With a growing number of assets across the service territory, utilities face understandable challenges in securing these, both from the physical and especially digital perspectives.
Key to the implementation of a cybersecurity solution is to properly assess the risk, which in turn requires identification of the relevant assets, particularly those that are most critical.
While various asset management solutions are available, the US National Cybersecurity Centre of Excellence at the National Institute of Standards and Technology is now entering the fray, at the stated request of the (US) energy sector, with the aim to provide guidance along with an example solution for the operational technology (OT) assets.
Specifically, the project seeks to address the following characteristics of asset management:
● Discovery, i.e. the establishment of a full baseline of physical and logical locations of assets.
● Identification, i.e. capture of asset attributes, such as manufacturer, model, operating system, Internet Protocol (IP) addresses, media access control (MAC) addresses, protocols, patch-level information and firmware versions.
● Visibility, i.e. continuous identification of newly connected or disconnected devices, and IP (routable and non-routable) and serial connections to other devices.
● Disposition, i.e. the level of criticality (high, medium, or low) of a particular asset, its relation to other assets within the OT network and its communication with other devices.
● Alerting capabilities, i.e. detection of a deviation from the expected operation of assets.
The project description document notes that the wide variety of industrial control system assets, such as SCADA systems, distributed control systems, programmable logic controllers (PLCs) and intelligent electronic devices (IEDs) that provide command and control information and functions on OT networks are primary targets of cyber attacks.
And of course such attacks don’t have boundaries. For example, the group known as Dragonfly believed to be behind activities targeting the power sectors in Europe and North America was of indeterminate origin. Tensions between Russia and the west have led to cyber attack warnings being issued.
The proposed high-level architecture for the project is illustrated (right).
A key assumption is that all the assets within an organisation’s infrastructure, especially those that are considered critical, need to be identified, tracked and managed. In addition, it is assumed that some level of an asset management capability already exists within the organisation.
The example solution will be built on current standards and best practices using commercially available and/or open-source technologies. Components will include OT/industrial control system-specific asset discovery and management tools, reliable and secure communication devices, cybersecurity attack detection capability and log management and alerting.
The desired capabilities include an OT asset inventory, high-speed communication mechanisms for remote asset management, continuous asset monitoring and patch level information. Other anticipated business benefits are reduced cybersecurity risk and potentially reduced safety and operational risk and a faster response to security alerts.
The participating cybersecurity vendors are ForeScout Technologies, Tripwire, Dragos, Splunk, KORE Wireless, TDi Technologies, FoxGuard Solutions, and Veracity Industrial Networks.
No timeline is given for the project but it should be monitored as a significant contribution to a deepening and widespread problem. And while it is first and foremost an initiative for the US energy sector, its application should be universal.