What you need to know if your OT network is compromised

Cybersecurity experts at Indegy outline a checklist for cyber attack preparedness.
Published: Fri 21 Sep 2018

Every stakeholder in the grid wants to imagine they’re impervious to cyber attacks.

The reality, of course, is that with risk growing on several fronts, such as larger attack surfaces, bring-your-own-device workplaces and increased pressure on the grid, everyone needs to raise their game on cybersecurity.

Recent developments have also shown operational assets such as industrial control systems (ICS) to be of particular interest to cyber attackers, and to be particularly vulnerable to attack.

With cyber attackers afforded far more agility than incumbent utilities and service providers, knowing how to handle an attack as it happens is just as crucial as trying to prevent one.

In a recent webinar, ‘Protecting operational assets: Achieving visibility, security and control’, Chris Grove, CISSP, NSA-IAM and Director of Industrial Security at Indegy, set out a checklist of information utilities should have to hand in preparation for an attack, and how best to respond if one occurs.

Fighting cyber attacks with operational awareness

Grove sets the scene for a utility in the midst of a cyber attack: “Let’s say our day started today with the bad news that we’d been compromised. We don’t know where it came from or where it’s going - all we know is that we’ve been compromised. Now, your task is to help us get back to a good state again. Think about all of the pieces of information you’re going to need.”

Grove says in this situation, what utilities need is a checklist of information they will need to efficiently and swiftly handle the intrusion.

The first item on this checklist, Grove explains, is identifying all of the assets communicating in the network, and noting their status: “Is something missing, like my safety system? Or, is there something here that shouldn’t be, like a compromised machine? That’s going to begin your asset inventory.”

Then, he explains, you need to discover all of the devices that are not communicating: “You wouldn’t believe how often I do security assessments at industrial facilities and I plug in the technology that I use to look at the network and find machines that are connected and not talking. Invariably, I’ll find machines that they didn’t know still existed.

“For example, a human-machine interface (HMI) that’s supposed to have been disconnected and the screen is off, but it’s still operating on the network and it hasn’t been patched in seven years. There are all kinds of things like that that exist on the network, but you can’t find them because they're not chatty, so they don’t show up in typical asset inventories that would be based on the live network. So we need to know about not just machines that are talking, but everything that’s connected.”

Next on Grove’s checklist is information about these assets, as well as what they are for, for instance: “OK, this is a Windows 10, but what is it used for? Is it a workstation in a control room, or is it a manufacturing system? Is it my SCADA system, the engineering workstation, an HMI?”

From there, Grove explains the need to develop an understanding of the risk associated with these devices: “What are the firmware versions, what about my programmable logic controllers - how often are they updated and how vulnerable are they? I may think I’m secure because I’ve disabled something, but in fact it’s not disabled. You need to understand and track the configuration of all of these things.”
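The four checklist items above (who is talking, who is connected but silent, what each device is for, and how risky its firmware and configuration actually are) can be reconciled mechanically. The script below is an added example, not code from Indegy or the webinar; every address, role, firmware version and the "minimum safe firmware" baseline in it is constructed for illustration. It compares a declared inventory against what passive listening saw, against the switch's ARP table (which also lists hosts that never send a packet) and against the results of actively querying the devices, then scores each device from what it really reports rather than from what the spreadsheet says.

```python
from typing import Dict, List, Optional, Set, Tuple

# All data below is constructed for this example: hypothetical addresses,
# roles, firmware versions and a hypothetical "minimum safe firmware" baseline.

# The declared inventory (what the site believes is installed).
EXPECTED: Dict[str, dict] = {
    "10.1.0.10": {"role": "safety system", "firmware": "2.4.1", "web_ui": False},
    "10.1.0.11": {"role": "PLC line 1", "firmware": "1.8.0", "web_ui": False},
    "10.1.0.20": {"role": "engineering workstation", "firmware": "n/a", "web_ui": False},
    "10.1.0.30": {"role": "HMI (decommissioned)", "firmware": "3.0.2", "web_ui": True},
}

# What passive listening on a SPAN port saw: (src, dst, protocol).
PASSIVE_FLOWS: List[Tuple[str, str, str]] = [
    ("10.1.0.20", "10.1.0.11", "modbus"),
    ("10.1.0.11", "10.1.0.20", "modbus"),
    ("10.1.0.99", "10.1.0.11", "modbus"),  # host absent from the declared inventory
]

# The switch's ARP/MAC table: every host physically attached, chatty or not.
ARP_TABLE: Set[str] = {"10.1.0.11", "10.1.0.20", "10.1.0.30", "10.1.0.99"}

# Results of actively querying devices (passive listening cannot obtain these).
ACTIVE_PROBE: Dict[str, dict] = {
    "10.1.0.11": {"firmware": "1.8.0", "web_ui": True},  # declared disabled, actually on
    "10.1.0.30": {"firmware": "3.0.2", "web_ui": True},
}

# Lowest firmware per role without known issues (hypothetical baseline).
MIN_FIRMWARE: Dict[str, str] = {
    "safety system": "2.4.0",
    "PLC line 1": "2.0.0",
    "HMI (decommissioned)": "5.1.0",
}


def reconcile(expected: Dict[str, dict], flows, arp: Set[str]) -> Dict[str, List[str]]:
    """Split hosts into talking / silent-but-connected / missing / unexpected."""
    talking = {h for src, dst, _ in flows for h in (src, dst)}
    connected = talking | arp
    return {
        "talking": sorted(talking),
        # connected and in the inventory, but never seen on the wire: the forgotten HMI
        "silent": sorted(h for h in arp if h not in talking and h in expected),
        # in the inventory but not attached at all: "is my safety system missing?"
        "missing": sorted(h for h in expected if h not in connected),
        # attached or talking but not in the inventory: the possibly compromised machine
        "unexpected": sorted(h for h in connected if h not in expected),
    }


def _version(v: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in v.split("."))


def risk_rating(ip: str, expected, probe, min_fw) -> Tuple[Optional[int], List[str]]:
    """Score a device from what it actually reports, not from what the sheet says.

    Returns (score, findings); score is None when the device was never interrogated.
    """
    declared = expected.get(ip)
    observed = probe.get(ip)
    if declared is None or observed is None:
        return None, ["no active probe result; firmware and configuration unknown"]
    score, findings = 0, []
    floor = min_fw.get(declared["role"])
    if floor and _version(observed["firmware"]) < _version(floor):
        score += 2
        findings.append(f"firmware {observed['firmware']} below baseline {floor}")
    if observed["web_ui"] and not declared["web_ui"]:
        score += 1
        findings.append("web interface enabled although inventory says disabled")
    return score, findings


if __name__ == "__main__":
    for bucket, hosts in reconcile(EXPECTED, PASSIVE_FLOWS, ARP_TABLE).items():
        print(f"{bucket:>10}: {hosts}")
    for ip in EXPECTED:
        print(ip, risk_rating(ip, EXPECTED, ACTIVE_PROBE, MIN_FIRMWARE))
```

On the constructed data, the safety system ends up in "missing" (it is in neither the flows nor the ARP table), the decommissioned HMI in "silent" (attached, never talking, and therefore invisible to a passive-only inventory), and 10.1.0.99 in "unexpected". The PLC scores higher than its spreadsheet entry would suggest because the active probe shows the web interface that the inventory records as disabled is in fact on; a device that was never interrogated gets no score at all, which is the honest answer.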

Outdated cybersecurity practices in utilities

Grove explains that this level of preparation is rare in utilities, where teams instead work from Excel spreadsheets that are by and large outdated and unmaintained, or copied multiple times and edited into diverging versions.

Grove says this is symptomatic of legacy attitudes and of the wider problem of operational technology (OT) management, where IT tooling does not work on the OT side. He says: “We need a tool that works well on the OT side to help us identify the open ports and vulnerabilities and then use that to create a risk rating, a metric which we can use moving forward.”

Whilst this sounds simple enough, Grove identifies potential difficulties: “One of the challenges that we’re going to come across is that we can’t just listen to the network to cover this - we have to be able to speak to some of these devices. By design, for example, Windows servers do not just broadcast that they are vulnerable. You have to interrogate it a little bit.”

The same goes for industrial controllers, where vulnerabilities cannot be inferred from guesswork or from the hardware family alone. Grove says: “You need to know the firmware version that’s installed and what’s been disabled, then you understand what the device is vulnerable to. All of this requires the ability to talk to the devices because this information does not live on the network.”

So how does a utility get to the point where it can gather this information ahead of time, so that it is prepared for the day it learns it has been compromised and needs help?

Chris Grove details the three key components utilities should include in their cyber defence infrastructure.

Three-pronged line of defence for cybersecurity

Grove identifies a three-pronged approach to accomplishing these goals.

The first, he says, is policy-based protection: “In these industrial environments, we know what’s going to keep us awake at night. We should create a set of policies that identify behaviours connected to the risks that we’re trying to mitigate, and that is one of the first things we should do when securing our OT environments.”

The next is looking for anomalies: “Creating policies is a great step, but you don’t know what you don’t know. Being able to monitor the network for anomalies is a key component for a good security solution for the OT side.”

Finally, Grove says utilities need to have device integrity: “Being able to enforce integrity on the controller will help safety, availability and security. Accomplishing that is done by monitoring the code logic - the programming that’s on the device. When these devices come out of the box, they’re like servers - they have nothing in there. Being able to control the code that’s in those devices, the input and output, is in many cases the best kind of security to have.”
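The three prongs can be run side by side over the same stream of controller traffic, which makes it easy to see what each one catches and what it misses. The monitor below is an added example, not Indegy's product or anything shown in the webinar; the host names (HMI, EWS, PLC1, SIS), the write policy, the ladder-logic bytes behind the known-good hash and the event records are all constructed for illustration. The policy prong allowlists which hosts may write to which controller, the anomaly prong flags any (source, destination, operation) triple never seen during a known-clean window, and the integrity prong hashes the program being loaded onto a controller and compares it with the version last reviewed.

```python
import hashlib
from typing import Dict, List, Set, Tuple

# Operations that change controller state; reads are left out of the policy.
WRITE_OPS = {"write_register", "write_coil", "download_program", "stop", "start"}

# Prong 1, policy: which hosts may perform write-class operations on which
# controller. Constructed for this example; a real set comes from the site's
# own "what keeps us awake at night" list.
WRITE_POLICY: Dict[str, Set[str]] = {
    "PLC1": {"EWS"},   # only the engineering workstation programs PLC1
    "SIS": set(),      # nothing writes to the safety system over the network
}


def logic_hash(program: bytes) -> str:
    """Fingerprint of the logic loaded on a controller."""
    return hashlib.sha256(program).hexdigest()


# Prong 3, device integrity: known-good hash of each controller's program,
# taken when the logic was last reviewed (hypothetical ladder-logic bytes).
KNOWN_GOOD_LOGIC: Dict[str, str] = {"PLC1": logic_hash(b"LD I0.0\nST Q0.0\n")}


def learn_baseline(events: List[dict]) -> Set[Tuple[str, str, str]]:
    """Prong 2, anomalies: every (src, dst, op) triple seen in a known-clean window."""
    return {(e["src"], e["dst"], e["op"]) for e in events}


def evaluate(event: dict, baseline, policy, known_good) -> List[Tuple[str, str]]:
    """Run one event through all three prongs; return (prong, reason) alerts."""
    src, dst, op = event["src"], event["dst"], event["op"]
    alerts = []
    if op in WRITE_OPS and dst in policy and src not in policy[dst]:
        allowed = sorted(policy[dst]) or "nobody"
        alerts.append(("policy", f"{src} did {op} on {dst}; allowed: {allowed}"))
    if (src, dst, op) not in baseline:
        alerts.append(("anomaly", f"first sighting of {src} -> {dst} {op}"))
    if op == "download_program" and dst in known_good:
        seen = logic_hash(event.get("program", b""))
        if seen != known_good[dst]:
            alerts.append(("integrity", f"logic on {dst} differs from reviewed version"))
    return alerts


def run_monitor(clean_window: List[dict], live: List[dict]) -> List[Tuple[int, str, str]]:
    """Learn the baseline from the clean window, then alert on the live events."""
    baseline = learn_baseline(clean_window)
    out = []
    for i, ev in enumerate(live):
        for prong, why in evaluate(ev, baseline, WRITE_POLICY, KNOWN_GOOD_LOGIC):
            out.append((i, prong, why))
    return out


# Constructed traffic. Clean window: normal reads plus one sanctioned download.
CLEAN_WINDOW = [
    {"src": "HMI", "dst": "PLC1", "op": "read_registers"},
    {"src": "EWS", "dst": "PLC1", "op": "read_registers"},
    {"src": "EWS", "dst": "PLC1", "op": "download_program"},
]

LIVE = [
    {"src": "HMI", "dst": "PLC1", "op": "read_registers"},          # normal
    {"src": "HMI", "dst": "PLC1", "op": "write_register"},          # HMI should not write
    {"src": "EWS", "dst": "PLC1", "op": "download_program",         # sanctioned host,
     "program": b"LD I0.0\nST Q0.0\nST Q0.1\n"},                    # but altered logic
    {"src": "10.1.0.99", "dst": "SIS", "op": "write_register"},     # unknown host, safety system
]

if __name__ == "__main__":
    for idx, prong, why in run_monitor(CLEAN_WINDOW, LIVE):
        print(f"event {idx}: [{prong}] {why}")
```

The third live event is the instructive one: the engineering workstation is a permitted writer, and a download from it to PLC1 was seen during the clean window, so neither the policy nor the anomaly prong objects. Only the integrity check notices that the logic being loaded is not the reviewed version. Conversely, the policy prong names the rule the HMI broke where the anomaly prong can only say "never seen before", and the anomaly prong is what flags the unknown host before anyone has written a policy for it.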

Grove summarises that regardless of the risk vectors, these are the fundamentals for increasing cybersecurity in utilities. He says: “We can’t just use one or two of these three defences, because each one has its own drawback and can’t always stand on its own without the help of the others.”