Cyber incidents used to be sporadic in nature, but now they are all too frequently front page news. Sony Pictures Entertainment, Target, JPMorgan Chase and Anthem are just a few of the most recent cyber casualties, with all of these companies now no longer just known for the products they sell and the services they provide, but also for the data breaches that have caused irreparable damage to their reputations. These incidents have unsurprisingly catapulted cybersecurity to the top of senior management’s concerns.
In utilities, security has been on the radar for some time now, as the industry has been developing baseline standards since the early 2000s. However, these baseline standards are no longer sufficient to address the threats. The industry needs to strengthen its defenses even further, as there has been a noticeable uptick in cyber threats in the energy sector over the past few years. According to the US Department of Homeland Security, 53% of the 200 incidents responded to by its Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) between October 2012 and May 2013 were directed toward the energy sector; the second-highest industry was manufacturing.
The hits just keep on coming
In 2014, a cyber-attack perpetrated by “UglyGorilla” — a hacker alleged to be based in China — infiltrated the computers of a Northeastern US public utility company. He plucked schematics of its pipelines and sought access to systems that regulate the flow of natural gas and channels, which could potentially cut off a city’s heat or make a pipeline explode. Among UglyGorilla’s many energy industry quarries in 2012 were the e-mail accounts of executives and managers at utilities in Pennsylvania, New Jersey and Georgia.
The list of examples goes on:
2015: BlackEnergy malware targeted specific control systems in critical infrastructure
2014: Havex attack targeted energy and utilities companies via spam emails and compromised vendor websites
2012: Shamoon attack caused massive business disruption after around 50,000 computers were taken out of service in Saudi Aramco
2011: Night Dragon malware stole valuable information from oil and gas companies
2010: Stuxnet malware attacked the Iranian nuclear fuel processing industry
The energy sector faces unique threats to both its business and operations sides. On the business side, examples of cyber threats include data theft, denial of service attacks, web site defacement, and customer information disclosure or privacy breaches. On the operations side, cyber threats could target the generation and delivery of power. The greatest threat to electricity delivery is a sophisticated and coordinated cyber-physical attack on the operations side, aimed at causing power outages.
Because utilities are critical infrastructure providers, consumers hold them to a higher expectation of reliability and security, since people’s lives depend on them.
A lesson in history
The Energy Policy Act of 2005 created an Electric Reliability Organization (ERO) to develop and enforce mandatory cybersecurity standards. The North American Electric Reliability Corporation (NERC) was designated as the ERO in 2006 and worked with electric power industry experts to develop the NERC Critical Infrastructure Protection (CIP) standards, which were approved by the Federal Energy Regulatory Commission (FERC) in 2008, making them mandatory for owners and operators of the bulk electric system.
Since 2008, the standards have been updated as the threat landscape continues to evolve. The latest set of CIP standards, Version 5, which was approved by FERC in November 2013 with modifications, is set to take effect in April 2016, and the industry is now considering how it will comply with future versions.
CIP is not enough
Unfortunately, many electric utilities have gotten lost in the weeds, putting much of their effort into complying with standards that are regularly being tightened and made more stringent. It is important to keep in mind that these standards simply provide one layer of defense, aimed at protecting critical assets in electric utilities against cyber threats; they do not cover the whole business.
Going above and beyond what is expected by the regulators is critical as hackers are becoming more devious and comprehensive in their efforts. A big, newsworthy breach to an energy company could be catastrophic.
The biggest cause for concern is that many utilities have a false sense of security and mistakenly believe that they are invincible to cyber-attacks.
The strategy defined
For utilities to bolster their cyber defense, they will need to adopt a holistic cyber strategy across their businesses.
To do so, an important step for electric utilities to take is ensuring that proper and effective corporate governance over cybersecurity exists, with Lowe recommending that an executive in the C-suite be charged with this responsibility.
Put in place a cross-functional cybersecurity team, spanning information technology and the operations side of the business, to scan the horizon for change and understand the threats facing the organization in real time.
Closely examine the human element as, unbeknownst to many, it is often the weakest link in a corporation. It is critical to validate and check the people being recruited and to continually monitor them once they are in the company.
There is also a huge challenge for procurement, so companies need to make sure cyber requirements are built into the supply chain. Cyber attacks are increasingly coming into organizations through vendors and support services, so it is critical to make sure they are secure before they enter.
Also of vital importance is regularly exercising and testing a company’s overall cybersecurity protection. Techniques such as penetration testing have been used for some time to check the technology being used. Firms should also be validating the human aspects of their cyber defense. As well as conducting social engineering campaigns on samples of the company, a great way of raising awareness is to focus on specific individuals who are likely to be targeted by hackers. Another highly effective way of helping people to understand the true risks is showing employees how a hacker can obtain their personal and work information and what they can do with that information once they have it in hand.
In educating and making employees aware of the risks, it is best not to overload them. For example, many companies’ cybersecurity awareness campaigns will consist of 20 things not to do, but most people will just remember one or two of those points, so the takeaway here is to keep it simple and continuous.
Time is truly of the essence, as electric utilities are rapidly undergoing a digital transformation to become what PA Consulting has dubbed the Next Generation Utility. As utilities put more intelligent devices on the network, and those communications become smarter and more interconnected, securing those devices, which do not necessarily fall under NERC and CIP regulations, will be challenging.
In a bid to make power networks more reliable, utilities are deploying smart technologies to manage the networks better. The end result could be that reliability is adversely impacted as the solutions may make them unknowingly more susceptible to cyber events.
The mindset right now among many electric utilities is that they are building a smarter network and that network needs to be in compliance. The most prudent course of action is for a system to be secure by design, meaning that when it is being created, the utility needs to understand the risks, perform a risk assessment and make the system secure as it is being designed.
Creating the Next Generation Utility
Although many utilities are currently focusing on developing smarter and more reliable power networks, Next Generation Utilities will undergo a digital revolution to transform their relationships with customers. A robust approach to cyber security will be essential to protect the customer and maintain consumer confidence.
Chip Scott, Justin Lowe and Amanda Levin are energy experts at PA Consulting Group