliance issues, so they are adjusting their procurement guidelines and contracts to include cyber security in their specifications.
The future will see a continued rapid evolution of many new security solutions and products designed to meet the challenge of defending energy infrastructure against cyber-attacks. Several platforms are already operational and they continue to be refined and improved.
Control system upgrades are needed for institutions and organizations with an archaic or legacy code base. Some of these systems may have code bases that are 20 years old. These organizations are not likely to go back and rewrite every line of code. They will instead develop secure new practices in the hope of being able to show that their entire code base is secure. Of course, new certification standards will inevitably come which will have to be complied with, and this will hasten the ongoing evolution towards improving the security of the grid.
Security solutions vendors have devices with the ability to detect anomalies and aberrations in the operating systems, which are needed to fill the tech-deficit gap faced by utilities today. These vendors can also provide the security of logging, patching, change management, MOC (Maintenance of Certification), and remote access. So when do you, as investors, start to prioritize cybersecurity mechanisms with your emerging CEOs? From government computers to railway tickets to gas and telecom firms, the attacks that have occurred globally are merely the tip of the iceberg. Just this month, Yahoo's parent company, Verizon, announced that a Yahoo data breach affected every single customer account that existed at the time.
So what about the rise of cyber-insurance? Yes, the market is continuing to experience strong growth. But cyber insurance, unfortunately, is not a proper safeguard against all attacks. The goal is to harmonize data privacy laws across Europe and to reshape the way organizations across the region approach data privacy. Although many key points are clear, there are many details of the regulation that have yet to be determined. So what is emerging? A world in which cybercrime and extreme regulation of data privacy become the norm.
A world in which machine learning is used to combat these cyberattacks.