Energy providers used to be protected from cyber threats by virtue of their systems being largely air-gapped. However, as industrial control systems (ICS), operational technology (OT) and information technology (IT) become more closely intertwined and connected to the internet, understanding how to protect these networks is crucial.
A key change is that, in many energy organisations, chief information security officers (CISOs) and chief information officers (CIOs) are now taking responsibility for security of OT. According to Gartner, by 2021, 70% of security will be managed directly by the CIO, CISO, or chief security officer (CSO) compared with 35% today. And, by 2021, 40% of large enterprises will have a digital risk officer or equivalent role that addresses IT, OT, Internet of Things (IoT), and technology-related safety risks.
Furthermore, energy providers are adopting automation and Industrial Internet of Things, which creates additional vulnerabilities. According to Gartner's 2018 CIO Agenda: A Utility Perspective, utility companies lag behind the overall top performers in implementing and planning for most emerging digital technologies with the exception of IoT.
The sector characteristics (that is, a large amount of spatially distributed and complex assets and processes) have necessitated the development of remote monitoring and control technologies, including vertical IoT platforms. For IoT, 59% of utility CIOs said they either have already deployed it or have it in short-term planning.
With IoT on the agenda for many utilities, it is critical they understand that each automated and connected device is a potential entry point into the company network and must be treated as such.
OT threats and native ICS vulnerabilities tend to be exploited by highly specialised cybercriminals. However, the number of attacks on ICS versus IT systems is growing in concert with the increase in identified vulnerabilities. From a handful of reported ICS vulnerabilities pre-2010, there has been a surge of reported vulnerabilities from researchers and an associated increase in the number of ICS-related cybersecurity incidents. Furthermore, visibility into OT assets is limited and full inventories don't exist. Gartner research found that lack of visibility into assets is the number one concern of CISOs.
Many of the risks facing energy providers are predominantly IT risks that can be addressed through familiar controls. This includes patching where possible, limiting access, understanding who has access and segmenting networks.
However, when it comes to protecting OT and ICS, the parameters are very different compared to traditional IT environments. With OT and ICS integrating with IT networks, it's important for energy providers to take a more targeted approach to endpoint identification, risk, and vulnerability assessment.
OT assets can be brittle when assessed by traditional security probes. This is because they're developed to fulfil a single purpose and the control platforms are usually off-the-shelf, commercial, closed-source, real-time systems. They're designed to be highly responsive and very reliable within a narrow range of parameters.
However, they're not designed to be flexible. When a visibility scan sends a packet, or probes a port, that the system wasn't expecting, the system can lock up, freeze, or suffer degraded performance. These systems were simply never designed to experience this kind of interaction. This means using traditional IT methods to scan these systems leaves them unable to do their jobs effectively.
Some newer ICS and OT systems are being designed with security in mind, so they're more capable of withstanding security scans. However, since replacing these systems can be a once-in-a-career event, energy providers can't rely on this to address current cyber threats.
Even as technology gets better and system engineers become savvier, cybercriminals are also ramping up their knowledge and capabilities. Arguably, threat actors are improving at a faster rate than internal security practitioners, so the threat is more likely to increase than diminish.
Given that energy providers have more connected devices than ever, and every connected device is a potential entry point, visibility is the key for energy providers to improve their cybersecurity.
This goes beyond visibility into any specific application (such as smart meters), where some level of device visibility is inherent in the system. Rather, it refers to visibility of the entire network and being able to see all devices that are connected to it.
For IT managers in charge of security, it's important to remember that the approach for ICS and OT needs to be different from the approach for IT systems. Many security professionals agree that the greatest return on investment comes from educating employees. People tend to be the weakest link in organisations, falling for phishing scams and failing to practise basic security hygiene.
However, since OT and ICS systems are effectively 'headless' in that they don't tend to have many human operators, the education approach isn't as effective.
Instead, the investment needs to be focused on understanding the environment, gaining visibility into all devices, and implementing network segmentation. Traditionally, energy substations have led the way in physical segmentation and this same approach is significantly beneficial when it comes to securing ICS and OT systems. While air gaps are no longer viable given the interconnectedness of systems, network segmentation is a virtualised approach that can protect these systems in a similar way.
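The visibility and segmentation points above can be combined in one check that never sends a packet to a fragile controller. The following is an added example, not part of the original article: it builds a per-zone device inventory from flow records and flags traffic that crosses zones outside an approved conduit. The zone names, address ranges, conduit list and flow records are all constructed, and collecting flows passively from a tap or flow exporter is an assumption.

```python
import ipaddress
from collections import defaultdict

# Constructed zone plan (hypothetical addressing, not from the article).
ZONES = {
    "corporate_it": ipaddress.ip_network("10.10.0.0/16"),
    "ot_dmz": ipaddress.ip_network("10.50.0.0/24"),
    "substation_ot": ipaddress.ip_network("10.60.0.0/16"),
}
# Approved conduits between zones: (source zone, destination zone, destination port).
CONDUITS = {
    ("corporate_it", "ot_dmz", 443),    # IT users reach a mirrored historian
    ("ot_dmz", "substation_ot", 502),   # data collector polls Modbus/TCP
}
# Constructed flow records (src_ip, dst_ip, dst_port), as observed on the wire.
FLOWS = [
    ("10.10.4.21", "10.50.0.10", 443),
    ("10.50.0.10", "10.60.1.5", 502),
    ("10.60.1.5", "10.60.1.9", 20000),  # traffic inside one zone
    ("10.10.4.77", "10.60.1.5", 502),   # IT host talking straight to a controller
    ("192.168.9.3", "10.60.2.40", 23),  # source that belongs to no known zone
]

def zone_of(ip):
    """Map an address to its zone, or 'unzoned' if no range covers it."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unzoned"

def audit(flows):
    """Return (inventory by zone, list of flows crossing zones outside a conduit)."""
    inventory = defaultdict(set)
    violations = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        inventory[sz].add(src)   # every talker and listener becomes a known asset
        inventory[dz].add(dst)
        if sz != dz and (sz, dz, port) not in CONDUITS:
            violations.append((src, sz, dst, dz, port))
    return dict(inventory), violations

if __name__ == "__main__":
    inv, bad = audit(FLOWS)
    for zone, hosts in sorted(inv.items()):
        print(zone, sorted(hosts))
    for v in bad:
        print("outside conduit:", v)
```

Devices that appear under `unzoned` are the inventory gaps the article warns about, and each flagged flow is a path that segmentation should have blocked.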
Steve Hunter is the senior director of system engineering Asia Pacific and Japan at ForeScout Technologies.