The digitization of the power sector has resulted in a vibrant ecosystem that spans from exploration to distribution. Made of the sum of its parts, this system carries vast amounts of data round the clock, fed by IT enabled devices monitoring all manner of events. However, anywhere along that line, any vulnerability that’s open to malicious intent risks devastating effects.
While major cyber attacks to the energy sector are not a daily occurrence, just one incident can take down a national grid for unacceptable lengths of time, impact thousands of users, amount to millions in lost business, and full recovery is no quick fix. One example is the malware attack which affected three electric power distribution companies, and some 225,000 customers, in the Ukraine’s Ivano-Frankivsk region. While the power was restored to most areas fairly swiftly, the impacted sites had to run under ‘constrained operations’ for some weeks after the initial hit.
Security in this sector is a serious business that demands a collaborative, combative effort at every stage. A study published in October 2016, entitled ‘Cyber Security Strategy for the Energy Sector’ – commissioned by European Parliament’s Committee on Industry, Research and Energy – provides an assessment of existing European policies and legislation, making recommendations for additional policies if necessary. Its priority recommendation is to “appoint a central authority with the power and capability to implement all the other recommendations effectively.”
The study makes further prioritized recommendations, including: mandatory reporting of security incidents, provisions to require relevant information sharing, alignment of cyber security activities across all critical infrastructure (to include ICS-SCADA solutions and operations), development of security standards for energy systems, and the establishment of a certification board.
In 2014, President Obama instructed a Task Force to conduct a Quadrennial Energy Review (QER). This report reviews areas including: the Federal energy policy in the context of economic, environmental, occupational, security, and health and safety priorities. Also, the adequacy of existing executive and legislative actions, with recommendations where appropriate; prioritizing recommendations for R&D programs to support key energy innovations; and identifying the analytical tools and data needed to support further policy development and implementation.
Challenges facing the Nation’s energy infrastructures were addressed in the first installment of the QER soon after it was commissioned. The second installment of the report (released January 2017) carried the recommendation of amending Federal Power Act authorities to clarify and affirm that the electricity system – from bulk power right through to distribution – is a national security asset, making its protection a federal responsibility. It also proposes grants for smaller utilities facing cyber threats (among others), and recommends accounting for emerging threats in reliability planning.
From an operational perspective, Industrial Control Systems Cyber Emergency Response Team* (ICS-CERT) offers mitigation strategies to the industry, including: the implementation of information resources, management best practices such as: the procurement and licensing of trusted hardware and software systems, and knowing who and what is on the network through hardware and software asset management automation. It also advises on time patching of systems, and application white-listing to help detect and prevent malware being uploaded.
Rather than relying on signature detection, cyber security technology can help to scan and recognize malicious software before it’s identified as a threat. Oak Ridge National Laboratory’s (at the Department of Energy) Hyperion software does exactly this by looking for patterns in bytes for suspicious behavior.
Another example of development in security includes Solid State Disks (SSD), which have long been used in industrial settings. The growth of machine data analysis and the IIoT (Industrial Internet of Things) has prompted provider companies to offer added levels of security at the collection source, such as device authentication and data encryption. One provider, Virtium, suggests on its website that, ‘IIoT SSDs should ideally provide pre-book authentication and hardware-based Advanced Encryption Standard (AES) protection to offer ‘data-at-rest security’.
But before taking any defensive measures, ICS-CERT reminds organizations to perform proper impact analysis and risk assessments. To help with this, it offers a set of recommended practices for control systems, including: Improving Industrial Control Systems Cyber Security with Defense-in-Depth Strategies, and Seven Steps to Effectively Defend Industrial Control Systems.
The Office of Electricity Delivery and Energy Reliability also offers guidance to help establish or refine existing cyber security risk management programs, as well as advice to help meet the objectives of the Cyber Security Framework that was released by the National Institutes of Standards and Technology, in the US.
— By Rachael Corry, Energy writer
* Operates within the Department of Homeland Security’s Office of Cybersecurity and Communications