Beyond the Firewall: Best Practices for Cybersecurity Risk Management

Good power industry cybersecurity risk management goes far beyond stopping intrusions. Preparing for when—not if—your operation comes under cyberattack means anticipating the potential damage to your company’s finances, reputation, and regulatory compliance. Here’s what the best-positioned power generators are doing to stay ahead of the risks.

Generating companies wondering if concerns about cybersecurity are overblown got some rude wake-up calls this winter.

The first call came when Ukrainian media reported that a December 23 blackout that left more than a million people in the Ivano-Frankivsk region in Ukraine without electricity for several hours was the result of a deliberate cyberattack perpetrated by a group based in Russia.

In a report on the incident published in January, security firm ESET confirmed that the attack on several Ukrainian electrical distribution companies was carried out using the well-known BlackEnergy malware family, which has been used in cyberattacks for nearly a decade. According to ESET, systems previously infected with the BlackEnergy backdoor were injected with a trojan known as KillDisk, which is capable of making infected computers unbootable. (In computer security, a backdoor is a means of bypassing normal authentication, while a trojan is malware that appears to be a legitimate file. A trojan can install or function as a backdoor, while a backdoor may exist for a variety of benign or malign reasons, including being placed there by the original programmer.)

In this case, the KillDisk component also contained “additional functionality specifically intended to sabotage industrial [control] systems” (ICSs). ESET said the systems were likely infected using simple spearphishing email techniques, where the malware is contained in an attachment. The KillDisk component contained commands that would shut down and overwrite several key ICS processes.

The company noted that the KillDisk element was only part of the intrusion.

“The BlackEnergy backdoor, as well as a recently discovered SSH backdoor, themselves provide attackers with remote access to infected systems. After having successfully infiltrated a critical system with either of these trojans, an attacker would, again theoretically, be perfectly capable of shutting it down. In such case, the planted KillDisk destructive trojan would act as a means of making recovery more difficult.”

Other experts believe that the Ukraine outage was in fact the result of intentional sabotage by the hackers after they took control of the system.

Then, on January 26, the Israel Electric Authority reported that it had come under a “very serious” cyberattack that caused much of its network to malfunction and multiple computers to be shut down. The attack took the form of “ransomware,” a type of malware used by criminals to lock down a computer system until a ransom is paid, and was also the result of a successful email phishing attack. Although the attack itself did not affect the country’s electric grid (which is run by a different entity, the Israel Electric Corp.), operations were severely disrupted. The source of the attack was not stated, but previous cyberattacks on Israeli government sites have been blamed on Iran or the militant group Hezbollah.

The risk of attack is clearly growing fast. An October 2015 study by PricewaterhouseCoopers of cybersecurity incidents found that the number of cyberattacks in the power and utility sector attributable to organized crime doubled in 2015, and the financial losses as a result of all incidents in the sector increased 95% year-over-year.

Know Your Risks

While the worst-case scenario of losing control of a power plant or grid management system and having malicious actors shut things down—as occurred in Ukraine—may be obvious, the potential risks from a successful cyberattack on a generating company or distribution utility extend far beyond that.

Regulatory Risks. There are increasing regulatory risks, as governments implement greater oversight of cybersecurity. Lack of compliance can result in fines and other legal action. The starting point for companies in the U.S. is the Critical Infrastructure Protection (CIP) Reliability Standards issued by the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corp. (NERC), but the CIP standards have been a moving target since their first issuance. They have been updated repeatedly, with the most recent action coming in January, when FERC issued its final rule adopting CIP Version 6. (And even that rule directed NERC to “develop certain modifications to improve” the standards.) Several states, such as California, are also looking more closely at cybersecurity issues.

In Europe, the European Commission (EC) in December 2015 agreed on the Network and Information Security Directive, which proposes to set standards for cybersecurity across the European Union, as well as promulgating certain reporting requirements. The text still needs to be approved by the European Parliament and the European Council, after which member states will have 21 months to implement the directive into their national laws and another six months to identify operators of essential services. The EC is also launching a public-private partnership on cybersecurity in 2016 as part of the Digital Single Market initiative that aims to lower online barriers between member states.

Government-mandated standards aren’t the only concern. Failure to meet voluntary guidelines, such as the National Institute of Standards and Technology’s 2014 Framework for Improving Critical Infrastructure Cybersecurity, can also create risks over and above the risks of cyberattack. Courts often look to such standards as evidence of whether a defendant party has acted with reasonable care to avoid harm to itself and others.

Financial Risks. In addition to risks of regulatory noncompliance, there are significant financial risks from cyberattacks, ranging from fraud enabled by data breaches, to equipment damage, to lost income resulting from systems being unavailable.

Insurance Policy Risks. Underlying these risks is an ongoing evolution of cyber insurance policies. Geoff White, head of cyber coverage for Barbican Insurance and chair of the Lloyd’s Market Association Cyber Working Group, who spoke to POWER via email, noted that “the cyber insurance sector as a whole has undergone a period of significant change in recent years. We have witnessed a marked expansion in the scope of cover to include aspects such as cyber extortion, crisis management costs, security and privacy liability, and regulatory defense costs.”

Yet, while more types of coverage are available, many carriers are beginning to carve cybersecurity risks out of traditional policies or greatly limit their exposure, so that a poorly prepared company may find a loss it expected to be covered no longer is.

“It is critical that power and utilities companies have a clear understanding of exactly where their exposures lie and the scale of these exposures,” White said. “This insight forms the basis of their coverage, ensuring that they have appropriate protection.”

Reputational Risks. Finally, there are potentially dire risks to a company’s reputation even if the attack was trivial or unsuccessful. Consider the effects on a utility’s relationship with its customers if its public-facing website is hacked and taken over so that the first thing customers see when visiting the site is evidence of the utility’s faulty security. The generating system may not have been compromised, but the company’s reputation for cybersecurity will have taken a big—and perhaps permanent—hit.

People First

How do generating companies guard against potential disasters of this sort? Jeremiah Talamantes, president of St. Paul, Minn.–based RedTeam Security Consulting, who spoke to POWER in January, has a threshold suggestion.

“Quite candidly, a lot of what we are going up against is companies throwing technology at the problem, which I think is the wrong approach.”

Good cybersecurity risk management, he said, is as much people management as technology management. Unless a company’s people, from the top down, understand all the risks and that protection is everyone’s job, there are going to be problems.

“A lot of folks throw technology at a problem and expect it to fix it,” Talamantes said, “and as a matter of fact, it is generally the opposite. Either the stakeholders are not taking cybersecurity seriously enough or they’re not devoting resources to it correctly.”

The first step in risk management is identifying the risks, a step that is more challenging than it might appear. Jonathan Pollet, founder of Spring, Texas–based Red Tiger Security, which advises generating companies on cybersecurity, spoke to POWER in a January interview and noted that some companies in the power sector don’t even have a clear view of all their connected assets.

“If you don’t know what assets you have, it’s very difficult to prioritize how to protect them,” he noted. “And if you’re not protected, you don’t know if you’re under attack, which means you don’t have a good idea of how to respond.”

Pollet said the starting point is a comprehensive assessment of the company’s system and all the ways it allows entry and remote access.

“It’s very important that the technical infrastructure that supports the operation is safe and sound, after which you have to look at the framework of policies and procedures that govern how the system is managed.”

Because employees are often the weakest link in a company’s cybersecurity and often the vector for an intrusion—as with the Ukraine and Israel attacks—good risk management requires good companywide education, Talamantes said.

Once an assessment is made of the company’s cybersecurity risks, employees need to be educated on the biggest risks and the potential impacts on the business so that everyone appreciates what’s at stake.

“You need to have those policies disseminated in the form of security awareness training,” he said. “We really recommend it for all employees because it is a systemwide organizational endeavor. While certain roles have certain responsibilities, it should be everyone’s responsibility to report. They should know where to report to, and those people who are responding to reports should have a clear understanding of how to react.”

Overreliance on technical solutions can lead to trouble, Talamantes said.

“There is only so far that technology can go,” he noted. “We can have all these technical pieces in place, but nothing beats human intervention in terms of responding to these kinds of things. Intrusion detection systems are only tools. At the heart of it is people, and they need to know how to react and who to report to.”

Monitoring and Logging

Asked what separates the best-prepared generators from the poorly prepared generators, Pollet pointed to attitudes in upper management.

“Companies that are poorly situated,” he said, “look at cybersecurity as a necessary evil in order to meet the minimum requirements to stay out of the newspapers and avoid noncompliance. It starts at the top—either the senior executives get it, value it, fund it, and promote it and talk about it in board meetings, or they want to spend as little as possible to meet the requirements.”

The problem with the bare-bones approach, Pollet noted, is that it often results in power engineers being asked to handle cybersecurity issues on top of their regular jobs, putting out fires and patching vulnerabilities as they come up, instead of being proactive about security.

Properly prepared generators, by contrast, have dedicated teams devoted to cybersecurity who are given enough resources to do their jobs. They have the time and staff to watch for potential problems and abnormal events on the system and address them.

Why does all this matter? Because, as Talamantes pointed out, robust, accurate logging and recordkeeping is critical for cybersecurity risk management.

“Probably one of the most important areas is trying to establish a baseline of network operations, that is, understanding behaviorally how your network operates,” he said. “Then and only then will you understand how to detect abnormal events, such as a spike in bandwidth in a certain area.”

Once the baseline is established, accurate logging should be used to develop a picture of long-term trends.

“Then you have an ongoing history so you know what kind of traffic you’re seeing” over time, he said.

“If you don’t have a team of people that are dedicated to monitoring everything, then you are simply not going to be able to respond. The whole system is going to fall apart.”

And indeed, such monitoring is not yet the rule. The PricewaterhouseCoopers study found that only 51% of companies in the power sector have active monitoring and analysis of their cybersecurity records in place.

Accurate records of network events are necessary for a variety of reasons. Without good logs, it may be impossible to determine whether or not there was an actual intrusion, or, if that is known, how far it went and what damage was done. Knowing what happened makes a company much better prepared for dealing with regulators and for responding to potential litigation. Being able to establish that an intrusion was unsuccessful or that damage was limited puts a generator in a much better position than if the scope of events remains unclear.

Pollet pointed to the 2003 Northeast Blackout, which began when an alarm and logging server operated by FirstEnergy in Ohio crashed (and then caused a cascading series of crashes on connected energy management system servers). This left the control room operators unaware of multiple growing problems on their system. NERC would later point to the lack of proper monitoring of the alarm detection system—there was no failure detection, so operators had no way of knowing the alarm monitor was down—as one cause of the blackout.

“If a company doesn’t have people ready to respond, doesn’t have the proper technologies, doesn’t have the proper logging to be able to understand what happened, when it has the spotlight showing on them [after a network breach] their financial hit is going to be that much greater,” Pollet said.
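As an added illustration of the baseline-then-deviation approach Talamantes describes, and of the silent-alarm-server failure Pollet cites from 2003, the following Python is example code written for this article, not code from POWER, RedTeam Security or Red Tiger Security. The segment names, throughput readings, heartbeat timestamps, the 3-sigma spike limit and the two-missed-intervals silence rule are all constructed assumptions.

```python
"""Baseline-then-deviation monitoring over constructed traffic samples.

Two checks that follow from the article's logging discussion: flag a
segment whose bandwidth departs from its own behavioural baseline, and
flag a telemetry source that has stopped reporting (a silent alarm
server gives operators no signal unless something watches for silence).
All readings and timestamps below are constructed for illustration."""
from statistics import mean, pstdev

# Constructed hourly throughput readings (Mbps) for two plant segments.
# The first 12 readings of each series are the quiet-period baseline.
BASELINE_WINDOW = 12
READINGS = {
    "control-lan": [10, 12, 11] * 4 + [11, 13, 10, 48, 11],
    "corp-lan": [40, 45, 50] * 4 + [44, 52, 41, 47, 49],
}

# Constructed heartbeat state: epoch seconds of the last log batch each
# source delivered, and the interval (seconds) at which it should report.
LAST_SEEN = {"alarm-server": 1000, "historian": 1700, "firewall": 1850}
REPORT_INTERVAL = 300
NOW = 1900


def baseline(series, window=BASELINE_WINDOW):
    """Mean and spread of the quiet-period readings a series is judged against."""
    quiet = series[:window]
    mu, sd = mean(quiet), pstdev(quiet)
    # A perfectly flat baseline would turn every change into an alarm; floor
    # the spread at 5% of the mean (an assumed tuning choice, not from the article).
    return mu, max(sd, 0.05 * mu)


def spikes(series, window=BASELINE_WINDOW, sigmas=3.0):
    """Indices past the baseline window whose value exceeds mean + sigmas * spread."""
    mu, sd = baseline(series, window)
    limit = mu + sigmas * sd
    return [i for i in range(window, len(series)) if series[i] > limit]


def silent_sources(last_seen, now, interval, missed=2):
    """Sources whose last report is older than `missed` intervals. Here the
    monitoring itself has failed, which must be alarmed like any other event."""
    return sorted(src for src, ts in last_seen.items() if now - ts > missed * interval)


def run_checks(readings=READINGS, last_seen=LAST_SEEN, now=NOW, interval=REPORT_INTERVAL):
    """One pass over all segments and sources; returns the findings for operators."""
    found = {seg: spikes(vals) for seg, vals in readings.items()}
    return {
        "spikes": {seg: idx for seg, idx in found.items() if idx},
        "silent": silent_sources(last_seen, now, interval),
    }


if __name__ == "__main__":
    for kind, result in run_checks().items():
        print(kind, result)
```

With the constructed data, the control LAN's 48 Mbps reading is the only spike (the 13 Mbps reading stays inside the baseline band) and the alarm server is the only source reported silent.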

Backups and Restoring Data

Pollet drew a clear distinction between well-prepared generators and poorly prepared ones in how they handle their data backup and restoration processes. That process has gone far beyond traditional tape drives and CD-ROMs.

“We have clients who have embraced technologies like virtual machines so they can restore and recover their assets within seconds,” he noted. Other generators, by contrast, “take a CD-ROM backup and stash it somewhere. Then they don’t test their recovery processes or their recovery CD, so if in fact they were to have an Internet outage, they don’t have the ability to recover quickly, if they even have the staff to manage it.” When that happens, small problems can cascade into big ones, and big ones can become existential threats.

While NERC CIP-009-6 requires companies to develop and test backup and recovery plans, it does not dictate a specific method. That means a company taking the least expensive and least complicated approach may be in compliance while being badly exposed to potential problems.

Public Relations

Reputational risk management in cybersecurity is often not a key priority, even though substantial reputational damage can result from what are essentially insignificant incidents, such as distributed denial-of-service attacks on the company website or other public-facing gateways. Generators that are well prepared with a dedicated response team can mitigate these attacks quickly enough to avoid significant attention, Pollet said. Poor preparation, by contrast, can turn otherwise insignificant incidents into major black eyes.

Preparation needs to go beyond the IT department, however. Cybersecurity training should include personnel in public-facing roles such as media relations, so that those employees are properly prepared to understand and explain cyberattack events to the public when they occur. Even if an event is properly handled behind the scenes, mismanaging the public perception can result in significant reputational damage.

By contrast, a generator that is ready with solid information on what happened and the ability to explain it clearly can weather otherwise potentially embarrassing events in good shape. Media relations employees should have a good basic understanding of cybersecurity issues so that incidents can be described accurately and terminology used correctly.

Cybersecurity Insurance

Given the wide-ranging risks from cyberattacks, one might think cybersecurity insurance would be widely used. But in fact, a 2013 study by the Ponemon Institute found that only 31% of responding companies carried such a policy. Further, of those that did not, 43% had no plans to purchase one. Cost and policy exclusions were the main reasons cited for this reluctance.

However, the Ponemon study also found that of the 56% of responding organizations that had experienced a material security exploit or data breach during the previous 24 months (averaging $9.4 million in financial impact), 70% became “much more interested” in purchasing a policy afterward. This suggests that companies taking a “wait and see” approach often find out the hard way the value of a cybersecurity policy.

The same study found that of those organizations with policies, 71% felt the premiums were fair (or too low) and 67% were likely or extremely likely to recommend cybersecurity insurance to colleagues.

The market for cybersecurity insurance is clearly growing. The PricewaterhouseCoopers study forecasts that the global market will expand from $2.5 billion in 2016 to $7.5 billion by 2020.

Barbican’s White noted that the biggest risk is the financial fallout from interruptions in normal business operations. He pointed to a 2015 Lloyd’s study, “Business Blackout,” that estimated potential impacts from a remote-but-plausible large-scale cyberattack on the U.S. grid could run into the hundreds of billions of dollars.

“The study showed that business interruption losses were, by some way, the largest constituent of the overall loss figure. It is imperative that companies understand how to quantify their potential business interruption losses and factor these into the scope of their insurance cover.”

He also mentioned an ominous element of this risk.

“The question here is not so much whether cover is available,” he said, “but rather whether there is sufficient capacity within the insurance sector to meet overall demand. Some of the large-scale power companies will require multi-billion dollar limits; however, the insurance market is not currently in a position to provide that level of cover.”

That means that proper preparation to guard against and mitigate damage from cyberattack is all the more important.

“It is important to remember that this is a plausible situation that is being assessed with realistic potential loss estimates,” White warned. “Using [the 2015 study scenario], it is clear that those without adequate protection in place leave themselves vulnerable to severe financial losses.”

Thomas W. Overton, JD is a POWER associate editor.