Small Steps, Big Results: What Your Utility Can Do Today to Improve the Security of Your AMI Program
- June 8, 2018
- 1493 views
You have seen the news stories:
- Lansing, Michigan’s Board of Water & Light invested $2.4M to develop a cyber-emergency response after doling out a $25,000 ransom to cyber criminals in 2016
- "Grizzly Steppe", a Russian cyberattack aimed at political organizations hit Burlington Electric utility in Vermont
- A ransomware incident of $52,000 cost the City of Atlanta $2.6M in recovery
- "Dragonfly" - A cyberespionage campaign that targeted energy-sector entities and enabled attackers to mount sabotage operations against victims (Chertoff Group)
Cyberattacks were once isolated occurrences mainly targeted at credit merchants for personal financial gain, but now extend to utility companies with the intent to cause extensive damage to infrastructure. Today's wars are being fought less on the ground, and more from behind the screen of a laptop. These attacks have become so commonplace that rarely a day goes by where a breach does not hit the news, yet two out of three Directors report having little to no knowledge in cybersecurity (Chertoff Group).
Industry regulators and organizations such as the North American Energy Reliability Corporation and the American Water Works Association have attempted to put some parameters around security, through the implementation of the Critical Infrastructure Protection standards (NERC-CIP) in the energy industry and the G430-14 for Security Guidelines of Operations and Management in the water sector. After some more pervasive breaches, Public Utility Commissions have started weighing in. The Michigan Public Service Commission developed the Technical Standards for Electric Service (Cases No. U-18043 and U-18203) which requires investor-owned and cooperative utilities to provide MPSC with an annual report on cybersecurity programs and planning, a description of cybersecurity training for employees, and notifications as soon as a cybersecurity incident that results in a loss of service, financial harm, or breach of sensitive business or customer data is detected. These standards extend to the AMI and metering level of cyber protection.
With all of the risks and threats clear, why haven't all utilities adopted clear industry-wide standards to avoid cybersecurity threats? The answer is, it depends. Depending on your location, utilities can struggle to secure and retain the expertise in-house. Vintage legacy systems as found in utility billing without a budget to conduct a full replacement along with disparate applications all co-mingling in on-premise environment is another more common cause of breach. The biggest gap, however, is in the implementation of a culture of security across all tenants- technology, business procedures, human resources, etc.
What can your utility do, to begin to instill a culture of security?
- START SMALL: One of the more common causes of cybersecurity breaches occurs by employee and procedural protocol. User education and awareness is key to closing some of the gap in security. Creating a culture of security involves buy-in by the organization from initial hiring. Establishing clear security policies that employees must abide by and creating personal responsibility in data protection are critical to setting the stage in employee safety. Annual reviews and refreshers are required for continuing education in the standards of protection. Reviewing consultant and vendor policies around security which hold contractual penalties ensures that all parties are a part of security practices.
- IT'S ALL ABOUT THE MONEY: IT Staff support is a requirement in the institution of security procedures and maintaining good network hygiene. Security should form a distinct portion of your utility's annual spend with sufficient funds set aside for:
- Hiring the right staff - Securing a staff led by a Chief Security Officer is essential in reducing risk. Right-sizing your IT department to make security a priority for most utilities involves additional budget that must be communicated and requested, often times, 6 months or more ahead of actual need.
- Additional technology tools - Staying abreast of tools for monitoring cyberthreats is vital to AMI (and overall) network health. Budgeting for procurement cost and licensing of new tools to manage an ever-evolving threat and risk profile is necessary when planning additional fiscal cycles.
- 3rd party resources - While internal vigilance and monitoring is indispensable, budgeting for 3rd party audits of your systems is required. Day to day operations of the AMI network may often dull senses of internal staff to imminent threats. Bringing a fresh eye to security operations annually also creates an insurance policy for responding to threats.
- ANNUAL ACTIVITIES: Regular monitoring for cyberthreats is an operational necessity, but it should not forgo the need for an annual risk assessment. A full risk assessment should include a review of policies and procedures from recruitment and human resources, audits of vendor security protocols, as well as overall hardware and software. Global agencies such as Information Systems Audit and Control Association (ISACA) provide recommended guidelines in performing comprehensive risk assessments.
- AN OUNCE OF PREVENTION IS WORTH A POUND OF CURE: As both the City of Atlanta and the City of Charlotte have discovered, the cost of a lack of preparation far exceeds the cost of the breach itself. Having a documented cybersecurity preparedness plan in case of the unexpected breach can improve response time and reduce operational impact costs. With 70% of water and energy providers reporting a breach, working through worst case scenarios through tabletop exercises and modeling impact will better prepare you and the organization for what may be an inevitable breach.
- AMI ISN'T THAT SPECIAL: Conducting regular network hygiene is the first line of defense against the day to day threats. AMI, in this case, is not special. Including AMI network security as part of the regular checks is imperative. The interoperability of AMI and Meter Data Management systems with historically legacy Billing systems, while improving customer service, means that risk of breach can be transferred between systems. Regular patching, early and often, should occur at all layers of the network, even down to the physical meter and transmitting device.
- TRUST THE EXPERTS: For a variety of reasons, your utility may not be in a situation to perform a cybersecurity risk assessment or threat modeling - lean on the experts. Working with trusted partners, such as Red Clay, can go miles with helping you prepare for your upcoming or maintenance of your AMI deployment and ensuring the safety of your grid and your customers.
While threats and invasions are nearly inevitable, substantial cost and impact doesn't have to be. User education, regular maintenance, and working through identifying and prioritizing your risks are the small steps that can lead to big results.
Co-authored by Michael Pearson, Chief Information Security Officer – Red Clay.