In December 2015, with temperatures struggling to stay above freezing, Ukraine experienced an unprecedented cyber attack on its energy grid. The assault left nearly a quarter of a million people without electricity for up to six hours. It demonstrates the very real threat of an attack cutting off the supply of electricity to our homes, schools, hospitals and factories, with potentially catastrophic results. It is believed the hackers had managed to infiltrate the security of three substations with spear phishing emails, hiding their so-called BlackEnergy malware in fake Microsoft Office attachments.
Incidents such as the attack in Ukraine demonstrate that the electricity grid faces a tangible threat. If we have learned a lesson, it is that cyber security requires a holistic approach that incorporates not only technology, but also processes and especially people.
“People going about their normal operational duties are the biggest threat,” says IEC cyber security expert Frances Cleveland. “It’s important to realize that even when you have cyber security implemented and training, you still have to worry about the insider and, in particular, the disgruntled employee. She or he has knowledge of the company, passwords and so forth.”
It is with this threat in mind that a new IEC Technology Report outlines five critical concepts for achieving cyber security. The report is the work of a team of leading international cyber security experts brought together by the IEC Systems Committee on Smart Energy and led by Ms Cleveland.
The new report recommends prioritizing cyber resilience over traditional cyber defence approaches. Achieving resilience is largely about understanding and mitigating risks in order to apply the right protection at the appropriate points in the system, while paying attention to safety, security and the reliability of processes. It is vital that this process is closely aligned with organizational goals because mitigation decisions can have a serious impact on operations. “Resilience is not just a technical issue,” warns the report, “but must involve an overall business approach that combines cyber security techniques with system engineering and operations to prepare for and adapt to changing conditions, and to withstand and recover rapidly from disruptions.”
2. Security by design
The report identifies security by design as the most cost-effective approach, which means designing security into systems and operations from the beginning, rather than applying them after the systems have been implemented. The thinking is that when trouble strikes, it is already too late. According to a report by Deloitte, “security needs to become embedded into the DNA of operational programs to enable organizations to have great products and have peace of mind”.
3. IT and OT are similar but different
The growth of connected devices has accelerated the convergence of the once separate domains of information technology (IT) and operational technology (OT), resulting in industrial IoT (IIoT). The IEC Technology Report suggests that cyber security is too often understood only in terms of IT, while the operational constraints in sectors such as energy, manufacturing, healthcare or transport are frequently overlooked. Cyber security, it says, needs to address both. First, though, it is necessary to understand the differences between IT and OT.
The primary focus of IT is data and its ability to flow freely and securely. It exists in the virtual world, where data is stored, retrieved, transmitted and manipulated. IT is fluid and has many moving parts and gateways, which leaves it exposed to a wide variety of constantly evolving attacks. Defending against attacks is about safeguarding every layer as well as continuously identifying and correcting weaknesses so as to keep data confidential. In fact, the primary response of IT to an attack is to turn off the offending computer systems to protect the data.
OT, in contrast, belongs to the physical world. While IT has to safeguard every layer of the system, OT is about maintaining control of systems: on or off, closed or open. OT ensures the correct execution of all actions. Everything in OT is geared to the physical movement and control of devices and processes to keep systems working as intended, with a primary focus on security and increased efficiency. For example, OT helps ensure that a generator comes online when there is an increase in electricity demand or that an overflow valve opens when a chemical tank is full, so as to avoid hazardous substances spilling. In the OT world, it could be dangerous to turn off computer systems in response to a security problem.
In the past IT and OT had separate roles. OT teams were used to working with closed systems that relied heavily on physical security mechanisms to ensure integrity. With the emergence of IIoT and the integration of physical machines with networked sensors and software, the lines between the two are blurring. As more and more objects connect, communicate and interact with each other, there has been a surge in the number of endpoints and of potential ways for cyber criminals to gain access to networks and infrastructure systems.
4. Risk assessment, risk mitigation and continuous update of processes are fundamental to improving security
A key concept of defence-in-depth is that security requires a set of coordinated measures. Chief among these is the need to understand the system and know what is most valuable and needs the most protection. The report says that a risk-based approach to cyber security is the most effective, especially when based on an assessment of existing or potential internal vulnerabilities and external threats. It is important that any solutions implemented are monitored over time to ensure their continued effectiveness and to ascertain whether attacks may have overcome the control solutions.
5. Cyber security standards and best practice guidelines
The new IEC Technology Report recommends the use of international cyber security standards for energy sector environments to support the risk management process and establish security programs and policies. Just as doctors prescribe medicines with proven benefits to their patients, it is wise to base cyber security measures on best practices. Using the right standards for the right purposes at the right time, says the report, will improve resilience, security and interoperability throughout the energy environment.
IEC Technology Report
Protecting our critical infrastructure is essential. Such is our reliance on the efficient supply of power that any loss of electricity would carry heavy implications for a wide range of vital services. The new IEC report advocates using a risk-based systems approach founded on best practices, as well as the ability to demonstrate the effective and efficient implementation of the security measures. This means combining the right international standards with conformity assessment to assess the components of the system, the competencies of the people designing, operating and maintaining it, and the processes and procedures used to run it. In a world where cyber threats are becoming increasingly common, being able to apply a specific set of international standards combined with a dedicated and worldwide certification programme is a proven and highly effective approach to ensuring long-term cyber resilience.
It may appear as the third concept in the report but the fundamental advice, which arguably underpins everything else, is that, in order to be effective, security measures must encompass both IT and OT — information and operational technologies. Cleveland puts it more succinctly: “Cyber is very tightly intertwined with engineering. They shouldn’t be viewed as separate.”