2019 will be an important year for the energy sector as global utilities in smart energy, water and gas address the compliance requirements for critical infrastructure ordered by both the NIS Directive and GDPR in the EU.
The big challenges will stem from the proliferation of end-user data in these sectors, its increasing failure to hackers and malicious attackers and compliance with new regulation.
OT and IT teams will need to be aware of and responsive to cyber-security risks, both in terms of prevention and detection.
With regards to opportunities, this is a good time for utilities, energy suppliers and other critical infrastructure operators to carefully consider their obligations and transparently present action plans for cybersecurity and data protection compliance.
Smart Energy International spoke to Gilad Bandel, vice president of products at global critical infrastructure cybersecurity protection firm Radiflow.
The company’s in-house cybersecurity team recently found a vulnerability in Schneider Electric’s Modicon M221 PLC, a very common industrial controller, saving utilities millions in potential damages to their operations.
Cyber attacks on critical infrastructure are becoming increasingly common and sophisticated. The cases that have made global headlines in the industry and consumer-facing media, such as Triton, have had drastic consequences.
Earlier this year, the Trump administration accused Russia of a two-year long cyber attack on its national power grid.
According to FBI sources, these attacks are still ongoing. The mere fact that an attack like this can take place has highlighted the critical need for improved critical infrastructure security on a global level.
March this year saw the announcement of an office of Cybersecurity, Energy Security and Emergency Response for the United States, allocating $96 million for this center.
US utilities are predicted to spend over $7 billion on grid cybersecurity by 2020, but in order to implement solutions effectively, utilities first need to understand the interconnectedness of their systems, the relative strengths and vulnerabilities of the systems in use and then evaluate the solutions on offer.
The NEC CIP (Critical Infrastructure Protection) regulation is already in place in the US, which place a focus on security at substation level. European authorities have arguably taken a more comprehensive approach and in May, placed in effect the Network and Information Systems (NIS) Directive.
The announcement of which industries will have to comply with the new regulation is due by 7 November, but several countries are already ahead of this schedule with local regulation.
Some European countries have blazed initial trials in the region, such as the UK with its NCSE regulations and BSI in Germany.
Clear the roadblocks – build new bridges
“Many utilities are still learning to embrace the relationship between engineering and IT that’s required in order to establish and run effective cybersecurity,” says Bandel.
“In many cases, systems security teams try to apply IT-related security tools to OT networks, which is totally futile. OT networks behave very differently than IT networks. For example, OT networks are highly static and deterministic, while IT networks are dynamic. Cyberattack infiltration lateral movement is very long and actual attack launching is function of a strategic event in the OT network. If this much different than the IT network environment, where movement is swift and unrelated to external events in most cases.”
Instead, as a starting point, he recommends approaching an external organisation with expertise in cybersecurity for critical infrastructure and operation technology environments for a full security assessment.
“This will really deliver value in two major ways: firstly, the utility will be able to create a roadmap that will indicate concrete steps that should be taken to improve security and secondly, the assessment will enable the utility to comply with the first requirement of the NIS directive, which is to do a security posture evaluation.”
According to Bandel, a good cybersecurity partner will physically visit your site and collect information from as many data points as is required for a comprehensive assessment.
A report like this should have three clear sections, continues Bandel, providing visibility of their findings in terms of devices, assets and connectivity protocols.
The second section should detail the vulnerabilities, exposures, risk, threats and other problems found in the network and lastly, the report should indicate a mitigation plan for risk minimization with a list of the action steps necessary.
“These actions can then be prioritized and budgeted for. Often, security improvements can be implemented in phases and fall within existing or upcoming budgets.”
This then forms a comprehensive assessment that can be presented to senior management and provide a clear and easily understandable plan to massively improve security and compliance.
A report issued by Gartner in early 2018 noted seven questions security risk managers should be asking before determining a cybersecurity project. Amongst them were several critical considerations. Does your partner provide security for both OT and IT infrastructure or systems? Do they offer both protection and detection, are they vendor dependent, or can they truly provide the ideal solution for your requirements and is your partner equipped to support infrastructure in rugged conditions?
Radiflow is one of the few vendors in this space that can positively answer with a yes to all questions, claims Bandel.
There is no “one size fits all” solution:
“It’s important to note that there is no single approach or solution that provides a full answer,” explains Bandel.
“Secure systems for critical infrastructure are best built on a combined solution that creates layers of protection, both active and passive. There is also an important distinction to bear in mind between intrusion detection and threat detection. An effective solution will provide both early warning before any attack is launched and obviously intrusion detection once and intruder is detected. This way we can cover all the phases of a security project that starts with assessment includes protection, detection and obviously reaction and response in case of a security breach.”
Keeping costs down
Many solutions rely on the placement of a server on every single site, such as a substation, water pump, railway junction or important transmission point. This in turn raises the cost of both the initial installation and subsequent upgrades as well as maintenance. Furthermore, this considerably more expensive option does not provide network-wide insight, being limited to one site.
A smart probe is a much more cost-effective option, offering a low-maintenance device that can be placed on remote sites, even if only one PLC is in use at that location. A probe can collect all relevant network traffic, compress it up to a ratio of 1:10 and communicate to a central site, providing network oversight requiring modest bandwidth
“As a final point,” concludes Bandel, “it’s critical that critical infrastructure operators take a proactive role in their own security. One has to remain alert and run threat analysis on an ongoing basis. Security is not static, in fact it’s ever-evolving, and so your security partner should be evolving their solutions constantly to remain ahead of the next threat.”
Harmonizing risk and consequence strategies across IT and OT environments for greater cyber resilience
Strengthening OT Resilience: Protecting Critical Systems in a Rapidly Evolving Threat Environment
Quarterly ICS Security Report 2024 Q3