As security threats multiply for critical infrastructure such as the power grid, IBM has presented security best practices for the energy and utilities sector
At an event featuring leaders from various parts of the electric power ecosystem in Washington, D.C., IBM opened up the floor for discussion about cyber security in the electric power sector, proposing that there are practical ways to improve management and execution of enterprise-wide cyber security.
Change begins at the top
Indeed, Andy Bochman, security energy leader for IBM Security, said one of the core best practices or recommendations IBM has for electric power organisations regarding cyber security is that they understand that change begins at the top.
“The best way for a utility to introduce cyber security into its infrastructure is to go in with a high-ranking executive to own the cyber security risk for the enterprise,” Bochman said.
An IBM paper on the subject said, “IBM believes that no other single action will do more to galvanise a new approach to security in an organisation than the appointment and empowerment of a Chief Security Officer (CSO) responsible for enterprise-wide cyber security and compliance.
The CSO must have ultimate control and responsibility for securing IT and OT [operational technology] across all lines of business, and as needed, into the extended supply chain…”
Michael Kuberski, Chief Information Security Officer (CISO) at Pepco Holdings, said his role does exactly that. Pepco Holdings is the primary utility company in the Washington, DC area. Pepco Holdings is one of the largest energy delivery companies in the Mid-Atlantic region, serving about 2 million customers in Delaware, the District of Columbia, Maryland and New Jersey.
Kuberski told eWEEK he earned his new title only this year: he was formerly Pepco’s manager of enterprise architecture and is now in the newly minted role of CISO, where he looks at cyber security from an enterprise view.
Kuberski makes no bones about the need for fastidious security at Pepco. “We see ourselves as a clear target being near the White House,” he said. “So we look at cyber security across the enterprise.”
IBM notes that as the planet becomes smarter and increasingly interconnected, critical infrastructure systems that were previously isolated from other networks are now connected with both critical and non-critical systems – many of which are not under the direct control of infrastructure operators.
This interconnectedness can enable many new efficiencies and conveniences. But it also means that, while every business must continue to refine and improve its security capabilities, critical infrastructure industries – like electric utilities and associated providers of technology and services – must adopt best practices in policy and controls.
“For as long as the electric grid is going to rely on digital infrastructure to operate, we’re going to be concerned about cyber security,” said Scott Aaronson, director of government affairs at Edison Electric Institute (EEI), the association of shareholder-owned electric companies.
To be sure, whether motivated by international competition, corporate espionage, nation-state sponsored espionage, political ideology, organised crime, a grudge against an employer or even idealism, malicious hacking continues to expand.
The proliferation of “how to hack” materials online does not help matters. Nor do free or affordable high-powered tools make things any easier for security professionals. Social networking also makes sharing both information and successful techniques just as easy for these hackers as for anyone else.
The combination of complex network connections that no one fully owns, a largely opaque software supply chain and the vulnerabilities inherent in human operators provides a ripe environment for hackers and those with malicious intent, IBM said.
Dynamic production and delivery systems
Traditionally, a single-direction flow of power and data on isolated systems was the norm. That is now giving way to more dynamic and integrated electricity production and delivery systems, along with advanced metering infrastructure, IBM said.
Sensitive operations and personal data are now moving over common or integrated communications infrastructure, flowing in multiple directions within a dense, multi-nodal system. And, by definition, a smart grid has more access points and multiple networked systems, which open the door to more potential cyber security breaches.
To address this, a host of industry and government standards and regulations, such as the North American Electric Reliability Corporation – Critical Infrastructure Protection (NERC-CIP) standards, have been developed.
IBM says policy-making bodies are increasingly interested in several challenges electric power companies face, including:
- Integrating information technology (IT) and operational technology (OT) networks due to grid modernisation and other business initiatives
- Exposing both IT/OT networks to the Internet – either directly or indirectly, whether intended or not
- Mitigating threats to IT and OT systems from the widespread use of mobile devices, social media and easily portable USB drives, and lack of governance for the use of these tools in critical environments
- Eliminating internal threats posed by disgruntled employees and human error by authorised technicians
“I’ve been working in utilities for 25 years and I have never observed as much scrutiny about cyber security as I have in the last 18 to 24 months,” said David Batz, director of Cyber & Infrastructure Security at EEI.
There are increased expectations for the reporting of compliance with security and privacy directives.
Scrutiny by federal agencies such as the Federal Energy Regulatory Commission (FERC), the North American Electric Reliability Corporation (NERC), and the Department of Energy (DOE) is likely to expand, IBM said. Future versions of the NERC-CIP standards promise to expand the scope and depth of utility compliance requirements. There is also a sustained and targeted effort from the regulatory and policy-making communities in key markets around the world to push the industry toward full preparedness.
Viewing security as risk management
Meanwhile, in addition to making change start at the top, other recommendations IBM has for energy and utility companies include viewing security as risk management, creating a fully integrated security enterprise, implementing security by design and using business-oriented security metrics and measurement.
Kuberski said utilities can gain better visibility into the effectiveness of security strategy by applying the risk management principles that have worked well for managing the traditional risks faced by electric utilities.
IBM’s Bochman noted that management needs a framework with which to establish a baseline for current security programmes to understand the context and critical interdependencies and to set priorities accordingly.
The framework applied needs to ensure that security metrics are easy to understand and share throughout the organisation.
Such a framework is in development, sponsored by the US Department of Energy (DoE) with help from Carnegie Mellon University – the Electricity Subsector Cybersecurity Capability Management Maturity Model (ES-C2M2) initiative. The Carnegie Mellon Software Engineering Institute (SEI) is advancing maturity models.
The SEI, in support of the DoE, fosters the adoption of the Smart Grid Maturity Model (SGMM) by electric utilities and service providers and works to advance smart grid software engineering.
“The idea of a maturity model is to define levels of maturity for the industry,” said Austin Montgomery, energy sector programme lead at Carnegie Mellon University.
“The SGMM is an effort to identify what it means to modernise the grid. The industry has been very good at coming together on things. There’s been a lot of lip service about public-private partnerships, but I think this is a true one,” Montgomery added referring to the effort between DoE and the private sector.
“We use the SEI maturity model,” Kuberski said. “It’s about creating awareness. We know we can’t do it all by ourselves. We promote things like threat information sharing.”
Meanwhile, for his part, Allan Schurr, vice president of strategy and development for IBM Energy & Utilities, said he has been working in the area of smart grids for about 10 years and in the early days, “Security was an add-on patch. Now the design includes security at the initial phases. We started seeing that three to four years ago and now it’s a standard.”
In addition, Pepco’s Kuberski said that although the risk from cyber security threats is now greater, “With risk comes benefit.” He said the smart grid enables companies like Pepco to push automation out to customers and provide services that promote efficiency and cut costs for consumers.
He added that it is a delicate balancing act of assessing the risks involved and applying security measures as needed to allay the threat of breaches to various systems based on their level of exposure.
Originally published on eWeek.