Expert: Biden's 100-day plan to improve electric grid cybersecurity an 'ambitious' endeavor

May 12, 2021
Cybersecurity pros weigh in on administration’s initiative and its prospects for success

Last month, the Biden administration announced the rollout of a 100-day plan aimed at improving cybersecurity protections around the nation’s electrical grid.

In a statement, the White House said that the plan, a coordinated effort between the Department of Energy, private utility operators and the Cybersecurity and Infrastructure Security Agency (CISA), will include “aggressive but achievable milestones” and will help the industry enhance its cyber detection, mitigation, and forensic capabilities.

Details about the plan remain scant, but cybersecurity experts believe it is certainly a step in the right direction.

“The 100-day sprint is meant to accomplish two things: 1) establish public trust in our electric grid; 2) create a roadmap for a more robust plan,” explains Bryson Bort, CEO of adversary emulation platform provider SCYTHE. “The first is showing the government is aware of the challenges and is doing something. The longer-term benefit which will accrue is increased detection capabilities which will reinforce that trust over the longer term.”

While previous administrations have been made aware of the threats facing the grid, few have taken concrete steps to address these systemic challenges. However, according to Damon Small, MSc.IA, CISSP, Technical Director of Security Consulting at NCC Group North America, the fact that the Biden administration is requesting information from utilities about cybersecurity vulnerabilities, as opposed to issuing blanket directives, is a good thing.

“The administration is asking for input from the power generators themselves, so I think that is a positive sign. Rather than just using an executive order to say, ‘hey, protect our infrastructure,’ the administration is soliciting comments from the generators themselves, so hopefully this will be a more collaborative approach than previous efforts, although it is still ambitious,” Small explains.

Among the biggest threats facing the grid currently, according to Small, are unauthorized users and malicious software, particularly ransomware, which has become an increasingly popular tool for cybercriminals to extort a wide range of industries. Of greater concern, though, are targeted attacks against infrastructure, such as those carried out by sophisticated cyber-attackers or nation-state actors à la the Stuxnet worm that targeted supervisory control and data acquisition (SCADA) systems to cripple Iranian nuclear ambitions a decade ago.

Ironically, the desire of organizations to leverage data from every source at their disposal, the same desire that has given rise to the Internet of Things (IoT), has also meant that industrial control systems, once completely separated from the internet and corporate networks, are increasingly being interfaced with information technology systems, giving them greater exposure to attack.

“That allows for the possibility of attacks to come from another network, specifically the internet. We didn’t have that 20 years ago,” Small explains. “The threat landscape has changed, but in some cases our technical defenses have not.”

What the Plan Misses

While the current plan takes the generation and transmission of bulk power into consideration, Small says one thing it fails to account for is the third part of the nation’s electrical grid, which is distribution. Of course, this is handled at a more local level through states and municipalities, but Small explains that it is still a big part of the overall equation when it comes to securing the grid.

In addition, Small says the OEMs that supply industrial control systems must be a part of this conversation as well.

“A lot of the problems energy producers have in protecting these critical assets is because there is out of date software, old equipment that is no longer supported and so on and so forth,” Small says. “You can fix these problems with mitigating controls and there are lots of things you can do, but the producers can’t go it alone. There are only so many suppliers they can buy control systems from and I think the manufacturers of those products need to be part of the conversation as well.”

The Role of Utilities

Regardless of what best practice recommendations or regulatory standards come out of the administration’s 100-day sprint, Small says that, ultimately, it will be up to the private entities that own and operate power generation facilities to take the steps necessary to cyber-secure this infrastructure and that will begin with changing how they view security in general.

“Private industries need to realize that security is not just a giant cost center that they are spending money on. By protecting information assets, that allows the business to consume information coming from the control systems in a more meaningful way and therefore, make well-informed decisions, improve operational efficiency and all of those things, particularly operational efficiency, can add to the bottom line,” he adds. “It’s not that I or any other security professional is saying, ‘hey, you have to buy more technology to protect your other technology.’ It is also a recognition that that will facilitate these other beneficial things from the business perspective.”

Bringing OT and IT Together

Additionally, Small says that there needs to be increased collaboration between operational technology (OT) and IT departments with each learning how the other thinks and operates.

“IT needs to learn a lot about how control systems function and how they are maintained in contrast to how IT systems are maintained, and OT also needs to recognize that, in terms of implementing and maintaining technical controls that can protect these information assets, IT has a lot of experience doing exactly that sort of thing,” Small explains. “Rather than doing the usual security awareness training, I would say from a people angle, organizationally OT and IT need to get closer together and when I say closer together, I mean part of the same org chart, having meetings in the same room and sharing challenges and figuring out ways that one can help the other.”

About the Author:

Joel Griffin is the Editor of SecurityInfoWatch.com and a veteran security journalist. You can reach him at [email protected].