19 June 2015

Sharon Chand

Ways to Protect the U.S. Grid from Cyberattacks

Judging by the number and type of cyber incidents reported to the U.S. Department of Homeland Security (DHS), attackers appear to be stepping up efforts to access or otherwise harm the electrical grid.

During fiscal year 2014, DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to 245 cyber incidents targeting various companies’ industrial control systems, according to a bulletin released March 2015. In the energy sector, which reported the most incidents, industrial control systems monitor and control nuclear power facilities, wastewater collection and treatment plants, oil and gas pipelines, and the generation, transmission and distribution of electricity.

The cyber incidents that energy and other sectors reported encompassed a wide range of attacks, including unauthorized access to Internet-facing industrial control and SCADA (supervisory control and data acquisition) devices, exploitation of zero-day vulnerabilities in those devices, malware, and network scanning and probing.

As hacktivists, insiders, nation states and other actors step up their cyber surveillance of the grid, President Barack Obama and lawmakers are urging utilities to respond accordingly and better protect the critical infrastructure they operate. Consequently, some utilities are beginning to adopt a Secure.Vigilant.Resilient.™ approach to addressing the mercurial threat landscape and managing cyber risks. The following six activities cover each of the three tenets of Secure.Vigilant.Resilient.™ and represent major focus areas for electric utilities:

Secure: Balance compliance and risk. The National Institute of Standards and Technology’s cyber security framework and the North American Electric Reliability Corporation’s (NERC) critical infrastructure protection (CIP) regulation serve as essential references for protecting the bulk electric system (BES) from known cyberthreats and risks. To get ahead of emerging threats, nothing takes the place of a risk-based program that focuses on areas of greatest business impact while addressing an organization’s unique conditions, environment and resource constraints (whether financial or people). Business leaders require sufficient understanding of the threat landscape and their risk profile to make sound decisions about the structure and purpose of the cyber risk program and related investments.

Secure: Integrate it into BES operations. IT security should not be an afterthought in the BES environment or simply comprise a set of technology-based controls. It should be an integral part of design, operations and ongoing maintenance. Utilities should scrutinize which employees (and potentially third parties) have access to BES-related resources and confirm that only those individuals who absolutely need access have it. They should also implement a disciplined process for upgrading BES devices that includes careful change management controls and pre-tested configuration standards.

Vigilant: Share cyber threat information. Most major cyberattacks don’t occur as a single event but as a string of incidents that take place over time. Viewing incidents in isolation makes seeing broader attack campaigns very difficult. By sharing information on cyberthreats, utilities can better detect systemic threats and also learn from their peers what anomalies to look for on their networks. Utilities can share cyber threat information with local law enforcement offices, select peers and organizations like the Electricity Sector Information and Analysis Center (ES-ISAC) or ICS-CERT.

Vigilant: Enhance monitoring capabilities. Many organizations maintain disparate monitoring capabilities that provide visibility into particular types of devices, but few have capabilities that integrate both physical and IT monitoring. Systems that correlate activity across different domains are also relatively rare. Without “a single pane of glass” and the ability to associate seemingly disconnected events and activities, utilities may overlook important symptoms or patterns of threat activity before it’s too late to prevent major damage.

Vigilant: Increase the organization’s cyber awareness. Since attackers often breach corporate networks by duping people through phishing and social engineering schemes, employees at all levels should remain alert to suspicious activity and be mindful of their part in protecting the utility and the services it delivers to the public. At the executive level, IT leaders traditionally in charge of cyber security must demystify the subject for the business leaders who ultimately need to guide risk assessment, investment and incident response. A cyber aware workforce takes time to develop, so get started now.

Resilient: Rehearse incident response plans. Most utilities have crisis response plans, but their scope may prove inadequate for dealing with cyberthreats to the grid. Response plans specifically geared toward cyber incidents are essential, and rehearsing them through cyber war gaming activities is a demonstrated way to educate leaders and stimulate collaboration across an organization. Executives shouldn’t view a rehearsal as a one-time pass/fail event, but rather as an opportunity to identify and remediate weaknesses in technology, processes, communication and collaboration.

While full-blown malicious attacks on the U.S. electrical grid have been rare, the complexity of the technical and business environment in which utilities operate—combined with geopolitical volatility—make some form of cyberattack virtually inevitable. Utilities can strive to apply security controls consistently and methodically, enhance their ability to detect early-stage threats, and improve their preparedness and responsiveness. Protecting the grid is no longer about security alone; it’s about vigilance and resilience, too.

—By Sharon Chand, a Deloitte Advisory director at Deloitte & Touche LLP; Steve Livingston, a Deloitte Advisory principal at Deloitte & Touche LLP; and David Nowak, a Deloitte Advisory senior manager at Deloitte & Touche LLP

No comments: