The Energy and Utility sector like so many other industries have been improving operations and meeting their markets’ demand by way of advancing their technology. Smart grids, smart meters, etc., all enhance the flow of operations and can maximize service reliability. However, one of the downsides to these industry advancements are the vulnerabilities that come along with having cyber assets.
Vulnerabilities that can be exploited by malicious actors, who unfortunately are gaining sophistication as fast as cyber technology advances. These cybercriminals could have the potential to expose weaknesses in an entity’s infrastructure.
What does it take for a hacker to infiltrate a control system?
If a hacker was able to get into any of the I/O networks such as Ethernet IP, PROFINET, or Modbus TCP they could easily change variables within the controller and open it up to unauthorized connections as well as malicious code injections.
The cybercriminal could then interfere with operational functions, for example, by stopping and starting drives, turning valves on or off, or even worse.
Each entity has hundreds and in some cases thousands of people who already have access to their I/O networks, beyond their own staff which includes — but not limited to — vendors, IoT technicians, and other contractors.
All it takes is for one unsecured device to be connected to the responsible entity’s network for a determined hacker to gain access.
The United States has 3 power grids and the count of Energy & Utility companies are estimated at over 3,300, with around 200 of them providing power to the majority of ratepayers. Needless to say, with an estimated number of 818,486 of energy and utility employees. (2017). That’s a lot of grid access!
Whereas, the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards go into great depth to prevent this sort of infiltration by providing the industry with critical cybersecurity standards.
For instance, and very simply put, the energy compliance standards cover protocols for the following:
● Endpoint authorization — For example, each registered device knows the device it’s communicating with and vice versa.
● Message authentication — Where transmissions that are generated from a device are validated and verified by the receiving device.
● Integrity — This means that the signals transmitted between the origin device and the receiving device were not altered or changed during transmission.
● Confidentiality — That data and messages transmitted between devices stay within the appropriate authorization and access confines of said responsible entity.
The above-mentioned standards are just a small fraction of preventative requirements and standards of operation that NERC CIP compliance addresses. From password creation, device authorization, vendor access protocols to the documenting of all tasks, activities and so much more, which can be found in this 2356 page compliance document. Nevertheless, the standards are only as effective as the responsible entity that implements, applies, and executes them.
In the case of March 5, 2019, a Utility company reported the first-ever recorded disruptive cyber event on the U.S. power grid. Although the event didn’t demonstrate that the hacker was targeting the power grid according to the expert who assessed the event. Stating that it was most likely a script kiddy using an automated bot seeking vulnerable internet-facing devices.
Nevertheless, the incident does warrant alarm — had the cyber intruder realized the magnitude of their intrusion they, they would have had the ability to cause major outages for that region or worse.
In this case, the malicious actor was able to force reboots and expose a vulnerability within the entity’s firewall interface which allowed an unauthenticated user to access and cause glitches across the particular grid.
The firewall interface was internet-facing which made it easier for a hacker to exploit. According to what was reported, we can assume that this is a result of a poor software patch management program, and most importantly that the entity neglected to comply with NERC standards. The entity will likely be penalized and can expect to undergo major scrutiny in the months ahead. However, could this have been prevented if they had properly implemented CIP standards? Could the security protocols required by NERC such as Patch Management prevent the company from being penalized?
What is patch management for the energy sector?
NERC-CIP compliance requires Bulk Power System or BPS operators to know their patch sources and the tools that they utilize to monitor for new security patches. NERC-CIP Reliability Standard CIP-007–6 states that an entity must manage system security by specifying select technical, operational, and procedural requirements in support of protecting Bulk Electric System (BES) Cyber Systems against compromise that could lead to misoperation or instability in the BES. Within which focuses on energy and utility entities monitoring their networks for vulnerabilities as well as maintaining a documented patch management process. This standard ensures that entity Bulk Power System (BPS) operators, whether the assets are a standalone cyber system or one that can be accessed remotely, they maintain a level of conscious security of the grid.
For more information about how to solve the cybersecurity challenges faced by the energy and utilities industry view this webcast. The webcast demonstrates an overview on managing cyber asset patching across IT, OT, and IoT infrastructures for effective risk mitigation as well as NERC CIP-007 compliance with BES Cyber System by a leading software vendor of compliance management systems in the energy sector.
As grid technology continues to advance, we can safely assume that so does the sophistication of malicious actors and hackers alike. Nevertheless, having a set of strong internal controls in place is vital for compliance, cybersecurity, and reliable operation. When these internal controls are developed and implemented correctly, NERC standards won’t hinder but support your core business objectives.