In today’s scenario of regular attacks on electric utilities, it is very important to have defences across the depth of a utility’s day to day functioning. That is, a layered security approach will be key in strengthening its cybersecurity posture. Thus if a security control fails, the utility is robust and resilient and hence the effect of the attack is minimal. This provides redundancy in the system with respect to cybersecurity.
This approach is made up of multiple elements; namely people, processes and technology. At the outset there is physical security, procedures, policies and firewalls. Then we have system policies, account management, patch management and antimalware as the central element.
Multiple elements make up the approach
Appointing a Chief Information Security Officer (CISO) is a must for utilities who want to develop a cybersecurity framework. The CISO should ideally be a senior management position. He/she may not be an expert on cybersecurity but should understand the importance of cybersecurity and implications of not having comprehensive cybersecurity controls.
For a utility, ensuring physical security is as important as cybersecurity. High delay-time fencing products, vehicle barriers, retractable bollards, crash-rated gates and sally ports, video surveillance, intrusion detection systems and advanced motion analytics around the entire perimeter should be common elements at critical utility sites. Utilities must also use biometric readers and access control badges for more stringent control of unauthorised physical access.
Utilities must take steps towards formulation of a comprehensive Information Security Policy. Sub-policies and procedures specific to key operational areas should also be prepared. Utilities need to establish a formal mechanism by means of which all stakeholders (employees, contractors, sub-contractors and so on) are required to read and acknowledge the relevant portions of the applicable policies.
Risk assessment and mitigation processes should be established and/or reviewed regularly. In order for the magnitude of the problem to be understood by senior management, it is essential to formulate a mechanism for evaluating and approving residual information security risk in a manner similar to that existing for financial or operational risk. The information security risk should be owned by the utility. By outsourcing the operations, the responsibility of securing the utility’s cyber space lies with the utility itself. In addition, the business continuity plan needs to be appropriately tuned.
People are usually the weakest link in the security chain. Manipulating people’s behaviour is the easiest and least-expensive vector for attackers to exploit. Thus, it is important to conduct background checks of employees and have a well defined HR policy.
Procedure/guidelines for mobile phones/smart phones and portable media such as USB drives, CDs, DVDs are vital, as they are amongst the foremost source of malware infection and system compromise. They may also adopt procedures for blocking unauthorised removable media (for example USB devices) on systems.
In order to ensure that no data is inadvertently being leaked outside the organisation, policies for disposal of critical digital assets (CDA) must be formulated. Physical destruction of CDA may be considered as a part of organisation’s disposal processes.
Get up to speed on smartgrid cybersecurity - check out our Cybersecurity In Focus webinar series featuring insights from McAfee, EDP, EE-ISAC, CGI, South California Edison, CyberX, Kamstrup, E-Control, NextNine and much more
Monitoring of inbound and outbound communications is required to observe unusual or unauthorised activities. Automated mechanisms may be implemented for monitoring inbound and outbound traffic, which requires deployment of automatic intrusion prevention and detection systems. It would also be beneficial to deploy data diodes to ensure unidirectional flow of information wherever necessary.
The enterprise IT systems and ICS should be physically or logically isolated. This ensures that programmable logic controllers and remote terminal units are not connected to public networks such as the Internet, thus eliminating the majority of threats. Responsibilities should be segregated and role based access control (RBAC) needs to be implemented. RBAC is an approach that restricts access to systems to only authorised users irrespective of age, seniority, division, etc.
It is advisable to segregate the utility’s cyber space into zones such as external zone, corporate zone, manufacturing zone, cell zone, safety zone and so on. In this way, a defence in depth architecture is created and the attacker has to break through all the perimeters in order to attack the industrial control systems.
Subsequently, it is very important to apply perimeter protection for each zone. Hence, dual corporate firewalls, dual control system firewalls, dual control system LAN firewalls, field level firewalls, etc., should be common elements in the utility’s network. This will make it difficult for an attacker to breach the system.
Creating a demilitarised zone (DMZ) is another fundamental task that utilities must undertake. The DMZ is a network that separates the internal LAN from untrusted networks. Typically, external-facing servers, resources and services such as mail, web, VoIP etc. are located in the DMZ so they are accessible from the Internet but the rest of the internal LAN remains unreachable. This provides an additional level of security to the LAN as it prevents the attackers from directly accessing internal servers and data via the internet.
Utilities should identify critical information infrastructure (CII) and the corresponding incoming and outgoing dependencies. Identification of CII should not be done as a bookkeeping exercise but for identifying ownership and operation. The process for obtaining approval for notifying CII and approval of the sectoral statutory body for CII notification needs to be initiated. After identifying the CII, thorough vulnerability, threat and risk (VTR) analysis must be conducted by the utility, after which controls should be updated and the security posture reassessed.
Utilities should undertake regular security awareness training for its employees. Effectiveness of security awareness training needs to be reviewed at least once a year. Practical exercises may be included in the security awareness training that simulates actual cyber attacks.
In addition, utilities may want to have IT security service level agreements (SLA) while dealing with outside agencies. It is recommended that system hardening may be considered while procuring items. It will help in making the system secure by design. Also, before procuring any software, firmware or hardware, the utility must investigate the product’s cybersecurity related aspects. The selected products must then be tested, both individually and within the utility’s overall environment, to assess the product’s effectiveness.
Regular internal and external auditing of cybersecurity must be conducted. Changing auditors regularly should also be considered to avoid any oversight occurring because of systems becoming familiar.
There should be separate budgetary allocation for cybersecurity. It should not be the case that the IT department allocates money for cybersecurity. Budgetary allocation for cybersecurity should be done in addition to what is allocated to the IT department.
Furthermore, it is extremely important to assess the cybersecurity posture of any organisation on a regular basis. Apart from cybersecurity audits, it is very important to conduct cybersecurity readiness assessments on a regular basis. This will not only tell the utilities where they stand, but also will help in setting milestones for future deployments.
In spite of all the preventive measures, an attacker will always have the upper hand because the attacker needs to be lucky only once whereas the utility has to make sure that it prevents all cyber incidents. Hence, it is exceedingly important to have an incident reporting policy/procedure in place that will not only define a cyber incident, but also specify responsibilities and steps to be taken in case of an incident. Since all these measures involve people, processes and technology, ensuring cybersecurity for a utility’s cyber space is always a big challenge. A utility itself needs to shoulder the responsibility and create a robust and resilient cyber environment.
This article first appeared in a slightly different format in Metering & Smart Energy International, Issue 5, 2015