The Culture of Security

Security, Physical and Cyber, Depends on Cultivating a Culture of Security

For more than a century, the electric utility operations mantra has focused on two goals—reliability and safety. This focus, along with innovation, ingenuity and resiliency, has helped the U.S. become a leader on the global stage. However, the modern electric utility in the U.S. is a target for many who see an opportunity to destabilize the American economy or harm American citizens via malicious attacks on utility assets. Therefore, physical security in the electric sector is a critical component of our national security strategy.

And physical security threats are not just hypothetical threats. In April 2013, unidentified assailants used semiautomatic weapons to shoot at multiple transformers at a key substation in a West Coast utility’s service territory. What made this event particularly unnerving was the level of sophistication employed in the attack—the assailants had scoped out and were able to target security system and equipment locations.

Thankfully, the utility was resilient enough to reroute power and avoid any outages. This event reminded the electric sector of the importance of security to ensure that electricity service to millions of homes and businesses in the country continues. As Kevin Wailes, president and CEO of Lincoln Electric System in Nebraska, said, the electricity sector must embrace a “culture of security” just like it has embraced a “culture of safety” in the past.

This security culture must be embraced throughout an organization, with emphasis on employees and technologies.

Discussions around any industrial control systems (ICS), such as supervisory control and data acquisition (SCADA) systems, often focus on how vulnerable the systems are.

A key aspect of President Obama’s information sharing acts has been to encourage threat sharing to help protect the organizations and networks involved in critical infrastructure. However, while there are many advancements that still need to be made, there are strengths these networks have that can give defenders a strong footing.

One of these strengths is unique knowledge of the systems. A significant portion of adversaries’ efforts against victims has always focused on information gathering and reconnaissance. In critical infrastructure, this is particularly true, as adversaries need to understand precisely how to impact these systems to achieve their desired outcomes. ICS networks often contain unique assets, or at least unique configurations, that increase the time and effort required by adversaries.

This is not to say that the lone person or terrorist organization is not a threat to highly vulnerable systems, such as those directly connected to the Internet, but it does mean that, with proper security fundamentals, even advanced adversaries can be fought against.

Once an ICS network is properly architected to remove the low-hanging fruit, the unique knowledge that OT (operations technology) personnel have gives them a head start on the adversary. Defenders who understand what assets they have and understand what constitutes normal network communications in these smaller and more static environments pose a significant challenge to adversaries who want to remain unnoticed.
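
The baselining idea above, sketched as an added example that is not part of the original article: a small, static ICS network lets defenders record which assets talk to which, on which ports, and flag anything outside that record. All addresses, ports and flow records below are constructed sample data, and the function names are hypothetical.

```python
"""Added illustration: flag ICS flows that deviate from a learned baseline."""
from collections import defaultdict

# Constructed baseline flows: (source, destination, destination port).
# 502 is Modbus/TCP and 20000 is DNP3; hosts use documentation address space.
BASELINE_FLOWS = [
    ("192.0.2.10", "192.0.2.21", 502),    # HMI -> PLC 1
    ("192.0.2.10", "192.0.2.22", 502),    # HMI -> PLC 2
    ("192.0.2.11", "192.0.2.30", 20000),  # SCADA master -> RTU
]

# Constructed observations from a later capture window.
OBSERVED_FLOWS = [
    ("192.0.2.10", "192.0.2.21", 502),    # matches the baseline
    ("192.0.2.50", "192.0.2.21", 502),    # asset not in the inventory
    ("192.0.2.10", "192.0.2.21", 23),     # known pair, port never seen
    ("192.0.2.11", "192.0.2.21", 502),    # known assets, pair never seen
    ("192.0.2.10", "203.0.113.5", 443),   # destination outside the inventory
]

def build_baseline(flows):
    """Derive the asset inventory and the allowed ports per (src, dst) pair."""
    assets, ports_by_pair = set(), defaultdict(set)
    for src, dst, port in flows:
        assets.update((src, dst))
        ports_by_pair[(src, dst)].add(port)
    return assets, dict(ports_by_pair)

def classify(flow, assets, ports_by_pair):
    """Return the reason a flow deviates from the baseline, or None."""
    src, dst, port = flow
    if src not in assets:
        return "unknown-source"
    if dst not in assets:
        return "unknown-destination"
    if (src, dst) not in ports_by_pair:
        return "new-pair"
    if port not in ports_by_pair[(src, dst)]:
        return "new-port"
    return None

def find_deviations(observed, baseline_flows):
    """List (reason, flow) for every observed flow outside the baseline."""
    assets, ports_by_pair = build_baseline(baseline_flows)
    checked = ((classify(f, assets, ports_by_pair), f) for f in observed)
    return [(reason, flow) for reason, flow in checked if reason]

if __name__ == "__main__":
    for reason, flow in find_deviations(OBSERVED_FLOWS, BASELINE_FLOWS):
        print(f"{reason:20s} {flow}")
```
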

Millennials, our future workforce, already realize the importance of personal security; you would be hard-pressed to find someone under the age of 21 who does not have a passcode lock on their smartphone, even if it’s just to shield information from nosy parents. Most of them know how to remotely wipe their devices should they lose them, and the same goes for their email, Twitter and Instagram accounts. Millennials may not know it yet, but they’re being trained for today’s workforce, which is dominated by passwords, be it for timesheets, insurance benefits or complex electric utility operating systems.

But we have a greater challenge with embedding this security culture—the one that millennials seem to be born with—in the current workforce. How can the utility industry accomplish this? It boils down to two things: the human element and the technological element.

The human element

Strong procedures, protocols and plans: Utilities must review the security posture of their organization and implement controls that limit accessibility to sensitive systems and information. Procedures are key to effective security. A lock on a car is only helpful if the driver remembers to lock it. Utilities also must develop intrusion response plans that can be immediately activated if a physical security breach should occur.

Security briefings: Just as utilities require employees to attend monthly or quarterly safety briefings, they should hold meetings to tell employees about physical security and cybersecurity. For example, employees should be warned about the implications of using USB devices picked up from conferences and should be reminded to lock doors or shut down computers when they leave work. The key is to help employees understand the potential consequences of their actions for the utility, customers and the electric grid.

Exercises: Most utilities conduct exercises to prepare for a possible hurricane, earthquake, or other natural disaster. Why not do the same for a cyber or physical event? The Department of Homeland Security offers a host of information for active shooter preparedness online, for example.

Relationship building: Utilities should develop relationships with local FBI offices in case a physical security breach happens and specialized assistance is needed. In the event of a breach, utilities should also notify the Electricity Sector Information Sharing and Analysis Center (ES-ISAC), which provides situational awareness, incident management, and coordination and communication capabilities for the electricity sector. On the national level, electric utilities, along with trade associations such as the American Public Power Association, meet with Departments of Energy and Homeland Security personnel through the Electricity Subsector Coordinating Council on a regular basis to improve industry-government coordination and communication on large-scale incidents, whether they are man-made or natural.

Senior management involvement: Emphasis on security must come from the very top. General managers and CEOs need to practice what they preach. APPA President and CEO Sue Kelly has made cybersecurity a top priority at the association, and she commissioned a cybersecurity audit.

The tech element

Automatic locks/monitoring: For critical substations, utilities should look into automatic doors or locks. An example is gates that automatically close after a vehicle drives through. Advanced locking systems can also log who has had access to the substation and for how long.

Remote monitoring: There’s a wealth of out-of-the-box equipment and products that help to monitor substations and systems. If there’s one thing that history has shown us, it’s that while vegetation can improve the aesthetics of a substation, it can also make it easier for potential attackers to hide from monitoring systems. Therefore, utilities must balance vegetation management programs with monitoring technologies.

Intrusion deterrent technologies: Years ago, potential car thefts were deterred with a steering wheel lock/club. Then came car alarms and loud sirens. Today, some cars can automatically contact the police in the event of forced entry. The same principles of deterrent technologies can be applied to substations. Utilities can install tall fences, strong locks, sirens and strobe lights to help prevent a potential break-in.

Continued R&D: Security (physical or cyber) is not a destination but a journey. Utilities must continually evaluate their physical security and be on the lookout for new technologies that can help secure their assets from future threats. Agencies like the Departments of Energy, Homeland Security and Defense can partner with the electric utility industry to collaborate on researching advanced security and resiliency technologies. These agencies and industry can work together to determine the potential impact of a yet-to-be-seen electromagnetic pulse (EMP) or a little-known-about geomagnetic disturbance (GMD). Protecting utility assets against EMP or GMD is really an engineering problem.

Secure these technologies: Technologies for monitoring and sensing physical security threats are improving constantly, but can make a utility vulnerable if they are not managed properly. For example, if substation security cameras are connected to a corporate intranet, a disgruntled employee can access the camera’s video feed to learn when the substation is the most vulnerable. It is important to limit access to security systems and log who views security camera feeds, etc.

At the end of the day, there is no silver bullet for physical security and it simply would not be practical to turn every one of the more than 55,000 substations in North America into a mini Fort Knox. A more sensible approach is to develop a risk-management strategy: determine critical nodes within the utility’s service territory and evaluate and deploy risk-mitigation strategies. The deployment of those strategies will hinge on employees and technologies, not one or the other.

However, faced with a consistent and real threat today, the ICS community is largely starting to take matters into its own hands. As the ICS security community continues to grow and its members become more innovative with tools and strategies, it is apparent that taking advantage of the community’s strength does actually mean that defense is doable. Attacks can come in different forms and cannot be stopped. But with the proper mindset and protections in place, and with an eye on evolving these protections as new types of threats emerge, utilities can go a long way in keeping systems secure and reliable.

Posted in Compliance, Content, Cybersecurity, Government Oversight, Incident Response, Insider Threats, Layered Defense, Regulatory, Risk Management