Who Holds the Almighty and Powerful Ring? 13 Steps for Utility Cyber Security Protection
May 13, 2014 posted by Eric Christensen
Who Holds the Almighty and Powerful Ring in the Cyber World?
Thirteen Steps for Utility Cybersecurity Protection
By Eric Christensen, Partner, Gordon Thomas Honeywell, and Maj. Gen. (Ret.) Tim Lowenberg, Vice President, Gordon Thomas Honeywell Governmental Affairs

While computer and internet technology create enormous benefits for twenty-first century utilities, they also expose utilities to new and sinister cyber threats. For utility managers, entering the cyber world can feel like entering J.R.R. Tolkien's "Middle Earth", a strange land filled with treacherous creatures like orcs, ring-wraiths, and wargs. Like Middle Earth, the cyber world is inhabited by peculiar and threatening forces, ranging from amateur hackers, to organized criminal enterprises searching for valuable financial information, to politically motivated actors and nation-states capable of using malicious computer code as a weapons system. And like Gollum, the hobbit twisted beyond all recognition by the power of the One Ring, threats in the cyber world often go undetected, arise from nebulous but nefarious motives, and can unleash powerful, destructive effects beyond all expectation.

In light of the near-universal consensus among defense analysts, policy makers and computer experts that the electric utility sector is among the sectors most vulnerable to cyber-attacks, how should utility managers address these threats? We recommend the following thirteen steps that all utilities, regardless of size, should take to mitigate risk in the complex and ever-changing world of cyber-security.

Step 1: NIST Cybersecurity Framework

On February 12, 2014, the National Institute of Standards and Technology ("NIST") released the first version of its Framework for Improving Critical Infrastructure Cybersecurity. The Framework, issued in response to President Obama's Executive Order No. 13636, is intended to create common, voluntary industry standards and best practices for addressing cyber-security threats.
The Framework provides a standardized approach for identifying cyber-security threats and protecting organizations against those threats through technological fixes and the education of management and front-line operators. While the Framework is an ongoing and evolving document, it is a useful starting point for developing a cyber-security strategy. The steps we recommend here are consistent with the NIST Framework.

Step 2: NERC CIP Standards

Because they are mandatory and violations can lead to substantial penalties, NERC Reliability Standards are, of course, of primary concern to electric utilities. NERC's Critical Infrastructure Protection ("CIP") standards define utility obligations to address threats in the cyber-security realm and should therefore be a prime focus of every utility. After a long period of flux, the Federal Energy Regulatory Commission ("FERC") in November 2013 adopted Version 5 of the CIP standards, with certain reservations. Utilities with "High and Medium Impact" assets (as defined in NERC's "BES Cyber Asset" definition) must come into compliance with Version 5 by April 2016, and those with "Low Impact" assets must come into compliance by April 2017. Utility managers should therefore pay careful attention to these standards, as well as to the refinements to the standards now under development in response to FERC's November 2013 order. In addition, NERC is conducting a pilot program, with results due in the near future, that should provide useful information for utility compliance managers.

Utility managers should also pay close attention to physical security standards. In reaction to damage caused by a sophisticated physical attack on the Metcalf Substation in California's Silicon Valley, FERC on March 7 ordered NERC to develop standards to secure key electrical facilities against physical attack. Compliance with these standards could be extremely expensive.
In raising this concern, FERC Commissioner John Norris recently noted that just three utilities reported to him that they may have to spend more than $500 million on physical security enhancements in the wake of the Metcalf incident. As is also obvious, under-reaction could prove even more costly, both for the utility and for our national security.

Step 3: Develop a Cyber-Security Strategy

In compliance with the NIST Framework and CIP standards, utility management should develop a cyber-security strategy that identifies cyber-risks, provides clear guidance and training to utility employees so they can effectively address those risks, and ensures the strategy is carried out and documented through continuous feedback to utility managers. As discussed below, it is important that the strategy include coordination with affected municipal and state governments, first responders, and Federal Information Sharing and Analysis Centers ("ISACs").

Step 4: CEO Briefings

The Cyber-Security Strategy developed in Step 3 should include a requirement for regular briefings of the utility's chief executive officer and relevant senior management by cyber-security personnel, including updates on newly identified cyber threats, progress in implementing CIP standards and other mitigation measures, and adaptations to the Strategy to address new threats, vulnerabilities and emerging challenges. Such briefings demonstrate the importance of cyber-security to the rest of the organization and ensure senior management is aware of cyber-related issues. Full awareness of cyber threats should, in turn, help ensure the organization is devoting adequate resources to addressing those threats, and build the "culture of compliance" NERC looks for in assessing adherence to Reliability Standards.
Step 5: Legal Review of IT Contracts

The utility should conduct a legal review of its IT equipment and services contracts to ensure compliance with CIP standards, the Security Development Lifecycle guidelines discussed below, the utility's internal Cyber-Security Strategy, and other relevant requirements.

Step 6: Review IT Procurement

The utility should also ensure it is procuring computer software and hardware in a "secure" manner, in conformity with Security Development Lifecycle ("SDL") processes and other best practices. Such procurement practices guard against the incorporation or introduction of unsafe equipment and malicious software into the utility's computer systems.

Step 7: Procurement Staff Training

Consistent with Steps 5 and 6, the utility's procurement and acquisition staff, as well as its IT security staff, should receive training on SDL and other requirements relevant to IT acquisition, and should be given resources sufficient to ensure effective cyber-security provisions are incorporated into all IT acquisition contracts.

Step 8: Verify Implementation of Cyber-Related Contract Requirements

To ensure the measures discussed in Steps 5 through 7 are properly implemented, the utility should review its contractual relationships with third-party IT service providers to verify that the security-related requirements of IT contracts are actually being carried out in conformity with contractual and industry standards. Substandard computer installations and non-conforming contract services can give hackers, cyber-criminals, and cyber-attackers access to critical computer-controlled infrastructure.

Step 9: Use Information Sharing and Analysis Centers ("ISACs")

ISACs (mentioned in Step 3 above) are sector-specific organizations developed voluntarily in cooperation with the Department of Homeland Security to facilitate detection and prevention of cyber-intrusions, vulnerability scanning, penetration testing, and training and education services.
The Department of Homeland Security coordinates the flow of information to, from and among fifteen national ISACs. Utility managers and security officials should pay particular attention to ES-ISAC, the ISAC for the electricity sector. Information from other ISACs may also enhance awareness of cyber-threats, as well as of the tactics, techniques and procedures employed by nefarious actors. These collateral sources include the Multi-State ISAC, which provides cyber threat information and cyber response assistance to state and local governments, including utility commissions; the Supply Chain ISAC, which focuses on threats identified in the acquisition/procurement process; the Water ISAC, which provides useful information for water utilities; the Nuclear Energy ISAC, which covers nuclear energy cyber issues; and the Financial Services ISAC, which has information helpful in protecting the financial information of utility customers as well as the utility's own financial information.

Step 10: Develop Disaster Recovery Plans

Most utilities have extensive business continuity and recovery plans that describe how the utility will deal with natural disasters such as earthquakes and major storms. Disaster preparedness also requires development of plans to ensure the utility's recovery from a major cyber-attack or series of attacks. The threat of such attacks is so real that a cyber mitigation, response and recovery plan should be the subject of a separate, detailed Annex to the utility's continuity plan. NARUC's Cybersecurity for State Regulators 2.0 (February 2014) provides a comprehensive set of criteria and recommended actions (drawn from a wide variety of sources) for utility commissions to use as assessment tools. These sources and others are helpful in developing an effective Cyber Annex to the utility continuity and recovery plan.
Step 11: Build a Relationship With Law Enforcement

Federal, state and local law enforcement agencies, and some state military departments, have important roles in identifying cyber intrusions, developing coordinated responses to such intrusions, apprehending or assisting in the apprehension of cyber criminals, and recovering from major cyber incidents. Utilities should strive to build strong relationships with these agencies. To be effective, the utility must pre-identify the specific law enforcement officials it will contact in case of a suspected terrorist attack or cyber intrusion. The utility should go beyond the minimum requirement of compiling a contact list and create active, ongoing relationships with the law enforcement officials it will need to rely on in the event of a major cyber-attack.

Step 12: Practice Cyber Incident Responses

As with most utility functions, the adage "practice makes perfect" applies to cyber incident preparedness and cyber incident response. Fortunately, the Department of Homeland Security's "Cyber Storm" program offers excellent opportunities for utilities to participate in a realistic simulation of a major cyber-attack. The Cyber Storm exercise series provides an opportunity for more than 1,000 local entities to participate in a coordinated, week-long national cyber exercise, the results of which are used to develop other, progressively more challenging exercises and to enhance the nation's cyber response systems. Washington utilities such as Snohomish County PUD played an active role in the 2013 Cyber Storm exercise. The next Cyber Storm exercise is scheduled for 2015.

Step 13: Support Your Local Emergency Response Plan

Finally, the utility should determine whether its state government has developed a cyber response plan. If a plan exists, the utility at a minimum should become thoroughly familiar with it and, even more important, should offer to participate in the development and continuous testing and refinement of the plan.
The State of Washington, for example, leverages its "cyber security centers of excellence" and lessons learned from Cyber Storm exercises to integrate cyber-security planning by state agencies ranging from the Washington Military Department (including its civilian State Emergency Operations Center and Air and Army National Guard cyber operations units) to the Office of the State Chief Information Officer, the Washington State Patrol, the Washington State Fusion Center, the Utilities and Transportation Commission, state universities, municipalities such as the City of Seattle, aerial and maritime port authorities, and public utilities. These and other stakeholders, participating as members of a Washington State Cyber Integrated Project Team, have contributed to the development, testing and refinement of a Washington State Cyber Incident Annex that is based on the National Cyber Incident Response Plan. The Washington Cyber Incident Annex includes provisions for convening a Cyber Unified Coordination Group to oversee cyber incident responses, which includes representatives from utilities and other critical infrastructure sectors that could be subject to cyber attack.

CONCLUSION

The conflict between good and evil in Middle Earth was finally resolved when Gollum, still madly clutching the One Ring, fell into the fire at the Cracks of Doom. With the malevolent force of the Ring destroyed, the forces of evil were shorn of their power and collapsed, allowing the hobbits and other peaceful residents of Middle Earth to return to normal life. The moment when the forces of evil in the cyber world will be shorn of their power is a long way off. Until that time comes, dealing with malevolent forces in the cyber domain will be an omnipresent and growing challenge. Because electric power is so critical to the functioning of our modern society, utilities are, willingly or not, thrust into the role of front-line players in the battle for control of cyberspace.
The thirteen steps described above, if implemented, will help utilities protect their own assets, and help secure the nation against potentially crippling cyber attacks.