Utilities benefit from a risk-based approach to cybersecurity
Because of the increased sophistication of attacks, utilities need to embrace a risk-based approach to cybersecurity to match the existing basic-level of compliance.
The idea utilities need to embrace and utilize a risk-based approach comes on the heels of the revelation of the denial of service attack sPower, a Utah-based renewable energy supplier, suffered in March 2019. They were the victim of an attack that involved exploitation of a known vulnerability in Cisco firewalls.
“What we saw in March was in one third of the country, grid operators lost visibility,” said Leo Simonovich, Siemens vice president and global head of industrial cyber and digital security.
While the producer did not suffer an operational issue, it did lead to a denial of service (DoS) which led to communication outages between the organization’s control center and the field devices at various sites.
The incident became public earlier this year when the National Energy Technology Laboratory revealed a cyber event caused problems at a utility in the western part of the U.S. on March 5. The report said the incident affected California, Utah and Wyoming, but it did not result in any power outages. The report did not reveal the name of the producer.
The North American Electric Reliability Corporation (NERC) said in September 2019 the security flaw impacted the web interface of firewalls, and the result was a DoS attack, which caused the appliances to reboot. The communication outages occurred over a period of 10-12 hours and each lasted for less than five minutes.
Simonovich was responding to a report entitled, “Caught in the Crosshairs: Are Utilities Keeping Up with the Industrial Cyber Threat?” sponsored by Siemens and conducted by the Ponemon Institute.
In the study, 56% of respondents reported at least one shutdown or operational data loss per year, and 25% ended up impacted by mega attacks, which are frequently aided with expertise developed by nation-state actors.
“There is a real sense of awareness of the challenge,” Simonovich said. “The respondents are recognizing they are unable to detect and they are experiencing damaging events. I think there has been a strong focus on compliance, and while compliance is good because it is prescriptive, it lifts the middle and it helps a majority of organizations develop a baseline of security. You still need a risk-based approach to keep up with the evolving cyber threat. That is a difference with the oil and gas sector where they manage based on risk and not based on compliance. Here, the utilities industry has done a lot to get the basics in place, and yet because the threat level has changed so much and it is so sophisticated, they have to beef up their capabilities.
“Compliance has done a lot of good for the industry. It created a baseline of hygiene and shored up defenses. It has been very good for the industry. You need both. You need a risk-based approach and you need a regulatory regime to ensure the industry takes action.
One other difference, Simonovich said, is the “interconnectedness” of the system between generation, transmission and distribution.
The vulnerability of critical infrastructure to cyber attacks has potential to cause severe financial, environmental and infrastructure damage, and according to all respondents, 64% said sophisticated attacks are a top challenge and 54% expect an attack on critical infrastructure in the next 12 months.
“What is happening in the utility space is the energy sector is going through a fundamental transformation with digitalization of power production and the introduction and switch out with traditional fossil generation for renewables and what that has done is created an increasingly hyper-intelligent, super-connected attack surface,” Simonovich said. “In many ways it is a Catch-22. On one hand, there is the brownfield with digital bolted on top. On the other hand, we have this digitally native, renewable landscape that is distributed and decentralized.”
“We wanted to understand what does risk look like in this energy transition and what are the readiness levels and what are the solutions they are thinking about? We found these are a major challenge for many utilities,” Simonovich said.
The utility industry is seeing the increased sophistication levels of the attacks targeting the industry.
“They are grappling from attacks that are sophisticated, with many coming from nation states, and many of those attacks being potent causing shutdowns, safety events and environmental incidents. Only 42% are ready to address this new cyber risk frontier and only 31% are able to respond when an incident does happen. Those statistics are troubling.”
The smaller utilities, Simonovich said, are particularly vulnerable and struggling to address this because they don’t have the staff.
There are four issues facing them:
- Visibility challenge
- Lack of humanpower or resources
- Ownership, who owns operations technology (OT) cyberspace in the utility area
- How to address nation state attacks.
While utilities are aware of the issue, and the know they need to do something, but the question is are they?
“Most of them are struggling with basic cyber management and today there is not a clear line between information technology (IT) and OT,” Simonovich said. “You have got to get them right before you can embark on the rest of the journey.”
The big utilities are on the right path, he said, but it is the midsized folks that need some assistance.
Along those lines, Simonovich offered some basic best practices to get utilities moving in the right direction:
- Know what you have
- Assign dedicated personnel to OT
- Create an incident response plan.