Market view: Seven pillars of cyber defence

The energy sector’s critical infrastructure has been identified as among the top global targets for hackers, so John Langley-Davis offers seven pillars of cyber defence to consider in a security plan.

As the energy industry increasingly moves towards automation and connected services, it is attracting the attention of hackers. These threat actors are looking to cause widespread disruption, meaning the pressure is on to defend this arm of critical infrastructure.

Cyber-security incidents are escalating in volume and complexity. While still new to the age of connectivity, the energy industry is becoming increasingly aware of cyber-­security threats and the need for standardised, effective solutions to combat them.

The energy that utilities provide serves as the lifeblood of a functioning modern society. But the facts speak for themselves: a report by the European Union Agency for Network and Information Security (ENISA) on the Cost of Incidents affecting CIIs ­(Critical Information Infrastructures) found that the energy sector, alongside the finance and ICT sectors, has the highest incident costs – and these attacks are on the rise.

Where vulnerabilities lie

Now that cyber security is a top-of-mind concern, utility stakeholders are mimicking their IT peers and seeking ways to strengthen their infrastructure security. Just look inside the industry’s substations, where proprietary devices once considered for specialised applications are now being scrutinised for vulnerabilities. After all, the sensitive information found there (such as online documentation that describes how these devices work) can be accessed via the internet by anyone, including those with malicious intent.

Electrical substations today are characterised by different mixes of information technology (IT) and operational technology (OT). Operational technology is defined as the automation and control systems and components that monitor, measure and protect critical infrastructure.

There are many ways to access computer systems. The number has increased dramatically now that employees commonly use mobile devices or USB keys to connect. With so many devices in play, the chances of malicious software invading these systems increases. This could cause a ­utility’s control system or network to go down and damage substation systems that control the grid – affecting not only a business, but also the economy and security of a country or region.

To address this problem, many substation automation vendors have tried the bolt-on security approach, keeping cyber security functionally separate from non-secured OT devices and building a layer of security around them. This approach may allow for a layer of access control and monitoring, but once the initial layer is breached, devices remain vulnerable.

While bolt-on solutions allow for a fast implementation to reduce the risk of a cyber attack on OT devices, substation asset managers should consider upgrading their OT devices during their lifecycle to newer devices containing built-in cyber-security functions.

The seven pillars

To help prevent system unavailability and quickly recover from a security incident, it is essential to have a robust cyber-security programme in place. An integrated cyber-security solution designed for critical infrastructures allows users to increase the safety, availability and reliability of industrial ­control systems.

The seven steps below should form the key elements of any utility company’s ­security plan:

1. Identify critical cyber assets

Identify the assets that are essential to operations and ensure that there are up-to-date back-ups of these, which allow for quick recovery in the case of loss or failure.

2. Minimise access to the most sensitive information

Partition the sensitive data inside communication pipes. Sometimes wide area networks (WANs) are used for multiple purposes, such as internet protocol (IP) telephony, CCTV, teleprotection, and supervisory control and data acquisition (SCADA). Segment and use quality of service to preserve critical ­functions according to priority.

3. Control user access

Restrict users’ electronic and physical access to prevent unauthorised access of confidential and critical company information.

4. Implement patch management policies

Eliminate known security vulnerabilities by implementing a system that monitors and applies software patches.

5. Prevent malicious software attacks

Protect against malicious programmes using application whitelisting, which allows only authorised applications and services to run on a computer.

6. Develop a disaster recovery and response plan

Ensure processes, policies and procedures are in place to recover critical technology infrastructure in the event of a breach.

7. Monitor cyber systems for attacks

Monitor systems continuously for signs of attack, such as failed logins and account deletion and creation, and ensure an alert system is in place for reporting any attacks.

 

Implementing these strategies is critical for protection. However, given the proliferation of cyber-security breaches across industries in recent years, many experts believe it is no longer a question of if, but when, a company will experience a breach.

With this in mind, utilities also need to deploy the proper recovery tools and processes to supplement the cyber-security protection technologies put in place. Not only will this mitigate the damage to systems, it also minimises the substantial damage that can be done, in terms of financial impact, and brand value and reputation – some of today’s biggest differentiators.