As we close out 2016 and collectively look forward to a breath of fresh air in 2017, it seems appropriate to pause a moment and provide some grid security predictions for the new year. Predictions based on trends, insight and knowledge can arm security programs with the advanced understanding needed to wisely upgrade policies, test systems and appropriately spend money on future mitigations. Physical and cybersecurity investments for the power grid are not going away anytime soon, so let’s break out the crystal ball and dig a little deeper into where the utility industry is headed.
While most people were watching the Olympics this past summer, monitoring 24-hour news channels for political updates this fall and canvassing the malls of America during the holidays, utility professionals were hard at work readying their North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) programs for compliance.
With an effective date of July 1, 2016 to meet the latest version of the NERC CIP standards, utilities across North America had a significant challenge. The adoption of these new standards is a change in direction: a risk-based approach that classifies assets as High, Medium or Low impact. The purpose of the risk identification levels is to clearly define the impact each level could have on overall grid reliability. For High and Medium Impact assets, utilities were required to meet mandatory compliance for the cyber systems that operate our nation’s power grid. The requirements range from establishing electronic boundaries to patch management, physical security measures to configuration management, and other mandatory compliance regulations to better protect cyber assets.
It was a chaotic summer.
In addition to preparing for the updated cyber standards, utilities were completing their CIP-014 physical security standard upgrades to transmission substations and control centers to protect critical sites from attack. If that wasn’t enough, industry is now consumed with creating a cybersecurity supply chain management standard requiring entities to have supply chain controls in place to better protect industrial control systems (ICS). This must be submitted to the Federal Energy Regulatory Commission (FERC) within one year of the order. Needless to say, industry is busy “burning the midnight oil.”
A fresh new year is an opportunity to reflect on the path recently traveled, and to strategize on how to navigate the road in front of us. While a new presidential administration will certainly dictate philosophies and set the regulatory course, it is safe to say that no administration will tolerate a prolonged blackout due to a security event. In order to keep the confidence of the new President and the American people, the utility industry must keep its foot on the gas pedal and make the needed investments and upgrades to its physical and cybersecurity programs. As we finalize capital budgets and acquire resources for the new year, here are a few points utility security professionals should consider.
- April 1, 2017, is the effective date by which Low Impact Assets are required to meet compliance. Over 1,000 new entities will be required to comply with the new CIP-003 requirement that mandates policies in cybersecurity awareness, physical access controls, electronic access controls and cybersecurity incident response. Most of these entities have never had to comply with NERC CIP and will have a lot of work ahead of them to build and formalize such a program. Each of these requirements, although simple, requires specific implementation to ensure the programs and policies are actually in effect. Simply having a program and not implementing it will be trouble come audit time.
- Employees, contractors and vendor partners will become more aware that the data on their computers and mobile devices is valuable and vulnerable. Automating a cybersecurity awareness program will not only help you meet compliance, but has a direct benefit to your overall security posture as an organization. Auditors will take notice of great programs and other effective controls in place to help prevent cyber-attacks and ensure the reliability of the grid.
- Utilities will focus on the prevention and active monitoring of ransomware. If you are not familiar with ransomware, it is a type of malicious software that holds your computer system ransom by encrypting your data. The ransomware then demands that a sum of money be paid in order to regain access to the computer system. Ransomware is becoming one of the most popular and effective ways for hackers to quickly attain their goals and reap the rewards of their attacks.
- Removable media will continue its slow, painful death. The NERC standards will require all High and Medium Impact assets to create a Removable Media Management Program. This will require removable media used in the organization to be identified and authorized. The requirement also covers malicious code mitigation. This will be a difficult challenge for all organizations that use removable media in their operating environment. For ICS environments, this is one of the highest risks associated with cyber-attacks. For Low Impact assets, there is no formal NERC CIP compliance requirement to manage removable media. However, this doesn’t mean that such a program shouldn’t exist. Any organization that uses removable media should define its proper use and restrict usage to authorized devices. We will continue to see malware become more advanced as we move into 2017, and a quick connection of a USB device into an ICS network can introduce major threats.
- While the NERC CIP-014 physical security standard will target approximately 1,000-1,500 critical substations across North America, protections to critical transmission sites will continue to be a focus for the industry. As new substations are built and introduced into the bulk power system, security protections will be implemented as a forethought, not a “bolt-on” after the fact. The utility industry must understand that any substation, high voltage transformer or other equipment being shot at or subject to physical attack will draw media scrutiny and could damage a utility’s reputation. As a result, substations that don’t meet the criteria for CIP-014 compliance, but are system or business critical, will start to receive threat and vulnerability assessments and added security mitigation measures designed to deter, detect and delay potential attackers.
- Unmanned Aerial Systems (UAS) will continue to provide useful situational awareness information during response and recovery operations after storms, earthquakes and floods. Unfortunately, with the good comes the bad. Security professionals are mindful of the nefarious scenarios where a drone could be the vehicle to drop a pipe bomb or other explosive device into a substation or generating plant. As quality drones become cheaper, more common and increase their payload lift ability, these “tools” could be used to inflict damage on critical infrastructure. [Editor’s note: See the recent Homeland Security Today report, Unmanned Understanding: UAS Threat Requires Active Solutions from Leadership]
- Utilities have begun to address the potential threat by deploying frequency jamming security systems. Currently, owners and operators of infrastructure sites don’t own the airspace above, so when a hobbyist’s drone is driven into the ground by anti-drone technology, the utility will likely be liable for damages. Utilities should monitor and be mindful of local drone laws and Federal Aviation Administration (FAA) operator rules.
- The discussion begins about better protecting non-nuclear generation plants from physical attack. In the event that a fossil or hydro plant is attacked in the United States, a major knee-jerk reaction would be felt throughout the country and new legislation would be introduced. Given the reaction after a 2013 substation shooting in California, where FERC mandated that a physical security standard (CIP-014) be created, it can be reasonably assumed that similar rules would be forced onto the industry if a major attack occurs at a power generation station. In the aftermath of such an attack, very difficult questions will be directed towards industry executives as to why utilities do not have current physical security standards in place.
- A stronger push towards security convergence and the integration of all security disciplines. Convergence can be defined as the integration of logical security, information security, operational security, physical security and business continuity. Considering the various types of security threats (terrorism, identity theft, data breaches, insider threats, etc.) one side of the security spectrum simply cannot protect an organization to its greatest potential. While utilities remain effective at addressing traditional threats such as severe weather, vegetation management and routine transmission disruptions, the evolving nature of physical, cyber and OT security is creating challenges that many companies are grappling with to ensure the resilience of their operations. An interconnected grid that incorporates computing, communications, markets and physical assets unfortunately presents potential attackers with opportunities that require a holistic approach to security.
- Investor-owned utilities (IOUs), with help from industry trade associations, will push the industry towards greater physical security protections at critical sites. As smaller municipal utilities and rural cooperatives see the protections being put in place by larger utilities, it will naturally force these utilities to invest in similar protections. These smaller utilities have security in place, but they struggle to bring the same amount of resources or a comparable security budget to the table. Soon, all utilities will be discussing the implementation of concrete perimeter walls, ballistic protections, and gunshot detection systems, not just a select few. After all, a rising tide lifts all boats.
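The ransomware item above calls for active monitoring rather than just prevention. The following is an added example, not code from the article or its authors: a small behavioural detector that runs over constructed file-audit records and flags a process that renames or rewrites many distinct files into one extension outside the organization's normal baseline within a short window. The log format, the `.locked` extension, the baseline list, the 60-second window and the five-file threshold are all assumptions chosen for illustration.

```python
"""Ransomware-style file-activity detector over constructed audit records.
Added example; the log format, thresholds and baseline are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding time window per (host, process)
THRESHOLD = 5                    # distinct files in the window before alerting
# Extensions routinely produced by legitimate work on these hosts (assumed).
BASELINE_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".cfg", ".log"}

# Constructed sample audit log: "<timestamp> <host> <process> <action> <path>".
# hmi-01 shows a bulk rename to a new extension; eng-02 shows a small, normal
# batch of temporary files that stays under the threshold.
SAMPLE_LOG = r"""
2017-01-09T08:00:01 hmi-01 winword.exe WRITE C:\Users\op\report.docx
2017-01-09T08:00:05 hmi-01 excel.exe WRITE C:\Users\op\loads.xlsx
2017-01-09T08:02:10 hmi-01 svchost32.exe RENAME C:\Users\op\report.docx.locked
2017-01-09T08:02:11 hmi-01 svchost32.exe RENAME C:\Users\op\loads.xlsx.locked
2017-01-09T08:02:11 hmi-01 svchost32.exe RENAME C:\Users\op\notes.txt.locked
2017-01-09T08:02:12 hmi-01 svchost32.exe RENAME C:\Users\op\plan.pdf.locked
2017-01-09T08:02:13 hmi-01 svchost32.exe RENAME C:\Shared\outage.docx.locked
2017-01-09T08:02:14 hmi-01 svchost32.exe WRITE C:\Users\op\README_DECRYPT.txt
2017-01-09T08:10:00 eng-02 update.exe WRITE C:\Temp\patch1.tmp
2017-01-09T08:10:01 eng-02 update.exe WRITE C:\Temp\patch2.tmp
2017-01-09T08:10:02 eng-02 update.exe WRITE C:\Temp\patch3.tmp
"""


def parse_line(line):
    """Split one audit record into its fields (path may contain spaces)."""
    ts, host, proc, action, path = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "proc": proc, "action": action, "path": path}


def extension(path):
    """Return the lower-cased final extension of a Windows or POSIX path."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def detect(lines, window=WINDOW, threshold=THRESHOLD, baseline=BASELINE_EXTENSIONS):
    """Return one alert per (host, process) that touches >= threshold distinct
    files with the same non-baseline extension inside the window."""
    by_actor = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        if event["action"] in ("WRITE", "RENAME"):
            by_actor[(event["host"], event["proc"])].append(event)

    alerts = []
    for (host, proc), events in by_actor.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            ext = extension(start["path"])
            if not ext or ext in baseline:
                continue
            touched = {e["path"] for e in events[i:]
                       if e["ts"] - start["ts"] <= window
                       and extension(e["path"]) == ext}
            if len(touched) >= threshold:
                alerts.append({"host": host, "process": proc, "extension": ext,
                               "files": len(touched),
                               "first_seen": start["ts"].isoformat()})
                break   # one alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The output is an alert for an analyst, not an automatic block: legitimate bulk operations (backups, archive tools, software updates) can look similar, which is why the baseline of expected extensions and the threshold have to be tuned per host class rather than copied from this example.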
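The removable-media item above says devices must be identified and authorized and that malicious code must be mitigated. The following is an added example, not code from the article, its authors or any NERC document: an authorization check that allows a device plugged into an ICS host only if it is in the authorized inventory (identified by vendor id, product id and serial number), the user is approved for that device, and the device passed a malicious-code scan within the policy window. The inventory, scan records, event fields and the 24-hour window are constructed assumptions.

```python
"""Removable-media authorization check for ICS hosts (added example).
Inventory, scan records, event fields and the policy window are assumptions."""
from datetime import datetime, timedelta

SCAN_MAX_AGE = timedelta(hours=24)   # assumed policy: clean scan within 24h

# Authorized inventory keyed by device identity (constructed sample data).
AUTHORIZED_MEDIA = {
    ("0951", "1666", "ICS-USB-0042"): {"label": "patch transfer drive #42",
                                       "users": {"jdoe", "asmith"}},
    ("0951", "1666", "ICS-USB-0043"): {"label": "patch transfer drive #43",
                                       "users": {"jdoe"}},
}

# Most recent clean scan per serial, e.g. from a scanning kiosk (constructed).
CLEAN_SCANS = {
    "ICS-USB-0042": datetime(2017, 1, 9, 7, 30),
    "ICS-USB-0043": datetime(2017, 1, 6, 16, 0),   # stale: older than 24h
}

# Connection events as an endpoint agent might report them (constructed).
CONNECTION_EVENTS = [
    {"ts": datetime(2017, 1, 9, 8, 5), "host": "hmi-01", "user": "jdoe",
     "vendor_id": "0951", "product_id": "1666", "serial": "ICS-USB-0042"},
    {"ts": datetime(2017, 1, 9, 8, 20), "host": "hmi-01", "user": "contractor7",
     "vendor_id": "0951", "product_id": "1666", "serial": "ICS-USB-0042"},
    {"ts": datetime(2017, 1, 9, 9, 0), "host": "eng-02", "user": "asmith",
     "vendor_id": "0781", "product_id": "5567", "serial": "PERSONAL-123"},
    {"ts": datetime(2017, 1, 9, 9, 15), "host": "eng-02", "user": "jdoe",
     "vendor_id": "0951", "product_id": "1666", "serial": "ICS-USB-0043"},
]


def evaluate(event, inventory=AUTHORIZED_MEDIA, scans=CLEAN_SCANS,
             max_age=SCAN_MAX_AGE):
    """Return ("ALLOW"|"DENY", reason) for one connection event.
    Checks run in order: identified device, approved user, fresh clean scan."""
    key = (event["vendor_id"], event["product_id"], event["serial"])
    record = inventory.get(key)
    if record is None:
        return "DENY", "device not in authorized inventory"
    if event["user"] not in record["users"]:
        return "DENY", "user not approved for this device"
    last_clean = scans.get(event["serial"])
    if last_clean is None or event["ts"] - last_clean > max_age:
        return "DENY", "no clean malicious-code scan within policy window"
    return "ALLOW", record["label"]


def evaluate_all(events, **policy):
    """Evaluate a batch of events; every DENY is also an audit record."""
    return [(e["host"], e["serial"], *evaluate(e, **policy)) for e in events]


if __name__ == "__main__":
    for host, serial, decision, reason in evaluate_all(CONNECTION_EVENTS):
        print(f"{host} {serial}: {decision} ({reason})")
```

Keying the inventory on the vendor/product/serial triple rather than on the drive letter or volume label is what makes "identified and authorized" meaningful; the denial reasons are kept distinct so that an auditor can see which control (inventory, user approval or scanning) actually stopped each connection.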
2017 will be a busy year for the electric utility industry. Utilities are seeing a growth in regulations, along with an increased inherent risk profile. Hackers are not just looking for credit cards and bank accounts anymore, but are instead eyeing other attack methods that inflict reputational damage and embarrass companies or governments. They will play off of reputational risk and the fear of damages to get what they want. We know threat actors are coming! Success will be determined by how proactively we look at these threats and defend against them.
Brian Harrell, CPP is Director of Security and Risk Management at Navigant Consulting, Inc. and a former security executive at the North American Electric Reliability Corporation (NERC).
Nick Santora, CISSP, CISA, is Chief Executive Officer at Curricula, a cybersecurity awareness training company and is a former cybersecurity professional at NERC.