January 1, 2004
Cyber Security Makes Good Sense, Public Power Magazine, Jan.-Feb. 2004
For More Information:
Tim Blodgett
Hometown Connections
303-526-4515
tblodgett@hometownconnections.com
Hometown Connections
Due to a dependence on interconnected and often vulnerable information systems, the electric utility sector of the American economy is focusing on the issue of cyber security. Federal officials are beginning the process of establishing guidelines and possible regulation. More importantly, the risks presented by today’s hackers, criminals, terrorists, and even disgruntled employees require utilities of all sizes and structures to implement a cyber security program.
Attacks on the computing resources of U.S. industry continue. The San Francisco office of the Federal Bureau of Investigation and the Computer Security Institute conduct an annual survey on the prevalence of computer crime in the United States and the financial impact of computer crime. In the 2003 survey, 67 percent of responding organizations reported one or more security incidents while 16 percent of the responding organizations reported between 11 and 30 incidents. More disturbing is the continued trend toward insider abuse of networks—80 percent of respondents reported insider abuse of network access and 45 percent reported unauthorized access by insiders. The prevalence of Internet connections also appears to be undermining the cyber security of organizations with 78 percent of respondents reporting the Internet connection as the source of attack over internal and remote dial-in systems. Energy industry executives must take these statistics into account in considering the requirement for appropriate cyber security measures.
Furthermore, in today’s era of homeland security, the energy industry faces new physical and computer-oriented threats. As part of the United States’ critical infrastructure, the energy industry has new federal oversight to ensure the nation’s energy infrastructure is protected and reliable. The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets reports that homeland security requires “coordinated action on the part of federal, state, and local governments; the private sector; and concerned citizens across the country.” As one of 13 critical industry sectors identified by the federal government, the energy industry may expect regulatory oversight to increase in the months and years ahead.
Balance of risk, cost is vital
Investment in cyber-security programs is often justified through the tried-and-true tactics of fear, uncertainty and doubt. A significant amount of technology is evaluated, deployed, and managed without a clear understanding of the business value and whether the deployed technologies meet cyber-security objectives. Public power utilities have a responsibility to the communities they serve to consider efficient ways to protect the reliability of the electric system without adding significant costs. Proper balance between risk management and implementation costs is critical to the success of the program.
It is common for organizations to dismiss or minimize the need for cyber security based upon the size or geographical location of their operations. For example, utilities in sparsely populated regions of the country or smaller utilities may consider themselves less of a target than large, well-known entities. As a result, they may consider themselves immune from the threats that face the larger industry. Unfortunately, the interconnected nature of the industry’s generation, transmission and distribution infrastructure makes all energy participants, no matter how small, critically responsible for the safety and reliability of the national energy system.
The majority of threats to a utility’s information technology infrastructure may result from either unintentional activities, such as system configuration errors, or actions taken by disgruntled employees—such incidents are not limited to large companies. In fact, the CSI and FBI survey notes that disgruntled employees are seen as the most likely source of an attack by 86 percent of respondents—ahead of independent hackers, competitors or foreign entities as a threat.
Protect systems from home computer viruses
The protection of control systems has been maintained through the years by the isolation of those systems from traditional information systems such as customer information systems. Unfortunately, the tactic of isolation no longer provides a sufficient level of protection. The increasing prevalence of home computer systems and the advent of home Internet access result in new exposures to the utility. If a home-based system is compromised maliciously or infected by a virus, that system may, in turn, compromise a utility’s SCADA network when engineering or operational personnel access the network from home. Utilities must protect their systems from at-home workers. The risk increases dramatically with the advent of Internet-based SCADA systems that rely on standard network protocols. The use of standard protocols opens those systems to possible compromise and access by anyone with Internet connectivity.
The mobility of today’s information technology work force imposes risk on the utility. Information technology personnel are in high demand, and individuals who understand both IT and utility operations are rare. As a result, the utility may expect to hire and replace personnel on an ongoing basis. The access an individual has upon leaving the utility must be revoked, and the background of new employees must be investigated. This is not limited to engineering and operations personnel—all employees who have access to the utility’s network may have access to sensitive systems that control utility operations as well as databases that hold customer data.
Many attacks on systems occur on computer networks that are not properly managed and whose operating environments are not up to date. Computer viruses were identified as the second most prevalent form of cyber attack in the Computer Security Institute/FBI survey. This category of attack also includes computer worms. Syntegra has worked with a number of customers who have been adversely impacted by virus and worm activities in recent months. In almost every case, the impact to the organization’s network that resulted from a virus or worm would have been prevented by proper system management practices.
On June 27, 2003, members of the North American Electric Reliability Council voted to approve Urgent Action Standard 1200, and the NERC Board of Trustees adopted the standard on Aug. 13. The standard is based on the damage to the bulk electric system that may be caused by cyber attacks. It identifies 16 areas a utility must address to protect the bulk electric system. The first self-assessment to this new standard is required from control areas and reliability coordinators in the first quarter of 2004, with remaining entities to be assessed under the compliance and enforcement programs maintained by NERC regional reliability council members. Since NERC is a voluntary organization, each public power utility must address its certification requirements based on relationships with NERC and the appropriate regional reliability council. Public power utilities also should monitor the regulatory environment and be aware that further regulation is possible.
Whether or not Urgent Action Standard 1200 applies to an individual utility, it offers the framework for an effective cyber-security program. Syntegra broke the standard into six initiatives that, when taken together, allow a utility to assess its compliance. These initiatives may run in parallel and can be led by different members of the utility’s team.
Executive Oversight—Both the standard and good security practices require executive management commitment to a security program. Syntegra recommends that a utility appoint a member of the management team with clear responsibility and accountability for implementation of the cyber-security program.
Asset and Perimeter Identification—Many organizations do not have the capability to identify their critical cyber assets. As a result, it is challenging to identify the physical and electronic perimeter of the organization. The lack of accurate information on assets makes it difficult to implement the required system management procedures and to maintain systems adequately. Syntegra recommends an electric entity consider implementation of technologies that survey the organization’s networks on a regular basis and report changes very shortly after they are made.
Policies and Procedures—Syntegra recommends each utility identify all personnel, including contractors and service vendors, who are granted electronic or physical access to critical cyber assets. The utility should also update the list of personnel granted access to resources within 24 hours of any change. Background screening of personnel is required based upon the level of access they are granted.
Processes used to terminate employees often do not meet the 24-hour threshold required by the standard. Furthermore, contract personnel are often not identified and managed to the same degree as employees. Both of these items as well as the requirement for appropriate background screening and security awareness training often result in new human resource procedures. Syntegra recommends the utility’s human resource staff join the project team as active participants. HR support of the project is critical to the success of the cyber security program.
Access Control and Monitoring—The documentation of access controls is based upon the identification of the utility’s assets, physical perimeter and electronic perimeter. Many of the information technology and physical access systems used by utilities provide the required level of logging. However, the operational procedures used to maintain the log data or video information, and to audit that information against access control requirements, are often inadequate. A utility should maintain appropriate log data for six months.
Incident Response and Business Continuity—Syntegra recommends that the utility create an incident response and business continuity plan. In creating the plan, the availability of key personnel is as critical as the availability of cyber assets.
System Management—A number of organizations have failed to keep pace with changes in system management. Inadequate attention is often paid to password management; authorization and review of accounts and access rights; and disabling of unauthorized, invalid, expired or unused computer accounts and access rights. The utility should disable unused network services, secure dial-up modem connections, manage firewalls, and implement intrusion detection processes. There should be firm procedures for the management of security patches for systems, installation and management (update) of anti-virus software, and retention and review of operator logs, application logs, and intrusion detection logs.
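As an added example (not code from the article or from Syntegra), the following Python audit checks account records against the thresholds the initiatives above cite: the 24-hour window for updating access after a personnel change, six months of retained log data, and disabling of unused accounts. The 90-day unused threshold, the audit date and every personnel and account record are assumptions constructed for the example.

```python
"""Audit account and log records against the Urgent Action Standard 1200
thresholds the article cites. Added example; all data below is constructed."""
from datetime import datetime, timedelta

NOW = datetime(2004, 1, 15, 12, 0)          # assumed audit time
REVOKE_WITHIN = timedelta(hours=24)         # article: update access list within 24 hours
LOG_RETENTION = timedelta(days=182)         # article: keep log data six months
UNUSED_AFTER = timedelta(days=90)           # assumption: article gives no threshold

# Constructed HR roster: employees and contractors granted access to critical cyber assets.
PERSONNEL = {
    "jdoe":   {"type": "employee",   "terminated": None},
    "asmith": {"type": "contractor", "terminated": datetime(2004, 1, 10, 17, 0)},
    "bwong":  {"type": "employee",   "terminated": datetime(2004, 1, 14, 20, 0)},
}
# Constructed account directory export: enabled flag and last login per account.
ACCOUNTS = [
    {"user": "jdoe",    "enabled": True, "last_login": datetime(2004, 1, 14)},
    {"user": "asmith",  "enabled": True, "last_login": datetime(2004, 1, 9)},
    {"user": "bwong",   "enabled": True, "last_login": datetime(2004, 1, 13)},
    {"user": "vendor1", "enabled": True, "last_login": datetime(2003, 9, 1)},
]
OLDEST_LOG_ENTRY = datetime(2003, 6, 1)     # constructed: oldest retained log record

def audit_accounts(personnel, accounts, now=NOW):
    """Return (user, finding) pairs for accounts that breach the thresholds."""
    findings = []
    for acct in accounts:
        person = personnel.get(acct["user"])
        if person is None:
            # Contractor or vendor account never added to the personnel access list.
            findings.append((acct["user"], "not on personnel access list"))
        elif (person["terminated"] and acct["enabled"]
              and now - person["terminated"] > REVOKE_WITHIN):
            # Termination processed, but access not revoked inside 24 hours.
            findings.append((acct["user"], "enabled >24h after termination"))
        if acct["enabled"] and now - acct["last_login"] > UNUSED_AFTER:
            findings.append((acct["user"], "unused account still enabled"))
    return findings

def audit_log_retention(oldest_log_entry, now=NOW):
    """True if retained log data reaches back at least six months."""
    return now - oldest_log_entry >= LOG_RETENTION

if __name__ == "__main__":
    for user, finding in audit_accounts(PERSONNEL, ACCOUNTS):
        print(f"{user}: {finding}")
    print("log retention ok:", audit_log_retention(OLDEST_LOG_ENTRY))
```

The account terminated 16 hours before the audit (bwong) produces no finding, which shows the 24-hour window being honoured rather than any still-enabled account being flagged.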
Each utility should identify the senior manager responsible for implementation of the cyber security program promptly. This individual should identify current assets and determine if there are any significant vulnerabilities in the environment that require immediate action. All of this information will then support an initial self-assessment and the development of a cyber security plan.
Members of the American Public Power Association may turn to Syntegra to identify where information systems are vulnerable to sabotage or theft, and to develop strategies for improving security. Through an alliance between Syntegra and APPA’s utility services subsidiary, Hometown Connections, APPA members may purchase cyber-security education and assessment services from Syntegra at national group pricing.
Syntegra’s on-site, two-day Cyber Security Workshop provides utility executive management and information systems management with an understanding of the key cyber security issues facing the energy industry today. Syntegra’s Cyber Security Healthcheck service provides an in-depth operational and technical assessment of the utility’s existing cyber security measures, including a review of the utility’s policies and operational procedures, an assessment of the utility’s network infrastructure with regard to common vulnerabilities and exposure—including electronic testing of the network connections between the utility and the Internet, and a review of information technology management procedures with regard to possible cyber security risks—including the interrelated aspects of multi-service utilities (gas, electric, water).
The nature of today’s computers and interconnected networks renders all utilities of all sizes vulnerable. And the consequences of not being prepared are major ones, including customers outraged over outages, customer service representatives unable to pull up account histories, voters unhappy with local government officials who were caught unaware, and lost revenues.
Rather than standing by until federal rules require compliance, public power utilities should recognize that cyber dangers exist, take immediate action, and provide leadership in this area to the entire electric utility industry.
Written by Robert Booker, Vice President for Security Solutions for Syntegra in the United States.