Across the country, and increasingly around the globe, information technology is playing a key role in the operations and organizational management of utility service providers. From customer-facing smart-metering technologies to administrative software tools that enhance automation and network monitoring, the revolution in interconnectivity has brought increased productivity and efficiencies, but also new areas of risk and vulnerability.
As a result, utility service providers must take a broad-spectrum approach to hardening their facilities, especially to cyber-criminals and hostile nation states that have the capability to cause harm and catastrophic impact to a system without ever approaching its physical structure.
An Evolving Crisis
Long thought to be isolated from cyber security threats, our utility infrastructure is critically impacted by the dramatic rise in global dependence on connected systems. This dependence greatly increases the number and types of vulnerabilities in utility providers' information technology (IT) infrastructure that sophisticated and motivated attackers can exploit. Currently the SANS Institute, a cooperative research and education organization focusing on information security training and security certification, has identified more than 200 areas of vulnerability in IT systems. These threats encompass a broad spectrum of vectors, most of which can be broken down into two areas: physical and logical breaches.
Physical breaches may include ‘vandalism’-type efforts to sabotage operations, or disruption of services due to natural or man-made catastrophes, such as disastrous storms and large-scale accidents. Logical access breaches can include a wide host of threats such as intentional hacking, inappropriate user access, and the introduction of malware (e.g. Trojan horses and Zero-Day Threats). Logical access breaches, due to the burgeoning interdependence of operations and information technology, are the fastest-growing concern. They are often synonymous with the term ‘cyber attack’ in the vernacular of the general public.
Breaches frequently occur due to a failure of both physical and logical protections for a specific system. For example, the introduction of Stuxnet, profiled on 60 Minutes, as well as the separate Duqu viruses, into industrial control systems occurred because portable media were carried across a physical perimeter and attached to the control system by a validated user of the system, which resulted in logical entry to the system and the introduction of malware into the environment. The effects of these malware intrusions, and others like them, are anticipated to grow as networks become more powerful and high-speed interconnectivities expand.
Further, the size and complexity of today’s security threats continue to intensify, leaving organizations and governments vulnerable to cyber-attacks at a time when we are increasingly pressed for resources. A recent U.S. Congressional Budget Office review estimated the cost of implementing the Federal Information Security Act of 2008 (FISMA), designed to improve information security throughout the federal government, at $40 million in 2009 and about $570 million over the 2009-2013 period. Similarly, a 2011 study by research analysts Gartner estimates that the enterprise security market (infrastructure, software, and service) will grow from $59.8 billion in 2009 to approximately $97 billion in 2014, with a compound annual growth rate (CAGR) between 8.2 percent and 10.9 percent.
A Multi-layer Solution
Assets can best be insulated from each of these types of breaches by a multi-layer – known as Defense-In-Depth – approach to managing known risks and preventing introduction of unknown risks to the protected systems. Defense-In-Depth ensures that an organization evaluates both physical and logical security threats, and subsequently establishes multiple layers of protection, making penetration to exploit any given vulnerability much more difficult. The appropriate line of sight for instituting multi-layer defense begins at the enterprise level and establishes a baseline assessment for comparison of security initiatives across the organization over time.
Even as cyber security has become an area of increased focus, utilities still face many unknowns in terms of incident preparation. It is very difficult to obtain data about the true cost of a security event (single loss expectancy, or SLE), and even leading research estimates are, at best, generalizations. Driven in part by a shortage of in-house cyber security expertise to determine and evaluate different threat types, in most scenarios companies focus on fixing cyber-related issues rather than assessing and sharing the incident cost, thus limiting the accuracy of future cost projections.
Further compounding the challenge for management are the limited roles that utility experts are presently able to play. IT professionals within utility organizations are experts at managing information systems and environments. Similarly, operations professionals (OT) are trained to understand the intricacies and demands of ICS (industrial control systems). Both of these specialized functions exist to support the utility’s core mission: sustainment and delivery of electricity and water to service the needs of the American public. The focus of utility employees is to support the mission critical, 24/7, non-stop demand on the utility for the supply of services vital to health and human welfare.
However, neither IT nor OT professionals within a utility are specifically prepared or tasked to address the concerns and results of today’s cyber threats, such as anti-hacking protocols, Defense-in-Depth security postures, and compliance audits across the spectrum of security concerns. Cyber threats have grown in correlation to the convergence, interdependence, and development of both information and operational technology in the utility space, and the need for an intelligent and proactive approach to resolve risks is clear.
To better manage resources, a cost-benefit analysis should be conducted for each proposed security control. In some cases, the benefits of a more secure system may not actually justify the direct and indirect costs. Benefits also include more than just prevention of monetary loss; for example, controls may be essential for maintaining public trust and confidence.
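As an added worked illustration of the cost-benefit reasoning above (not from the original article), the following Python compares each proposed control's annual cost against the annualised loss it is expected to avert and, because SLE figures are at best generalizations, checks whether the verdict survives across a low and a high SLE estimate. All control names, costs and loss figures are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Control:
    name: str
    annual_cost: float      # direct + indirect yearly cost of operating the control
    risk_reduction: float   # fraction of annualised loss the control is expected to remove (0..1)
    non_monetary: str = ""  # benefit that does not fit in dollars, e.g. public trust


def ale(sle: float, aro: float) -> float:
    """Annualised loss expectancy: single loss expectancy x annual rate of occurrence."""
    return sle * aro


def net_benefit(control: Control, sle: float, aro: float) -> float:
    """Expected yearly loss avoided by the control, minus what it costs to run."""
    return ale(sle, aro) * control.risk_reduction - control.annual_cost


def evaluate(controls, sle_low: float, sle_high: float, aro: float) -> dict:
    """Judge each control at both ends of the SLE range. 'justified' means it pays
    for itself even at the low estimate; 'sensitive' means the decision hinges on
    an SLE figure nobody really has; otherwise only non-monetary benefits remain."""
    report = {}
    for c in controls:
        low, high = net_benefit(c, sle_low, aro), net_benefit(c, sle_high, aro)
        if low >= 0:
            verdict = "justified"
        elif high >= 0:
            verdict = "sensitive to SLE estimate"
        else:
            verdict = "not justified on cost alone"
        if verdict != "justified" and c.non_monetary:
            verdict += f" (non-monetary benefit: {c.non_monetary})"
        report[c.name] = (round(low, 2), round(high, 2), verdict)
    return report


# Constructed sample: three candidate controls for an IT/OT environment.
SAMPLE_CONTROLS = [
    Control("Network segmentation (IT/OT boundary)", 20_000, 0.5),
    Control("Annual penetration test", 40_000, 0.2),
    Control("Managed 24/7 SOC monitoring", 300_000, 0.6, "public confidence, audit evidence"),
]

if __name__ == "__main__":
    # Constructed estimate: one incident every five years, costing $250k to $2M.
    for name, row in evaluate(SAMPLE_CONTROLS, 250_000, 2_000_000, 0.2).items():
        print(f"{name}: low={row[0]:,.0f} high={row[1]:,.0f} -> {row[2]}")
```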
Combating cyber threats is a significant challenge for the multitude of utility companies that are also wrestling with flat security budgets, aging workforces, shifts in security policies, and a shortage of IT staff qualified to address new types of electronic threats. In implementing a cyber security plan, utility CIO, IT, and network managers must address the dynamic nature of the cyberspace threat environment and comply with a broad range of security and compliance directives. Meeting these objectives effectively and within budget is often a daunting task but the prosperity and competitiveness of utility companies in the 21st Century depends on effective cyber security.
Given these hurdles, few organizations have the in-house capability to effectively develop and implement comprehensive cyber security protocols and are looking to outsource these services. (In the interests of full disclosure, my company provides such services.) While there are a number of firms that specialize in developing and supporting utility business models, utilities must find strategic cyber service providers with the skills to address:
1. Pre-audit Assessments, Audit Preparedness
2. Program Structure
3. Post-Audit Remediation
4. Strategic & Organizational Consulting (helping clients draft roadmaps and strategies for cyber security compliance)
5. Vulnerability & Penetration Testing
6. Training Program Development & Delivery (helping develop a policies and procedures program, develop curriculum, provide training, etc.)
7. Risk Management (assessing risk from a cyber security perspective)
8. Cyber and Physical Security Design (helping clients stay in compliance with NERC CIP when adding new critical assets, building new facilities, building a new security organization, etc.)
Depending on the specific objectives of the organization, and their maturity along the cyber security spectrum, any number of assessments may be conducted to determine the protections extended to an organization’s assets:
- Program Maturity Assessments – a review of an individual utility’s security posture and a measurement against overall industry position and trending.
- Risk-Based Assessments – a review of all systems potentially categorized as critical infrastructure to determine appropriate protections, the degree to which those protections have been implemented, and the amount of residual risk associated with unapplied protections.
- Vulnerability Assessments – a review of systems deemed to be critical infrastructure assets to delineate potential threats along with the likelihood of those threats occurring and their impact on the specific asset.
Some sectors of the utility industry have already been subject to legislation mandating specific protections of critical infrastructure assets, and significant fines (up to $1 million per day per incident) are levied when non-compliance is discovered. Other sectors have yet to mandate through law that cyber security protections be applied, but in the face of such detrimental and escalating risk, the question is ‘Why wait?’
Despite significant increases to funding for research, development, and deployment of information assurance (IA) defenses, reports of attacks on, and damage to, IT infrastructure are in fact growing at an accelerated rate. While for most, if not all utilities, it is a matter of cost versus risk, the risks are clearly increasing. The wise and forward-thinking utility industry participants are therefore evaluating and planning in advance for ongoing cyber security initiatives to protect their systems.
Daniel Rueckert, P.E. is Associate Vice President at Black & Veatch – Management Consulting.
With more than 30 years of experience in information technology, project management and utilities business consulting, Mr. Rueckert is responsible for the Compliance, Security & Risk business line within Black & Veatch along with management of large accounts, technology analyst relations and go-to-market strategy.
Mr. Rueckert joined Black & Veatch from Hewlett-Packard where he was Global Practice Director for Service Management and Security & Risk services within the consulting and integration organization. Mr. Rueckert led many key initiatives within HP around the packaging and use of Security best practices for enterprise customers combined with the use of ITIL “Best Practices”. Prior to that he was a Partner at Computer Sciences Corporation, working with technology start-ups in the San Francisco Bay area, and had 15 years of experience at Pacific Gas & Electric (PG&E) Company in various management positions.