Reliability and resiliency are buzzwords in today’s world of power generation. The focus is often on valuing those attributes, be it through subsidizing baseload power to make it more economically viable, or through other means.
Reliable delivery of electricity, of course, also depends on cyber-resilient systems, at power plants and across the grid. Cyberattacks against power plants and transmission and distribution systems have highlighted this need; in the U.S., the Department of Energy (DOE) in early 2018 created the Office of Cybersecurity, Energy Security, and Emergency Response (CESER), an agency to support the resiliency of the nation’s electric power grid, and oil and gas infrastructure, against cyber threats and potential intrusions. CESER’s activities, according to the DOE, “include the ongoing support of research, development, and demonstration of advanced cybersecurity solutions, acceleration of information sharing to enhance situational awareness, and technical assistance in the development and adoption of best practices.”
NCC Group is an information assurance firm headquartered in Manchester, UK. NCC’s service areas cover software escrow and verification, cybersecurity consulting and managed services, website performance, software testing, and domain services. The company says it has more than 15,000 clients globally, with office locations worldwide, including eight in the U.S. NCC’s staff are considered experts in cybersecurity and risk mitigation, working with businesses including energy companies to protect brands, reputation, value, and assets.
NCC is a founding member of the Operational Technology Cyber Security Alliance (OTCSA), a group announced in October 2019 and designed to help bridge gaps in security for operational technology, critical infrastructures, and industrial control systems. OTCSA’s founding members include such energy and industrial leaders as ABB, Check Point Software, BlackBerry Cylance, Forescout, Fortinet, Microsoft, Mocana, Qualys, SCADAFence, Splunk, and Wärtsilä.
Two members of NCC’s team, Damon Small and Rob Wood, recently spoke with POWER about the importance of cybersecurity for energy companies, and how executives need to support their company’s information technology (IT), operational technology (OT), and other departments in establishing cybersecurity strategies and protocols. Small is technical director at NCC, and Wood is practice VP for hardware and embedded security services.
POWER: Those working in the power generation sector acknowledge the importance of cybersecurity, but it often seems as if companies simply rely on their IT departments to keep their information networks and assets safe, as opposed to getting all workers involved. What have you seen in your experience?
Small: “My observation is the same. I go to a lot of security conferences, and you find it’s a bit of an echo chamber, that everyone there agrees with what you say about the importance of cybersecurity. So how do you get to the conversation that security is everyone’s problem, not just IT’s problem? As soon as you say information security, everyone thinks IT. We need to change the language, so we need to talk about the safety of information, to take it out of the realm of IT and OT and make it part of the business, which is where it needs to be.”
Wood: “One thing that I have found, and I’ve done a lot of talks at conferences that were not security-focused, is that it needs to be ingrained in the business. It needs to be part of the message, even if it’s just an awareness campaign.”
Small: “Those conversations need to be taking place in the board room. The business needs to say, ‘We’re going to care about this, and we’re going to measure the value of information assets.’ ”
POWER: How can that valuation be accomplished?
Wood: “In the automotive space, they didn’t have security. Now cars are connected to the internet. The auto industry knows safety, and now they’re moving ahead with security. We recognize that it’s hard to quantify. How do you put a price on security? How much should we [as a company] spend, not knowing whether something is going to happen? Ransomware, as bad as it is, has been helpful because it’s opened a lot of eyes to the problem. Ransomware has been very good at putting a dollar value on it, and once you have that, it’s obviously a business decision.”
Small: “It’s like insurance. The way you justify the spend is valuating information assets, putting it into dollars. I don’t mean the routers, the physical equipment. I mean the information assets. When an information asset goes away, like a medical record, now you can quantify it, as in, how much money will you lose if it goes away.”
POWER: Your group consults with businesses on how to implement programs and mitigate risk. Can you talk about a suggested plan?
Wood: “On the technical side, one technique I’ve seen work really well, [a company] will have a core security team, where their job is nothing but security, and then they’ll have a security champion, a point person on other teams for cybersecurity.”
Small: “The cybersecurity champion has the authority to absolutely stop a project in its tracks. And I’ve seen it happen, with multimillion-dollar projects scrapped due to a cybersecurity problem.”
Wood: “That structure works well, but it definitely needs to come from above. We need to recognize that security is important, and it’s going to be funded. We need to fix the problem of understaffed and overworked security teams.”
POWER: What is a worst-case scenario should malware infiltrate an energy company’s network?
Wood: “The worst-case scenario kind of depends on who the attacker is. If it’s a targeted attack, it’s a lot worse. There can be continuity issues. Something such as Stuxnet [which caused damage to Iran’s nuclear program], where actual physical systems are breaking, that’s definitely something you don’t want at a nuclear facility. They were specifically trying to destroy equipment.”
Small: “The types of systems that may be affected by ransomware may not be mission-critical, there may be another system capable of taking over. With Stuxnet, it destroyed physical equipment. I do a lot of work with oil and gas companies, and with refineries. When you’re talking about major damage, you’re talking about safety and loss of life.”
(Editor’s note: News reports in September 2019 said an Iranian engineer recruited by the Netherlands planted the Stuxnet virus at an Iranian nuclear research site in 2007. The virus was uncovered in 2010, but how the program was introduced had remained a mystery until Yahoo! News reported the findings of a years-long investigation, which said the Dutch intelligence agency AIVD, at the request of the U.S. CIA and Israel’s Mossad spy agency, recruited an Iranian engineer to implant the virus program into Iran’s Natanz uranium enrichment facility. Up to 1,000 centrifuges out of 5,000 were damaged by the virus, a major setback for Iran’s nuclear program.)
POWER: What can facilities do to make themselves safe from a cyberattack?
Wood: “I would never declare anything safe or secure … it’s always safer or more secure. It’s basically security hygiene. Think about having control panels on the internet. If a nuclear reactor was on there [connected to the internet] I’d be terrified. The problem with most industrial controls, there is basically no security on the network, so if that gets bridged with another network, it’s a problem.”
Small: “It’s not that any of these energy producers are negligent, but many times in the brownfield areas, with systems that have been running for several decades, in the before time [pre-internet] they may not have been connected to any network. Those things couldn’t talk to the internet. In the decades since, you’re seeing the tremendous value in these connections, with HMI [human-machine interface]. So now you’re taking these old networks and bridging them to the business network, and that’s causing issues that can’t be anticipated. Some of the problems we find when we look at these systems are very basic things. The OT and the IT teams, who historically are two different departments who never talk to each other, need to set aside their disagreements and come together.”
POWER: Can you sum up where things stand today?
Small: “There are no security decisions, there are only business decisions. We can’t expect a business to become more security-savvy. The computer scientists need to become more business-savvy.”
—Darrell Proctor is a POWER associate editor (@DarrellProctor1, @POWERmagazine).