Increase in Malware Attacks Require New Playbook for Utilities: CIP Compliance Defense Not Enough
- October 17, 2017
- 1399 views
In the face of progressively sophisticated malware attacks, utility executives are becoming increasingly aware that there is more at risk than NERC CIP compliance failures and the associated penalties. Threats of ongoing cyber-attacks that could cripple the U.S. power grid, damaging their brand and shattering consumer and shareholder confidence are on the line. Yet for some utilities, spending on compliance continues to mushroom, leaving little budget to address security concerns holistically. Furthermore, a short-term compliance “first” focus, and efforts to reduce “compliance risk exposure” through reducing connectivity, may result in greater complexity and cost in the long-term as hackers exploit the lack of visibility and protections to utility endpoints.
As we celebrate National Cybersecurity Awareness Month, let’s take a deeper look at how the game is changing, including the evolving threat landscape, and how utilities could rethink their compliance “first” focus to proactively address these risks and create a winning defense.
The Situation: Cyber Threats to U.S. Utilities Reach Beyond CIP
Figure 1: Cyber Incidents Growing in Complexity and Severity
According to the Dragos MIMICS project, there are now a dozen active malware agents targeted at industrial control systems. Undoubtedly an analysis of the second cyber-attack (Ukraine 2 in the illustration) -- Industroyer or CrashOverride - on the Ukraine Power System, proves that a shift to open market development of malware is occurring. This new status means the increased likelihood of a dramatic up-tick in the variety and volume of future cyber-attacks. More hackers are enabled to move beyond surveillance into attack mode exploiting new weaknesses that require holistic security programs, not point solutions, to thwart their behavior.
Up to this point, security baselines and fundamental controls attributed to the enforcement of the CIP regulations have kept utilities safe from major cyberattacks. However, keeping pace with the escalating risks from new malware capabilities requires more than the compliance-orientated activities focused on the Bulk Electric System. The sample external threat diagram (below) illustrates the plethora of paths and potential points of entry where malwares could be entering a utility infrastructure.
Figure 2: Real-time System Threat Diagram
The fact is, even with the deployment of CIP required controls today’s real-time utility ecosystems are complex and hard to defend. Utilities must accept the reality that an impactful breach of the U.S. critical infrastructure, and to the electric system, is almost unavoidable. However, a utility’s leadership has the power and the fiduciary responsibility to mitigate their company’s risk of such an event.
The Solution: Manage Your Risk (Risk = Likelihood * Impact) Not the Threat
First: Reduce the Likelihood of a Breach
With a massive amount of new technologies targeted at one security aspect or another, it is increasingly difficult to select what products fit where and to determine if they provide the needed protection. This is particularly the case now that malware and any associated BOTs, once having penetrated your systems, remain dormant looking for signatures indicating activities such as credential exchange to opportunistically embed themselves in normal looking outgoing traffic. There will always be a new malware or BOT, so managing risk requires a more strategic, programmatic defensive approach focused on early detection coupled with appropriate advanced forensics tools for containment.
For example, over 30 years ago the concept known as the Strategic Defensive Initiative (SDI or Starwars) struck fear into many of the U.S. adversaries as its intent (if implemented) was to
severely reduce the likelihood of a successful attack on the U.S. mainland through early detection and layered perimeter defenses. This defensive shield approach is today known as “defense in-depth.” Following this strategic model, utility defensive perimeters should be pushed out as far away from the core elements you are trying to protect. Each defensive zone is monitored and advanced analytics evaluate activities across and between the entire defensive shield. This concept is illustrated below.
Figure 3: Defense-in-Depth Approach
The ability of this defensive shield to be successful depends on several factors:
1) The ability to identify meaningful data and then integrate that data in real-time from a variety of sources such as security applications and operations.
2) The ability to drive insight into potential mis-operation of the monitored control systems and programmable devices.
3) The ability to rebuff any potential threat.
4) The ability to assess the baseline on regular basis to determine the behavioral norms for security applications, control systems, programmable devices, communications processors, and other connected elements.
In summary, the development and implementation of an appropriate defense strategy for your new SCADA/EMS or DERMS project, or your key operations environment is essential. Certainly, a combination of NIST and CIP controls may provide a good starting point, however, they should be deployed as part of the overall defense strategy. A simple compliance checklist will not be sufficient.
Second: Reduce the Potential Impact
Should a threat penetrate the defensive shield, a key component in reducing the impact is isolation and containment of the infection. Levering the same principle of security zones, a different mechanism of containment may be appropriate as you near the most secure zones. At some point remote control of most, if not all, of the utility’s current control systems and IEDs -- at all voltage levels -- to be able to disconnect and reconnect is needed. Part of the programmatic approach to security is the documentation and frequent testing and exercise of these recovery controls. Looking at the threat diagram, the effectiveness in reducing impact will depend on taking appropriate action in response to the frequent reassessment of:
1) Evaluating current or anticipated ability to detect known infections in the utility’s control center and substation devices.
2) Evaluating current or anticipated capability, once the infection has been detected, to isolate that system component.
With malware and other threats continuing to evolve and the eventual penetration unavoidable, utilities must focus on evolving security approaches beyond the regulatory imperatives to manage their own risks. This calls for a playbook of strategic defense measures with programmatic solutions to reduce the likelihood and impact of any modelled threat:
1) Understand the threats to your ecosystem through frequent threat assessments that draw together the way systems work, communicate, and respond when managing real-time operations.
2) Protect your real-time operations with a defense in-depth strategy that includes evolving security measures and analytics focused on detecting and then containing the attack at the earliest possible moment.
3) Develop and practice containment, isolation, disconnection, and reconnection of your real-time systems.
Applying this strategy in today’s cybersecurity environment can help ensure that the utility can prove itself a worthy opponent of bad actors looking to provoke a disruption or harm. This pragmatic and effective approach to improving security defenses will allow utilities to protect the interests of its executives, employees, regulators, shareholders, and consumers.