Suppose a computer virus disrupts the distribution of natural gas across a region, which leads to a considerable reduction in electrical power generation, which leads to the forced shutdown of the computerized controls and communication governing road traffic, air traffic, rail transportation, and emergency services.
The cascading effect of a breach of a nation's critical infrastructure is a major risk to any security operation. To paraphrase an ASIS Utilities Security Council white paper, security and risk are not peripheral concerns to a utility; they are fundamental. The interlinked capabilities of the critical infrastructure can make companies and nations more efficient and stronger. But, as every security professional knows, they also make them more vulnerable to physical and cyber disruptions of a complex system with myriad potential points of failure.
The following authors and speakers explore how sectors of the critical infrastructure assess risks and implement security solutions with the goal of future stability for all stakeholders. Their experiences and conclusions are relevant to any security environment.
Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath
Crown Publishers, NY 2015
Author: Ted Koppel
Tuesday's keynote speaker at the ASIS 62nd Annual Seminar and Exhibits this September, Ted Koppel is scathing in his analysis of the potential risks of, and the likely response to, a terrorist attack on the United States electrical grid. In his 265-plus-page book, Koppel separates his thoughts into three parts: a cyberattack, a nation unprepared, and surviving the aftermath. He admits that such an attack would "require painstaking preparation, a sophisticated understanding of how the system works and where its vulnerabilities lie." Nonetheless, "several nations have that expertise…and criminal and terrorist organizations are acquiring it." Among the points he makes:
- For the grid to remain fully operational, the supply and demand of electricity have to be kept in perfect balance.
- The Internet provides instant access to the computerized systems that maintain that equilibrium.
- Despite high-level warnings, federal agencies bundle the presumed consequences of a cyber attack on the grid in the same category as blizzards, floods, hurricanes, and earthquakes.
Lights Out will be available at the ASIS Security Store in the Orange County Convention Center during the seminar and exhibits.
Utility Security Risk Management: Security Program Fundamentals
White Paper, 2013
ASIS Utilities Security Council
The eight sections of this paper provide a comprehensive view of security risk for utilities. Risk is first defined by the equation R = P x C: risk equals probability multiplied by consequences.
A comprehensive risk assessment leads to effective mitigation planning, which needs to be conducted in layers. The layers include the following:
- Liability issues that arise out of inadequate or outdated risk assessments.
- The potential for business losses, societal impacts, environmental damage, and loss of reputation.
- Compliance with government regulations, standards, frameworks and guidelines.
- Differences in IT and physical security threat and vulnerability assessments.
To achieve the desired outcome, a number of risk management tools can be used, including those in standards and commercially available products. However, an unstructured and fragmented utility asset plan only makes framing risk management more difficult. One solution would be a consolidated and comprehensive security risk management program to guide the industry. Several options leading to this goal are provided.
NERC Grid Security and Emergency Response Exercise
North American Electric Reliability Corporation (NERC)
NERC is a not-for-profit international regulatory authority that assures the reliability of the bulk power system in North America. NERC's jurisdiction includes the users, owners, and operators of the bulk power system, which serves more than 334 million people in eight regions. On November 18-19, 2015, NERC conducted its third grid security and emergency response exercise, GridEx III. Participants represented industry, law enforcement, and U.S. and Canadian government agencies as well as NERC regions. The exercise was divided into two parts: a distributed play exercise on the first day and an executive tabletop discussion on the second. As the exercise unfolded, utility players began to experience unusual control system operations and received reports of substation break-ins and UAV surveillance. Further complications included an escalation in malware intrusions and physical attacks, copycat attacks, and inaccurate social media reports. During the subsequent tabletop, senior leaders discussed the policies, decisions, and actions needed to respond to a major grid disruption. These comments were among their conclusions:
- Industry and government need to have a unified message when sharing information with each other and the public, especially via social media.
- Industry's capability to analyze malware is limited and requires expertise from software suppliers, control system vendors, or government resources.
- Unprecedented levels of financial resources will be needed to restore facilities and resume normal operations during a large-scale event.
- Legal and regulatory requirements may delay or prevent restoration should a major grid disruption occur.
Protecting North America's Electric Grid from Physical Attack
Webinar, Recorded April 27, 2016
Speakers: Brian Harrell, CPP, Director of Security and Risk Management, Navigant
Travis Moran, Senior Physical Security Specialist, North American Electric Reliability Corporation (NERC)
Following a list of common threats to the electrical grid, the speakers look into how information is shared, concluding that the lack of security clearances in the industry can mean processes are bogged down by red tape.
They urge their counterparts to treat compliance with industry standards as a baseline on which to build a robust risk management program, and give examples of where to find tools, best practices, and opportunities for improvement. They advocate a site-specific layered approach: deter, detect, delay, then minimize the impact of an incident. On delay, they discuss the need for spacing and distance, stand-off zones that keep personnel safe while first responders assess the effects of an incident. They make the following observations and predictions:
- Smaller coordinated attacks are a current trend in both domestic and international environments.
- Drones can be used to surveil remote utility locations; model aircraft operators are a primary threat that needs regulation by the FAA and state legislatures.
- Security cannot assume that a threat is only grid specific; it includes collateral damage to a business's reputation and community partners, including stadiums, theaters, and shopping malls.
"Cyber Pulls the Plug"
Security Management, May 2016
Author: Megan Gates, Assistant Editor
Detailing the December 2015 events that resulted in the partial shutdown of Ukraine's power grid, the author investigates how such an event occurred and whether it can be replicated elsewhere. Researchers have ascertained that the attackers sent phishing e-mails to employees carrying an Excel spreadsheet with embedded malware. Despite warnings, employees were tricked into opening the attachment, which installed the malware on the utilities' networks. A follow-up security report concluded that "what made the attack possible was that many of Ukraine's electric power facilities are connected to the Internet." Conclusions on who initiated the attack are less specific. But, "this time, they wanted to do sabotage on top of just espionage," according to a senior malware researcher. In response, experts give the following advice on how to prevent the next attack:
- Follow typical cybersecurity protocols to patch systems, educate employees, and use security software and anti-malware solutions.
- Adhere to NERC standards, which require that industrial control systems be separated from corporate networks in Canada, the U.S., and Mexico.
- The lack of standards in other critical infrastructure sectors should not deter companies from moving toward a more secure cybersecurity posture.
The success of the Ukraine attack is clear evidence that a cyberattack can take down an electrical grid. How quickly the intrusion is found and how quickly a utility can recover are going to make a huge difference for 21st-century citizens, the article concludes.
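The article's advice to "use security software" is general. One concrete control that addresses the phishing step it describes is screening inbound attachments for macro-capable Office files before they reach a mailbox, since a malicious spreadsheet normally carries its payload as VBA. The following Python is an added example written for this page, not code from the article or from any mail-security product; the function names, the gateway policy and the in-memory sample files are constructed. The verdict is based on file content rather than the file extension, because an attacker can rename a macro workbook to .xlsx.

```python
"""Screen inbound e-mail attachments for macro-capable Office files.

Added illustrative example for this page; not code from the article or from any
mail-security product. Function names, policy and sample files are constructed.
"""
import io
import zipfile

# Office Open XML packages (.xlsm, .docm, .pptm) are zip archives; VBA code is
# stored in a vbaProject.bin part under the application directory.
OOXML_MACRO_PARTS = ("xl/vbaProject.bin", "word/vbaProject.bin", "ppt/vbaProject.bin")
ZIP_MAGIC = b"PK\x03\x04"
# Legacy binary Office files (.xls, .doc) are OLE2 compound documents. Macros
# live in an OLE stream, so they cannot be classified without an OLE parser;
# the policy below treats them as unverifiable rather than as clean.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'no-macro', 'legacy-binary' or 'other' for raw file bytes."""
    if data.startswith(OLE2_MAGIC):
        return "legacy-binary"
    if not data.startswith(ZIP_MAGIC):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "other"
    if "[Content_Types].xml" not in names:
        return "other"  # a zip archive, but not an Office package
    if any(part in names for part in OOXML_MACRO_PARTS):
        return "macro"
    return "no-macro"


def should_quarantine(data: bytes, allow_legacy: bool = False) -> bool:
    """Gateway policy (assumed): hold macro-bearing files, and hold legacy
    binaries unless an OLE-aware scanner sits downstream (allow_legacy=True)."""
    verdict = classify_attachment(data)
    return verdict == "macro" or (verdict == "legacy-binary" and not allow_legacy)


def screen_attachments(attachments: dict) -> dict:
    """Map attachment name -> (verdict, quarantined) for one message."""
    return {name: (classify_attachment(data), should_quarantine(data))
            for name, data in attachments.items()}


def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal Office Open XML package in memory (test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample message: a renamed macro workbook, a clean workbook,
# a legacy .xls and a text file.
SAMPLE_ATTACHMENTS = {
    "invoice.xlsx": build_ooxml(with_macro=True),   # renamed; the extension lies
    "schedule.xlsx": build_ooxml(with_macro=False),
    "archive.xls": OLE2_MAGIC + b"\x00" * 504,
    "readme.txt": b"plain text",
}

if __name__ == "__main__":
    for name, (verdict, held) in screen_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{name:15} {verdict:14} {'QUARANTINE' if held else 'deliver'}")
```

The legacy-binary branch is the caveat a practitioner should keep in mind: an OLE2 file can only be cleared by parsing its streams, so a gateway that lacks that capability should hold it rather than pass it on the strength of its extension.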
"The Power of Physical Security"
Security Management, May 2015
Author: Megan Gates, Assistant Editor
A concerted emphasis on the physical security of the electric grid was spurred by two April 2013 incidents in northern California: attackers snuck into an underground vault near a freeway and cut several phone lines; 30 minutes later, snipers fired at an electrical substation for almost 20 minutes, knocking out 17 transformers. In response, the Federal Energy Regulatory Commission directed NERC to develop a standard requiring owners and operators of the bulk-power system to address critical infrastructure protection (CIP). The result, CIP-014, requires owners to perform risk assessments of their systems and implement a security plan to address the identified risks. (The standard, however, applies only to certain transmission substations and their control centers.) Owners must follow the steps in six requirements, many of which call for third-party verification. In Requirement 4, for example, owners must evaluate the potential threats and vulnerabilities of a physical attack on each of their transmission stations, substations, and primary control centers. According to industry experts, the resulting physical security plans should have been implemented last spring. They also say the standard has had the following effects on the industry:
- Emergency communication and response by substation personnel have improved, resulting in the ability to get back online more quickly should an incident occur.
- CIP-014 has given companies guidance on increasing their physical security even though it lacks penalties for not complying.
- Because of the California incidents, utilities are finding it easier to justify security improvements via rate increases.
Critical Infrastructure Protection: Security Dependencies and Trends
White Paper, 2013
ASIS Utilities Security Council
This comprehensive paper includes discussions on the reliability of the electricity grid, increased cyber security concerns, and critical infrastructure (CI) protection models.
It asserts that a fully integrated approach to critical infrastructure protection includes people, technology, and processes in both the physical and cyber domains, which form a system of interdependencies. While cyber attacks are a high priority for grid protection, basic physical attacks can cripple a segment of the grid. The best tools for countering such attacks are nimble, fast, and tightly integrated IT and OT systems. The paper also points out the following gaps in CI protection:
- CI protection seems to have become a specialty and not a program of widespread awareness and involvement.
- New skills and education for the security practitioner have not caught up with the expansion of IT and OT throughout infrastructure architecture.
- Extensive upgrades to legacy systems are required for the systems to communicate, receive ongoing testing, and conform to risk monitoring.
- Privacy concerns have escalated in direct proportion to the advance of IT systems within utilities.
The paper concludes with a look at six trends that will affect the utilities security landscape for years to come.
Critical Infrastructure Protection from a Private Security Perspective
ASIS Webinar, August 20, 2014
Speaker: Keith Melo, CPP, Emergency Management Program Coordinator, George Brown College
In the opening, the speaker asserts that collaboration will be a major theme of his presentation. He encourages the audience to involve key stakeholders in emergency management planning, training, drills, and testing. He gives examples where he included EMS, fire, police, military, public works, healthcare, and NGOs (the Red Cross) in such exercises. At other times, he has included site-specific personnel, including elevator operators, the cleaning staff, parking lot attendants, contractors, tenants, and business neighbors. He concludes that the pillars of emergency preparedness depend on a team approach to identify risks and ensure a safe evacuation, if necessary. In addition, he makes the following points:
- Test the plan, not the people.
- Simulations have a profound effect on retention, far above lectures or demonstrations.
- The principles of emergency management systems are based on simplicity and flexibility.
Integrated Security Risk Management: The New Reality
Seminar Session 3116, September 2014
Speaker: Doug Powell, CPP, PSP, BC Hydro Transmission and Distribution
Shortly after the speaker joined his current employer, they began planning for the 2010 Winter Olympics in Vancouver. That process required the critical infrastructure in the region to cooperate in an integrated way. Following that experience, he realized that security risk management demanded an enterprise view of security risk. He believed that the risks inherent in information technology (IT), operational technology (OT), and physical security were interrelated and needed to be completely integrated under enterprise security risk management. After a review of IT, OT, and physical security methodologies, he concluded that the governance, risk, and compliance (GRC) model used by OT could be adapted for the other disciplines for the following reasons:
- Governance and compliance are the two legs that risk stands on.
- Loss of governance leads to the loss of compliance, which leads to increased risk.
- Risk management is derived by the ongoing assessment and measurement of governance and compliance attributes.
These concepts led to an enterprise risk matrix, a qualitative scoring method used by every department in the company. The resulting frequency and consequence ratings give executive management a consistent way to evaluate enterprise risk and allocate financial and personnel resources accordingly.
Critical Infrastructure Protection: The Way Ahead
ASIS Webinar, June 2014
Speaker: Ron Martin, CPP, Executive Director, Open Security Exchange
The speaker begins by pointing out the many government resources available to the critical infrastructure industry, including the National Infrastructure Protection Plan and the CIP Report. He notes that efforts to set standards and regulations for the industry date to 1998. Recent efforts have centered on the information technology sector, which affects all other sectors of the critical infrastructure. He details the NIST Cybersecurity Framework, whose core comprises five functions (identify, protect, detect, respond, and recover, the last framed as resiliency) and four implementation tiers, which he presents as a repeatable, adaptive lifecycle maturity model. He then defines methodologies for converged systems and continuous monitoring through dashboards:
- Physical Security Information Management (PSIM): collection, analysis, verification, resolution, and reporting.
- Security Information and Event Management (SIEM): real-time analysis of security alerts.
- Security Event Management (SEM): the centralized storage and interpretation of large volumes of event data.
- Security Information Management (SIM): a central repository for trend analysis.
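The converged PSIM/SIEM monitoring the speaker describes comes down to correlating physical and cyber events about the same asset in time, which is also the pattern the GridEx III players faced earlier on this page (substation break-ins alongside unusual control system operations). The following Python is an added example written for this page, not the speaker's code or any product's; the feed names, event schema, site identifiers and sample events are constructed. The rule it implements, a forced substation door followed within a configurable window by an anomalous control-system write at the same site, is one assumed correlation rule, not a standard.

```python
"""Correlate physical-security and control-system events by site and time.

Added illustrative example for this page; not code from the webinar or from any
PSIM or SIEM product. Feed names, schema, site IDs and events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PHYSICAL = "pacs"        # physical access control system feed (assumed name)
OT = "ot_sensor"         # control-system network monitor feed (assumed name)

# Constructed sample events; timestamps are ISO 8601 in UTC.
SAMPLE_EVENTS = [
    {"ts": "2016-04-27T02:10:00", "src": PHYSICAL, "site": "SUB-17", "type": "door_forced"},
    {"ts": "2016-04-27T02:14:30", "src": OT, "site": "SUB-17", "type": "unexpected_write",
     "detail": "Modbus write from a host not on the engineering allow-list"},
    {"ts": "2016-04-27T03:00:00", "src": PHYSICAL, "site": "SUB-22", "type": "door_forced"},
    {"ts": "2016-04-27T09:45:00", "src": OT, "site": "SUB-22", "type": "unexpected_write",
     "detail": "hours after the forced door: outside the default window"},
    {"ts": "2016-04-27T04:20:00", "src": OT, "site": "SUB-05", "type": "unexpected_write",
     "detail": "no physical event at this site"},
]


def _when(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events, window_minutes=30):
    """Return one alert per site, most severe first.

    critical: a forced door followed within the window by an anomalous control
              write at the same site (physical entry used to reach the OT network)
    high:     an anomalous control write with no forced door within the window
    medium:   a forced door with no control-system anomaly (yet)
    """
    window = timedelta(minutes=window_minutes)
    by_site = defaultdict(list)
    for event in sorted(events, key=_when):
        by_site[event["site"]].append(event)

    alerts = []
    for site, site_events in by_site.items():
        doors = [e for e in site_events if e["src"] == PHYSICAL and e["type"] == "door_forced"]
        writes = [e for e in site_events if e["src"] == OT and e["type"] == "unexpected_write"]
        # Only a door event that precedes the write (0 <= delta <= window) counts.
        pairs = [(d, w) for d in doors for w in writes
                 if timedelta(0) <= _when(w) - _when(d) <= window]
        if pairs:
            door, write = pairs[0]
            alerts.append({"site": site, "severity": "critical",
                           "reason": f"door forced {door['ts']}, control write {write['ts']}"})
        elif writes:
            alerts.append({"site": site, "severity": "high",
                           "reason": "anomalous control write; no forced door within window"})
        elif doors:
            alerts.append({"site": site, "severity": "medium",
                           "reason": "forced door; no control-system anomaly yet"})

    rank = {"critical": 0, "high": 1, "medium": 2}
    return sorted(alerts, key=lambda a: (rank[a["severity"]], a["site"]))


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["site"], alert["reason"])
```

Widening the window (for example, to eight hours) turns the SUB-22 pair into a critical alert as well; the right value depends on how long an intruder could plausibly stay on site undetected, which is a site-specific judgment the speakers' layered deter-detect-delay model is meant to inform.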