Last week, I was in London, presenting at SMI’s European Smart Grid Cyber Security conference. It was great. I love seeing so many intelligent people in one room, all working to keep our grids and consumers safe.
My talk focused on what cyber security threats to utilities look like nowadays, and what we should be doing about them. Specific strategies will depend on individual systems and circumstances, but here are five broad steps utilities can take to protect their networks.
1 – Train up
Cyber security requires good technology and the right people to use it. Utilities need people who understand, and can build, secure architectures, intrusion detection capabilities and incident response capabilities.
Unfortunately, good cyber security people are in high demand. Utilities will have a tough task recruiting all the skills they need, so training the people they already have to be more cyber-aware should be a key priority. Online courses, hands-on sessions, ‘war games’ style training – all of it can help train up existing staff to lessen the cyber threat.
It’s also crucial that they have somewhere to learn and practise – a cyber-gym to train in. It’s never a good idea to learn live in the field on real systems; it’s far better to replicate them in a lab environment and simulate threats there.
At ENCS, we share knowledge and expertise throughout our membership network and run a number of training programmes to help utilities do just this. Our Red Team/Blue Team training is extremely popular!
2 – Get governance right
Good news – this is one that more and more companies are getting right. Whereas before, cyber security was an afterthought or something for the IT team to worry about, it’s increasingly being seen as a business threat worthy of C-suite attention.
Rigorous, enterprise-wide risk and vulnerability assessment, followed up with robust security monitoring and threat intelligence, has to be the norm. It’s good to see a lot of utilities taking this on board and embracing security by design.
3 – Take control of technology
There’s no escaping it. Getting cyber security onto the governance agenda and training up people are essential, but there’s no avoiding the need to roll up sleeves and get stuck into the tech.
First up – architectures. Utilities should set up a zonal network architecture that protects the interface between IT and OT systems. OT systems should then be subdivided into different zones based on their risk levels. Communication between zones needs to be authenticated and encrypted, and access control policies between zones need to be defined. For physical infrastructure, it’s essential to have specific strategies for secure field maintenance access.
Then there’s system and component security. From security requirements during procurement, through to validating and adopting reliable and efficient processes for software and firmware upgrades – every aspect of the system and its components needs to be secure. As with the overall architecture, it’s worth considering zoning physical components to ensure secure separation.
One of our core roles at ENCS is helping to coordinate and produce standards that ensure security is embedded at every step of the procurement process. For example, look at our work with ENEXIS on distribution automation equipment.
4 – Validate
With everything in place, it’s vital to test the security systems on an ongoing basis, both in theory and in practice.
Start by analysing the documentation to ensure the relevant requirements are fulfilled. Then do some functional security testing to make sure the functionality listed is indeed implemented. Then start really pushing it: test the quality of the network stack implementation with robustness testing, then move on to penetration testing to probe vulnerabilities in more detail and discover new attack angles.
And keep doing it – security is never a one-time thing!
This can be done in-house, using an internal testing environment, or by using third-party experts (such as ENCS).
5 – Team up!
A problem shared is a problem halved – so imagine the fractions involved if you join a pan-European cyber security network like ENCS!
Seriously though, collaboration is essential. For a start, there’s a real shortage of cyber security talent out there, and it’s tough to sell working at a utility to a person dreaming of Amazon or Google. As an industry, we need to share knowledge: academic, real-world, and knowledge of specific threats. We also need to share resources: incident response capabilities, best-practice architectures and requirements, and combined training efforts.
That, fundamentally, is why ENCS was created. Cyber security is too tough to go it alone, and too important to risk it. Looking back at the audience in London last week, I think they agreed – and that’s encouraging.