IT/OT Convergence: Examining the Effort to Integrate Cybersecurity into Electric Utility Emergency Preparedness Plans
- October 1, 2018
As the US Department of Homeland Security (DHS) recognizes its 15th annual National Cybersecurity Awareness Month in October 2018, we are reminded of the major electric utility breach and infrastructure outage that occurred in Ukraine in December 2015, and that recent reports indicate a Russian presence in US grid infrastructure.
Malware signatures indicate a continued effort to infiltrate the US energy sector through Internet-connected SCADA devices. A review of NERC Lessons Learned whitepapers provides further details of vulnerabilities that led to successful hacking attempts.
Integrating IT with OT emergency preparedness processes reflects the new reality that, especially for larger SCADA-based utilities, the traditional analog, electro-mechanical grid has become heavily embedded with digital devices and software susceptible to intrusion by increasingly sophisticated and well-funded hacking groups.
Remote Terminal Units (RTUs), relays, switches, and sensors are now integrated with programmable logic controllers (PLCs), which, according to cyber researcher Brian Krebs, among others, represent a known attack vector.
Add to those devices the ever-expanding universe of industry-related IoT and mobile devices and apps, and you have a formerly well-defended physical grid now exposed to a wide range of potentially damaging digital vulnerabilities.
Further, in the many small to mid-size, non-bulk system distribution utilities, digital IT may be interconnected with the business, financial, and HR operations of the organization. Thus the lines and potential attack vectors between IT, OT, business, and finance have in certain environments become inextricably blurred, presenting a challenge in strategic thinking to departments and staff of formerly-siloed utility organizations.
It might be argued that preparedness and incident response are where the IT/OT convergence comes to a head. How are utilities bridging the traditional gap between IT, physical plant, and business emergency preparedness operations? And how can effective cyber preparedness be structured when new hacking exploit kits continue to proliferate online and malware is constantly morphing into new and ever more clandestine, undetectable strains? How do you plan for the unknowable?
At the National Rural Electric Cooperatives Association (NRECA), which represents and advocates for 900+ co-op utilities, Cynthia Hsu, Cybersecurity Program Manager, is spearheading the federally-funded Rural Cooperative Cybersecurity Capabilities (RC3) Program that provides self-assessment, training, information-exchange summits, and R&D tools designed to strengthen the cybersecurity posture of small and medium-sized distribution utilities.
According to Hsu, an important component of the RC3 Program is the development of Guidebooks that describe specific roles, responsibilities, actions and options each department of the utility can take during an intrusion event.
“Our goal in these guidebooks is to not only give our member co-ops awareness of their roles and responsibilities when it comes to cybersecurity, but also to help them understand practices that they might want to consider when building their emergency response plans,” Hsu explains. “What we do in the cybersecurity program is to bring to staff ‘candidate practices’ which individual utilities then build into their own response plans” specific to their unique organizational and operations environments. “What’s best for one co-op will not necessarily be best for another co-op.”
Drawing upon the experience of other co-ops is key to developing effective, custom-fit security measures. “Peer-to-peer communication during RC3 Program summits enables co-ops to learn from each other’s successes, challenges, and practices,” Hsu emphasizes.
Adds Tracy K. Warren, NRECA Senior Communications Manager, “Due to the wide geographic, rural nature serviced by electric co-ops, we have always been at the forefront of AMI development, distribution, and new technologies, including security.”
Tied to the same $7.5 million DOE grant, Mike Hyland at the American Public Power Association (APPA) describes their Cybersecurity Capability Maturity Model-based (C2M2) cyber program as a “crawl, walk, run, military style approach” to getting their IT/OT emergency preparedness program into full operation.
Like NRECA, APPA starts with a self-assessment tool or scorecard (accessible to APPA members) that municipal utilities use to review all aspects of their security posture, raise awareness, and identify gaps that need to be addressed. Also, like NRECA, APPA sees its role as “educating utilities on assessing their cyber hygiene” in an effort to determine where they need to harden their systems, operations, and the flow of decision-making during an event.
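To make the scorecard idea concrete, the following is an added illustration of a maturity-style self-assessment, not APPA's or NRECA's actual tool: the domain names, the practice statements, their statuses and the scoring rule are all assumptions constructed for the example. The rule mirrors the spirit of a C2M2-style assessment, where a domain reaches a maturity indicator level (MIL) only when every practice at that level and at all lower levels is implemented, so a single unmet foundational practice caps the domain regardless of how many higher-level practices are done.

```python
"""Simplified self-assessment scorecard with gap listing (illustrative, not C2M2's own scoring)."""
from dataclasses import dataclass

IMPLEMENTED = "implemented"
PARTIAL = "partial"
NOT_IMPLEMENTED = "not_implemented"


@dataclass(frozen=True)
class Practice:
    domain: str
    mil: int            # maturity indicator level this practice belongs to (1..3)
    description: str
    status: str         # one of the three status constants above


def achieved_mil(practices, domain, max_mil=3):
    """Highest MIL at which every practice at that level and all lower levels is implemented.

    Levels are cumulative: a gap at MIL1 caps the domain at MIL0 even if all
    MIL2 practices are done. A level with no listed practices ends the climb.
    """
    level = 0
    for mil in range(1, max_mil + 1):
        at_level = [p for p in practices if p.domain == domain and p.mil == mil]
        if not at_level or any(p.status != IMPLEMENTED for p in at_level):
            break
        level = mil
    return level


def gap_report(practices, targets):
    """Map each domain to (achieved MIL, target MIL, practices still unmet up to the target)."""
    report = {}
    for domain, target in targets.items():
        achieved = achieved_mil(practices, domain)
        unmet = [p for p in practices
                 if p.domain == domain and p.mil <= target and p.status != IMPLEMENTED]
        unmet.sort(key=lambda p: (p.mil, p.description))   # foundational gaps first
        report[domain] = (achieved, target, unmet)
    return report


def format_report(report):
    """Render the gap report as plain text lines for a utility's planning meeting."""
    lines = []
    for domain, (achieved, target, unmet) in report.items():
        lines.append(f"{domain}: achieved MIL{achieved}, target MIL{target}")
        for p in unmet:
            lines.append(f"  gap (MIL{p.mil}, {p.status}): {p.description}")
    return "\n".join(lines)


# Constructed sample assessment for a small distribution utility (not real data).
SAMPLE_PRACTICES = [
    Practice("Incident Response", 1, "Incidents are reported to a designated contact", IMPLEMENTED),
    Practice("Incident Response", 1, "Roles and responsibilities during an event are documented", IMPLEMENTED),
    Practice("Incident Response", 2, "Response plan covers both OT and IT systems", IMPLEMENTED),
    Practice("Incident Response", 2, "Response plan is exercised at least annually", PARTIAL),
    Practice("Incident Response", 3, "Exercise findings feed revisions of the plan", NOT_IMPLEMENTED),
    Practice("Asset Management", 1, "Inventory of OT devices (RTUs, PLCs, relays) is maintained", NOT_IMPLEMENTED),
    Practice("Asset Management", 2, "Inventory records which devices are Internet-reachable", IMPLEMENTED),
]

# Constructed target levels the utility has set for itself.
SAMPLE_TARGETS = {"Incident Response": 2, "Asset Management": 2}


if __name__ == "__main__":
    print(format_report(gap_report(SAMPLE_PRACTICES, SAMPLE_TARGETS)))
```

Running the sample shows the point of a cumulative scorecard: the asset-management domain scores MIL0 despite having its MIL2 practice in place, because the foundational device inventory is missing, which is exactly the kind of gap the self-assessment is meant to surface before an event rather than during one.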
Hyland explains that “just as we had to develop a culture of physical safety in earlier decades, the goal now is to develop a culture of security” in which everyone in the organization is brought up to speed and “made aware of the risks, what devices and information most need to be protected, and what individuals’ specific roles and responsibilities” will be in the event of an incident. Hyland reiterates the now common refrain in the cyber world: “It’s not if but when” a hack will occur. Once preparedness plans have been finalized, Hyland urges organizations to conduct training exercises around them.
Utilities are also urged to use the expertise of their vendors in formulating solid preparedness plans. “Vendors have a strong interest in seeing the success of their products and services in the field and represent a valuable resource to utilities,” Hyland states.
Echoing Hyland and APPA’s approach, Ashley Wargo, an emergency preparedness expert at Hagerty Consulting – which recently helped orchestrate a multi-state National Emergency Management Association (NEMA) funded cybersecurity exercise – emphasizes the importance of “understanding the governance structure involved” by identifying who the stakeholders are, how they will communicate, and what decisions they will make and actions they will take in preparation for a cyber event. Decisions and actions may be dictated to a small or large degree by regulations with which a specific utility may be required to comply and to submit to post-event audit.
Wargo cites IT/OT convergence – which the Hagerty group refers to as the Cyber Nexus – as a key component to achieving “clearly defined roles and responsibilities” during an event.
As Ted Schneider of the utility resource management firm ARCOS LLC points out, the cyber threat landscape is constantly shifting as hackers' tools, tactics, and procedures (TTP) adjust to evolving defenses, making specific preparedness planning a virtually impossible game of cat and mouse. Among other strategies to circumvent the clever circumventers, Schneider recommends contracting cloud-based SaaS security services, having staff acquire security certifications, and laying an "increasingly complex number of traps for intruders to trip over."
To further confront and prepare for the shifting threat landscape, implementing a vigorous pre-incident communication and coordination structure between likely stakeholders can vastly increase the likelihood of a quicker, more effective, and resilient response.
Kicking off National Cybersecurity Awareness Month in October 2018 will be the APPA-, NRECA-, and EEI-sponsored Briefing on Electric Sector Cybersecurity, to be held October 1, 2018, 1-3 pm in Washington, DC. The kickoff is expected to be live-cast. You can RSVP at email@example.com
Interested parties will further benefit from a visit to DOE’s new Office of Cybersecurity, Energy Security, and Emergency Response (CESER).