Here’s a thoughtful piece from three IBM security experts that presents a little-known danger. Along with all the other challenges from our grid security inadequacies, some insurance companies are now refusing to insure utilities against cyberattacks.
But this article is about much more than the uninsurable risk. It lays out a path to a “convergence of all things security” that I believe is an essential step to a more secure grid. – Jesse Berst
By Diana Kelley, Pete Allor and Craig Heilmann
Why the smart grid needs “security intelligence”
BBC News recently posted a thought-provoking piece explaining why many energy companies (including power and utilities) are being turned down for insurance policies to cover cyber-attacks. The net: audits of existing defense and protection strategies “concluded that protections were inadequate.”
Given that we’re talking about the entities that supply power to governments, cities and consumers around the globe, the knowledge that their protections from cyber-attacks aren’t even considered adequate is fairly alarming. This doesn’t mean that a Die Hard-style takedown of the United States’ power grid is imminent. However, it does point to a few key facts that security professionals working with energy and utilities have been discussing for a few years now.
One point that often comes up is the convergence of networks, operations, communications and information technology. As the technology converges, so too must the way we monitor and manage security across them. The old way is no longer effective, and a new, more intelligent security paradigm is required.
Where we were – the not-so-smart grid
Not too long ago, the operations technology (OT) side of the energy house was operated separately from the information technology (IT) side. On the OT side, Industrial Control System (ICS) devices, substations and other gear were managed over telecommunications links rather than IP-based networks. OT technologies like supervisory control and data acquisition (SCADA) systems use proprietary protocols such as DNP3 or Modbus over closed-loop networks, and the software was rarely updated.
Back-end business software lived on the IT side and supported activities like billing and customer management. And when the Internet rose to prominence, IT got connected and adopted emerging security controls like firewalls, anti-malware and intrusion detection systems (IDS). Automatic software updates and patching later became commonplace.
Front-end OT stayed locked down and managed by a small number of administrators. The primary remit of OT is to keep operations running smoothly and without interruption – reliability of the system was paramount. Security controls like IDS weren’t deemed ready for OT, and software updates were made very cautiously and slowly, and then only after approval by the OT vendor and a controlled installation.
Where we are – the smarter grid
A number of priorities in energy changed the old, very separate model and ushered in an era of convergence between OT and IT. The need to remotely manage and control systems on the OT network has led to IP enablement and Internet connectivity for those systems. Remote access was needed both to operate with fewer people and to allow infrequent vendor updates while maintaining the reliability of systems. And often, to keep legacy equipment accessible, a web front end is placed in front of it to support browser-based access and simplify this management.
Next generation energy systems and the smart grid have also driven convergence. Smart grids improve efficiency and reliability by joining information from multiple suppliers and their consumers. Additionally, bringing that data together requires aggregation not only from partners but also from traditional IT systems.
Smart and advanced meters and smart houses are blurring the lines between IT and OT even more. Further, all of this technology is going mobile in one form or another, whether it’s a customer application to monitor energy usage at a solar-powered house that’s selling excess energy back to the grid, an energy employee reading meters with a handheld device, or data sent via telecom links to a central data repository.
Where we need to go – the intelligent grid
That leaves the question: where are we today? Today we are in a place where insurers deem current protections inadequate. This is not necessarily because the protections themselves were inadequate, but because of the recent convergence activity and changes in how energy companies do business with their partners and customers in the smart grid age.
One point that wasn’t raised in the BBC article is the lack of actuarial data for the insurers to build risk models and construct tables from. Without actuarial data, it’s impossible for the companies to estimate the real costs of a cyber-breach, to set aside reserves for breaches, or to set policy premiums. In fact, this is an area needing more work if you follow Executive Order 13636 on securing critical infrastructure.
So what can we do? Take a fresh look at the protections in the new converged OT/IT world and implement intelligent security controls and processes that understand and support the “convergence of all things security.” Traditionally siloed function areas such as telecom and physical security are now connected to IT, OT and business applications (like SAP Transactions). They must be managed in a unified and intelligent way.
The importance of sensors
All of the above should be instrumented with sensors. Monitoring and network forensics tools can be used to capture data from the sensors about events and intrusions, and that data can then feed risk models. Traditional IT security controls like security information and event management (SIEM) and identity and access management (IAM) can be used on converged energy networks to provide improved analysis and better protection. Finally, the findings can be rolled up to GRC tools for consistent execution of governance, risk management and compliance across domains.
Some traditional IT security software may be ready for the converged energy networks today, for example access control in front of a web-connected legacy system, or application security testing for vulnerabilities in that web interface. Others, like SIEM, may require some tweaks to parse OT protocols like Modbus and DNP3, along with new rule sets to capture activity on those networks.
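To make the "tweaks to parse OT protocols" and "new rule sets" concrete, here is an added example (not code from the article or from IBM) of what the sensor and SIEM layers described in the two paragraphs above have to do: decode Modbus/TCP framing and evaluate a small rule set over it. The MBAP header layout (transaction id, protocol id, length, unit id, then function code and data) follows the public Modbus/TCP specification; the host addresses, the allowlist of engineering workstations, the sample frames and the rule names are all constructed for illustration. The rules are deliberately simple: a write function code from a host that is not an approved writer, a frame whose length field does not match the bytes on the wire, and a function code outside the site's read/write baseline.

```python
"""Minimal Modbus/TCP parser plus SIEM-style rules over constructed traffic.

Added example; not code from the original article. Modbus/TCP framing is
taken from the public specification; hosts, allowlist, sample frames and
rule names are constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Function codes that change controller state. A write from a host that is
# not an approved writer is exactly the event an OT-aware SIEM should surface.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


@dataclass
class ModbusFrame:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusFrame]:
    """Parse one Modbus/TCP request; return None if the framing is inconsistent."""
    if len(payload) < MBAP_LEN + 1:
        return None
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:MBAP_LEN])
    # Protocol id is always 0 for Modbus; the length field counts unit id,
    # function code and data, i.e. everything after the first six bytes.
    if pid != 0 or length != len(payload) - 6:
        return None
    return ModbusFrame(tid, pid, length, uid, payload[MBAP_LEN], payload[MBAP_LEN + 1:])


def evaluate_rules(src: str, payload: bytes, allowed_writers: Set[str]) -> List[str]:
    """Return the names of the rules that fire for one observed TCP payload."""
    frame = parse_modbus_tcp(payload)
    if frame is None:
        # Bad framing on a closed-loop OT network is itself worth an alert.
        return ["modbus_malformed_frame"]
    alerts = []
    fc = frame.function_code
    if fc in WRITE_FUNCTIONS and src not in allowed_writers:
        alerts.append("modbus_write_from_unexpected_host")
    if fc not in WRITE_FUNCTIONS and fc not in READ_FUNCTIONS:
        alerts.append("modbus_function_outside_baseline")
    return alerts


# Constructed sample: one engineering workstation is the only approved writer.
ALLOWED_WRITERS = {"10.1.0.10"}

# Constructed traffic as (source host, destination PLC, raw TCP payload).
SAMPLE_TRAFFIC: List[Tuple[str, str, bytes]] = [
    # HMI reads holding registers 0..9 (FC 3): normal polling, no alert.
    ("10.1.0.20", "10.1.5.2", bytes.fromhex("00010000000601030000000a")),
    # Engineering workstation writes register 0x10 (FC 6): approved writer.
    ("10.1.0.10", "10.1.5.2", bytes.fromhex("0002000000060106001000ff")),
    # HMI writes two registers (FC 16): a write from a host that only reads.
    ("10.1.0.20", "10.1.5.2", bytes.fromhex("00030000000b0110000000020400010002")),
    # Length field claims 0x20 bytes but only 6 follow: malformed frame.
    ("10.1.0.20", "10.1.5.2", bytes.fromhex("000400000020010300000001")),
    # FC 43 (device identification) is not in this site's read/write baseline.
    ("10.1.0.30", "10.1.5.2", bytes.fromhex("000500000005012b0e0100")),
]


def run_sample() -> List[List[str]]:
    """Evaluate the rule set over the constructed traffic, one alert list per frame."""
    return [evaluate_rules(src, payload, ALLOWED_WRITERS)
            for src, _dst, payload in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for (src, dst, _), alerts in zip(SAMPLE_TRAFFIC, run_sample()):
        print(f"{src} -> {dst}: {alerts or 'ok'}")
```

In a real deployment the allowlist and function-code baseline would come from the asset inventory produced under the framework's Identify function, and the alerts would be forwarded into the SIEM with the source, destination and unit id so they can be correlated with IAM and physical-access events.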
The importance of a framework
Another key to getting to a protected intelligent grid is the recently released NIST Framework for Improving Critical Infrastructure Cybersecurity: applying it as a risk management and strategy approach across both IT and OT networks, and then incorporating it into enterprise risk. The framework “provides organization and structure to today’s multiple approaches to cybersecurity by assembling standards, guidelines, and practices that are working effectively in industry today.” As energy companies begin the journey, the NIST Framework is an excellent starting point and encompasses all of the areas – hardware, software, communications, people, data and infrastructure – that need to be addressed to build a cohesive solution.
For a framework to have value, it must be put into action. The first function in the framework is Identify. That includes “Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.”
Bringing energy companies up to insurable “speed” isn’t going to happen overnight. It’s going to require a lot of work on all sides – including the security vendors that supply solutions and the insurers that need to amass the actuarial data.
But nothing will happen if someone doesn’t start the conversation. To do this requires assessing where we are now along with future goals and strategies. We’re ready to get started – are you?
Diana Kelley is a security strategist for IBM Security Systems. She is an internationally recognized security expert with 25 years of IT security experience.
Craig Heilmann is an Associate Partner within IBM’s Global Technology Services organization and practice leader for Industrial Control Systems Security services. His career spans twenty years of technical, professional, managerial and entrepreneurial experience applied specifically in the areas of information security, controls and governance.
Peter Allor is a Security Strategist in IBM’s Critical Infrastructure Group, assisting in guiding the company’s overall security initiatives and participation in enterprise and government implementation strategies. He is responsible for security strategies, especially as they intersect with critical infrastructures and Central Government Operations / Strategy.