A holistic approach to cybersecurity management and compliance

Utilities should ‘think top down’ and implement an integrated and plant-wide approach to cybersecurity.
Published: Fri 29 Apr 2016

Integrated operations through digital transformation for utilities have become critical if they want to prosper in the new energy future. Data-centric decision making is what will enable utilities to stay ahead in a highly competitive industry. It will help them improve safety, efficiency and service levels.

However, the connection of critical assets has exposed electrical utilities to cyberthreats which are growing in sophistication and intensity.  

Cybersecurity - getting the basics right

The recent cybersecurity attack on the Ukrainian power grid holds many lessons for power generation plants and distribution centres across the globe. [Electricity Authorities Face Severe Cybersecurity Attacks].

Because remote access lacked sophisticated security methods (like multi-factor authentication), attackers were able to use credentials, likely acquired through a spear-phishing campaign, to gain crucial access to the systems that controlled the breakers.

Sid Snitkin, vice president for ARC Advisory Group, a leading technology research and advisory firm for industry and infrastructure, told Engerati that the attack highlights the seriousness of cybersecurity, particularly for the electrical power industry. Many of these systems were designed before cybersecurity was a concern and lack basic security features. Even with good defences, he says that smart companies should “always assume that their systems will ultimately be compromised.”

He explained that while the power industry is investing heavily in cybersecurity solutions, many facilities still lack basic security measures. He suggests that companies make sure that basic security practices are properly in place before adopting more advanced technology. With the basics covered, utilities can introduce more advanced cybersecurity solutions and trust that they can be fully leveraged.

Importance of cybersecurity updates

Energy manufacturers and suppliers often struggle to keep the security of systems up to date and this leaves them vulnerable to new forms of attacks, he adds.  

Proactive and reactive solutions have to be updated constantly in order to stay ahead of ongoing threats. Without effective maintenance management, no cybersecurity technology will be of much use in stopping attacks.  

But, due to budget constraints and a global shortfall in cybersecurity expertise, many companies find it impossible to deploy the necessary experts to sites to manage security.  Furthermore, manual processes and point solutions are costly and simply do not scale.  

Dr Snitkin suggests that companies consider using the services of an Operational Technology (OT) security management software company which specialises in solutions for the industrial and critical infrastructure market. NextNine is one such company that helps industrial enterprises and critical infrastructure companies maintain their security systems and keep them patched.

In a separate interview, Eli Mahal, VP Marketing at NextNine, told Engerati that his company recognises the complex cybersecurity needs of the electrical utility environment “which still have legacy and proprietary equipment that were not designed with security in mind.” He adds that OT security ownership is often unclear and that IT and OT goals differ, especially when it comes to the adoption of new technology. Potential gaps like these need to be pinpointed and secured by a combination of robust security management technology, clearly defined processes and strong collaboration among staff.

Case Study - Cyber Hardening

Mr Mahal points to a case study of a global cyber-hardening system deployed by NextNine at a major oil company. The project was carried out in conjunction with its partner Yokogawa Electric Corporation, a Japanese electrical engineering and software company that focuses on plant automation systems.

The aim of the project was to:

  • Standardize security practices at the company’s plants around the world and minimize control system vulnerability

  • Maintain an accurate inventory of industrial assets and their configuration, and monitor changes. There is always a need for full visibility as a starting point for a secured operation since “you can’t protect assets that you don’t know about.”

  • Improve the safety and reliability of industrial assets by granting first and third parties secured remote access

As a result of the project, data is now funnelled from a security operation centre where policies, privileges, and authorisation are formulated and granted. It is now easier for the company’s head office to analyse and fully understand the security situation at each site since there is now a simple method of collecting logs and activities of assets. Data-centric decisions are made more easily and securely.

In addition, patching and anti-malware signature updates are now done automatically, whereas before they were carried out sporadically. Automated processes are saving the company a lot of time and money.

Integrated and plant-wide approach to cybersecurity

Mr Mahal says that companies need to ‘think top down’ and implement an integrated and plant-wide approach to cybersecurity. He adds that it is important to standardize security policies across plants yet allow the creation of granular policies that can be easily automated.  

Also, think about the security essentials as a first line of defence before investing in ultra-sophisticated methods, he points out.

“Most industrial enterprises are barely covering the basics. What’s the point in buying a sophisticated sensor-based alarm if you don’t bother to close the door at night?”