It’s Never Too Early to Protect Utility Assets
Dan Rueckert & Cathy Ransom May 29, 2012
Utility industry trends in regulation and spending point to a rapidly growing need for cyber security awareness, planning and protection of critical infrastructure. Although regulation of electric utility operations in areas such as fossil and nuclear generation, transmission and distribution has historically moved faster than regulation of the water sector, industry trends indicate an increasing focus on cyber security across all of the nation’s critical infrastructure components. Regulations are being developed and enforced to compel some industry sectors to protect essential assets, but the key driver for implementing a cyber security program is the reduction of risk, not compliance alone.
A recent U.S. Congressional Budget Office review estimated the cost of implementing the Federal Information Security Management Act of 2008 (S. 3474, a proposed update to FISMA), designed to improve information security throughout the federal government, at $40 million in 2009 and about $570 million over the 2009-2013 period. Similarly, January 2011 projections from the technology research and advisory firm Gartner Inc. indicate that the enterprise security market (infrastructure, software and services) will grow from $59.8 billion in 2009 to approximately $97 billion in 2014, a compound annual growth rate (CAGR) between 8.2 and 10.9 percent (Gartner). Of that, at least $15 to $18 billion is anticipated to be spent by utilities (electric, water and natural gas) to safeguard infrastructure. It’s crucial to ensure that vital health and human services are uninterrupted.
Security Risks at a Glance
Several years ago, technology leaders from multiple industries and government agencies pooled intelligence on the attacks they were actually seeing and contributed to the list of 20 critical security controls compiled by the SANS Institute, a cooperative research and educational organization specializing in internet security training (see sidebar). The list identifies essential actions in key areas of vulnerability that, when taken together, would cover approximately 80 percent of a company’s cyber security risks. While it is essential to remember that cyber risks are constantly evolving in form and complexity, this list provides a solid basis for beginning the discussion of required protections in any industry.
The rapid growth in dependence on connected systems over the past few years greatly increases the soft spots: the exposure of utilities’ technology infrastructure to sophisticated and motivated attacks. The effects of botnet intrusions (a botnet is a set of Internet- or network-connected computers or devices that have been compromised and placed under an attacker’s remote control, usually without their owners’ knowledge, and then used to relay attacks, spam or stolen data) are anticipated to grow as networks become more powerful and high-speed data networks expand. Despite increases in funding for research, development and deployment of information assurance defenses, reports of attacks on and damage to infrastructure are growing at an accelerating rate. Furthermore, the scale and complexity of today’s security threats continue to intensify, leaving organizations and governments vulnerable to cyber attacks even as they are pressed for the resources to fight them off.
Implications for the Utility Industry
Technology today plays a key role in the operations and organizational management of nearly every utility service provider. Interconnectivity has brought increased productivity and efficiencies but also introduced new areas of risk, especially from cyber criminals who have the capability to cause a catastrophic impact without even approaching a utility’s physical assets.
Interdependencies among utility sectors make straightforward solutions to cyber security risks harder to identify while greatly increasing the importance of finding them. For example, electric and water utilities, which rely on each other to supply power and water, are subject to many of the same types of cyber risk in their information and operational technology. Yet they do not fall under the same regulatory chain of authority or the same expected diligence of protections: mandatory NERC CIP standards apply to the bulk electric system, while the water sector has operated under voluntary guidance.
Although cyber security is an area of increased focus, utilities face many unknowns in preparing for incidents. It is very difficult to obtain data on the true cost and impact of a security event, the figure a risk assessment expresses as the single loss expectancy (SLE, the expected loss from one occurrence of a given event), because even leading research estimates are generalizations at best.
Utilities are constrained, in part, by a shortage of in-house cyber security expertise capable of identifying and evaluating the different types of threat, so under most scenarios they focus on fixing the cyber-related issue at hand rather than measuring and sharing the incident’s cost, which limits the accuracy of projected costs.
Information technology (IT) professionals within utility organizations are experts at managing information systems and environments. Similarly, operational technology (OT) professionals are trained to understand the intricacies and demands of industrial control systems. Both of these specialized functions exist to support a utility’s core mission: the sustainment and delivery of vital resources to the public on a 24 x 7 basis. Today, utility IT and OT professionals are challenged to counter cyber threats with system hardening and defense-in-depth security postures, and to track and remediate the findings of compliance audits across the spectrum of security concerns.
Cyber Security in the Industry
Cyber threats arrive through a broad range of vectors, which can most simply be divided into two areas: physical and logical breaches. Physical breaches include vandalism or sabotage of operations and the disruption of services by natural or man-made catastrophes such as severe storms and large-scale accidents.
With physical breaches, every end point or physical connection to a system becomes a potential point of vulnerability. Logical access breaches include a wide range of threats such as deliberate hacking, inappropriate user access and the introduction of malware such as Trojan horses and zero-day exploits. Because operational and information technology are increasingly interdependent, logical access breaches are the fastest-growing concern, and for the general public the term “cyber security” may be synonymous with them.
Defense-in-depth is a multi-layered approach to managing known risks that best insulates assets from breaches and limits the damage from risks not yet known. Under this approach an organization evaluates both physical and logical security threats and establishes multiple independent layers of protection, so that an attacker must defeat several of them, rather than a single control, to exploit any given vulnerability.
Depending on the specific objectives of the organization and its maturity along the cyber security spectrum, the following types of assessments may offer valuable information in determining the essential protections to apply to key assets:
Program Maturity Assessment – Measures the organization’s security posture and compares it against the industry’s overall position and trends.
Risk-Based Assessment – Reviews all systems potentially categorized as critical infrastructure to determine appropriate protections, the degree to which those protections have been implemented and the amount of residual risk associated with unapplied protections.
Vulnerability Assessment – Reviews systems deemed to be critical infrastructure assets and delineates potential threats along with the likelihood and impact of those threats occurring on the specific asset.
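The single loss expectancy mentioned earlier, and the residual-risk figure a risk-based assessment is meant to produce, are easier to reason about with numbers attached. The following is an added example, not code from the article or from Black & Veatch: it applies the standard SLE/ALE model to a constructed register of three hypothetical utility assets and ranks proposed controls by net benefit. All asset values, exposure factors, occurrence rates, control costs and effectiveness figures are assumptions made for illustration.

```python
"""Quantitative risk ranking for utility assets.

Added example (not code from the article). It applies the standard
single loss expectancy / annualized loss expectancy model:

    SLE = asset value x exposure factor
    ALE = SLE x annualized rate of occurrence (ARO)

and then ranks candidate controls by the ALE they remove net of their
own annual cost. Every figure below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    asset: str
    scenario: str
    asset_value: float      # dollar impact if the asset is fully lost (constructed)
    exposure_factor: float  # fraction of that value lost in one event, 0..1
    aro: float              # expected number of events per year

    @property
    def sle(self) -> float:
        """Expected loss from a single occurrence."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Expected loss per year with no additional control."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    effectiveness: float    # fraction of ALE the control removes, 0..1 (assumed)


def residual_ale(threat: Threat, control: Control) -> float:
    """Annual loss that remains after the control is applied (residual risk)."""
    return threat.ale * (1.0 - control.effectiveness)


def net_benefit(threat: Threat, control: Control) -> float:
    """ALE removed minus the control's annual cost.
    Negative means the control costs more than the risk it buys down."""
    return (threat.ale - residual_ale(threat, control)) - control.annual_cost


def rank_by_ale(threats):
    """Raw exposure ranking: highest expected annual loss first."""
    return sorted(threats, key=lambda t: t.ale, reverse=True)


def prioritize(threats, controls):
    """Remediation ranking: best net benefit first.
    `controls` maps asset name -> the proposed Control for that asset."""
    pairs = [(t, controls[t.asset]) for t in threats if t.asset in controls]
    return sorted(pairs, key=lambda tc: net_benefit(*tc), reverse=True)


# Constructed risk register for three hypothetical assets.
THREATS = [
    Threat("SCADA historian", "ransomware on Windows host", 2_000_000, 0.25, 0.5),
    Threat("Pump-station PLC", "unauthorized write over flat network", 5_000_000, 0.40, 0.1),
    Threat("Billing database", "SQL injection data theft", 1_000_000, 0.60, 0.2),
]
# Proposed control per asset: (name, annual cost, assumed effectiveness).
CONTROLS = {
    "SCADA historian": Control("offline backups and patch cadence", 60_000, 0.8),
    "Pump-station PLC": Control("IT/OT segmentation firewall", 150_000, 0.9),
    "Billing database": Control("WAF plus code review", 40_000, 0.7),
}

if __name__ == "__main__":
    print("By raw exposure (ALE):")
    for t in rank_by_ale(THREATS):
        print(f"  {t.asset:18s} SLE={t.sle:>12,.0f} ALE={t.ale:>12,.0f}")
    print("By net benefit of the proposed control:")
    for t, c in prioritize(THREATS, CONTROLS):
        print(f"  {t.asset:18s} {c.name:34s} residual={residual_ale(t, c):>10,.0f} net={net_benefit(t, c):>10,.0f}")
```

Ranking by raw ALE puts the PLC scenario second; ranking by net benefit drops it to last, because the segmentation firewall is expensive relative to the dollar loss it prevents. That difference is what a risk-based assessment adds over a plain vulnerability count. The caveat is that a pure dollar model underweights low-frequency events with safety consequences, and a pump-station compromise is one; for such scenarios treat the ALE result as one input alongside a qualitative impact rating, not as the sole decider.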
Breaches often occur because the physical or logical protections for a specific system failed. In some cases, the benefits of a more secure system may not justify the direct and indirect costs. It is important, however, to recognize that benefits may include more than public safety or prevention of monetary loss; for example, controls may be essential for maintaining public trust and confidence. Assessing cyber security risks can also have a significant positive impact on other key concerns of utility leaders by bringing together information that supports:
The justification for updating aging critical infrastructure and information technology;
Risk-based management and prioritization of capital costs;
A pro-active/pre-emptive approach to increasing regulation; and
Pre-emptive data and process management to offset aging workforce issues.
Combating cyber threats is a significant challenge for utility companies that are also wrestling with flat operations budgets, shifting security policies, and a shortage of staff specifically qualified for and assigned to IT security. In implementing a cyber security plan, utility technology managers must address the dynamic nature of the threat environment and align with a broad range of security and compliance directives. Meeting these objectives effectively and within budget is often a daunting task.
In the 21st century, however, the very mission of utilities depends on effective cyber security. An organization may be well served to outsource strategic cyber security services to companies whose core capabilities are the assistance and development of the utility business model.
For most, if not all, utilities it is a matter of cost versus risk, and the risks are clearly increasing. Regardless of an organization’s risk tolerance, the wisest and most forward-thinking utility industry participants are evaluating and planning for ongoing cyber security initiatives, which now include risk assessment, prioritization and remediation planning. The sooner issues are identified, the sooner they can be analyzed and corrective actions applied over a planned period.
It is clear that utility leaders have myriad operational and financial concerns to manage. Because there are many varied issues, the financially conservative view on cyber security spending may appear to be a wait-and-see approach. However, it is important to acknowledge that taking this posture tags a utility as an entity with a high tolerance for risk. In the face of such potentially disastrous and escalating risks, the real question is, “Can we afford NOT to proactively address cyber security concerns?”
Dan Rueckert is an associate vice president with Black & Veatch’s Management Consulting Division in Portland, Ore.
Cathy Ransom is a senior consultant in Black & Veatch’s Cyber Security Practice, Management Consulting Division based in Austin, Texas.
20 Critical Controls for Effective Cyber Defense
- Inventory of authorized and unauthorized devices.
- Inventory of authorized and unauthorized software.
- Secure configurations for hardware and software on laptops, workstations, and servers.
- Secure configurations for network devices such as firewalls, routers, and switches.
- Boundary defense.
- Maintenance, monitoring, and analysis of security audit logs.
- Application software security.
- Controlled use of administrative privileges.
- Controlled access based on need to know.
- Continuous vulnerability assessment and remediation.
- Account monitoring and control.
- Malware defenses.
- Limitation and control of network ports, protocols, and services.
- Wireless device control.
- Data loss prevention.
- Secure network engineering.
- Penetration tests and red team exercises.
- Incident response capability.
- Data recovery capability.
- Security skills assessment and appropriate training to fill gaps.
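As an added example, not code from the article or from the SANS Institute, the script below puts the first control (device inventory) and the port, protocol and service control into practice: it reconciles a constructed authorized-asset register against constructed observations of which devices were seen in which network segment with which TCP ports open. The register contents, observations, hostnames, MAC addresses and the per-role allowed-port policy are all assumptions made for illustration.

```python
"""Reconcile what is actually on the network against the authorized asset
register, covering the device-inventory control and the port/protocol/
service control from the list above.

Added example, not code from the article or from SANS. The register, the
observations and the per-role allowed-port policy are all constructed;
in practice the observations would come from DHCP leases, switch MAC
tables or a scan, and the policy from the utility's own standards.
"""
import csv
import io

# Constructed authorized asset register. 'segment' is the network zone the
# device is permitted to live in; 'role' selects its allowed services.
REGISTER_CSV = """mac,hostname,segment,role
00:1a:2b:00:00:01,hist01,ot-dmz,historian
00:1a:2b:00:00:02,plc-pump-01,ot-control,plc
00:1a:2b:00:00:03,eng-ws-01,ot-control,engineering_ws
00:1a:2b:00:00:04,bill-db-01,it-core,database
00:1a:2b:00:00:05,rtu-old-07,ot-control,plc
"""

# Constructed observations: where each MAC was seen and which TCP ports
# answered. The last row is a device nobody registered.
OBSERVED_CSV = """mac,ip,segment,open_ports
00:1a:2b:00:00:01,10.10.1.10,ot-dmz,443 1433
00:1a:2b:00:00:02,10.10.2.20,ot-control,502 80
00:1a:2b:00:00:03,10.10.2.30,ot-control,3389 5900
00:1a:2b:00:00:04,10.10.2.31,ot-control,1433
00:1a:2b:ff:ff:ff,10.10.2.99,ot-control,22 80 502
"""

# Assumed allow-list of listening TCP ports per role (policy, not a standard).
ALLOWED_PORTS = {
    "historian": {443, 1433},
    "plc": {502},            # Modbus/TCP only; the PLC's web UI stays off
    "engineering_ws": {3389},
    "database": {1433},
}


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(register_rows, observed_rows, allowed=ALLOWED_PORTS):
    """Return findings as (severity, mac, message) tuples, highest first."""
    register = {r["mac"].lower(): r for r in register_rows}
    seen = set()
    findings = []
    for obs in observed_rows:
        mac = obs["mac"].lower()
        seen.add(mac)
        ports = {int(p) for p in obs["open_ports"].split()}
        known = register.get(mac)
        if known is None:
            # Device inventory: a device that is not in the register at all.
            findings.append(("high", mac,
                             f"unauthorized device at {obs['ip']} in {obs['segment']}"))
            continue
        if known["segment"] != obs["segment"]:
            # Registered device plugged into the wrong zone (IT asset on OT network).
            findings.append(("high", mac,
                             f"{known['hostname']} registered in {known['segment']} "
                             f"but seen in {obs['segment']}"))
        extra = ports - allowed.get(known["role"], set())
        if extra:
            # Ports/protocols/services: listeners the role does not permit.
            findings.append(("medium", mac,
                             f"{known['hostname']} exposes unexpected ports {sorted(extra)}"))
    for mac, row in register.items():
        if mac not in seen:
            # Register entry with no live device: stale record or offline asset.
            findings.append(("low", mac, f"{row['hostname']} in register but not observed"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[0]])


def summarize(findings):
    """Counts per severity, useful as a trend line across repeated runs."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for severity, _, _ in findings:
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    results = reconcile(load_csv(REGISTER_CSV), load_csv(OBSERVED_CSV))
    for severity, mac, message in results:
        print(f"[{severity:6s}] {mac}  {message}")
    print(summarize(results))
```

On the constructed data this reports two high findings (an unregistered host on the control segment and a billing database server that has been plugged into the OT network), two medium findings (a PLC answering on port 80 and an engineering workstation running VNC alongside RDP) and one stale register entry. One OT-specific caveat: the open-port observations for the control segment should come from passive sources such as switch MAC tables or a span-port capture rather than an active port scan, because active scanning can upset fragile PLCs and RTUs.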