Notes from remarks at the 2018 Western Area Power Administration (WAPA) Technology Security Symposium.
Regional electric utilities and cooperatives help form the “front line” against cyber threats to electric power. Threat actors targeting electric power may spend time, possibly years, gaining access, watching, learning, and testing ideas against smaller utilities before considering larger utilities and power companies. The reason is simple: if they make a mistake, the consequences are smaller and possibly less detectable, which keeps their operations secret longer. Smaller utilities therefore provide an invaluable training ground. As a result, localized attacks (even unintentional or accidental ones) against regional utilities are more likely than the larger “country-wide” disruption commonly imagined: they present less risk to an adversary’s operations, an accidental disruption is possible, and the outcome is likely as useful to the adversary as a more considerable disruption.
This means electric power-focused cyber threat identification requires attention on all locations, including regional facilities and electric cooperatives, and not just the largest and most prominent. All electric utilities need to focus on four items right now:
- ACT NOW: The cyber threat to electric power is real, active, and expanding, but the threats are still few and maturing slowly. Asset owners and operators have time to create defensible operational technology (OT) and SCADA environments. This is good news as few enterprises get an opportunity to see the future and act now.
- PRIORITIZE VISIBILITY: The first step should be achieving OT/SCADA asset and network visibility, not for process management, but for cybersecurity threat detection.
- REIMAGINE THE THREAT: Focusing strictly on threat detection is insufficient. Not only do the threats Dragos tracks disrupt operations, but adversaries also take specific measures to maximize downtime. Therefore, restoration plans must consider threats that directly attack response as well. Organizations must collect and organize telemetry so they can conduct root-cause analysis to respond effectively and leverage OT-centric response playbooks. Importantly, organizations must also have the information necessary to decide whether safe restoration is possible.
- WORK TOGETHER: Security budget constraints are real; budget-conscious organizations should share costs to achieve the necessary visibility into cyber threats. An example: deploy sensors individually but centralize monitoring and detection across several utilities. Caveat: the monitoring function must be OT-knowledgeable, because an IT-focused security operations center (SOC) would not be able to interpret detections and communicate them effectively to industrial control asset operators.
The threat is real; our work must start now. But we’re lucky enough to see far enough into the future to act now and create defensible OT/SCADA environments. We can’t rely on imagination to guide our security decisions. We must use the breadth of threat intelligence to fundamentally understand these threats to electric utilities and react accordingly; otherwise, we risk wasting already-constrained budgets. Work together, understand the threat, and act now – this is how we will defend our networks and our customers.