Keeping the Lights On: How Plant Operators Manage Cyber Risk
Interrupting power grids is one of the most effective ways to cripple a town or a city. If a region can’t keep the lights on, pretty much everything must come to a halt until the issue is remedied. For this reason, the power and energy industry has become a prime target for cyberattacks on operational technology (OT).
Over the past seven years, Ukraine has been ground zero for these types of attacks. Russian hackers in 2015 successfully shut down a portion of the country’s power grid during the cold winter months. A year later, the country endured another attempt on its power infrastructure. Now, there is reason to believe the same techniques are being used against Ukraine again in its current conflict with Russia. This weaponization of cyber tools against the power and energy sector has put plant operators on high alert and looking for the best ways to protect their plants against the growing threat.
As connected devices have proliferated in OT environments, attack surfaces have expanded, opening the door to a host of new threats. And the risk isn’t limited to facilities operating within conflict zones. Terrorists looking to cause chaos, hackers seeking big payouts and ideologically motivated hacktivists have all noted the potential for widespread impact with this form of attack. Now, many government entities and private critical infrastructure operators are scrambling to secure their operations against impending cyberattacks.
The Governance Gap
Governments in the U.S. and abroad have already introduced various regulations and guidelines in an effort to protect their nations’ critical infrastructure (Figure 1). However, as the number of attacks on critical infrastructure continues to rise, regulatory efforts are likely to ramp up in an effort to safeguard populations and property.
The U.S. government response to the issue is seemingly heading in the right direction and private businesses are heeding the call. Leaders within the power and energy industries have taken steps to adhere to federal and international guidance. Standards like NERC CIP have been implemented to create an industry-led baseline for cyber best practices. However, these guidelines are often too general and do not keep pace with the speed at which threats are advancing. Requirements for firewalls, for example, become outdated within a couple of years as hackers employed new technologies like artificial intelligence to help them breach networks.
Hackers’ ability to rapidly adapt and evolve complicates issues for regulators. The creaking wheels of government aren’t well equipped to keep up. It is for this reason that, despite the government’s best efforts, it can only ever mandate compliance—and that compliance rarely means security.
The future will likely see the U.S. shift to performance-based standards and work to go beyond the typical assessment-based approaches in place. Security needs to move not at the pace of compliance, but at the pace of business. Operators should have their focus on safety and operational availability first and foremost, rather than merely ticking boxes to achieve compliance.
The OT-IT Schism
As connected OT environments are a relatively recent phenomenon, operational cybersecurity programs are generally less mature than their information technology (IT) counterparts. Unlike IT systems, which are replaced and updated every few years, power plants and grid systems tend to be built on layers of legacy equipment that are designed to operate for decades.
It is a common misconception that IT cybersecurity professionals have the right experience to handle OT cyber threats. As these attacks can lead to cyber-physical consequences associated with the equipment and systems in an operational environment, cyber professionals with expertise in operational risk management are generally better equipped to respond to potential operational disruptions.
The attacks we have seen over the last two years have shown why OT cybersecurity expertise is critical. In the next couple of years, we will start to see companies increase their budgets accordingly as attacks continue and new best practices are developed. One area that is likely to see an influx of investment is cyber training and programs specifically for those running OT systems. Teaching operators and floor technicians how to monitor for breaches can close the gap between traditional risk management and cybersecurity. These programs will most likely be run in lab-type settings by third-party administrators with backgrounds in both IT and OT environments.
Catching Up
Operations professionals are rising to the task and looking to close the maturity gap. However, getting started doesn’t have to be complicated. Taking the following steps can help risk management leaders in power and energy design OT cyber programs that safeguard the nations’ critical infrastructure:
Inventory—It’s surprising how few organizations have a complete picture of their OT networks. Undertaking a comprehensive asset inventory is essential to understanding the points of attack open to bad actors. Today, automating that inventory is easier than ever before when considering all the different OT security products and services available in the market.
Map—Once the assets have been identified, teams can build a map of how those devices interact with each other, with the internet, and with people (both internal employees and third-party representatives). Even if a worker or vendor isn’t acting maliciously, they can be an unknowing conduit for ransomware if a hacker takes advantage of their access. A widely accepted approach here is to apply a Zones and Conduits, or the ISA/IEC 62443 standard, to distinguish different security levels in the OT environments.
Check—A robust cybersecurity strategy includes preventing attacks that come through the supply chain. Any new software or equipment added to the network should be put through cyber acceptance testing to ensure it isn’t compromised. Utilizing a reputable 3rd party to carefully review the device’s bill of materials should also be common practice as it indicates which other suppliers have touched the device, providing insight into the trustworthiness of the component.
Prioritize—There is no perfect approach to cybersecurity, so weighing the risks and understanding which pieces are most essential to operations can provide a roadmap for resource allocation. Assessing asset criticality and cybersecurity risks using a threat-based approach helps operators ensure the functions that keep the facility’s baseline functions online take priority over less-critical areas.
Monitor—Knowing the assets you have allows you to establish a baseline to measure against changes or abnormalities in the system that may indicate that an unknown entity has gained access. Continuous network and event monitoring using automated solutions allows operators and technicians to identify signs of a breach before the bad actor has a chance to cause damage.
Train—Timely, immersive, and role-based training is important so that each person understands the workflow and the role they play, which builds consistency and gives more nuanced insight into each worker’s responsibilities. Behavioral chain-based trainings are also an important tool for responding to an attack. When workers understand what events trigger which actions, organizations can streamline their response to an incident. Organizations that do not have the tools to conduct these trainings internally can partner with MSSPs with expertise in operations and cybersecurity to help implement these programs.
Respond—All hackers have different goals. Some are looking to hold data for ransom, some are looking to break things and cause chaos and others are looking to grind everything to a halt. Attackers targeting OT in particular are generally looking to put pressure on critical infrastructure with high visibility and low cyber maturity. Doing so disrupts supply chains and allows them to demand higher ransoms be paid faster.
Organizations need to develop plans for a variety of high-pressure situations so they can be executed at a moment’s notice. If an organization is developing a response plan after a breach occurs, they are already too late. Hackers continue to capitalize from the panic associated with a high-profile attack, therefore, having a plan in place ahead of time can reduce the panic lower the impact, and lead to a coordinated response.
Design—Organizations adding new assets or building new networks now have the chance to address cybersecurity concerns during the design and building process. The science of being “secure by design” means having protections built into the assets rather than layered on top after the fact. This engineering approach leads to cyber hygiene being a feature of the system rather than an addition.
With new digital technology driving more efficient systems and renewable energy sources being hooked up to the grid, the power and energy industry has never been so connected. While OT cybersecurity has traditionally been put off for later, or pushed under the umbrella of IT, the time has come for an OT-first approach to security. As decision makers see the impact of a cyberattack and begin to understand the nuances of operational environments, they will move away from IT solutions for cyber physical problems. When attackers are looking to blow things up and shut down operations, an IT-centric approach won’t cut it.
The frontlines are no longer far off in foreign lands but in the systems and networks of a nation’s critical infrastructure. And, like it or not, operators are now playing a key role in as the first line of defense. Operations teams need to be empowered with the OT cybersecurity tools they need to prevent major impacts. Getting a mature cybersecurity program set up takes time, so operators can start their cyber journey around building visibility and control over their most critical assets.
—Ian Bramson is Global Head, Industrial Cybersecurity, for ABS Group.