Accelerating Critical Infrastructure Security in The Energy Sector

by Chuck Brooks, President, Brooks Consulting International

Critical energy infrastructure has been under siege by threat actors. The May 7, 2021, cyberattack against Colonial Pipeline is illustrative of the growing impact of cyberthreats on the energy sector and the need to prioritize cyber-defenses.


The recent announcement of The Department of Energy’s (DOE) ‘100-day Plan to Accelerate Cybersecurity Detection, Mitigation, and Response Capabilities Across Electric Utilities’ calls attention to the importance of securing the nation’s power grid. DOE will be working in coordination with The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) to address “persistent and sophisticated threats” to the nation’s electric grid, including a “voluntary industry effort” to deploy technologies to secure Industrial Control Systems (ICS) and Operational Technology (OT).

“The initiative modernizes cybersecurity defenses and:
• Encourages owners and operators to implement measures or technology that enhance their detection, mitigation, and forensic capabilities.

• Includes concrete milestones over the next 100 days for owners and operators to identify and deploy technologies and systems that enable near real-time situational awareness and response capabilities in critical ICS and OT networks.

• Reinforces and enhances the cybersecurity posture of critical infrastructure Information Technology (IT) networks; and

• Includes a voluntary industry effort to deploy technologies to increase visibility of threats in ICS and OT systems.”

The initiative is one of the first cybersecurity actions from the new Administration. It is a continuing effort built on past Administration Executive Orders and activities dedicated to bolstering critical infrastructure protection. Across other government institutions, including Congress, securing critical infrastructure has been a priority topic. Senators Maggie Hassan (D-N.H.) and Ben Sasse (R-Neb.) recently introduced legislation called The National Risk Management Act that is intended to protect critical infrastructure from cyber-attacks and other national security threats. The act would require CISA to conduct a five-year national risk management cycle, which would involve CISA identifying and compiling the major risks to critical infrastructure in a report sent to the President and Congress.

The intelligence community has also highlighted the fact that protecting critical infrastructure is a top national security imperative. The 2021 Annual Threat Assessment of the U.S. Intelligence Community assembled by the Director of National Intelligence concluded that “cyber threats from nation states and their surrogates will remain acute” as countries with nefarious aims “use cyber operations to steal information, influence populations, and damage industry, including physical and digital critical infrastructure.”

“Although an increasing number of countries and non-state actors have these capabilities, we remain most concerned about Russia, China, Iran, and North Korea,” the assessment said. “Many skilled foreign cybercriminals targeting the United States maintain mutually beneficial relationships with these and other countries that offer them a safe haven or benefit from their activity”.

The United States is not the only target. The 2020 World Economic Forum’s (WEF) Global Risks Report listed cyberattacks on global Critical Infrastructure (CI) as a top concern. WEF noted that “attacks on critical infrastructure have become the new normal across sectors such as energy, healthcare, and transportation.”

The U.S. critical infrastructure is the engine of our industrial economy. The new reality is that almost all critical infrastructures operate in a digital environment, including the health care, transportation, communications, financial, and energy industries. While the information technology landscape has greatly evolved, so have the vulnerabilities. Energy assets and The Grid are especially vulnerable to attacks, both physical and cyber-related.


It is not a new phenomenon that energy assets have been continually tested by adversaries. Over the past decade, nuclear and electric grid facilities have been subjected to attacks by state threat actors, criminals, terrorists, and others. Cyber-attacks have been the preferred modus operandi of adversaries.

The energy sector stands out as being particularly vulnerable among critical infrastructures. This energy ecosystem includes power plants, utilities, nuclear plants, and The Grid. Protecting critical Industrial Control Systems (ICS), Operational Technology (OT), and Information Technology (IT) systems from cybersecurity threats is a difficult endeavor. They all have unique operational frameworks, access points, and a variety of legacy systems and emerging technologies.

Because of the aging infrastructure, and combinations of meshed industrial control system networks, it is not surprising that threat actors would be engaged in mapping and targeting energy facility networks. Much of the equipment that comprises the electric Grid infrastructure is antiquated and needs updating. The Grid itself is critical infrastructure comprising a network of more than 7,650 power plants, which are integrated via 450,000 miles of high-voltage transmission lines. Estimates are that The Grid includes 70,000 transformer power substations and thousands of power generating units. The Grid is mostly dependent on legacy technologies: 70% of transmission lines are at least 25 years old and approaching the end of their lifecycle, and 60% of the circuit breakers are more than 30 years old, compared to useful lives of 20 years.

State threat actors do pose significant threats. Admiral Mike Rogers, former head of the National Security Agency and U.S. Cyber Command, has stated that at least two or three countries could launch a cyber-attack that could shut down the entire U.S. power grid and other critical infrastructure. Additional threats can also come from rogue extremist states such as North Korea and Iran.

There are a variety of challenges to stopping breaches, and the biggest one is the growing sophistication and resources of the attackers. We are seeing an increasing level of sophistication from our adversaries, including the exploitation of supply chains, as in the recent SolarWinds breach. The types of tools they use include phishing scams, bots, ransomware, and malware that takes advantage of software holes that leave vulnerabilities in networks. There are also threats from physical incursions (access control), terrorism, and potential hostile insiders to contend with and mitigate.

The integrated makeup of The Grid is also challenging for security. Electric utility networks are composed of ICS (both OT and IT) linked by both physical and digital connectivity. The severity of any industrial control system cyber-attack depends on whether hackers managed to breach not only its traditional OT computer systems, but also the connected, internet-facing IT systems that manipulate its physical equipment. The convergence of OT and IT networks expands the attack surface and is being used by adversaries to exploit vulnerabilities arising from the connectivity. And what works for IT cybersecurity may pose a risk to OT cybersecurity. For example, patching may not be an option when updates disrupt real-time system operations.

Information Technology (IT), Operational Technology (OT) and Industrial Control Systems (ICS) supply chains in CI can be particularly vulnerable as they cross-pollinate and offer attackers many points of entry. Older, legacy OT systems were not designed to protect against cyber-attacks. There is often a visibility problem caused by a lack of telemetry data. Many organizations do not know if an attack has occurred, nor do they have the systems to monitor or detect breaches in the control systems used in energy infrastructure.

Another factor is the growing sophistication of attackers. One of the reasons why the sector has become more vulnerable is that hackers have gained a deeper knowledge of control systems and the converged OT and IT architectures, how they can be attacked, and how they can employ weaponized malware against power stations and other energy related assets.

In July 2020, an investigation highlighted how an attacker could get into critical U.S. infrastructure via unsecured ICS. They claimed it could be done by attackers using search engines and tools dedicated to scanning all open ports and remotely taking control. Senior Researcher Edvardas Mikalauskas of CyberNews summarized: “Our research has previously highlighted that many ICS panels in the U.S. are critically unprotected and easily accessible to threat actors. The most vulnerable infrastructure appears to belong in the energy and water sector.”

The National Security Agency (NSA) recently released a Cybersecurity Advisory on this exact issue of integration and connectivity of OT and IT systems. The advisory details “how to evaluate risks to systems and improve the security of connections between OT and enterprise networks. Information Technology (IT) exploitation can serve as a pivot point for OT exploitation, so carefully evaluating the risk of connectivity between IT and OT systems is necessary to ensure unique cybersecurity requirements are met.”


“Each IT-OT connection increases the potential attack surface. To prevent dangerous results from OT exploitation, OT operators and IT system administrators should ensure only the most imperative IT-OT connections are allowed, and that these are hardened to the greatest extent possible. An example of this type of threat includes recent adversarial exploitation of IT management software and its supply chain in the SolarWinds compromise with publicly documented impacts to OT, including U.S. critical infrastructure”.

“NSA recommends taking steps to improve cybersecurity for OT networks when IT-OT connectivity is mission critical, as appropriate to their unique needs. For IT-OT connections deemed necessary, steps should be taken to mitigate risks of IT-OT exploitation pathways. These mitigations include fully managing all IT-OT connections, limiting access, actively monitoring and logging all access attempts, and cryptographically protecting remote access vectors.”
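The NSA guidance quoted above boils down to an explicit allow-list of IT-OT conduits, a verdict logged for every attempt, and encryption on the paths that remain. The following Python is an added example (not code from the NSA advisory or from this article) of how such a policy can be evaluated over firewall log lines; the zone names, address ranges, approved conduits and log lines are all constructed for illustration.

```python
# Allow-list evaluator for IT-to-OT conduits: only approved connections pass,
# every attempt gets a verdict and reason, and remote paths must be encrypted.
# Zones, policy and log lines below are constructed for this example.
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

ZONES = {
    "enterprise_it": ipaddress.ip_network("10.10.0.0/16"),
    "ot_dmz": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("192.168.50.0/24"),
}

@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    dst_port: int
    encrypted: bool  # conduit must carry cryptographically protected traffic

# The "imperative" IT-OT connections and nothing else (constructed policy).
ALLOWED = {
    Conduit("enterprise_it", "ot_dmz", 443, True),  # historian replica over TLS
    Conduit("ot_dmz", "control", 4840, True),       # OPC UA with signing/encryption
}

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) tls=(yes|no)")

def zone_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def evaluate(line: str) -> Tuple[str, str]:
    # Returns (verdict, reason); every line, allowed or denied, is an attempt to record.
    m = LOG_RE.search(line)
    if not m:
        return "deny", "unparseable line"
    src, dst, dport, tls = m.group(1), m.group(2), int(m.group(3)), m.group(4) == "yes"
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return "deny", "unknown zone"
    for c in ALLOWED:
        if (c.src_zone, c.dst_zone, c.dst_port) == (sz, dz, dport):
            if c.encrypted and not tls:
                return "deny", "approved conduit but traffic not encrypted"
            return "allow", f"approved conduit {sz}->{dz}:{dport}"
    return "deny", f"no approved conduit {sz}->{dz}:{dport}"

# Constructed firewall log lines.
SAMPLE_LOG = [
    "src=10.10.4.7 dst=10.20.0.15 dport=443 tls=yes",    # approved historian sync
    "src=10.10.4.7 dst=192.168.50.9 dport=502 tls=no",    # IT host straight into the control zone
    "src=10.20.0.15 dst=192.168.50.9 dport=4840 tls=no",  # approved path, but unencrypted
    "src=203.0.113.8 dst=192.168.50.9 dport=22 tls=yes",  # source in no known zone
]
```

Only the first line is allowed; the unencrypted use of an approved conduit is denied just like the unapproved ones, which is the point of the "hardened to the greatest extent possible" clause.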

In addition to ports on IT and OT networks, process sensors in energy systems have been one of the most preferred and easiest methods for breaches. “Process sensor issues have been directly involved in many of the more than 1,300 actual control system cyber incidents to date that have killed people and caused more than $80B in direct damage. Russia, China, and Iran are aware of the cybersecurity gaps in these devices and in some cases are currently exploiting the lack of sensor authentication.
Process sensors are assumed to be secure, authenticated, and correct. Those assumptions at the very least depart from the IT principle of “zero trust”. Process sensor data are the input to process control, safety systems, OT networks, predictive maintenance programs, historians, etc. Compromising process sensors (or not recognizing sensor deviations) can circumvent cybersecurity mitigation as well as engineering safeguard protections. However, there is minimal cybersecurity in the process sensor ecosystem. Worse, there are built-in vulnerabilities that cannot be bypassed.”
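Because the sensors themselves carry no authentication, the defender's fallback is to stop assuming sensor data is correct and to recognize deviations, as the passage above says. The Python below is an added example (not code from the article or from the quoted source) of plausibility checks a historian or monitoring system can run on incoming readings: engineering range, rate of change against the last trusted value, and agreement with a redundant partner sensor. Tag names, limits and readings are constructed.

```python
# Plausibility checks on process sensor readings: engineering range, rate of
# change, and agreement with a redundant partner. All tags and values are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class SensorSpec:
    lo: float                      # engineering range low
    hi: float                      # engineering range high
    max_rate: float                # largest plausible change per second
    partner: Optional[str] = None  # redundant sensor to cross-check against
    partner_tol: float = 0.0       # allowed disagreement with partner

SPECS: Dict[str, SensorSpec] = {
    "PT-101A": SensorSpec(0.0, 100.0, 2.0, "PT-101B", 3.0),
    "PT-101B": SensorSpec(0.0, 100.0, 2.0, "PT-101A", 3.0),
}

@dataclass
class Reading:
    t: float  # seconds
    tag: str
    value: float

def check(readings: List[Reading]) -> List[str]:
    """Return one alert string per reading that fails a plausibility check."""
    alerts: List[str] = []
    last: Dict[str, Reading] = {}    # tag -> last reading that passed all checks
    latest: Dict[str, Reading] = {}  # tag -> most recent reading, passed or not
    for r in sorted(readings, key=lambda x: x.t):
        spec = SPECS[r.tag]
        problems = []
        if not spec.lo <= r.value <= spec.hi:
            problems.append("out of engineering range")
        prev = last.get(r.tag)
        if prev and r.t > prev.t:
            # Rate is measured against the last trusted value, so drift after a bad reading still shows.
            rate = abs(r.value - prev.value) / (r.t - prev.t)
            if rate > spec.max_rate:
                problems.append(f"rate {rate:.1f}/s exceeds {spec.max_rate}/s")
        p = latest.get(spec.partner) if spec.partner else None
        if p and abs(p.t - r.t) <= 1.0 and abs(p.value - r.value) > spec.partner_tol:
            problems.append(f"disagrees with {spec.partner} by {abs(p.value - r.value):.1f}")
        latest[r.tag] = r
        if problems:
            alerts.append(f"t={r.t:g} {r.tag}={r.value:g}: " + "; ".join(problems))
        else:
            last[r.tag] = r
    return alerts

# Constructed readings: both transmitters track together, then PT-101B climbs while
# PT-101A stays flat, and PT-101A finally reports a value outside its range.
SAMPLE = [Reading(t, tag, v) for t, tag, v in [
    (0, "PT-101A", 50.0), (0, "PT-101B", 50.2), (1, "PT-101A", 50.5), (1, "PT-101B", 50.6),
    (2, "PT-101A", 50.4), (2, "PT-101B", 55.1), (3, "PT-101A", 50.4), (3, "PT-101B", 58.9),
    (4, "PT-101A", 120.0), (4, "PT-101B", 61.0)]]
```

The disagreement check fires on both partners, since the data alone cannot say which one is lying; that ambiguity is exactly why the passage treats unrecognized sensor deviation as a gap in both cyber and engineering safeguards.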

In addition to cyber-attacks, the Grid is vulnerable to other assorted malicious actions and hazards that need to be included in any threat matrix. These include: Physical (terrorism, explosives, electro-magnetic attacks such as EMP), Weather Events (lightning), Electric and Geo-magnetic super-storms (Carrington Event 1859), Solar Flares, Cascading power failures (over-usage), and Human error blackouts. Attacks via digital means are most likely and should be prioritized; however, protecting critical infrastructure needs to be a holistic and comprehensive approach.

How can we better protect the critical infrastructure and networks? While the threats to nuclear facilities and power plants are complex, there are several themes and safeguards to adhere to in order to mitigate risk. These include:

• Be prepared and have a framework. It is necessary to continually analyze and game the energy cyber-threat landscape, as the methods, means and malware variants are constantly morphing. Emerging technologies are changing both the defensive and offensive cyber and physical security landscapes.

• Energize Public-Private Partnerships. It is vital to share and communicate cybersecurity information between the public and private sectors. DOE’s 100-day Plan is based on the premise of collective defense in cybersecurity and a collaborative approach that recognizes the value of threat information sharing. However, there are still significant gaps in information sharing by the government with the private sector. DHS CISA has made public-private partnerships for protecting critical infrastructure a top focus. Government and industry are currently using pilot programs including the Cybersecurity Risk Information Sharing Program and the Trusted Automated Exchange of Indicator Information to facilitate rapid sharing of security information. DHS CISA has established active and successful programs in this area.

• Upgrade and follow industry protocols, especially those related to Supervisory Control and Data Acquisition (SCADA). Power companies use SCADA networks to control their industrial systems, and many of these networks need to be updated and hardened to meet growing cybersecurity threats. Standards should include NIST, IEC 62443, and ISO 27001. The energy industry also needs to know the National Institute of Standards and Technology, North American Electric Reliability Corporation, Federal Energy Regulatory Commission and U.S. Nuclear Energy Regulatory Commission cybersecurity protocols.

• Access Control is Key. Who has privileged access to networks, sensors, equipment, and devices and are they monitored? It is important to maintain robust access management control and cyber incident response programs.

• Emerging Technologies are arriving. The technology landscape is evolving, and it is important to invest in next-generation security controls and cybersecurity technologies. Procurement of automation tools such as Artificial Intelligence (AI) and Machine Learning is especially needed. Also, energy providers should invest in hardening targets against both physical and cyber incursion.

• Risk Management. Ultimately, the most effective way to address these challenges is by utilizing a strategy of comprehensive risk management. There are a variety of risk frameworks to consider. These include “Security by Design”: build agile systems with operational cyber-fusion to be able to monitor, recognize, and respond to emerging threats. Install Intrusion Prevention Systems (IPS) or Intrusion Detection Systems (IDS) to monitor for malicious activity on your industrial network. Also, enable security settings on energy system networks. And “Defense-in-Depth,” which layers cybersecurity technologies, processes, air-gapping, hardening, encryption of data flowing from sensors, and segmentation of OT and IT. The newest framework is “Zero Trust,” a term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. A Zero-Trust Architecture (ZTA) uses zero trust principles to plan industrial and enterprise infrastructure and workflows. Protecting the ICS used by utilities from both physical and cyber threats, in a dynamic threat environment, really requires using all of these approaches together.

CONCLUSION
In July of 2020, at the G20 Summit, an international forum for economic cooperation on energy security, the importance of Security by Design was stressed. The G20 member countries were told that cyber-attacks are always evolving when it comes to capabilities and tactics and that state actors, “hacktivists” and other attackers homing in on energy critical infrastructure have become more technologically sophisticated. It was noted that the scale and frequency of attacks are alarming and that protecting critical energy infrastructure from cyber-attacks requires Security by Design. Finally, it was summarized that energy security now necessitates building agile systems with operational cyber-fusion to be able to monitor, recognize and respond to emerging threats. G20 member countries account for approximately 80 percent of the world’s economic output, 75 percent of international trade and two-thirds of the world population.

Because of the modernization of critical infrastructure and the replacement of legacy OT and IT systems, there may be opportunities to implement the Security by Design and Zero Trust strategies. Awareness of the threat is half the battle. The ‘100-day Plan to Accelerate Cybersecurity Detection, Mitigation, and Response Capabilities Across Electric Utilities’ is certainly a step in the right direction for energy security.