Energy Central Power Perspectives™: A Red Team/Blue Team analysis to leveraging existing systems to effectively detect unauthorized devices and prevent network compromise, an Interview with Pauli Laine of Fingrid
image credit: Pauli Laine
- Feb 12, 2020 4:15 pm GMT
- 456 views
Cybersecurity at the top of the priority list for utilities these days, recognizing that without a secured network that many of the other advancements the industry seeks simply can’t exist. This focus is only going to become more apparent as the digital utility advances, and that’s why the upcoming Utility Telecoms 2020 Conference, taking place in late February in Amsterdam, will be one for the whole industry to keep an eye on.
As one approach towards cybersecurity, Pauli Laine is set to present his talk entitled “Prevention and Detection: A Red Team – Blue Team analysis – leveraging existing systems to effectively detect unauthorized devices, users or suspicious and to prevent network compromise.” In order to give the Energy Central Community a taste of this critical topic, Pauli agreed to participate in a pre-conference Q&A for our Power Perspective™ Interview Series:
Matt Chester: First things first, can you give some background about yourself, what you’re working on these days, and how you got involved in cyber security issues in the utility sector?
Pauli Laine: I have always had a passion to all sort of technical things and that’s probably the reason why cybersecurity is close to my heart. I’ve been working in security related matters since I graduated at 2001 across different sectors like retail, insurance, construction and now in the energy Sector. After about six years of working experience, I started certification programs in information security field. Gaining more years with practical experience, combined with theoretical knowledge, I have understood the importance of doing things right from the beginning, since that will carry on through the whole life-cycle of the system.
MC: Can you give an overview of Red Team / Blue Team Trainings that you do for the utility sector? What do these trainings look like, how are the implemented, and how often are they used?
PL: I have been involved in several trainings as a Blue Team member, but I don’t do trainings since there are a lot of companies that can provide excellent trainings for companies. Trainings vary depending on the scope. There are cybersecurity trainings in simulated environment or lab environment where usually the Blue Team defends infrastructure and the Red Team tries to penetrate the infrastructure. This way, no harm or downtime can be done to real infrastructure. There can also be several Blue Teams in the same training. For example: one Blue Team controls company A’s infrastructure that has a deep cooperation with company B, which infrastructure is controlled by the other Blue Team. Together, they will face incidents caused by the Red Team that represent a state sponsored actor or some other hostile activity towards their businesses. This way, we will test both Blue Teams’ ability to communicate with each other and their ability to detect and defend against Red Team activities. There are other teams that control the training so that it will stay on the right track at all times: giving more pressure to some team, changing the rules slightly, disclosing new information etc. This same situation can be created towards Blue Team’s own infrastructure in a real environment. Simulated training usually takes place once a year or even twice per year if there are different scenarios or member to take part on.
MC: What are some of the common lessons that utility actors will come away with after a Red Team / Blue Team training? What are some actionable items that typically result?
PL: Trainings are usually a wakeup call to the IT or security people. Usually IT is very busy on executing business needs and there are pressures on the business side to have the project or process done in time. Business does not usually understand the importance of monitoring, logging, and hardening the system before it goes to production and security may be compromised if these are not planned and implemented during early stage of the project. Sometimes security is even considered as a bottle neck of the project, while usually this is just a lack of planning or involvement of security at the early stage.
Usually after a Red Team / Blue Team Training, IT or security staff will wake up to understand that the real savings come when compromises are avoided and the real risks are introduced when project or process is compromised because of high pressure of going into production too fast. Someone should always take responsibility when trade-offs are done with security. No one wants to be in the situation where someone else is controlling your IT environment while you have been kicked out of it as a system administrator, just because there was not enough time to implement patch management or penetration test. This should happen only in the lab or simulated training. So, the management support for cybersecurity is crucial to avoid excessive tradeoffs between security.
MC: You note that a plan that isn’t tested is one that may not correlate to reality. What are the best ways to ensure reality matches what a utility plans and trains for regarding cybersecurity?
PL: Tests should always be done as realistically as possible. If not possible in real environment, then in lab or similar environment to you own, it depends on the criticality of the system. For example, many companies does not test what happens if one of the core routers or connections goes down or what if one data center goes down? If you have a High Availability (HA) environment, the HA should be tested system by system and then put in the bigger scale like datacenter scale. Tests should be done on a regular basis and they are easy to follow and improve.
The same applies to cybersecurity. If an incident response plan is never tested, create an incident! It’s way better than waiting for it to happen and then start wondering what should we do now, if it’s even detected early enough before you are kicked out of your own environment. It is also easy to justify which one will be cheaper: conducting an incident of your own in a controlled manner or waiting for it to happen at some time in the future with unknown consequences without even knowing are you able to detect it.
MC: These conferences are always great opportunities to not only share your ideas and insights but also to learn from others. What presentations or broad topics are you eager to hear about at the Utility Telecoms Conference? How will what you learn inform what you bring back to your work?
PL: This is the first time for me to be in Utility Telecoms Conference, so I guess I’m more openminded to this event. Perhaps I’d like to hear other participants ideas of what ever good things they have done in the cybersecurity area that I could adapt to improve our environment. Or some crucial failures and how they have learned their lessons.
If you’re interested in hearing more about Pauli’s insights into cybersecurity in the utility telecom space, be sure to check out his presentation at the Utility Telecoms 2020 conference, taking place from February 25 to 27 in Amsterdam. You can check out the agenda and register for the conference here.