
Better Energy Industry Cybersecurity Requires Everyone’s Engagement

“One company’s [NERC CIP] violation can be another company’s lesson learned.” That was just one of the comments during opening presentations at the EnergySec Summit in Denver this week that focused on the fact that human behavioral change is as important as advanced technology solutions for securing the North American electricity system—and energy systems globally.

That particular comment, by Duke Energy’s NERC CIP compliance expert Josh Sandler, may sound like making lemonade out of lemons, but sharing lessons learned among industry participants is essential if everyone from power generators to distribution utilities has any hope of preventing and quickly mitigating future cyber attacks on critical industry infrastructure.

Though North American Electric Reliability Critical Infrastructure Protection (NERC CIP) standards were mentioned in multiple presentations and pre-summit workshops, those responsible for system security need not see standards-setting as a top-down effort. Sandler urged everyone at the event to participate in communities dedicated to security systems and standards setting. The options range from regional groups to the North American Generator Forum. “Those communities can drive policy,” he noted, and are consulted by NERC and other standards-setting organizations when new standards are being developed. Ultimately, those communities can “assist in the shift from compliance-based security to security-based compliance.”

In the meantime, the compliance environment is getting hotter. Sandler shared a slide showing a trend line for NERC non-CIP violations going down from 2007 to 2012 and a trend line for CIP-related violations going up over the same period. In fact, in the past four quarters, he said, NERC CIP standard violations accounted for 75% of all NERC violations. The standard with the most violations was CIP-007 (Systems Security Management), with nearly 400 in the past four quarters.

Minimizing and responding to security challenges requires both technology solutions (and Summit vendor-exhibitors were happy to chat with attendees from utilities) and human behavioral change, noted Rohyt Belani of PhishMe. Belani observed that “The weak link is the human.” Even when control of equipment is an attacker’s goal, it is the humans operating that equipment and its control systems who are being targeted. The approach? Phishing.

You may think that corporate firewalls, antivirus protection, and other technical solutions mean that plant operators don’t need to worry about malicious email messages, but 91% of cyber attacks begin with spear phishing—and energy companies have been among the victims of such attacks, Belani said. Technology is not a waste of time, but companies also need a shift in mindset. (His company runs tests and training to effect behavior change.) Given that 66% of breaches go undetected “for months or more,” it’s essential that “human sensors” provide an early warning system for potentially malicious email or other electronic communications.

The 9th Annual Security Summit is presented by EnergySec, a nonprofit organization formed in 2001 for the purpose of fostering “frank and open conversations” across the energy industry, explained founder Patrick Miller. In his opening comments on Wednesday morning, Miller noted that EnergySec is the oldest information-sharing organization for cybersecurity in the electricity sector.

Other sessions at this year’s event focus on topics from building an incident response team and rapid risk assessment to integrating cybersecurity alerts into the operator display and improving IT operations in industrial control system environments.

POWER is a media sponsor of this year’s EnergySec Summit. See also my blog post on observations from the pre-summit workshops.

—Gail Reitenbach, PhD, Editor (@POWERmagazine, @GailReit)
