Control and process equipment proliferated in the 20th century with a focus on performance, reliability and safety, and little else. Security, where it was considered at all, was mostly a matter of physical protection and controlled access to the equipment and facilities. As the new century has become more connected, these systems often contain mainstream hardware and widely available software and are connected to the larger IT infrastructure. This transition offers greater flexibility in system design and integration, but it also creates challenges that today highlight the importance of cybersecurity, especially for critical infrastructure such as chemical, critical manufacturing, energy and utilities.
Historically, the equipment had proprietary designs, with little shared technology beyond hardware such as cabling, processors/chipsets and memory cards. Over the last few decades, there has been a significant increase in "shared technology": control hardware operating systems, open source and commercial software, and common communication specifications for interoperability.
Manufacturers, system operators and installers are now faced with securing platforms built from, and on, software that is just as readily accessible to bad actors as it is to the industry. As expected, this creates a cat-and-mouse environment, which means cybersecurity needs to remain a top priority to help ensure continued preparedness while still driving the innovation this century demands. This helps to explain why 71 percent of respondents in Utility Dive's 2017 State of the Electric Utility Survey Report listed cyber and physical security as "important" or "very important." Fortunately, by learning from past experiences and taking internal actions with the resources you already have, it is possible to be better prepared for the challenges and potential vulnerabilities of today's connected world.
Five Important Lessons
In December 2015, the Ukrainian power grid was hit by a major cyberattack that left about 225,000 customers without power for several hours. The attackers, assessed by several leading cybersecurity firms to be Russian, even disabled the uninterruptible power supplies at each of the three distribution companies that were compromised. In December of the following year, the capital city of Kiev was hit by another attack, likely from the same group, that caused a blackout in part of the city lasting roughly an hour.
The Electricity Information Sharing and Analysis Center (E-ISAC), together with SANS ICS, conducted a detailed study of the 2015 events and drew five lessons from why the attacks succeeded:
- Early Activity is an Indicator – The attackers gained reconnaissance-style access to the targeted Ukrainian entities several months before the actual event. With larger-scale attacks this is common, and if you actively monitor the activity in your systems, discovering these early footholds can prove valuable whether it happens before, during or after the event.
- Every Minute Counts – In Ukraine, the attacks on the separate companies occurred minutes apart. Those minutes were a window in which defenders who recognized the first intrusion could have warned the others and taken the upper hand.
- Broad Protection – Though a specific piece of malware may be named in reports of an attack, it is not wise to focus too heavily on that one method, as there are typically numerous approaches that could lead to a successful breach of the same system.
- Coverage for All Systems – When cyberattacks were first taking shape, they often targeted a specific operating system. Today, a single campaign can reach every platform in the environment, so every system should be guarded equally rather than treating some as out of scope.
- Information Sharing – Intellectual property is important to every company, but sharing intelligence about potential security breaches helps the larger industry guard against attacks that could be widespread and damaging.
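The first lesson above, that early reconnaissance-style access leaves traces worth hunting for, can be turned into a simple check. The following is an added example, not code from the article or from E-ISAC: it learns a baseline of normal remote-access (user, source) pairs from a historical window, then flags recent logins that come from never-seen sources, fall outside the shift window, or succeed after repeated failures. The log format, the shift window and every log line are constructed assumptions for the illustration.

```python
"""Added example (not from the article or E-ISAC): flag early-stage
remote-access activity that would have been worth investigating months
before an attack. A baseline of normal (user, source) pairs is learned
from a historical window; recent events are then scored against it.
The log format, the shift window and all log lines are constructed
assumptions for this illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed remote-access log: "<ISO-8601 timestamp> <user> <source_ip> <result>"
BASELINE_LOG = """\
2015-06-01T08:12:00 op_smith 10.20.0.5 success
2015-06-02T09:30:00 op_smith 10.20.0.5 success
2015-06-03T14:05:00 eng_jones 10.20.0.9 success
2015-06-04T10:45:00 eng_jones 10.20.0.9 success
2015-06-05T16:20:00 op_smith 10.20.0.5 success
"""

RECENT_LOG = """\
2015-09-12T09:15:00 op_smith 10.20.0.5 success
2015-09-13T02:47:00 eng_jones 203.0.113.44 success
2015-09-13T02:49:00 eng_jones 203.0.113.44 success
2015-09-14T03:10:00 svc_hmi 203.0.113.44 failure
2015-09-14T03:11:00 svc_hmi 203.0.113.44 failure
2015-09-14T03:12:00 svc_hmi 203.0.113.44 success
"""

SHIFT_HOURS = range(6, 20)  # assumed normal operating window, 06:00-19:59 local


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, source, result)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, source, result = line.split()
        events.append((datetime.fromisoformat(stamp), user, source, result))
    return events


def build_baseline(events):
    """Learn which (user, source) pairs and which sources are normal."""
    pairs = {(user, source) for _, user, source, _ in events}
    sources = {source for _, _, source, _ in events}
    return pairs, sources


def find_indicators(baseline, events):
    """Return (timestamp, user, source, reasons) for every event that deviates
    from the baseline. Reasons accumulate, so a 03:00 login from a new source
    that follows repeated failures collects several at once."""
    known_pairs, known_sources = baseline
    failures = defaultdict(int)  # consecutive failures per (user, source)
    findings = []
    for stamp, user, source, result in events:
        reasons = []
        if (user, source) not in known_pairs:
            reasons.append("new user/source pair")
        if source not in known_sources:
            reasons.append("never-seen source")
        if stamp.hour not in SHIFT_HOURS:
            reasons.append("off-hours")
        if result == "failure":
            failures[(user, source)] += 1
        else:
            if failures[(user, source)] >= 2:
                reasons.append("success after %d failures" % failures[(user, source)])
            failures[(user, source)] = 0
        if reasons:
            findings.append((stamp.isoformat(), user, source, reasons))
    return findings


def earliest_indicator(findings):
    """Timestamp of the first deviation: how far back an investigation should reach."""
    return min(f[0] for f in findings) if findings else None


def analyze(baseline_text=BASELINE_LOG, recent_text=RECENT_LOG):
    """Learn the baseline from one window and score the other against it."""
    baseline = build_baseline(parse_log(baseline_text))
    return find_indicators(baseline, parse_log(recent_text))


if __name__ == "__main__":
    hits = analyze()
    for stamp, user, source, reasons in hits:
        print(stamp, user, source, ", ".join(reasons))
    print("first indicator:", earliest_indicator(hits))
```

On the constructed data the script flags five of the six recent events and reports the first one on 13 September, which is the kind of date an investigator wants when reconstructing how long an intruder was present. The baseline must itself be built from a period you trust was clean; if the learning window already contains the attacker's early activity, those sources become "known" and the check goes quiet.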
Plan Now to Plan Ahead
It is possible to take action today to improve supply chain security and the security of your overall system. Security software and a dedicated cyber preparedness team can prove extremely beneficial and, if feasible, should be considered; however, even if those avenues are pursued, a proactive stance on securing yourself and your systems is invaluable.
How can you become prepared? It starts with your internal procedures, includes your employees most of all, and can be accomplished with the resources you already have on hand.
- Establish Robust Guidelines and Evaluations – The place to start when strengthening cybersecurity is your internal procedure for selecting software and components. These guidelines set the tone for your overall approach to cybersecurity. If you already have internal procedures and specifications, revisit them regularly to ensure they still apply, as technology changes quickly. If you have not yet formalized a procedure, it can often be done by collaborating with internal resources.
In short, formal documentation should detail the requirements for acceptable third-party equipment, software and components. Ideally, these guidelines can be shared with vendors during the quoting process to aid pre-selection. When evaluating potential software solutions, a third-party review such as UL's Cybersecurity Assurance Program (UL CAP) can also prove helpful. Based on the UL 2900 series of standards, UL CAP can help assess potential vulnerabilities and offer assurance as you build a secure supply chain.
- Do Not Forget the Vendors – Product claims and guarantees catch the eye, but the vendors themselves should also be thoroughly vetted against your internal requirements to help ensure adequate safeguards are in place. In addition to the initial evaluation, a vendor compliance policy detailing clear consequences for non-compliance should be distributed to all suppliers. Ultimately, you want a supply chain composed of vendors who respect cybersecurity as much as you do, and a compliance policy helps keep every vendor focused on it. Review public records of past breaches of each vendor's equipment and services, their responses and their time to resolution. How a vendor handled attacks on its equipment and software in the past is a good indication of how it will respond in the future.
- Develop a Routine – After carefully evaluating your vendors and the products they supply, establish a routine of regular inspections and follow-ups. In addition to initial testing where possible, all software should be re-tested regularly to confirm it still behaves as expected. Part of this effort is keeping software current by tracking available updates and patch releases. Typically, these tests and updates can be automated. Additional regular testing of equipment and software for cyber issues can look prohibitive; however, a small set of baseline tests that must pass before any upgrade or patch is applied, and that can be expanded over time, helps assess the risk before anything reaches a live system.
Similarly, vendor follow-up inspections help you remain confident in your supply chain. If vendors remain committed to security and support, you can be more confident in the products you use.
- Train – Employee training is critical. Human error is often exploited as a system weakness, but regular training decreases this risk. Everyone with access to any system should be trained on its proper use and made aware of the procedure for reporting potentially malicious activity. Limiting access on a need-to-know basis also proves beneficial.
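The "Develop a Routine" step calls for a small set of baseline checks that must pass before a patch reaches a live system. The following is an added example, not code from the article, from UL or from any vendor, of what such a gate can look like: it verifies the patch file's SHA-256 against the vendor's published manifest, confirms the version actually moves forward, and confirms the target device passes a baseline health probe before anything is installed. The manifest layout, the version scheme, the probe and the patch bytes are constructed assumptions.

```python
"""Added example (not from the article, UL or any vendor): a minimal
pre-install gate of the kind the "Develop a Routine" step recommends.
Before a patch touches a live system it must (1) match the SHA-256 the
vendor published, (2) move the version forward, and (3) the target must
pass a baseline health probe. Manifest layout, version scheme, probe and
patch bytes are constructed assumptions."""
import hashlib

# Constructed stand-in for a vendor firmware image and the matching manifest line.
PATCH_OK = b"constructed firmware image, not a real vendor file, v2.4.1"
PATCH_NAME = "plc_fw_2.4.1.bin"
VENDOR_MANIFEST = "# sha256  filename  version\n%s  %s  2.4.1\n" % (
    hashlib.sha256(PATCH_OK).hexdigest(), PATCH_NAME)


def parse_manifest(text):
    """Map filename -> (expected sha256, version) from the assumed manifest format."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        digest, name, version = line.split()
        entries[name] = (digest.lower(), version)
    return entries


def version_tuple(version):
    """'2.4.1' -> (2, 4, 1) so comparisons are numeric, not lexical ('2.10' > '2.9')."""
    return tuple(int(part) for part in version.split("."))


def pre_install_checks(name, patch_bytes, manifest_text, installed_version, health_probe):
    """Return a list of reasons not to install; an empty list means the gate passed."""
    problems = []
    entries = parse_manifest(manifest_text)
    if name not in entries:
        return ["patch not listed in vendor manifest"]
    expected_digest, new_version = entries[name]

    # 1. Integrity: the bytes about to be installed must match what the vendor published.
    actual_digest = hashlib.sha256(patch_bytes).hexdigest()
    if actual_digest != expected_digest:
        problems.append("SHA-256 mismatch: file does not match vendor manifest")

    # 2. Direction: refuse silent downgrades or re-installs of the running version.
    if version_tuple(new_version) <= version_tuple(installed_version):
        problems.append("version %s is not newer than installed %s"
                        % (new_version, installed_version))

    # 3. Baseline: a device that is already unhealthy makes post-patch failures unattributable.
    if not health_probe():
        problems.append("baseline health probe failed; fix the device before patching it")
    return problems


def probe_ok():
    """Stand-in for a real probe (e.g. reading a known register or a heartbeat)."""
    return True


if __name__ == "__main__":
    print(pre_install_checks(PATCH_NAME, PATCH_OK, VENDOR_MANIFEST, "2.3.9", probe_ok))
    print(pre_install_checks(PATCH_NAME, PATCH_OK + b"tampered", VENDOR_MANIFEST,
                             "2.3.9", probe_ok))
```

A hash manifest only proves the file matches what was published next to it. If the manifest travels over the same channel as the patch, whoever can swap one can swap both, so the routine should also require a vendor signature over the manifest or over the firmware itself, obtained from a separate source, and that requirement belongs in the written guidelines shared with vendors. The health probe is there so that a failure after patching can be attributed to the patch rather than to a device that was already misbehaving.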
At the end of the day, it is always best to be prepared for every situation you can foresee. Bad actors who wish to exploit technology will remain diligent in their attempts to gain system access, so manufacturers and individuals alike need to remain just as dedicated. By keeping a regular focus on the cyber risks that could affect your business, it is possible to do exactly that.
Ken Modeste is Director of Connected Technologies at UL.