Cybersecurity is a growing concern for utility executives and their companies, especially given the uptick in cyber threat activity during the coronavirus (COVID-19) pandemic. Since January, experts say, more than 6,000 new malicious servers referencing COVID-19, and known to be associated with bad actors, whether nation-state or organized-crime groups, have appeared on the internet.
“An old well-used phrase is applicable — never let a good crisis go to waste,” says Jim Guinn, global cybersecurity lead for energy, utilities, chemicals and mining at Accenture Security in Houston. “And criminals are the best at that.”
Both the size and the number of utility cyber threats have continued to grow during the pandemic, says Mike Kosonog, a Detroit-based Deloitte Risk and Financial Advisory partner in cyber and strategic risk. Areas of particular concern: industrial control systems and supply chain security, he says.
In May, President Donald Trump issued an executive order declaring threats by foreign adversaries to America’s bulk-power system (BPS) a national emergency and establishing a task force to develop a set of energy-infrastructure procurement policies and procedures for agencies.
In July, the U.S. National Security Agency (NSA) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an alert that U.S. critical infrastructure — entities providing electricity, gas and water — is being targeted by hackers who are exploiting internet-accessible operational technology (OT) assets. “Due to the increase in adversary capabilities and activity, the criticality to U.S. national security and way of life, and the vulnerability of OT systems, civilian infrastructure makes attractive targets for foreign powers attempting to do harm to U.S. interests or retaliate for perceived U.S. aggression,” the alert states.
But threats aren’t the only reason that cybersecurity is top of mind for utilities. Of late, industry regulation and standards addressing the need for strong and tested cyber controls have evolved, prompting utilities to reexamine their cyber risk-management programs.
The Utility Sector as a Target
Michael Kelly, senior research analyst — energy at Guidehouse, an advisory, consulting, outsourcing and technology services company headquartered in Chicago, says the utility sector has been disproportionately targeted by threat actors for three reasons: its reliance on critical infrastructure, weak endpoints at the grid edge, and a growing attack surface.
“The proliferation of the smart grid and Internet of Things (IoT) has led to the deployment of billions of networked sensing devices, increasingly further out to the grid edge,” he says. “While this paradigm shift has led to unprecedented data collection, network visibility and situational awareness, it has also drastically increased the surface area for attack — defined as the different nodal points at which an unauthorized user can enter the network or extract data.”
Kosonog, who leads Deloitte’s cyber risk services practice for the energy, resources and industrials industry, says, “(Utilities are) affected by threats in securing not only the IT environment, but also the network of physical plants and lines where there’s potential for disruption of operations and health and safety of employees and customers. Often, ‘headline’ cyber threats are focused on safe and reliable power delivery. But, in today’s environment, utilities are also concerned with cyber threats like ransomware and protecting customer data.”
Doug Westlund, senior vice president and principal consultant at AESI, an engineering and management consulting firm in Milton, Ontario, says the greatest risks typically impacting utilities are (1) insiders like staff and (2) the supply chain and third parties.
Threat actors have been effective at exploiting insiders to gain access to systems, whether for financial gain, ransomware, operational misuse or other purposes, he says. The increase in remote work during the pandemic has further expanded the attack surface and the number of points of vulnerability.
Email phishing attacks, which have become increasingly sophisticated and hard to detect, are another access point.
A typical mode of attack, particularly during the pandemic, has been through emails that appear to come from a trusted source and, Guinn says, prey on a common trait of human nature: the desire to help others. For example, an employee receives an email about social aid programs or pandemic relief checks purportedly from the U.S. government and, in an altruistic impulse, clicks the embedded link. “People always try to do the right thing, but sometimes the right thing is to do nothing,” Guinn says.
Supply chain risk is a growing concern. The number of third parties associated with a utility’s supply chain — suppliers, lower-tier suppliers, subcontractors and other third parties — means the potential of a large set of attack vectors, or paths by which a threat actor can gain unauthorized access to the systems, Westlund says.
According to the National Institute of Standards and Technology (NIST), a non-regulatory agency that is part of the U.S. Department of Commerce, “(c)yber supply chain risks touch sourcing, vendor management, supply chain continuity and quality, transportation security and many other functions across the enterprise.”
Mitigating Cybersecurity Risk
Cybersecurity is not an information technology (IT) issue, Westlund notes. “It’s a risk-management issue and should be addressed as such,” he says. “(Due to that), the threat landscape is ever-changing, pervasive and challenging. A utility or any entity, based on its threat landscape, should increase its cyber maturity to become more resilient.”
Among the key measures and technologies utilities can implement are training and education, physical security, protocol and transport defense, perimeter defense, network segmentation and antivirus solutions, Kelly says.
For insider risk and phishing threats, the No. 1 initiative should be awareness training that is applied, on a regular basis and with tracking, to everyone in the organization, Westlund says. “This is a low-hanging fruit initiative, which doesn’t cost a lot but is very impactful,” he says, adding that it should be made a priority. “Major structural changes and technology implementation can take more time and cost more money, but awareness training can typically be done immediately and effectively,” he says.
Another strategy: restricting external email access to reduce the attack surface. “Does everyone in an organization need to have (external) inbound and outbound, routable email? No,” Guinn says. “Certain job functions require employees to communicate internally but not externally, so there is no need for external inbound email to come to them.”
Continuously honing cybersecurity programs also can make a difference, Kosonog says: “For example, performing cyber war games is one way to let utilities test and renew their incident response and crisis-management plans, so various teams are trained to collaborate closely when an incident occurs.”
When setting up a risk-management program to combat cybersecurity threats, Westlund recommends that utility companies develop a cross-functional team headed by a cyber-program manager who takes the perspective of a risk manager, “because you want to have input across information technology (IT), operations, customer service, human resources, legal, executive and board,” he says. “Every one of those entities is a key stakeholder with different perspectives.” Executive team support and board oversight are critical, he adds. The team then sets up a process, which includes regular reviews and identification of risks, as well as management of initiatives.
Among other cybersecurity investments utilities can make are antivirus software, network and device resilience, embedded device security and software patch management, especially for control networks, Kelly says. Higher-level risk mitigation trends include security by design, defense in depth, zero-trust architectures, predictive analytics and hybrid security measures, he adds.
Utilities are increasingly looking at the bigger picture and realizing the need for more comprehensive cybersecurity strategies, he notes: “The market is moving beyond one-off, point-to-point solutions and toward more integrated, harmonious solutions. Looking forward, the market for cybersecurity solutions is expected to show healthy growth as the related markets for automation, communications, and smart devices continue to mature.”
Keeping Up with Guidelines and Regulations
Ten or more years ago, few utilities felt their networks were susceptible to cyberattacks. “While it’s taken some time for the old guard to admit that systems are vulnerable, a paradigm shift has occurred,” Guinn says. And in recent years, long before the pandemic occurred, government agencies, utility associations and regulatory bodies — independently of each other — began developing standards and regulations around supply chain cyber risks.
Among the regulations and standards:
- An amendment of the Federal Acquisition Regulation (FAR) to implement Section 889 of the 2019 National Defense Authorization Act (NDAA). This interim regulation, the second part of which went into effect in August, pertains to prohibitions on contracting for certain telecommunications and video surveillance services or equipment.
- North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP). NERC is a not-for-profit international regulatory authority. NERC CIP covers the generation and transmission aspects of the U.S. bulk electricity system (BES). NERC CIP-013-1, which came into effect July 1, calls for electric utilities to develop and implement supply chain cybersecurity risk-management plans. “The new standards are commensurate with the risk associated with third parties and supply chain. This has created a lot of focus on the supply chain from a cybersecurity and operational risk perspective,” Westlund says.
- NIST framework for improving critical infrastructure cybersecurity, which details standards, guidelines and best practices. It is being evolved to integrate cybersecurity and enterprise risk management. The NIST framework is typically used by non-BES utilities in North America, says Westlund, who calls it the “de facto international standard for critical infrastructure cybersecurity.” Italy and Japan are among the countries that have adopted it as an all-encompassing national standard for cybersecurity, he says.
“There are now regulations that impact who can work with the U.S. government, including utilities, as well as where utilities are responsible for third parties and where their vulnerabilities exist,” Guinn says. “It’s pivoting. It’s no longer a conversation about the possibility. It is a conversation about how utilities must take action.”
Bad actors taking advantage of the pandemic through increased cyberattacks have raised awareness of the vulnerability of critical infrastructure. To handle these and future threats, whether due to a global crisis or not, utilities must reduce their risk landscapes — their attack surfaces — while still maintaining the proper reliability controls around bulk energy systems and distribution and transmission networks, he says.
“In today’s cyber environment, threats aren’t an ‘if’ but a ‘when,’” Kosonog says. “So, a continuous focus on being able to respond effectively when an event occurs is critically important.”