Locking the Door Against Cybersecurity Attacks

by Chris Trayhorn, Publisher of mThink Blue Book, May 14, 2007

Situation Overview

The biggest threat today to the transmission and distribution (T&D) business's cybersecurity is not necessarily a virus, worm or terrorist. While these can all be significant threats, the culprit is often the company itself. Particularly as utilities open more doors to their network automation and control systems, such as by deploying more intelligent devices, they can make themselves more vulnerable to any cybersecurity threat. Although utilities can mitigate vulnerabilities, these actions come at an additional cost.

This paper examines recent developments in cybersecurity for network automation and control systems. First, we review how recent cost-cutting initiatives and new technologies are creating cybersecurity problems. We then look at how the North American Electric Reliability Corporation's (NERC) new cybersecurity standards, CIP 002-009, may help utilities address these problems but also create additional costs. Lastly, the report discusses how utilities can cost-effectively strengthen their cybersecurity.

More Cybersecurity Problems

Today most energy delivery businesses have moved beyond worrying about specific cyberattacks, which could be launched by almost anyone, from kids in a basement to a company insider. Instead, many are now concerned about how cost-cutting efforts and the introduction of new technologies could increase their vulnerability to any attack, no matter where it originates.

There are two key corporate efforts that can raise significant cybersecurity issues: obtaining greater real-time visibility of and access to remote assets; and implementing more open, standardized real-time systems.

Greater Visibility and More Access Points

From intelligent grid initiatives for better visualizing and reacting to real-time events to cost-cutting efforts, utilities continue to open more doors to their control networks (see Figure 1). Specific efforts that could create cybersecurity problems include:

More points of access to the grid: Many utilities are using more intelligent electronic devices (IEDs), smart meters and sensors to connect with the field better, an important part of a fast-reacting intelligent network. Furthermore, utilities are allowing more remote access to their delivery system networks by telecommuters and third-party contractors. These efforts don't just open more connections to the system; they also let in remote parties that may not have sufficient cybersecurity systems of their own in place.

More standard communication networks: Although IP-enabled SCADA and wireless networks offer many benefits, they also create problems. On the positive side, an IP-enabled SCADA system provides a low-cost alternative to a proprietary SCADA system. It also allows for better deployment of intelligent grid technologies through easier integration. Intelligent grid efforts are also pushing utilities to use more wireless communications (e.g., WiFi, WiMAX and GPRS). The problem with these communications methods is that they spread out standard communication channels into the service area, creating more ways for cyberthreats to enter the system.

More integration with corporate networks: To support data-sharing and decision support and, in some cases, to reduce costs, more utilities are integrating their control networks with the corporate network. This is troublesome because it allows even more traffic on and accessibility to the corporate network, which means a greater possibility of cyberthreats entering the network automation and control system.

Greater reliance on commonly used platforms: It is becoming increasingly difficult for IT departments to find professionals competent on platforms such as Unix, the traditional operating system for network automation and control systems. These platforms have substantially longer learning curves and require a costlier workforce. As a result, many utilities are turning to more commonplace platforms instead. Standardizing on platforms such as Microsoft Windows offers many benefits, but such platforms are also common targets for cyberattacks.

Vendors have not made cybersecurity a top priority: Today many utilities rely on standardized commercial applications rather than pay for expensive customized systems. This creates vulnerabilities because many network automation and control vendors have not built adequate cybersecurity measures to protect those applications, and attackers can readily obtain information about how to crack them.

New Regulations Will Now Force Utilities to Take Action

Although the initiatives discussed above create cybersecurity problems, utilities can address them by implementing some additional procedures. Aside from the direct operational benefits that come from greater cybersecurity, today's utilities have an even stronger incentive to take action. NERC and the Federal Energy Regulatory Commission (FERC) released the Critical Infrastructure Protection (CIP) standards for cybersecurity, which went into effect on June 1, 2006. Because most utilities are familiar with CIP 002-009, this paper focuses on a few key problems these standards will likely create for utilities.

Defining and Interpreting a Critical Cyber Asset

Today's CIP standards provide a more detailed critical cyber asset (CCA) definition than previous versions. The standards require utilities first to define their critical assets and then to identify CCAs that are essential to their function (see Figure 2).
However, according to the NERC, CCAs can now also include any cyber asset that uses a routable protocol to communicate outside the electronic security perimeter; or uses a routable protocol within a control center; or is dial-up accessible. For example, modems that contractors use to access the network automation and control system connected to an otherwise noncritical cyber asset could now qualify as a CCA.

This brings us to another problem with the new CCA definition. Although the definition is now more specific, there are still varying interpretations of its meaning. For example, although one utility recently identified 300 CCAs, another comparably sized utility found approximately three times as many.

This more detailed CCA definition opens up the possibility that a cyber asset not essential for a critical asset to function will be subject to these regulations, simply because it has a routable protocol or dial-up modem. As discussed earlier, more and more utilities are implementing IP-enabled technologies, such as IP-enabled SCADA. Therefore, more of those assets may be subject to the regulations, which wouldn't be the case if utilities went with older technologies. Furthermore, even some older technologies, such as dial-up modems, may now count as CCAs. Ultimately, more assets subjected to these standards means more effort and cost for utilities to secure those assets.

Future Outlook

Some of the greatest challenges for utilities stem from the fact that demand for these cost-cutting and new technology initiatives is unlikely to go away. As the need increases for better grid visibility and improved response times to delivery system events, utilities will demand even more intelligent grid technologies, such as IP-enabled SCADA systems, smart meters and grid-friendly appliances, that will allow for more and more access to delivery assets, i.e., more open networks.

Another challenge on the horizon, as more and more workers retire, is that utilities will turn to automation to offset the loss of staff. We'll see a greater number of initiatives, such as the use of standardized applications and more commonly used platforms and corporate networks, as companies use information technology to reduce costs and increase efficiency and also to replace their retiring workforces.

At the same time, the new CIP standards will continue to evolve, and the broader NERC reliability standards will further complicate a utility's ability to meet cybersecurity standards. Given the rapidly changing cybersecurity environment and the age of CIP 002-009 standards, these regulations will likely change. Moreover, CIP 002-009 is just a piece of the NERC reliability standards. These extensive standards cover a broad range of issues, from resource and demand balancing to personnel performance, training and qualifications. These broader regulations will put a squeeze on the resources utilities can devote to cybersecurity.

Future Adoption Patterns

Although some utilities have complied with voluntary cybersecurity standards, the CIP standards will force many more to seriously reconsider their cybersecurity system. As a result, utilities will:

Have larger cybersecurity budgets. Despite the demands of the broader NERC reliability standards, CIP 002-009 means that many utilities will have to step up their cybersecurity efforts and spending to become compliant.

Be more aware of cybersecurity costs and risks. Now that utilities must comply with regulations and deal with the varying interpretations of the CCA definition, they will take into greater consideration the cybersecurity costs associated with new projects. But even as utilities expand their budgets, they will not be able to afford every single cybersecurity measure available for their network automation and control systems.
Instead, they'll take a risk management approach that weighs the probability and extent of risks, events that would cause problems for their network automation and control systems. They won't have resources to answer every risk, so they'll prioritize their cybersecurity efforts to address the most critical risks (e.g., risks that may be unlikely to occur but would be catastrophic to the system).

Demand more third-party assistance. Utilities will need more products and services, such as vulnerability assessments and security software packages, as they improve their cybersecurity. They'll turn not only to cybersecurity vendors but also to industry-specific vendors to strengthen one another's solutions.

Essential Guidance

Popping in a security software program or setting up a firewall is not adequate to protect a utility's network automation and control system. And new technologies and cost-cutting efforts will continue to expose the network automation and control system to cyberthreats. Therefore utilities must weigh their cost-reduction and intelligent grid initiatives against the need for greater security.

Utilities should not necessarily avoid newer technologies or cost reductions out of cybersecurity fear. They will, however, need to determine up front what changes to network automation and control systems will cost in terms of cybersecurity compliance. A new, more efficient technology isn't really less expensive if it requires more investment in cybersecurity measures than an older technology would.

More generally, to protect increasingly vulnerable network automation and control systems, utilities need to consider:

Ongoing vulnerability assessments. Before a utility can secure its network automation and control system, it needs to understand its system vulnerabilities. Determining cybersecurity needs requires an initial evaluation and then, after developing and implementing initial cybersecurity strategies, utilities must continue re-evaluating their systems.

Vigilant monitoring of the network automation and control systems. Utilities should monitor systems on an ongoing basis to establish a baseline for normal activities. By knowing its baseline, a utility will be better able to identify unusual activity.

Enterprise effort. With growing connections between business units, cybersecurity does not just impact network automation and control systems. Utilities should be working across business units to develop a broader, more comprehensive approach to cybersecurity that addresses both control networks and the corporate network itself.

Cybersecurity is more than just software. Although there are effective cybersecurity applications on the market, utilities must research additional ways of mitigating cyberthreats, from knowing their users to improving their physical infrastructure.

Thinking outside the regulatory box. The new CIP standards provide a good start for cybersecurity, but they cannot adequately address all related issues. Utilities should take the time to evaluate additional cybersecurity recommendations, such as the ISO 17799 Security Standard.

Effective solutions for today and tomorrow. Because many cybersecurity measures are narrowly focused, utilities should implement solutions that work with their existing technologies and can also adapt to meet future technological needs.

About the Author

Chris Trayhorn, Publisher of mThink Blue Book

Chris Trayhorn is the Chairman of the Performance Marketing Industry Blue Ribbon Panel and the CEO of mThink.com, a leading online and content marketing agency. He has founded four successful marketing companies in London and San Francisco in the last 15 years, and is currently the founder and publisher of Revenue+Performance magazine, the magazine of the performance marketing industry since 2002.