7 July 2020

Keep the lights on: Three things power companies need to do to harden cybersecurity defenses

by Veronica Combs

IoT device makers and the US government need to collaborate with the industry to make sure digital transformation closes security gaps instead of opening new ones.

Power companies need help from the US government, cybersecurity experts, and supply chain partners to defend against the increasing security risks to public power grids. Dragos hosted a conversation on Tuesday with the World Economic Forum's Head of Centre for Cybersecurity, William Dixon, and four experts on security and the power industry. 

Dragos CEO and co-founder Rob Lee discussed the threat landscape with Annessa McKenzie, vice president of IT and chief security officer at power generation company Calpine, and Dmitri Alperovitch, executive chairman at Silverado Policy Accelerator and the co-founder and former chief technology officer at CrowdStrike.

Security risks for power companies and the electric grid in general are increasing due to adversaries who are getting more sophisticated and aggressive as well as the introduction of more IoT devices into power plants and other industrial processes.

Alperovitch said that bad actors have been focused on coordinated and continuous intrusions into the operational technology networks that run oil and gas companies and electricity generation plants. The fact that attacks have been few and far between may give a false sense of security. 


"They have been collecting intelligence so that in the future if they decide to cross that threshold, they are prepared to do so because they know what the systems look like and how to accomplish their objectives," he said.

McKenzie said that although the energy sector as a whole has made significant investments in cybersecurity, the electrical industry is 10 to 15 years behind the oil and gas industry in this area.

Lee said one of his biggest concerns is the risk that criminals will start copying tactics that only state actors are using currently.

"If we keep on poking and prodding at networks, you're creating a blueprint for non-state actors to do the same thing," he said.

The group identified three steps the industry and the US government can take to harden the perimeter around public infrastructure and increase collaboration inside the power industry and with cybersecurity experts.
Shifting the security mindset

One of the challenges in protecting operational technology is that it's a mistake to simply apply solutions that work in an IT environment. 

"At the broadest level, the difference with OT is that you have all the stuff we have in IT plus physics," he said, adding that security breaches in this setting can cause environmental damage, injure people working in the plants, and even cause a national security incident.

Lee said that another difference is the nature of attacks in industrial environments.

"In the OT environment, there are more-high impact low-frequency attacks, while the traditional security mindset is high-frequency low impact," he said.

This difference in mission and risk to the physical environment means security teams need to do a different type of analysis, Lee said.

Alperovitch said that security teams need to learn the language of operators and combine an understanding of the threat landscape with this understanding of how the industrial systems work.

Lee also said that power plant operators should consider the threats they are facing and build an appropriate cyber defense instead of assembling a standard arsenal of tools.

"There's too little focus on what the attack is going to look like and to do root cause analysis," he said. "We need to work backwards from the end state we need to be in and build a security strategy around those requirements."

The US government's Consequence-driven Cyber-informed Engineering program is a good example of this approach to security, Lee said.
Working with IoT device manufacturers 

Chertoff said a lack of transparency around IoT devices is an area of high risk for power generators.

"We are dramatically increasing the surface area for attacks but we have no way to certify and validate that these products meet minimum requirements," he said.

MacKenzie said power plant operators need to have better relationships with the manufacturers of IoT devices.

"They need to start giving us a bill of goods and to certify that we can rely on their supply chain's security," she said.

MacKenzie said that power plant operators also should do more proactive testing by hiring white hat hackers to find vulnerabilities in internal networks. 
Improving national and international collaboration

Dixon asked the panelists how the coronavirus pandemic has changed the international dynamics around OT security. Chertoff said an obviou lesson was that there is a set of challenges that cannot be handled at the national/state level and critical public infrastructure falls into that category.

"This works in the financial sector because even the Russians and the Chinese understand that the destruction of the financial sector would destroy them and us too," he said.

Chertoff said that the US should go to allies and rivals to make a pitch for collective action on infrastructure security, a challenging task that is even more difficult at a time when suspicion among nation states is "higher than it was during the Cold War."

Alperovitch listed three areas where the US federal government can help to improve OT security in industrial settings:
Increase deterrence and hold nation states and criminal groups accountable for bad behavior
Strengthen regulation of private industries to make sure they take security seriously

Set standards to improve data sharing and understanding of the risks

McKenzie suggested that the federal government focus on sharing training with power industry professionals. 

"Several years ago I sent my threat hunters to be trained by the same government training institutions at Quantico so they could see what military training looks like and it was invaluable for them to be trained by people in a different setting," she said.

Lee said it was important for the US federal government to clarify its cybersecurity roles and responsibilities and develop one consistent message across all federal agencies.

No comments: