Behind the hype of the general data protection regulation (GDPR) in the media, another equally significant regulation passed in the UK, with many utilities yet to fully address it.
The Network and Information Systems Regulations 2018 (NIS), which applies to a variety of critical infrastructures including the energy and utility sectors, requires providers of essential services to take the appropriate technical and organisational measures to manage security risks to the network and information systems on which their services rely.
While only applicable to the UK currently, this demand for state-of-the-art cybersecurity in critical infrastructures will inevitably spread, and the potential cost of poor security will continue to rise alongside consumer and regulatory demands.
With expert insight from Chris Grove, CISSP, NSA-IAM, and Director of Industrial Security for Indegy, we ask: How can energy companies detect attacks and identify threats if they don't have clear visibility on all their assets - they can't protect what they can't see?
Distributed energy resources and visibility
When utilities first laid out operational technology (OT) architecture, systems such as SCADA had two distinct aims - ensuring operational safety and supply reliability.
With research firm Zpryme estimating that US utilities alone will spend $7.25bn on grid cybersecurity by 2020, it is easy to understand the importance of finding a solution which not only protects utilities, but also presents a clear business case and benefit to utilities beyond simple defense mechanisms.
The rapid penetration of distributed assets on the grid has led to a potentially unstable infrastructure, where provisions to monitor, secure and control individual assets have not been fully addressed, such as automated asset management and security controls.
In addition to poor operational efficiency, assessing risk and maintaining security is essentially impossible for these industrial control systems (ICS) without an automated asset management system. Simply put, you cannot secure that which you cannot see.
In its white paper, ‘Top Three Use Cases for Automated OT Asset Discovery and Management’, Indegy sets out three key use cases in automated asset management can improve utility cybersecurity and compliance whilst also improving operational efficiency.
Use cases for asset management and cybersecurity
1] Understanding and controlling the cybersecurity resilience of ICS assets.
While IT networks have long since employed automated asset discovery and management, ICS environments are still lacking, says Indegy’s white paper. In favouring manual processes such as using barcodes and labels - or worse still, not tracking assets at all, utilities are generating incorrect, outdated and time consuming information on their assets.
Maintaining a comprehensive asset inventory can assist utilities in improving operational processes by granting them visibility on key activities, such as which assets require updating or maintenance, providing greater security and stability across the OT landscape and minimising disruption to production.
Grove says: “In my experience working in many industrial facilities, across all sectors, I’ve found that developing and sustaining an accurate asset inventory is a key challenge that organizations struggle with, and a core competency of Indegy.”
2] Improving operational incident response, shortening resolution time and ensuring operational continuity.
Recovering devices is crucial after any cyber disruption occurs, and to do so quickly, utilities need to ensure information on assets is as current as possible, both to prevent repeat occurrences and find the responsible party.
Inaccurate data can also be the cause of disruption. In the white paper, Indegy cites the example of a system integrator in the manufacturing industry, who, due to outdated internet protocol information on manually maintained spreadsheets, modified code of the wrong programmable logic controller (PLC), resulting in a series of operational issues and defective unit manufacture.
The result? A 24-hour lockdown on product assembly, where the engineering staff had to manually determine which PLC was changed, revert the changes and find the correct unit before restarting operations.
This kind of disruption not only costs businesses greatly, but also wastes another precious asset: the expert staff working on restoration rather than more important tasks.
Grove comments on this difficulty: “Some of the day-to-day duties of engineers and maintenance personnel includes ‘chasing ghosts’ in the process and infrastructure. Various types of issues require analyzing various levels of data in order to resolve them. During these times, having a tool that audits and tracks everything in OT becomes invaluable. When chasing ghosts, whether they be IT cybersecurity incidents, negligent or compromised insiders, employee mistakes, malware infections, or other scenarios, organizations need as much visibility as possible.”
3] Complying with industry regulations stipulating identification and inventory of critical assets.
Like the earlier mentioned NIS and GDPR regulations, institutes worldwide such as the US National Institute of Standards and Technology (NIST) Cybersecurity Framework are diligently working to standardise and formalise industry best practises to ensure the security and sustainability of critical infrastructures.
Many of these new frameworks worldwide require effective automated asset discovery and ongoing management of an asset inventory in order to achieve compliance.
However, Grove notes that this isn’t where the utility relationship with cybersecurity should end. “It’s always good to remember that regulations should be looked at as a minimum level of security in order to legally maintain operations and conduct business - but the end goal of good cybersecurity should go beyond regulations and look towards the bigger picture of reducing risk and improving resilience. Regulatory compliance should be a by-product of a well-baked, comprehensive, and layered security model.”
Watch the webinar
Join Chris Grove in our upcoming webinar, “Protecting operational assets: Achieving visibility, security and control”, to learn more about the cybersecurity landscape, new regulatory developments and all-encompassing solutions to assist in securing the utility.