The Department of Energy (DOE) in March 2018 released a 52-page report outlining its multi-year strategy to improve cybersecurity. In the report's introduction, Assistant Secretary Bruce J. Walker noted that bad actors are increasingly targeting critical operations.
News broke that same month–through an alert issued by the Department of Homeland Security (DHS) and the FBI–that Russian government hackers had been targeting the energy sector with a "multi-stage intrusion campaign" since 2016. In fact, according to the DOE report, the largest percentage of cyber incidents reported to the DHS's Industrial Control Systems Cyber Emergency Response Team came from the energy sector during the three years prior.
The DOE's sense of urgency with regard to cybersecurity operations and maintenance is warranted. It represents part of increasing public awareness, evidenced by upticks in media coverage and funding for operational technology (OT)-focused cyber companies, about the growing threat landscape. To that end, the report declared three key priorities: strengthening preparedness through information-sharing and risk management; improving incident response; and accelerating research and development (R&D), with the DOE announcing $25 million in R&D funding the month after publishing its multi-year plan.
But the reality is that threats continue to outrun the energy sector's security evolution, primarily because organizations are increasingly connecting OT, such as supervisory control and data acquisition (SCADA) systems and industrial control systems (ICS), to their information technology (IT) networks. While such innovation can translate to cost savings, improved functionality, and new big data insights for energy organizations, many OT systems weren't designed to be connected to the internet. The blurred boundary between OT and IT also translates to a larger attack surface. Bad actors can disrupt critical infrastructure simply by targeting users with trusted access to sensitive information.
Securing the Boundary
In order for the energy sector to continue evolving its cyber readiness, organizations that are blurring the lines between IT and OT need to embrace a cross-domain solution to keep the two networks separate and safe. In 2017, the energy sector had the largest number of ICS vulnerabilities, according to a Kaspersky Lab report (Figure 1). Indeed, the DOE acknowledged that bi-directional, real-time, machine-to-machine preparedness–or cross-domain security–is a core component of the report's first priority.
1. A Kaspersky Lab report in 2017 said the energy sector had the largest number of industrial control systems vulnerable to cyberattacks. Cyber threats are moving faster than energy sector security measures can keep up, and power generators need to implement cybersecurity measures to keep control rooms safe. Source: Shutterstock
A cross-domain security approach allows information that would otherwise be kept separate to move across networks while providing insight into what that information is doing as it passes between boundaries. Put another way, instead of seeking to identify specific "bad" traffic–things that shouldn't be passing between the two networks–cross-domain solutions allow only known "good" data to move beyond boundaries. By inspecting the data at the application layer, a cross-domain solution can make transfer decisions at a more granular level than a firewall.
Such rigor needs to quickly become the new normal in order for the energy sector to sufficiently protect its critical infrastructure and data. Securing the OT/IT boundary balances the need for connectivity and information sharing against the need to protect data itself and the agency as a whole. In the end, cross-domain solutions ensure files and information arrive quickly at their destinations free of malware, without hampering employees' ability to do their jobs or bogging down security analysts with millions of threat alerts and false alarms.
Securing the Human
The DOE report noted that people can end up in harm's way when critical infrastructure is compromised, including through vulnerabilities in the OT/IT boundary. But it failed to mention that infrastructure is often targeted through people in the first place. Once data is shared between networks, it ends up in the hands of employees and contractors. As the energy sector bolsters its technological defenses, with initiatives like those outlined in the multi-year plan, bad actors are more likely to circumvent them and approach such softer targets.
2. Disgruntled employees can cause data breaches, acting with malicious intent. But outside threats may be more prevalent, as hackers try to compromise worker credentials to gain access to a control system. Courtesy: Forcepoint / Pixabay
Consider this example: last summer, a disgruntled Tesla employee broke into the company's computer system, made direct code changes to the operating system, and sent sensitive data to third parties, according to a memo from CEO Elon Musk. A malicious insider isn't always the cause of such breaches, though (Figure 2). Compromised employee credentials can also wreak havoc, especially at a power plant where damage to the electrical grid can cause chaos and disrupt the lives of millions.
Gathering a network's baseline of "normal" behavior across users, machines, and accounts translates to greater situational awareness of network activity. This allows security experts to identify anomalies more quickly and respond to cyber incidents before they become massively disruptive and costly.
This process is known as user behavior analysis. It's a complement to cross-domain solutions that cannot be overlooked. With user behavior analysis, power plant managers can monitor how employees interact with sensitive data and information, and apply behavioral analysis to detect anomalies, which could be potential threats. By leveraging user behavior analysis and applying that to risk adaptive security, dynamic security enforcements can be made at the individual level.
More specifically, an employee's role and credentials, the information they commonly interact with, and how they generally behave can be aggregated to give each user a risk score that dictates monitoring and control. Someone with a high score shouldn't be able to move data onto a USB drive, for example. This also prevents users from being slowed by unnecessary controls, which can lead to the creation of unsafe workarounds.
Securing the Supply Chain
A third and equally crucial component of strengthening preparedness is securing the supply chain. Many bad actors won't just work their way down to the human level to attempt to infiltrate a network; they'll do so by working down the supply chain, assuming the level of defense will decline the further down they go. Why go after the hardened target when they could focus on lower-tier contractors, less-equipped for protecting intellectual property or sensitive information? But such lower-level compromises could still take out a grid (Figure 3).
3. The power grid can be vulnerable to both physical and cyber threats. Defending the grid includes adapting to risks that could come by way of third-party suppliers, and it's critical for power generators to monitor how data about their systems is being used. Courtesy: Forcepoint / Pixabay
A risk-adaptive approach must be applied to suppliers, too. It's crucial to monitor how users interact with data on a daily basis to identify bad actions, and to block leaks and espionage before they happen. And it's crucial for suppliers to employ bi-directional security as well. The DOE should stipulate that power plants and utility companies take a page out of the Department of Defense's (DOD) playbook. The DOD has initiated a series of programs, including the Defense Federal Acquisition Regulation Supplement (DFARS), to ensure it only purchases from suppliers that follow its own rigid security guidelines.
Course of Action
The bottom line is that the risk to the energy sector is very real, and protecting America's power plants and energy generators from cyberattacks is of critical importance. Whether the concern is about compromised credentials and possible malicious insiders or increased connectivity between OT and IT networks, power companies are at a crossroads where the time to act is now.
Energy Secretary Rick Perry last year echoed many of the report's same sentiments about the sector's growing threat landscape, noting that cyberattacks continue to grow in sophistication, scope, and number–all while getting easier to carry out. But fear-mongering isn't the goal. Instead, good risk management asks how the energy sector can best balance risk and cost. And the answer, and thus course of action, is relatively simple: secure the boundary between networks, and employ a risk-adaptive approach across the organization, across the supply chain, and across the sector. ■
–George Kamis is the chief technology officer for government markets at Forcepoint, a cybersecurity solutions company.