Ensuring Cybersecurity for Electric Utilities

11 Jul 2023

by Harry Thomas, OT Security Advisor at OTORIO

Enhance Visibility and Ensure OT Security in Electric Utilities


Thanks to computers, we can remotely access anything, giving customers real-time visibility into power outages and into their own electricity usage. Computers, networks, and automation allow electric utilities to do more with fewer resources. But that same connectivity allows a bad actor who penetrates those systems to gain the same access as an operator.

Understanding the Threat Landscape

We now connect our information technology (IT) networks with our operational technology (OT) networks. That connectivity has exposed relays and other controllers to the Internet, so cyber-attacks are plausible. Because uptime has been the key metric for utilities, the OT network never received security scrutiny.

Cybersecurity requires defenders to be vigilant. Any hole in the armor allows an intruder to access critical systems. While defenders protect our networks, humans add further weaknesses to the armor, and we need help to keep pace with rapid technological advancements. Attackers use emails, phone calls, or imitation websites to gain valid access to our networks. Once in, they propagate malware throughout the network until they achieve their objective.

Gone are the days of security by obscurity. Today’s attackers have done their research. They know the ins and outs of specialized OT protocols. Threat actors have been exploring and mapping OT networks globally, and they can now develop specialized malware targeting the OT environment.

Cyber threats have evolved over the past decade. The frequency of incidents has steadily increased since 2013 to more than 500 attacks over the past year. These attacks include both specialized malware and ransomware.

Consequently, utilities must now protect against attacks by common cybercriminals and not just nation-states. This situation underlines the necessity of having robust cybersecurity measures in place.

The Importance of Configuration and Change Management

Configuration management is an important process that focuses on maintaining the integrity of all systems. It starts with a baseline: your known-good state, against which any new modification is compared. After detecting a change, you can work through the steps to decide whether it is necessary. These steps provide a way to avoid risk, and the process detects any unauthorized or erroneous change.

Security rests on people, processes, and technology. Change management focuses on people and processes: it requires that changes be requested, vetted, and approved, and there should be a separate process to handle emergency or exception requests. Every change should be documented and traceable, and the process should also address any potential security or compliance issues.

Combining people, processes, and technology ensures that systems are secure and compliant. People and processes address potential security risks. Technology automation can help audit security drift.

Understanding Endpoint Configuration Details

Maintaining detailed records of changes is paramount as the number of devices and components within OT networks grows. Every change, however minor, can carry security implications. Understanding who is making a change, and exactly what is being changed, is crucial for managing the security and integrity of your systems.

Tracing changes is about more than security; it is also about accountability and visibility. When an issue arises, a comprehensive record of changes helps identify the source of the problem and reduces the mean time to repair (MTTR). A clear timeline of modifications helps ensure system stability, supports swift incident response, and minimizes an incident’s potential impact.

Vital endpoint configuration details must also be tracked: device name, type, IP address, MAC address, installed firmware and software inventory, OS vulnerabilities and patches installed, open ports and services, and so on. These details are fundamental to understanding the current state of your OT network and its potential vulnerabilities.

The Role of NERC CIP in Electric Utilities Cybersecurity

The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards secure North America’s electric system. These standards enforce cybersecurity protections across the utility sector. It is easy to claim that compliance and regulations lag behind, or even work against, modern cybersecurity. I disagree with this statement. Regulations are the last line of defense for your cybersecurity program.

Cybersecurity engineers are your first line of defense. They operate tools like OTORIO and find threats as they happen. Then comes governance and risk, which focuses on preventing threats by identifying potential security flaws and vulnerabilities. The last line of defense is compliance. Compliance is the minimum that a utility needs to do: the minimum cybersecurity “safety” necessary to operate. Compliance can help start cybersecurity conversations and raises cybersecurity awareness. It ensures we can protect, detect, respond, and recover.


Key Takeaways

The volume of data generated by the energy sector and the systems' complexity make it challenging to track and manage all cybersecurity risks. Energy systems amplify this complexity, often comprising newer and older technologies, including legacy systems never designed with modern cybersecurity threats in mind. To manage this complexity, energy companies can take several steps:

Implement Robust Change and Configuration Management Practices

Change management involves the people, processes, and decisions involved in implementing configurable asset changes. Change management includes building processes for requesting, vetting, and approving change requests, establishing procedures for emergency or exception change requests, and creating review and reporting processes supporting change management. Configuration management, on the other hand, focuses on maintaining the integrity of all configurable elements of a piece of hardware or software. This includes capturing a baseline build or settings for any specific asset, detecting deviations from that configuration, and managing the deployment of new builds or configurations. Both practices help ensure that any changes made to the system do not introduce new vulnerabilities and that all systems are maintained securely.

Invest in Technologies That Provide Deep Visibility into System Configurations

Given the complexity of energy systems, it's critical to have technologies that provide deep visibility into the configurations of systems, applications, and network devices. Such technologies should create configuration baselines and establish known good states for hardening the environment. They should also continuously identify changes to or deviations from the baseline that may indicate security and compliance issues. Finally, they must maintain an accurate, detailed record of changes.

Track Vital Endpoint Configuration Details

Endpoint details can include the device name, type, IP address, MAC address, installed firmware, and software inventory (including versions), operating system (including vulnerabilities and patches installed), open ports and services, policies modified, removable media, malicious code detected/AV, failure of event logging, and serial number. This information can help identify potential vulnerabilities and track changes that could introduce new ones.
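The baseline-and-deviation loop described under configuration management above, applied to the endpoint details just listed, as an added example (it is not OTORIO code or part of the original post): a stored known-good baseline of per-device records (name, type, IP, MAC, firmware, open ports, patches) is compared against a fresh inventory snapshot, every deviation is reported with a severity, and each one is cross-referenced with the change-management approvals so that unauthorized or erroneous changes stand out. The device records, the `CHG-1042` ticket id and the `SEVERITY` table are constructed assumptions for the example.

```python
"""Configuration-baseline drift detection for OT endpoints (added example, not OTORIO code).

Compares a stored known-good baseline of endpoint configuration details against a fresh
inventory snapshot, reports every deviation, and cross-references each deviation with the
change-management approvals so that unauthorized or erroneous changes stand out.
All device data and ticket ids below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional
import hashlib
import json

# Constructed baseline: the known-good state captured when the assets were commissioned.
BASELINE = {
    "relay-01": {"type": "protection_relay", "ip": "10.10.1.11", "mac": "00:1a:2b:3c:4d:11",
                 "firmware": "4.2.1", "open_ports": [102, 20000],  # IEC 61850 MMS, DNP3
                 "patches": ["P-2023-01"]},
    "hmi-01": {"type": "hmi", "ip": "10.10.1.20", "mac": "00:1a:2b:3c:4d:20",
               "firmware": "n/a", "open_ports": [3389], "patches": ["P-2023-01", "P-2023-02"]},
}

# Constructed current snapshot: relay-01 received a firmware upgrade and now exposes an
# extra port, hmi-01 is unchanged, and a device absent from the baseline has appeared.
CURRENT = {
    "relay-01": {"type": "protection_relay", "ip": "10.10.1.11", "mac": "00:1a:2b:3c:4d:11",
                 "firmware": "4.3.0", "open_ports": [23, 102, 20000],
                 "patches": ["P-2023-01"]},
    "hmi-01": dict(BASELINE["hmi-01"]),
    "unknown-07": {"type": "unknown", "ip": "10.10.1.77", "mac": "00:1a:2b:3c:4d:77",
                   "firmware": "?", "open_ports": [80], "patches": []},
}

# Output of the change-management process: (device, field) pairs that were requested,
# vetted and approved, mapped to a hypothetical change ticket for traceability.
APPROVED_CHANGES = {("relay-01", "firmware"): "CHG-1042"}

# Severity per field: what a deviation in that field usually implies for the OT network.
SEVERITY = {
    "open_ports": "high",   # a new service exposed on the OT network
    "mac": "high",          # hardware swapped or address changed
    "ip": "medium", "firmware": "medium", "patches": "medium", "type": "medium",
}


@dataclass(frozen=True)
class Finding:
    device: str
    field: str
    before: object
    after: object
    severity: str
    approved_by: Optional[str]  # change ticket id, or None when unauthorized


def fingerprint(config: dict) -> str:
    """SHA-256 over canonical JSON, so a baseline can be stored and compared compactly."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def diff_endpoint(device: str, before: dict, after: dict, approved: dict) -> list:
    """Field-by-field comparison of one endpoint; list-valued fields compare as sets."""
    findings = []
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key), after.get(key)
        if isinstance(old, list) or isinstance(new, list):
            old, new = sorted(set(old or [])), sorted(set(new or []))
        if old != new:
            findings.append(Finding(device, key, old, new, SEVERITY.get(key, "low"),
                                    approved.get((device, key))))
    return findings


def detect_drift(baseline: dict, current: dict, approved: dict) -> list:
    """Compare every device; unknown and missing devices are findings in their own right."""
    findings = []
    for device in sorted(set(baseline) | set(current)):
        ticket = approved.get((device, "presence"))
        if device not in baseline:
            findings.append(Finding(device, "presence", None, "new device", "high", ticket))
        elif device not in current:
            findings.append(Finding(device, "presence", "present", "missing", "medium", ticket))
        elif fingerprint(baseline[device]) != fingerprint(current[device]):
            findings.extend(diff_endpoint(device, baseline[device], current[device], approved))
    return findings


def unauthorized(findings: list) -> list:
    """Deviations with no matching change ticket: the ones a reviewer must act on."""
    return [f for f in findings if f.approved_by is None]


if __name__ == "__main__":
    for f in detect_drift(BASELINE, CURRENT, APPROVED_CHANGES):
        status = f"approved ({f.approved_by})" if f.approved_by else "UNAUTHORIZED"
        print(f"[{f.severity:6}] {f.device}.{f.field}: {f.before!r} -> {f.after!r}  {status}")
```

Run as-is, the script reports the approved firmware change on `relay-01` as traceable to its ticket, and flags the newly opened port and the unknown device as unauthorized high-severity findings. Storing only the per-device fingerprint lets a large fleet be scanned cheaply for "anything changed?", with the field-level diff run only on devices whose fingerprint moved; in practice the snapshot would come from the asset inventory tool and the approvals from the change-management system rather than from inline dictionaries.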

Build a Culture That Supports and Sustains Cybersecurity

Integrating cybersecurity into culture is a top priority and involves making cybersecurity a business—not just a technical—imperative. Utilities should better use government resources, share lessons learned, train and mentor more cybersecurity practitioners, and involve the entire workforce in managing cybersecurity risks.

Stay Updated with Evolving Threats

The nature of cyber threats has changed substantially. Today’s would-be attackers are familiar with ICS, IoT devices, and specialized communications devices that are part of many OT systems. Moreover, numerous cybercriminal groups are investing in the capabilities of their technical staff. As a result, private enterprises must protect themselves against more sophisticated attacks by these well-funded attackers.

Staying current with these threats can help manage cybersecurity risks in the energy sector. However, it's important to remember that cybersecurity is an ongoing process, and energy companies must continually reassess and update their practices as new threats emerge.