There's no questioning how vulnerable the energy sector and its electric segment are to cyber attacks.
Still, it is a valuable discussion to have, as technology is rapidly gaining a larger role in critical infrastructure operations. As security professionals, we all know that quickly advancing technology has a double-edged effect, providing increased computing power and opportunity for the good guys, and an expanded attack surface for the bad guys.
President Obama's recent cyber security executive order caused waves in the critical infrastructure space when it turned a spotlight on energy suppliers. The order urged them to modernize their security defenses to better protect themselves against evolving threats. It also directed all federal agencies to report security information about organizations that comprise national infrastructures.
Although the electric segment is a rapidly expanding target, it is important to understand how real today's threats are. From a global standpoint, a handful of documented intentional attacks have had an impact on supervisory control and data acquisition (SCADA) systems, but there is little evidence that any intentional attacks have had a significant impact on actual systems.
Contrary to the often exaggerated and alarmist claims, and in comparison to other industries such as finance, the energy sector has experienced inconsequential levels of infrastructure damage or denial-of-service (DoS)-type business disruptions from state-sponsored APT groups, hackers, and hacktivist organizations.
However, just because a devastating attack has not yet occurred does not mean the electric segment should not carefully examine vulnerabilities that exist in the entire supply chain of services.
Vulnerable web-based applications, used to control and access IP-connected technology such as smart meters and market trading systems, could serve as entry points for criminals looking to disrupt the sector, as they open avenues that could be used to directly or indirectly interact with behind-the-fence SCADA systems. Unfortunately, over-focusing on the espionage issues involving China has de-emphasized the need to address the vulnerabilities of such seemingly mundane applications.
So, what needs to be done?
The question that legislators and regulators need to ask themselves is, "Are we enabling and encouraging security professionals charged with protecting the electric segment to do their job effectively, and are we making it easy for technology providers to bring effective defensive technologies to market?"
Unfortunately, we have seen in the past that over-emphasis on regulations and financial penalties – and not enough emphasis on encouraging critical infrastructures and private industry to collaborate and set standards – has led to a substandard security environment. Luckily, this may be changing.
As a good initial step, the executive order taps the National Institute of Standards and Technology (NIST) to lead the development of a cyber security framework to reduce the risk of attacks. Furthermore, sector-specific agencies, such as the Department of Energy (DOE), have reacted quickly to the administration's and NIST's calls for increased cyber security safeguards.
A total of $20 million has been allocated toward grants to fund research and development, and demonstrate the effectiveness of existing or proposed technologies to protect the energy infrastructure and its interconnected parts, such as smart grid, SCADA, and distributed control systems and technologies. The grants fund specific areas, including verification of the integrity of energy delivery control system software and firmware, business resumption through sustaining energy delivery while in the midst of responding to a cyber attack, and secure remote access to networks.
The areas covered suggest that the industry is adopting an effective, multi-tiered approach to mitigating the potentially devastating impact of an attack. Prevention and containment are key strategies that must be implemented in developing a framework to address both reduction of attack vectors and segmentation of damage to ensure minimal impact to the supply of energy or other resources.
A multi-faceted, layered approach to risk mitigation should include security awareness, malware and vulnerability detection, strong authentication, frequent patching, and encryption of sensitive information.
The executive order has brought the security of the critical infrastructure to the forefront of the cyber dialogue, and the possible collaboration between critical infrastructures and private industry is closer than ever before to establishing a defense framework.
These actions are well timed, as we face ever-evolving threats that are increasingly directed at such targets as the energy sector. However, although the threats are real, it must be remembered that a balanced and realistic response should be undertaken as additional safeguards are considered.