This article was co-authored by Peter Herdman, ICS Security Capability Lead at Capgemini
In August 2017, the UK government proposed plans to implement the Security of Network and Information Systems (NIS) Directive. The aim of the directive is to improve the security of the UK’s essential services including utilities. With penalties of up to £17 million for not being up to standard, energy and water providers must take action to prevent disruption to their services.
The challenges of convergence
In the past, utilities have largely relied on the separation of their business systems from their Industrial Control Systems (ICS) or Operational Technology (OT) to provide security. This meant air-gapping communications and control networks with no links to external networks.
Today, the drive for operational efficiencies means utilities are forced to deploy digital solutions leveraging Industrial Internet of Things (IIoT) to integrate their operational systems and networks with internal business systems and external systems such as data analytic services.
Utilities are also under competitive pressure to monetize their data in creative ways. All of this weakens the separation of the customer, operational, and corporate networks that previously existed. The security air gaps are being closed. The nationwide rollout of smart meters is a good example, and one that is recognized as a significant risk to the country’s critical infrastructure if it is not secured properly.
Applying the right tools to the right technologies
Industrial networks and systems are set to undergo the digital transformation that commercial businesses underwent many years ago. This transformation will bring new threats and risks as well as exacerbating existing ones. The potential for industrial cyber incidents to occur at a frequency we have become accustomed to in commercial enterprise is also real.
If industrial cybersecurity is not properly addressed within the utility sector, we are open not only to the familiar risks of data breaches but also to unfamiliar risks to the availability of energy and water supplies at a local and national level. In some areas, there would be no second chances. Destruction on the scale of a terrorist attack could be inflicted and public health put at significant risk. Even low-level, opportunistic cyber vandalism has the potential to cause disruption (or annoyance and distraction at a minimum). These risks are escalating quickly given the growing digitization of asset management, automation, and process control.
Utility companies must make sure they are prepared to deal with the emerging cyber challenges to industrial systems. This means improving security processes and capabilities while maintaining the ability to improve operational efficiency and achieve business objectives.
Many utility companies do not have the experience or expertise to address ICS or OT security. Some organizations make the mistake of trying to apply an enterprise security model in an industrial environment or believe technology will solve the problem. This enterprise security view fails to recognize the fundamentals of control systems and the challenges associated with operating industrial plant. It is therefore prudent for utilities to learn the lessons and appreciate the insights from other organizations that operate critical national infrastructure.
The priorities in industrial environments are not the same as they are for business. Safety, availability, integrity, and confidentiality, in that order, are typically the priorities across industrial systems. As an example, a change made by enterprise IT on a manufacturing system can bring production to a complete standstill. But if this is a safety-critical system in a utility company, the outcome may threaten public safety.
Understanding who, what, and how
If they have not already done so, utility companies should act now to protect their industrial infrastructure. There are many security activities utility companies can start today using existing resources. These ICS/OT security basics are fundamental to developing the foundations of a robust ICS/OT security program. Start by forming a multi-disciplined working group to address ICS/OT security. It is imperative that senior leadership from both Information Security and Engineering are part of this group. Technical personnel are also key participants.
Engineering teams should begin to document all ICS/OT cyber assets, starting with those they believe are the critical ones. These would include networked controls, systems, and devices that, if compromised, may impact health and safety or the availability of the plant. High-level diagrams and design documentation of the ICS/OT network are also essential, not only as an aid to assessing the risk and implementing appropriate technical controls but also to facilitate investigation and recovery when an incident occurs. Often this documentation does not exist and must be created.
The supply chain is a primary attack vector that is often overlooked. With many small and specialist vendors supplying utility companies, this avenue of attack may be an easy route through the defenses of an ICS/OT network. By compromising a supplier first, an attacker can exploit the trust and access that smaller specialist suppliers often have. Implementing a comprehensive supplier security assurance program is essential to mitigate this risk.
A risk assessment should be undertaken in parallel. This should be followed by a report documenting recommendations for improvements and an ICS/OT security road-map. Experience has shown that the risk assessment and report should be performed by ICS/OT security specialists.
From possible fines, through safety impacts, to reputational damage, the reasons to give cybersecurity due investment and attention are clear. The level of integration with wider industrial and technical development will be a key factor in how effective and efficient the implementation is.