01 Feb 2010

High security


Energy companies face ongoing threats from many sources around the world, with their communications infrastructure being particularly vulnerable. Gary Layton of Black & Veatch, Panos Anastassiadis of Cyveillance, Inc. and Marcel van Helten of GE Fanuc examine the issue and look at potential solutions.


“An emerging threat for many utilities is the increasing presence of cyber extortionists”
-Panos Anastassiadis, Cyveillance, Inc.

P&E. How has more reliance on the internet and commercial off-the-shelf software brought new vulnerabilities to our wireless systems?
GL. Electric energy companies face many unique challenges in securing their infrastructure to meet the NERC CIP standards. Disparate facility locations make system-wide changes a daunting logistical challenge. Real-time systems make patch application, validation, and user authentication difficult. The ‘layering’ of new technology on top of existing communication backbones, the many ‘gateways’ necessary to collect SCADA data and to transmit and/or receive wireless transmissions, these all become potential points where systems can be compromised.

Cyber Security presents an unusually daunting challenge for utilities because addressing it requires a toolset and knowledge base that is traditionally not located within the same experience pool that understands and manages the day-to-day operations of a power grid. Implementation of technology to provide solutions is traditionally difficult, at best. Even the ‘baseline’ task of assessing all of the possible points of vulnerability, and assessing the potential threats is a significant task.

PA. As with most new technologies, security is often an afterthought. Users are often so enthused with new capabilities that they ignore the potential security threats that come with new machines. With the increased reliance on the Internet and commercial software, there is a “bigger playing field” for hackers to find and attack vulnerabilities. In older systems, hackers were forced to attack many devices in order to get to their target, but through wireless technology the number of vulnerabilities and hacker opportunities increases significantly.

MvH. Energy companies are increasingly using the Internet and wireless systems to improve real-time decision-making, gain cost savings and improve functionality. For example, companies are enabling Internet viewing and control for field employees & operators to expedite responses, drive down operational costs and improve labor effectiveness. As companies do this they are transitioning from secure SCADA networks, visible to only an operator to control and information networks, to ones that expand beyond the secure domain. This potentially introduces vulnerabilities for access through the Internet, hub or the intercept of wireless communications.

It is important to implement the right policies, processes and systems, and to find the correct balance of spend to reduce one’s risk. Many companies are turning to their software vendors to reduce their risks because of the vendor’s intense focus on providing flexible software. This drives much more comprehensive evaluation, development and testing plans from both a stability and security perspective. That in conjunction with the software market’s relentless adoption of new technologies and long-term support plans is reducing the system’s existing and new vulnerabilities.

P&E. What specific threats are posed to the energy and utility sector by increased terrorist activity and hacking attempts launched from foreign countries?
PA. An emerging threat for many utilities is the increasing presence of cyber extortionists, who threaten to reveal their targets’ vulnerabilities unless the organization pays for their silence. Due to the sensitive nature of the data they possess, many organizations often give in to these criminals’ demands and pay them off, rather than reveal the vulnerabilities to the public and face the catastrophic reactions. While these criminals have historically targeted pornography and gambling Web sites, many are now targeting traditional organizations with these types of threats. With the downturn in the economy, many of these criminals are targeting industries and markets where the money is, which right now is the energy sector.

Organizations must also be aware of Web delivered malware, which uses employees as their key target. When employees open infected sites from their Web browser, they unknowingly download malware onto their computers, putting them and their organization at risk for intrusion, social engineering, data breaches and worse.

MvH. Specific threats posed from foreign countries center around Internet-based hacking attempts. These can be as simple as a packet flood attack, which is typically referred to as a denial of service (DoS) attack. This type of attack impedes software’s ability to respond to legitimate remote requests from either clients or other connected systems. This threat has the potential to affect the overall system in the event other critical elements of the system rely on timely responses over the same channel. A more complex attack is one that attempts to gain legitimate software-level access, which enables remote-operator-based functions. When remote control is accessed and given enough time, the intruder could impact the system by shutting down its main field-based components. A lot of attention, both ongoing and at time of design, is given to this vulnerability, and most have precautions placed at both the software & hardware levels to reduce one’s ability to perform intentional destructive actions such as surges, explosions or overloading.

GL. As part of the nation’s critical infrastructure, utilities play a vital role in the country’s ability to sustain itself. We certainly understand the strategic importance of the electric grid to both military and civilian activities, and understand how even the simplest activities of a modern life are impacted without electricity. And there have been an unusual number of hacking attempts that could possibly be being orchestrated by nations we might someday face in a conflict. As such, appropriate security measures must be taken to keep utilities up and running regardless of whether the threat comes from employees or foreign nations or agents.

Risk can be defined as the intersection of a threat agent and vulnerability. Once a viable threat agent and an exploitable vulnerability have been identified, the next step is to make an assessment of the impact and likelihood of an occurrence. The degree of risk is determined by analyzing the likelihood of occurrence and the organizational impact of an exploit. One of the key deliverables of a consulting engagement is an analysis that provides the client with the risk level for the system based on the likelihood and impact, and balanced against the existing countermeasures. The assessment also specifies recommendations for further mitigation of all identified vulnerabilities. Meeting NERC guidelines is required, but beyond that, utilities must balance the potential for an event against the cost of securing the asset.

P&E. SCADA systems are a vital part of the infrastructure that keeps our electricity grid running, but they can also be open to attack. What can companies do to deal with this particular vulnerability?
MvH. The most important actions are to deploy security-based policies, processes and systems into the existing systems and update the new system specs. These items would center on detecting breaches in real time, the pre-emptive avoidance of attacks, and informing the appropriate personnel when they occur. A well-implemented SCADA system can actually be a tool to detect and inform about any potential vulnerability in real time; and when balanced with the correct level of hardware elements, it protects against commands with destructive intent. Additionally, built-in SCADA industrial workflows can help operators follow the right processes in case of an event and reduce the time to reverse or correct the actions taken by attackers. Companies also should consider their supplier selection as one with experience in the industry and enough critical mass allowing them to work closely with operating system providers to continuously enhance their systems and keep ahead from a security perspective.

GL. Black & Veatch’s significant presence in both the utility market as an EPC contractor, and in the telecommunications business through our telecom division was a unique intersection of talents. Today, as utilities focus on automation to enable asset management, improve operational efficiency and improve system reliability, a disciplined review of all of the SCADA collection points to assess the vulnerability of each is required to understand the threat. The broad exposure of security consultants brings knowledge of how other utilities’ systems have been attacked, and what countermeasures seem to be effective to a client utility.

PA. While many organizations in the energy sector are aware of the vulnerabilities associated with the SCADA systems, most are not evaluating or correcting these security gaps. The first step in guarding against outsider threats is to do a thorough audit of the systems and recognize that they do have flaws.

There are several additional actions that companies can take to strengthen their systems, including:
• Access control should regularly evolve
• Ensure the security of all control systems
• Align systems with national NERC (North American Electric Reliability Corporation) standards
• Continuously monitor for security updates and patches
• Incorporate spam blocking software
• Follow and closely monitor malware blocking feeds for potential threats
• Create an open line of communication with security vendors

Because of the current economic climate, many companies are struggling to put the resources in place to counteract any security threats and vulnerabilities. As a result, it is critical that organizations place an emphasis on educating their employees on these threats. For instance, if people know about the danger of using risky P2P tools such as Kazaa or BearShare, they would be less likely to use these tools and expose potential vulnerabilities of their systems. As part of this education process, organizations need to implement clearly defined policies that label risks for employees and deter them from leaking sensitive information.

P&E. What tools are available to help companies keep their communications infrastructures safe?
PA. Beyond traditional software and hardware, the most important tool to keep communications infrastructures safe is “wetware” - the people that manage systems and protect documents. These managers should receive collected and analyzed data to determine the greatest threats to the infrastructure. These managers should also be charged with implementing information technology standards in the organization, including employee blog usage, social networking sites and Internet content sharing applications.

Companies must take a multi-layered approach to secure communications by having an open dialog with ISPs and proactive standards established for their employees. Secure systems are built through shared communications. If companies don’t create an open, information sharing atmosphere with their customers, employees, partners and even competitors, there will always be vulnerabilities that exist to put communications infrastructures at risk.

GL. Vendors have brought ‘gateway’ products to market that meet some of the NERC CIP requirements. They are only part of the solution though, leaving many of the NERC requirements unmet and left for the utility to solve. And the unique profile of each utility, and the mix of technologies they have employed makes this a highly tailored exercise.

MvH. Some key technical elements to safeguarding communication systems are secure routers, data encryption, virus/malware scanners and firewalls – with all running the latest firmware and definition files. Another technical element that helps secure the infrastructure is the network communications design, whereby the critical system communications operate on a separate, isolated, highly secured network and are not susceptible to attackers. It is also important to regulate the level of access to a system, both from the operator and programming standpoints. When biometric elements are integrated into the control system, it limits specific functions that operators can perform via finger scans and when programming change control systems are in place one cannot access or alter the device programs without authorization. These types of access restrictions significantly reduce the possibility of a hacker performing the same operations remotely – reducing the potential impact in the event of a system breach.

Gary Layton is the Director of Marketing for Black & Veatch's Enterprise Management Solutions (EMS) consulting division. He is part of the management team that worked to help Black & Veatch establish a management consulting business within one of the most respected engineering and construction firms in the world. Layton has helped establish the division as one of the thought leaders in the industry and has overseen the growth of the division to its current 300 Professionals. His professional background includes 21 years with one of the world's largest computer enterprise infrastructure software providers where he was involved in enterprise security, asset management, and business continuity products and services.

Panos Anastassiadis is Chairman, CEO and President of Cyveillance Inc. He oversees all business aspects of the company and has more than 25 years of technology experience. Previously, Anastassiadis served as Executive Vice President at Merant, a leading e-business software solutions company. Anastassiadis also serves on the Board of Directors for the NVTC, Teoco and ADF Solutions.

As the Global Industry Director for GE Fanuc Intelligent Platforms’ Infrastructure market, Marcel van Helten is responsible for driving innovative solutions into the market. GE Fanuc’s Infrastructure market includes water, oil & gas and power. Marcel has been in the automation industry for 20 years, the last 10 years with GE Fanuc Intelligent Platforms. He held different sales and marketing positions.

