What It Takes to Defend Against Growing Threats to ICS and SCADA Systems
As utilities get smarter and more connected, the threat landscape for energy systems becomes vaster and more dangerous than ever before.
The ever-increasing threat of attacks against industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems makes building a strong, layered defense critically important for energy and utility companies.
A layered defense should consist of a combination of security frameworks, security technology solutions and security services designed to provide an overlapping set of controls that protect against risks.
Security Frameworks Build Strong Policies for Cyberdefenses
Security frameworks offer guidance for organizations seeking to design a comprehensive set of security controls. They provide best practices and advice that companies can customize for a specific operating environment. An excellent source for framework standards is the National Institute of Standards and Technology (NIST), a federal agency that produces cybersecurity standards for use in government and industry.
The NIST Cybersecurity Framework (CSF) is a wide-reaching set of materials that provides advice on five core activities in the cybersecurity realm. The CSF helps organizations adopt a risk-based approach that balances the costs and benefits of specific security controls.
The five activities include:
- Identify core risks to an organization’s systems, assets, data and capabilities.
- Protect systems and data to limit or contain cybersecurity incidents.
- Detect occurrences of cybersecurity events.
- Respond appropriately to detected events.
- Recover from the impact of cybersecurity incidents.
While the CSF is designed to be used across industries, NIST also provides specific guidance for energy and utility companies operating SCADA and other ICSs. “NIST Special Publication 800-82: Guide to Industrial Control Systems (ICS) Security” provides detailed information on ICS threats, vulnerabilities and security controls.
Solutions Keep Energy Sector Security Threats at Bay
SCADA and ICS cybersecurity programs use a variety of technical solutions to meet the confidentiality, integrity and availability requirements of these critical infrastructure systems. Controls include multifactor authentication, firewalls, mobile device management, anti-virus, security information and event management systems, virtual private networks and patch management technology.
Multifactor authentication adds enhanced security to access control systems. Rather than simply relying on an easily stolen password, multifactor authentication supplements “something you know” authentication with an additional requirement based on either something users possess, such as a smartphone or token (“something you have”), or a user’s biometric characteristic, such as a fingerprint or voice (“something you are”), to verify identity. Multifactor authentication should always be used to protect access to sensitive SCADA systems, even if it’s not required to access a wider enterprise network.
Firewalls segment networks from each other, carefully restricting traffic that may flow between them. They are commonly found separating internal networks from the internet, but they can also be used internally to segment sensitive networks from general-purpose networks. Many energy and utility companies use firewalls to separate their SCADA networks from their general productivity networks.
When technology professionals use firewalls to separate networks, they must also provide authorized users access to those networks remotely. Virtual private networks (VPNs) provide an ideal solution. Authorized users employ a VPN client to create a secure, encrypted connection to the SCADA network, where they may access infrastructure. VPN access is typically restricted using multifactor authentication.
Both SCADA systems and the workstations that engineers use to access those systems must have carefully monitored configurations. Patch and configuration management solutions allow cybersecurity professionals to ensure all devices on SCADA/ICS networks are configured according to the organization’s security standards, and that patches are up to date.
If users access SCADA systems using smartphones, tablets or other mobile devices, specialized configuration management is often required. Mobile device management (MDM) or enterprise mobility management (EMM) solutions allow administrators to manage configurations, security patches, applications and other settings on devices, and also remotely lock or wipe devices reported as lost or stolen.
Anti-virus software is standard on almost every enterprise system, from laptops to servers, and that should also be true in a SCADA environment. Devices capable of running anti-malware software should run it at all times and be configured to receive automatic signature updates on a daily basis, if not more frequently.
Finally, organizations should prepare for the eventuality that they may experience a security incident on their SCADA/ICS networks. Security information and event management (SIEM) solutions act as a collection and correlation point for log and event information from every cybersecurity technology deployed systemwide. Security professionals use SIEM as a centralized monitoring dashboard and the jumping-off point for security incident investigations.
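As an added illustration of the correlation role described above (this is example code, not from the article or any SIEM product), the following Python correlates two of the controls discussed earlier: VPN login events that record the multifactor result, and firewall events for sessions crossing into the SCADA segment. It flags any SCADA-bound session whose source address has no recent MFA-verified VPN login. The log lines, address ranges and field names are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real SIEM data). The VPN concentrator logs the
# MFA result and the address it assigned; the firewall between the productivity
# network and the SCADA segment logs sessions it allowed through.
SAMPLE_LOGS = [
    "2024-05-01T08:00:00 vpn user=alice src=203.0.113.5 assigned=10.10.5.21 mfa=ok",
    "2024-05-01T08:01:10 fw action=allow src=10.10.5.21 dst=10.50.1.7 dport=502",
    "2024-05-01T08:05:00 vpn user=bob src=198.51.100.9 assigned=10.10.5.22 mfa=fail",
    "2024-05-01T08:05:30 fw action=allow src=10.10.5.22 dst=10.50.1.9 dport=502",
    "2024-05-01T09:00:00 fw action=allow src=10.20.3.44 dst=10.50.1.7 dport=22",
]

SCADA_NET = "10.50.1."  # hypothetical SCADA segment prefix
VPN_POOL = "10.10.5."   # hypothetical VPN client address pool prefix

KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Split '<timestamp> <source> k=v k=v ...' into a dict of fields."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(KV.findall(rest))
    fields["ts"] = datetime.fromisoformat(ts)
    fields["source"] = source
    return fields

def find_unverified_scada_access(lines, window=timedelta(hours=8)):
    """Return (time, src, dst, reason) for firewall sessions into the SCADA
    segment whose source has no MFA-verified VPN login within `window`."""
    verified = defaultdict(list)  # assigned VPN address -> MFA-ok login times
    alerts = []
    for ev in map(parse, lines):
        if ev["source"] == "vpn" and ev.get("mfa") == "ok":
            verified[ev["assigned"]].append(ev["ts"])
        elif ev["source"] == "fw" and ev["dst"].startswith(SCADA_NET):
            src = ev["src"]
            recent = any(timedelta(0) <= ev["ts"] - t <= window
                         for t in verified.get(src, []))
            if not recent:
                # Distinguish a VPN client that failed MFA from a host that
                # bypassed the VPN entirely, since the response differs.
                reason = "mfa-not-verified" if src.startswith(VPN_POOL) else "not-via-vpn"
                alerts.append((ev["ts"].isoformat(), src, ev["dst"], reason))
    return alerts

if __name__ == "__main__":
    for alert in find_unverified_scada_access(SAMPLE_LOGS):
        print(alert)
```

On the sample data, alice's session passes, bob's session is flagged because his MFA check failed, and the 10.20.3.44 session is flagged because it never came through the VPN at all.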
As organizations design their SCADA security programs, they may wish to begin with industry standard frameworks, such as those available from NIST. Those frameworks offer guidance to help energy and utility companies select the security technology that best meets their needs.
Services Bolster Internal Defenses with Outside Support
In addition to building a strong set of cybersecurity technology controls, energy and utility companies should also consider security services from third-party vendors with specific expertise in SCADA and ICS technology. Vendors offer a wide variety of security services, including implementation and management of security controls.
Many organizations use third-party assessors to conduct testing on security controls. That approach is widely considered a best practice in cybersecurity circles because it introduces a degree of independence into the assessment process by using personnel who did not design the controls to perform the evaluation.
Vulnerability testing services conduct automated and manual scans of SCADA and ICS networks to detect the presence of known vulnerabilities that require remediation. Penetration testing services go a step further by attempting to exploit vulnerabilities to gain access to the ICS network, demonstrating the potential effects of a malicious attack.
Learn how energy and utility companies can address the growing threats they face by reading the white paper, "Securing SCADA Networks."