Cyber Threats Teaming Up To U.S. Energy Networks
Will the first major cyberattack on the U.S. energy infrastructure come as a big bang of coordinated events, or as a series of barely noticed intrusions that gradually cripple and isolate electric or gas networks?
Whatever the plausible combination of these scenarios, preparing for a cybersecure future is proving to be one of the most difficult operational and organizational challenges to U.S. infrastructure in decades. With the responsibility of keeping the lights on while confronting new cybersecurity requirements, utilities are juggling multiple priorities: managing aging operational technology (OT) and information technology (IT) systems, dealing with growing data volume and complexity from an increasingly sensored smart grid, and monitoring new physical and cyberthreats to these networks.
The level of cyberreadiness among utility operators varies widely because of the complexity of these responsibilities, but there is broad consensus that more coordinated policies, funding and actions on cybersecurity are required to safeguard utilities’ operational and information technology networks. Operators are realizing that new technologies and business practices are needed, and have started to incorporate advancements such as big data analytics, cloud computing and machine learning into their toolsets. These technologies, including approaches that merge the cyberprotection of traditionally separate OT and IT networks, are becoming essential competencies for any utility’s cybersecurity strategy.
A Cybersecurity Landscape Evolving Faster-Than-Grid Operators
Two converging factors are creating a perfect storm for grid and infrastructure operators as they strive to securely administer their OT and IT networks.
1. Rapidly growing numbers of interconnected sensors and control components-ranging from 10 to 100 million for a typical utility-that are remotely machine addressable and vulnerable to cyberattack; and,
2. Proliferating cyber actors and threats that outpace the traditional regulatory processes and standards designed for a hardware-centric world.
With the day-to-day pressure of maintaining “normal” operations, it is little surprise that many utilities and their regulators are inclined to adopt a reactive wait-and-see approach in addressing these factors. Yet the emerging landscape of cyberthreats has demonstrated that monitoring and securing both OT and IT networks with coherent policies and tools is a critical concern. As the diversity and number of OT and IT systems has increased-along with observed threat types-the operational separation of these networks has become less assured than historically assumed.
Headline-making examples of incidents and attacks have exposed the fragile nature of our operational grids: the compromised control room network at the Davis-Besse nuclear plant (2003), StuxNet (2010), the Maroochy SCADA attacks (2000), the Saudi Aramco network services blackout (2012) and the Japan Monju nuclear plant data breach (2014). BlackEnergy, HAVEX, and Sandworm are other examples of threats targeting industrial control systems, and there are undoubtedly many more unreported or unpublished incidents. Significantly, many of these incidents began through enterprise IT systems and migrated horizontally to OT systems, exploiting attack pathways not considered or protected.
How ready are electricity and gas operators to face live cyberattacks? A utility’s level of preparedness can be diagnosed by the specificity of its answers to questions such as:
Which of our IT and OT network assets are the most vulnerable to attack and require protection or updates?
Which IT and OT network components are most important to address as cybersecurity risks, due to their potential impact on our physical grid, customers, operations and public safety infrastructure?
What is the expected state of our network and its traffic at a given moment, and is the risk profile of our network assets increasing or decreasing?
What financial investments are required to achieve a necessary level of cybersecurity readiness?
What advances in software and hardware are required? Are they available now or do they need to be developed?
How much progress and return on investment is being achieved with our network cybersecurity efforts?