Tackle Your Vulnerabilities
Remember when your parents taught you to protect yourself and be aware of your surroundings when you went to the mall? They may have told you not to carry your purse where someone could snatch it, or put your wallet in your front pocket? You don’t want someone rummaging through your personal belongings, taking your driver’s license, credit card information, etc.? The same holds true for your computer.
“Cybersecurity was born, and became a challenge for Information Technology administrators and home computer users to continually explore the vulnerabilities in their computers and systems and prevent outside attacks to access their data,” said Susan Noell, director of information systems and customer affairs for the City of Bushnell.
According to Randy Hahn, manager of compliance for the City of Ocala Electric Utility (OEU), “All municipal utilities struggle with balancing the needs to keep operational costs as low as possible, but at the same time assuring extremely reliable electric service, because that is one of a municipal utility’s greatest values to its citizens.” Hahn identified that there are poor, good, better, and best practices for cybersecurity, with each having corresponding levels of financial and personnel resource commitments.
“The City of Ocala Electric Utility (OEU) seeks to deliver the best electric service we can, but if we are operationally compromised by a cyber threat, then that service level will be compromised.” Furthermore, “OEU has recognized the need to pursue better cybersecurity protocols, with a desire to implement best practices where possible. With the support of senior management, the OEU has committed to securing its operational networks, to assure reliable electric service, and provide the service value our customers deserve.”
James Howard, director of electric system compliance and Security for Lakeland Electric stated that “everything we do to secure cyber threats is an effort to protect the public’s assets, making sure that they’re going to be there when they need them, and keeping the lights on.”
Strengthen Your Security Teams
The City of Leesburg uses experienced of in-house staff to implement, manage and monitor the various facets of its security posture. “We also contract with outside entities to validate our efforts and to provide additional support on improvements and enhancements to our security related systems and procedures,” said Tino J. Anthony, information technology director for the City of Leesburg. Network Manager Mike Andrews said that, “Like most municipally-owned electric utilities, we must share IT resources with the other important municipal departments serving our citizens. “Currently OEU is dependent on external City resources to support the cybersecurity of OEU’s enterprise and operations networks,” said OEU’s Hahn. “As we move toward implementation of stronger NERC-driven cybersecurity controls, OEU is exploring options that would apply more direct cybersecurity resources within their operations. Internal staffing limitations is a major challenge for the utility; that is, it can be difficult to find the expertise to address all needs. Outsourcing, on the other hand, adds different challenges that often negate the benefits of outsourcing.
Jim Harnois, supervisory control and data acquisition (SCADA) and communications supervisor for Kissimmee Utility Authority stated that “We do a combination of things to secure KUA’s network, and over the last 15 years have spent several million dollars on cybersecurity appliances like firewalls, servers, anti-virus software, and trip-wire service, alone.“
Cybersecurity at OEU is now addressed with vendors. “Most of the vendors providing electric-specific hardware and software are already aware of the evolving NERC cyber requirements and in most cases they are adapting their products to meet that need,” said Hahn. “As our own overall cybersecurity policies continue to adapt, OEU will be adding more specific contract language addressing NERC cybersecurity requirements, for vendors providing service or equipment that impacts the operations networks.”
The City of Bushnell has partnered with a company named “Crimestoppers”, and hosts seminars for the public on keeping their data safe, and what to do if they are a victim of cyber-crime,” said Noell. “Criminals are continually finding new ways to infect computer systems, and it is a dynamic process that only grows in need as technology dependence increases in the coming years.“
Security solution experts offer utilities cybersecurity strategies. According to Denise Barton, head of marketing for N-Dimension Solutions, “When a utility contacts us it is sometimes because they think they may be experiencing issues on their network related to cybersecurity but they are unsure. In other instances, the utility just feels they want to have better visibility into what threats might be on their network.”
While most utilities already have some cybersecurity protection such as a firewall, intrusion detection system and other security devices, Barton stated that these approaches often miss identifying network threats, which is why continuous monitoring of the traffic is critical. “New threats may enter the network at any time and increasingly more threats are being launched against utilities making quick detection, identification, pinpointing of the threat source and remediation importance,” said Barton. The first step in building a strong network security posture is gaining an understanding of how and where the utility is vulnerable so appropriate steps can be taken to reduce the risk.”
To help utilities with this first step, N-Dimension offers a free trial of N-Sentinel, their continuous cybersecurity monitoring solution specifically for utilities. “A vulnerability assessment typically assesses the cybersecurity of end devices on the network, which includes servers, control systems, desktop/laptops – anything connected to the network,” said Barton. Threats that can be detected on these devices include malware/trojans, policy violations (cleartext passwords, default passwords, cleartext credit card data, etc.) and malicious files (these may be .pdf, images, dll …). In addition, a common vulnerability identified in an audit is unpatched software which can leave the end device exposed or vulnerable to threats.”
Many times such cybersecurity audits take place periodically. Annually or quarterly is common practice; however, this leaves the utility vulnerable as these audits only capture an assessment of a single point in time. Barton of N-Dimension recommends continuous vulnerability assessments to reduce the risk of cyber threats on end devices.
According to Anthony, IT director at the City of Leesburg, “Cybersecurity must remain a high priority for any organization, and even more so for utilities that provide critical services. Both the nature of these services that our citizens rely on, and the personal information that we keep about these citizens requires the utmost scrutiny and protection.”
“It is the obligation of every company to protect the sensitive information of its employees and its customers/citizens. How can you not make that a priority?“ said Noell from the City of Bushnell.
“While it is tempting for a smaller or medium-sized utility to rationalize that ‘we’re too small for anyone to care about attacking us,’ the risk is still very real,” said OEU’s Hahn. “The difference is in the impact level to the overall bulk electric system. Ignoring cybersecurity for the short-term benefit of cost savings jeopardizes that utility’s service reliability, and possibly impacts adjacent utilities.”
Nerc has recognized that not all utilities will have the same potential impact on the overall Bulk Electric System stability. According to Hahn, because of this, “not all utilities should be mandated to meet the most stringent cyber regulatory requirements. However, the vast majority of municipal utilities have recognized the importance of pursuing stronger cybersecurity methods to whatever extent fiscally possible.”
Cybersecurity needs change as threats change, and better practices are built on basic good practices. “Most utilities cannot afford to immediately implement the best cybersecurity measures, but no utility can afford to ‘wait until we have to.’ Cybersecurity is a growth process that matures as we move forward,” said Hahn.