Having always been a technologist at heart, it is comforting to see how technology continues to impact today’s Digital Energy industry. From the large scale adoption of Internet of Things devices, to private cloud adoption (with the first glimpses of public cloud), to artificial intelligence and increasingly automated systems, technology has become a staple of the industry. At the same time, the industry continues to deal with challenges such as a workforce nearing retirement, regulatory challenges, a burgeoning threat landscape, and a massive manpower and skills gap with respect to Cyber Security.
And… then, there is the ugly side of technology, where the results don’t always align with intentions and where it leads to new challenges. A few easy examples of this are nauseatingly complex networks that are full of design flaws and misconfigurations, and which invite new attack vectors.
But I’d like to focus my time and energy addressing this readership on technologies and developments relative to cyber security that are impacting the industry, and that candidly require a call to action. Applying relevant and effective cyber security is where I see the largest gaps in understanding when it comes to CIOs and CISOs. Given the critical nature of our smart grid and energy infrastructure, cyber security is an area of great impact and consequence, and unless this issue is solved, we’ll likely never realize the real promise of IoT and Digitalization.
Industrial Cyber Security is Essential, Yet Scantily Addressed Today
To thrive in today’s Digital industry requires connectedness. The digitally connected enterprise identifies opportunities, assesses health and operational status, lowers the cost of materials, and accesses expertise from wherever it is around the world. This ever-connected and information-rich world is driving measurable gains across a variety of examples; however, the rush into new technology, connections, and mobility also adds more risk. The reality is that operational networks are more complex than ever before, putting the operational resiliency of energy systems at risk.
Meanwhile, security-related incidents are on the rise. A December 2016 study conducted by Security Intelligence noted a 110 percent increase in such incidents within ICS environments. Already, since that report, we’ve witnessed an even steeper increase in security events impacting operational networks. For example, WannaCry impacted at least 100K organizations across 150 countries, making it the largest and most disruptive ransomware attack ever launched. NotPetya reportedly cost two individual companies (Maersk and FedEx) more than $300 million each, and now in 2018, we’ve already seen Meltdown, Spectre, and the TRITON attack, which targeted safety instrumented systems (SIS), the systems responsible for ensuring the health and well-being of plant workers.
For some companies, these incidents drive knee-jerk reactions such as fortified perimeter defenses and demilitarized zones (DMZs) between the corporate network and their industrial control systems networks. They reason that this will effectively block outside threats to their operations.
Unfortunately, there is new data that suggests that some of the largest cyber security risks may not be external attack vectors, but rather internal. For instance, the 2017 SANS ICS Security Report notes that the top 3 attack vectors are, in order:
1) unsecured devices and “Things” (that cannot protect themselves) being added to the network;
2) internal threats (accidental or otherwise); and
3) external threats (hacktivists or nation states).
The SANS study does a great job of pointing out where the glaring issues lie. Having met with countless companies over the last decade, I can tell you that right behind these hardened and fortified perimeters, one usually will find a quite squishy (insecure) middle inside the perimeter defenses, and this is where the systems that run our lives sit (generating, transmitting, and distributing power; producing clean water, etc.).
The bottom line is that, as an industry, our focus must shift from connectedness to secure connectedness. Managing the risk to our industrial plants and infrastructure is an overriding concern for everyone, and we need CIOs and CISOs to understand the landscape, secure adequate funding, and take action.
Technologies and Services Exist that Can Help
The aforementioned cyber perimeters cannot protect against sophisticated threats or stop malicious software from being carried in via SneakerNet (removable media). Within these operational networks, very little visibility into assets, vulnerabilities or communications exists, and operators have limited knowledge of what is normal and what is abnormal. For those ill-equipped to implement and maintain such technologies, managed services exist to deliver the same level of benefits at an optimized price point. A few high-impact solutions (which are also provided as managed services) are:
- OT Asset Management – by using passive technologies to build a detailed OT asset inventory, firms are able to gain visibility into what exists in their operational environments for the first time.
- Vulnerability Management – once firms achieve a level of visibility via OT Asset Management, the next logical step is to understand what vulnerabilities exist, tied directly to the specific assets themselves. It’s important to note that while there are IT-centric tools that perform these functions in IT environments, those tools are ill-suited to OT environments, which require passive and safe technologies.
- OT Network & Communications Monitoring – real-time scrutiny of ongoing system communications and identification of suspect data flows enables defenders to stop intruders from establishing safe hiding places, discovering and moving through the system, and exfiltrating data.
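As an added illustration of the passive inventory and communications-baseline idea behind these three points (example code written for this page, not the author's or any product's tooling), the snippet below derives an asset inventory from flow records observed during a learning window and then flags live flows that fall outside that baseline. All hosts, ports and flows are constructed sample data.

```python
# Added example: passive OT asset inventory + communications baseline + anomaly flags.
from collections import defaultdict

# Constructed sample flows: (src, dst, dst_port, proto). The first list stands for
# a learning window of known-good traffic; the second is traffic observed afterwards.
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.1.20", 502, "tcp"),    # HMI -> PLC, Modbus/TCP
    ("10.0.1.10", "10.0.1.21", 502, "tcp"),
    ("10.0.1.30", "10.0.1.20", 44818, "tcp"),  # engineering workstation -> PLC, EtherNet/IP
    ("10.0.1.20", "10.0.1.40", 514, "udp"),    # PLC -> syslog collector
]
LIVE_FLOWS = [
    ("10.0.1.10", "10.0.1.20", 502, "tcp"),     # known-good, must not alert
    ("10.0.1.55", "10.0.1.20", 502, "tcp"),     # never-seen host speaking Modbus to a PLC
    ("10.0.1.20", "198.51.100.9", 443, "tcp"),  # PLC opening a connection to an external host
]

def build_inventory(flows):
    """Passively derive assets and the services each one accepts from observed flows."""
    assets = defaultdict(set)  # host -> set of (port, proto) it was seen serving
    for src, dst, port, proto in flows:
        assets.setdefault(src, set())  # sources are assets too, even if they serve nothing
        assets[dst].add((port, proto))
    return dict(assets)

def build_baseline(flows):
    """Set of communication tuples considered normal during the learning window."""
    return set(flows)

def detect_anomalies(flows, baseline, inventory):
    """Return (flow, reason) for flows outside the baseline, explaining what is new."""
    alerts = []
    for flow in flows:
        if flow in baseline:
            continue
        src, dst, port, proto = flow
        reasons = []
        if src not in inventory:
            reasons.append("new source asset")
        if dst not in inventory:
            reasons.append("new destination asset")
        if (port, proto) not in inventory.get(dst, set()):
            reasons.append("new service on destination")
        if not reasons:
            reasons.append("new conversation between known assets")
        alerts.append((flow, ", ".join(reasons)))
    return alerts

if __name__ == "__main__":
    inventory = build_inventory(BASELINE_FLOWS)
    for flow, why in detect_anomalies(LIVE_FLOWS, build_baseline(BASELINE_FLOWS), inventory):
        print(flow, "->", why)
```

In practice the flow records would come from a SPAN/TAP feed rather than a list, but the learn-then-compare logic is the same.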
Might There Be Hope on Spending?
Gartner recently reported a 27 percent increase in 2018 IoT Security spending from 2017 levels. However, the same study also points out that the largest inhibitor to growth is a lack of prioritization and implementation of security best practices, and that this is expected to hamper the potential spend by as much as 80 percent.
If you talk to energy plant operators, it is clear that they are not looking to add cyber security skills to their resume. However, they do desire an appropriate, cost-effective plan for managing risks (such as cyber threats) so they can remain focused on safety and energy production. That sure seems like a reasonable request, and one that largely sits with CIO/CISO leadership to solve.