In August 2017, the UK government proposed plans to implement the Security of Network and Information Systems Directive (NIS Directive). The aim is to improve the security of the UK’s essential services including utilities. With up to a £17 million penalty for not being up to standard, energy and water providers must to take action to prevent disruption to their services.
The challenges of convergence
In the past, utilities have largely relied on the separation of their business systems from their ICS (Industrial Control Systems) or Operational Technology (OT) to provide security. This meant air-gapping communications and control networks with no links to external networks.
Today the industry faces brand new challenges. With the drive for operational efficiencies, utilities are being forced to deploy digital solutions leveraging IIoT (Industrial Internet of Things) to integrate their operational systems and networks with internal business systems and external systems such as data analytic services.
Utilities are also under competitive pressures to explore opportunities to monetise their data in creative ways. All of this means a weakening of the separation of the customer, operational and corporate networks that previously existed. The nationwide roll out of smart meters is a great example and one that is recognised as a significant risk to the country’s critical infrastructure, if not secured properly.
Applying the right tools to the right technologies
Industrial networks and systems are set to undergo the digital transformation that commercial businesses underwent many years ago. This transformation will bring with it new and existing threats and risks. The potential for industrial cyber incidents to occur at a frequency we have become accustomed to in commercial enterprise is also real.
If industrial cybersecurity is not properly addressed within the utility sector then we are open to not just the risk of data breaches but a genuine risk to the availability of energy and water supply at a local and national level. In some areas there are no second chances. Terrorism levels of destruction could be initiated or public health put at significant risk. Even low level opportunist cyber vandalism has the potential to cause disruption (or annoyance and distraction at a minimum) and this risk is escalating quickly given the growing digitisation of asset management, automation and process control.
Utility companies must make sure they are prepared to deal with the emerging cyber challenges to securing industrial systems. This means improving security processes and capability while also improving operational efficiency and achieving business objectives.
Many utility companies do not have the experience or expertise to address ICS or OT security. Some organisations make the mistake of trying to apply an enterprise security model in an industrial environment or believe technology will solve the problem. This enterprise security view fails to recognise the fundamentals of control systems and the challenges associated with operating industrial plant. It is therefore prudent for utilities to learn the lessons and take insights from other organisations who operate critical national infrastructure.
The priorities in industrial environments are typically not the same as they are for business. Safety, availability, integrity and confidentiality is typically the order of priority across industrial systems. As an example, a change made by enterprise IT on a manufacturing system brought production to a complete standstill. Had this been a safety critical system in a utility company the outcome may have threatened public safety.
Understanding who, what and how….
If they have not already done so, utility companies should act now to protect their industrial infrastructure. There are many security activities utility companies can start today using existing resources. These ICS/OT security basics are fundamental to developing foundations for a robust ICS/OT security programme. Start by forming a multi discipline working group to address ICS/OT security. It is imperative that senior leadership from both Information Security and Engineering are part of the group. Technical personnel are also key participants.
Engineering teams should begin to document all ICS/OT cyber assets starting with what they believe are their critical cyber assets. They would include those networked controls, systems and devices that if compromised may impact health and safety or availability of the plant. High level diagrams and design documentation of the ICS/OT network is also essential, not only as an aide to assessing the risk and implementing appropriate technical controls but also to facilitate investigation and recovery when an incident occurs. Often this documentation does not exist but should be produced.
One primary attack vector often overlooked is the supply chain. With many small and specialist vendors supping utility companies this avenue of attack is an easy route to breach the defences of an ICS/OT network. By first compromising a supplier, an attacker can then exploit the trust and access smaller specialist suppliers have. Implementing a comprehensive supplier security assurance programme is essential to mitigate this risk.
In parallel, a risk assessment should be undertaken. This should be followed by a report documenting recommendations for improvement and an ICS/OT security road-map. Experience has shown that the risk assessment and report should be performed by ICS/OT security specialists.
From the directives issued to possible fines, through safety impacts and reputational damage the reasons to give cybersecurity due investment and attention become clear. It will be the level of integration with wider industrial and technical development that will be a key factor in how effective and efficient the implementation will be.