Protecting Our Energy Infrastructure
With the increasing global importance and integration of computers into all aspects of human endeavor, cybercrime has proliferated and now presents a serious risk to populations, nations, governments, businesses, and critical infrastructures. It’s been estimated that internet-generated criminal activity costs the world’s economy in excess of $400 billion annually. 1 The monetary price and potential dangers of cyber criminality will certainly continue to grow if left unchecked.
Attacks to our energy infrastructure are perhaps the most potentially disastrous. Initiated by hacktivists, adversarial governments, rogue states, quasi-religious factions, alone or in tandem, computer attacks are increasing and in some cases they are succeeding in permeating the perimeters of often outdated or inadequate infrastructural bulwarks. The implications of such criminal efforts are ominous. Imagine water treatment facilities, energy pipelines, telecommunications, satellite systems, banking institutions, and power plants being disabled or even destroyed by cyber attacks. The consequences of such incursions could spawn anxiety and even chaos among affected populations, while economies are seriously weakened and damaged.
Every moment, those behind this burgeoning cyber criminality are growing technologically more advanced and are looking for ways to disrupt, sabotage, and compromise critical infrastructural systems in acts of espionage, political maneuvering, terrorism, and outright war. In 2013 alone, Homeland Security officials in the US reported 256 incidents of attempted cyber crime aimed at critical infrastructure with most of these centered in the energy sector. 2 Former Defense Secretary Leon Panetta went so far as to claim that the US was confronting a menace that he referred to as a “cyber Pearl Harbor,” and a “pre-9/11 moment.” He painted a dire picture of potentially contaminated water supplies, sprawling blackouts, and of trains being forcibly derailed.3
There are myriad ways to carry out cyberattacks including malware, viruses, worms, spyware, password attacks, brute force intrusions, and DoS (Denial of Service) attacks. These methods of cyber attack can overload or infect the protective systems of critical infrastructure, making them easier to penetrate. Defense systems and targeted infrastructures may be disabled or even destroyed if the attack methodologies and the perpetrators of cyber crimes are not properly identified and thwarted.
On February 12th, 2013, US President Barack Obama issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity which established that “It is the Policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”4
This order led to the establishment of a Cybersecurity Framework designed to assist organizations in dealing with the cybercrime issues. This joint effort between the private sector and the government focused on establishing a uniform language for communication and on cost-conscious ways of implementing effective cybersecurity measures. There were no direct regulations enacted related to Executive Order 13636.
President Obama instructed NIST, the National Institute of Standards and Technology to work with institutions and businesses directly affected by the executive order for the purpose of creating a voluntary plan designed to minimize the risks of cybercrime on the nation’s critical infrastructure. All of these efforts were undertaken in order to unify standards and procedures in a diverse cross-section of sectors and to create guidelines which could be implemented rapidly. To this end, inter-industry communication and collaboration were also encouraged. NIST unveiled a first draft of the Framework in February of 2014 along with an accompanying roadmap which revealed the Institute’s intended future direction for the Framework.
Predictably, efforts to curtail cybercrime, hacktivism, cyber-terrorist activity, and cyber-warfare, involve an expanding web of governmental agencies and private sector interests. Among these is NERC, the North American Electric Reliability Corporation. NERC is “a not-for-profit international regulatory authority whose mission is to assure the reliability of the bulk power system in North America.” 5 Responsible for The US, Canada, and part of Baja California, Mexico, NERC creates reliability standards and enforces them. It’s also involved in the training and certification of industry personnel.
The CIPC (Critical Infrastructure Protection Committee) operates under the NERC umbrella. It is made up of cyber, operations, and physical security experts from the industry. It also includes the Electricity Sub-sector Coordinating Council (ESCC) which works in tandem with the federal government to develop concepts and resources designed to protect critical infrastructure and expedite the exchange of vital information concerning identified systematic weaknesses.
NERC is overseen by FERC, the Federal Energy Regulatory Commission. FERC “is an independent agency that regulates the interstate transmission of electricity, natural gas, and oil. FERC also reviews proposals to build liquefied natural gas (LNG) terminals and interstate natural gas pipelines as well as licensing hydropower projects. “6 In 2005, the Energy Policy Act bestowed even more responsibilities on FERC including the promotion of infrastructure safety, reliability, and security.
President Obama, speaking at Stanford University in February of 2015, requested that the US government and the technical sector collaborate to battle cybercrime. Seeking to reestablish a sense of trust following the Edward Snowden leaks related to the National Security Administration (NSA), President Obama acknowledged that much of the nation’s critical infrastructure and computer networks are found in the private sector, necessitating the proposed joint effort. He also stressed the fact that the government is often the first to receive information related to cybersecurity threats, further reinforcing the benefits of a unified threat-fighting effort. The President’s words may have been prompted by recent attacks which were thought to have been perpetrated by North Korea. In addition, January saw hacking activities involving the US Central Command, Twitter, and YouTube committed by Islamic State sympathizers in the jihadist network. 7 Home Depot, JP Morgan Chase, and Anthem were also subject to recent hacking incidences.
Key advisors to the President disclosed that three new cybersecurity groups have been created. This follows a new executive order that bolsters the Fed’s ability to collate information between the private sector and the government. The inaugural entities include the Cyber Response Group, the Cyber Threat Intelligence Integration Center, and the National Cybersecurity and Communications Integration Center. The future will also see the continued development of ISAO’s (Information and Analysis Sharing Organizations) which should greatly facilitate the aggregation of critical cybersecurity information.
Key Drivers For NERC Compliance
NERC reliability standards have had an indelible impact on power companies. As entities within the energy sector address mandatory implementation of these new standards, key drivers of compliance and enactment vary, depending on the size of affected companies, attitudes in the C Suite, pressure from shareholders, and the outside influence of vendors. NERC continues to facilitate the training and certification of critical security professionals in an effort to enhance broadband skills across the platform and assert the cybersecurity footprint within the bulk power system. As the technical capabilities of cyber criminals grow, those entrusted with protecting our vulnerable energy infrastructure must stay one step ahead through inter-industry communication and by cooperating with NERC and related governmental agencies.
NERC CIPs compliance assists utilities in developing security agendas and protocols to defend important infrastructure assets from cyber attacks and service interruptions. Critical Infrastructure Protection (CIP) norms define the essential requirements for compliance and ensure that the bulk power systems maintain reliability. Rapid technological advancements and the escalating abilities of cyber attackers make compliance increasingly difficult and important. Now in the fifth integration (Version 5), CIPs standards help in the identification of a company’s critical assets and assist in identifying who is connected to those assets and what entities have access to them. NERC CIPs encompass logical protection, physical security, and security management control. Steps 8 and 9 address effective cybersecurity response and disaster recovery.
Despite these standards and regulations, some feel not enough is being done. Questions arise; is simple compliance enough? Does it really provide the necessary security and protection our essential power infrastructure requires in the 21st century? This paper will continue to address that issue.
The NIST Framework
The NIST Cybersecurity Framework holds the potential to drive future behavior within all sectors. The Framework is agnostic in the sense that it facilitates a normalization of the dialogue between people who are talking about cyber security, allowing for coalescence around a set of ideas, concepts, and principles.
NIST Special Publication 800-53 Revision 4 is an update to the Framework “motivated principally by the expanding threat space—characterized by the increasing sophistication of cyber attacks and the operations tempo of adversaries (i.e., the frequency of such attacks, the professionalism of the attackers, and the persistence of targeting by attackers).”8 800-53 is expediting the development of security controls directly related to applications security, mobile/cloud computing, and supply chain defense.
The NIST Framework is a key component in improving cybersecurity for our critical energy infrastructure. It has the potential to generate the kind of dialogue which is necessary to better understand the threats base and how industry professionals can best respond to those cyber threats, whether they’re advanced and persistent threats, or whether they are the work of everyday hackers.
Driven To Comply
As the power sector and other industries move forward, compliance itself has been a prime motivator and driver for change regarding the implementation of evolved cybersecurity measures. Only the largest organizations in oil and gas, who are often part of multinational pipeline ventures, are seen as attractive targets for cyber attacks on a global scale. These are the companies that are voluntarily moving ahead in complying with cybersecurity standards on their own. This perceived targeting is indeed a driver. Smaller companies are less inclined to feel targeted, so they are primarily motivated by the compliance requirements themselves.
Influence Of The C-Suite
Many organizations are primarily driven by the decisions of their C-Suite when it comes to NERC compliance. There are a lot of power struggles within affected organizations as to who is controlling what and who has the authority and the drive to make things happen within a given company. Often, there is a disconnection between IT and OT personnel, leading to a lack of useful collaboration. Regulations cannot be ignored, and they do provide an incentive for organizations to operate in mandated ways, but compliance is different than security. There is great variance from company to company as to what constitutes real security, or if compliance in and of itself is enough. Those who settle for mere compliance may render themselves vulnerable to hacking and cyber-attacks.
Satisfying Stakeholders And Shareholders
Government and private industry have others to consider in the implementation of NERC standards. Lobbyists and those they represent have much at stake when it comes to cybersecurity efforts as do shareholders in private sector industries. Both must be satisfied and achieving that is no small feat. The government is under pressure to keep the compliance threshold low which makes it difficult for the power sector to truly attain real security against cyber attacks. In the utilities industry, any regulatory oversight costs money that that’s the bottom line which in turn affects the shareholder. Any meaningful exchange of information will require a tandem effort. As President Obama stated at the recent Cybersecurity Summit, “Government cannot do this alone. But the fact is that the private sector can’t do it alone either because it is government that often has the latest information on new threats.”9
The Influence Of Vendors
Vendors are attempting to impose their own influence in the ongoing implementation of cybersecurity measures in the energy sector. Most companies that have international control systems utilize equipment from various vendors. These vendors incorporate their own security and visibility into their products. “ There seems to be no single entity that is creating an HDB (heterogeneous database system) to integrate all the disparate database management systems and present users with a single, unified query interface.” 10 This requires not just the standard bodies to be communicating with the manufacturers; it also involves manufacturers talking amongst each other to create a consortium. All things considered, no one entity will be the key driver for NERC compliance. End users, standards bodies, and international control systems vendors must unify efforts to achieve successful implementation.
Primary Influencers In Energy Sector Security
While NERC arguably has the biggest influence, other outside companies, compliance bodies, and forums also support and enhance security operations in the energy sector. NERC is the strongest one because they are a delegated authority for the Federal Energy Regulatory Commission (FERC). They have regulatory oversight to mandate what security standards should be followed and they possess the ability to impose fines that have a significant financial impact. NERC has the ability to affect power companies on social media, to influence company culture, and to color their reputation. Despite their obvious influence, there is some doubt that NERC has the technical capability to do what needs to be done.
NERC CIPs must be complied with unless an entity exists in the federal space. Certain power plants on the federal side such as the TVA and Bonneville Power have additional work to do. They have to meet NERC CIPs compliance standards and also meet FISMA (Federal Information Security Management Act) and NIST (National Institutes of Standards and Technology) requirements and guidelines. They want to ensure that they meet CIPs targets and NIST control targets, and avoid duplicating the process and engaging in unnecessary work.
SPIC (the Society for the Promotion of Information Technology) in Chandigarh, India has been influential in the development of a smart grid for industry standardization. In Europe, the International Electrotechnical Commission (IEC) “provides a platform to companies, industries and governments for meeting, discussing and developing the international standards they require. Over 10,000 experts from industry, commerce, government, test and research labs, academia and consumer groups participate in IEC Standardization work.”11 The IEC works in conjunction with the International Organization for Standardization (ISO) and the International Telecommunication Union (ITU) to integrate and unify global standards and to amalgamate knowledge from industry experts around the world.
How Will The Future Impact NERC Standards?
Fending Off Cyber Attacks
The ever-present threat of cyber-attack, hacking, and espionage will continue to shape and dictate the future evolution of NERC standards and related industry measures designed to secure the energy infrastructure. Other countries, governments, and hostile political/religious factions can potentially target North America and our bulk power system. This is certainly a dynamic factor when one looks to the future of cybersecurity in the US and abroad. The next few years will definitely witness the advent of more real time detection capabilities as opposed to the present-day reliance on educated predictions and trend analysis.
Despite recent industry-wide efforts to bolster the security of the energy infrastructure, some feel the systems built and deployed today cannot stand up to high-end cyber-attacks. To that end, NIST Special Publication 800-160 attempts to define “systems security engineering processes that are tightly coupled to and fully integrated into well-established, international standards-based systems and software engineering processes.”12 Operating under the motto of, “Build it Right, Continuously Monitor,” they have initiated a four-phase project that allows system developers and integrators to incorporate NIST security practices into their software and systems. It’s also hoped that 800-160 will facilitate improved dialogue between system engineers and system security engineers in the interest of scaling-back the threat of cyber attacks.
Time does not appear to be on the side of the energy sector cybersecurity efforts in North America. The regulatory bodies are trying to instigate progressive change, but international control systems vendors are often slow moving, and large corporations are often not willing to invest in anything that goes beyond their own systems. Emerging technologies may be the change-agents needed to awaken the market and allow OT personnel to install innovative products that don’t disrupt their operations. These technologies would also enable IT professionals to provide proper security measures.
Change itself is an impediment for most large businesses in the private energy sector. Often, the technology they presently possess has been operational for many years. It is not designed to be integrated with newer and more secure security products. New approaches presented by enterprise security vendors are often met with resistance, and new products that are utilized are a mish mash of different enterprise solutions that need to be adjusted for integration with an existing system.
Ideally, a protective technological security fabric is needed that blankets the bulk power industry, but this requires an initial investment few are willing to make. No one is pushing the agenda of consolidating those IT and OT groups so that they actually can work together in installing new technology. Even a process as rudimentary as patching HMI’s or any machine related to operations is a formidable challenge. NERC Version 5 has instituted patching regulations, but even when the process is automated, it often takes months for vendors to approve patches, and in the interim, power plants are not protected.
Mainstream Organizational Processeses In The Security Lifecycle
Inter-agency mapping is direly needed to make security controls more all-encompassing and effective. NERC CIPs, ISO 27000 controls, whatever products companies employ to enhance their cybersecurity efforts; will these map to what NIST or ISO has done? A set of “best practices” becomes necessary to transcend these disparate standards and controls. For manufacturers who build-in access controls and identification, authentication, and systems cryptography, the process can be even more complex. Often, source codes and other critical design elements important to developers are inaccessible; buried in the hardware, software, and firmware of the systems which they have no access to. To remedy this situation, NERC CIPs, NIST, and ISO controls need to be integrated early on in the design and development process of the security lifecycle. Ultimately, cybersecurity defense is a team sport. Critical infrastructure needs to not only be operational, but it needs to be functioning 24/7. There are many key players involved in the public and private sectors, and on the positive side, developers are already doing many of the things that they need to be doing.
Designed to minimize losses incurred from cyber-incidents (data theft, network destruction, and disruption of commerce) Cybersecurity insurance is in the early stages of implementation. This is already evident in the credit card/payment industry. Insurance companies are in the early stages of a campaign to try and model what a big risk would be and what insurance would look like if power producers were to be insured against cyber risks. It may be some time in coming as there is not a proliferation of cyber-criminal data in the energy sector to create actuarial tables. “Cyber crime breaches on average cost companies $1 – $3 million in damages, which can bankrupt smaller businesses, incite civil lawsuits, and cause fines to be levied.”13
Cyber attacks could potentially be reduced by the presence of a healthy cyberscurity insurance market.
Energy interests which institute preventative measures and “best practices” could be provided with more coverage. Currently, many companies decline available coverage because they believe the costs to be prohibitive, they are uncertain about what would be covered, and they are willing to risk that they will not be the target of a cyber attack. The Department of Homeland Security (DHS) has recently assembled a wide-ranging collective of public and private sector interests “to examine the current state of the cybersecurity insurance market and how to best advance its capacity to incentivize better cyber risk management.”14
Main Influencers Of Cybersecurity Implementation
Vendor Influence On NERC Revisions
As NERC security standards continue to evolve and be revised, FERC and utility companies are supplying important input and constructive comments to promote continual improvements. Vendors are definitely driving the development of the standards and assisting with the guidelines, as well. How much influence each faction has is a subject for debate. Operating under the premise that every idea is welcomed and is valid, those who are willing to work with the standards can ultimately influence them before they are finalized. Once they are in place, there is nothing that can be done other than to wait for the next version to emerge. Some believe those who get the best result are those who shout the loudest. Many bright individuals share their valued opinions on various committees, and the most influential of them truly can affect change.
DOE And Homeland Security
Most industry insiders cite the Department of Energy (DOE) and the Department of Homeland Security as prime providers of influence and oversight in the development of NERC CIPs standards and regulations. The DOE has been indentifying various labs and centers of excellence that have taken the initiative and are focusing on putting quality people to work in different areas of the cybersecurity landscape. Other groups like the NEI can greatly affect the development of NERC standards. “NEI lobbyists flexed their influence in 2014, drawing attention to their agenda with over $2 million in lobbying expenditures.”15 These agencies and many others interact with bulk power system entities to address pressing issues that impact the nation’s energy infrastructure. Companies that are the most active in the process, particularly the large ones, tend to affect the process to a greater degree.
Though they offer helpful guidelines, adherence to suggested standards is not the law. Utilities and vendors have suggested some practical standard practices, but they are not compulsory, so individual companies decide whether or not they wish to follow them. It’s important that utility companies and vendors be more active in collaborating to create standards and guidelines. NERC and NIST cannot do it on their own, though NERC can influence and ultimately define the default criteria.
Influence Of The Power Companies
NERC’s drafting team is comprised of industry personnel, so it is a collaborative effort. These are the actual people with boots on the ground doing the day-to-day work, providing input to the standards drafting team. Many are members of the power industry which is very de-centralized. Companies in the energy sector have different rate structures in different states that affect their profitability and what they may charge for the services they provide.
When power plants need to enhance their cybersecurity, it requires a significant investment and someone is going to pay for that. A company’s bottom line must be considered as part of any cybersecurity discussion because it’s a business reality and there are stakeholders to be satisfied. Financial considerations may dictate whether or not security controls are implemented and this fact needs to be emphasized in any discussion about the adaptation of new standards and regulations. The nation absolutely has to have power. It’s one of the most important of the critical infrastructure sectors because, like information technology, it transcends everything.
The Influence Of Research Institutes
Research institutes such as EPRI, the Cyber Security Center of Excellence, and NSCO have influence in developing NERC CIPs security standards due to their high level of expertise. Stakeholders from many different organizations come to the table in consensus to create the next generation of standards. Of course, each organization has its own agenda to promote and this ultimately colors the way the standards end up for better or worse. The public vetting process and sub-standards also play a role in determining the specifics of new NERC CIPs revisions
The Difficulty Of NERC Compliance
Once NERC CIPs regulations and standards are revised and agreed upon, they are implemented in the energy sector. Unfortunately, compliance teams, legal teams, and managers struggle with how to precisely to interpret these recommendations and requirements. They are often uncertain about what actions to take. While most are willing and ready to comply, some find it difficult to discern the official meaning of the regulatory language. This can cause confusion for compliance personnel who are forced to rely on whim and vague interpretations of NERC standards and regulations.
The ISA (Instrumentation, Systems, and Automation) provides an exhaustive reference for guidelines and instructions on how NERC’s provisions can be implemented, to help ensure that everybody is marching in the same direction. ISA’s 2014 Cybersecurity Conference “shed light on what can be done to protect industrial networks and control systems from serious, potentially devastating damage from cyber threats.”16
To counteract the unclear nature of NERC CIPs, many companies are actively documenting how they intend to fulfill, mitigate, or comply with the requirements and hope auditors find merit in this diligent record keeping. Since so many interpretations are presently in play, auditors can only note whether or not a company did what it said it intended to do regarding NERC CIPs compliance. Some power plants also struggle to comply with standards and regulations because they lack the electronic products and devices (such as those manufactured by Seimans and GE) that make such compliance possible.
The Influence Of NIST And Ir7628
The National Institute of Standards and Technology (NIST) recently published NISTIR 7628 Revision 1, Guidelines for Smart Grid Cybersecurity in order to provide “a comprehensive framework that organizations can use to develop effective cybersecurity strategies tailored to their particular combinations of smart grid-related characteristics, risks, and vulnerabilities.”17 Though NIST guidelines don’t impose the regulatory oversight of NERC CIPs, they still have impact in the energy sector.
Though NERC is perhaps taken more seriously, NIST standards are regularly integrated into many cybersecurity platforms, and they may point the way that critical infrastructure protection is going. Opinions vary on NIST’s importance. Because compliance to NIST guidelines is voluntarily, there is no mandate for companies to follow them. Additionally, the energy market is extremely fragmented and many businesses don’t have adequate personnel or the necessary funding to implement a lot of NIST’s suggested actions related to cybersecurity.
Money is probably the biggest factor in whether or not companies will follow NIST or even NERC. Factoring in the hundreds of priorities energy businesses have, the budgetary impact of cybersecurity implementation often takes a backseat to what seem to be more pressing immediate concerns. Beyond its presence as a buzzword, the Framework is costly to integrate and often a budget does not exist for such expenses. Beyond that, many doubt that industrial control system vendors can provide working solutions that operate in tandem with products from other vendors. They are wary of involving third parties. Security professionals know what they need to do, but they don’t know where to find the budget and they are unsure of what technology to use to implement the good ideas NERC and NIST suggest.
Do Public Comments Really Have Influence?
“Individuals and organizations throughout the country have provided their thoughts on the standards, best practices, and guidelines that would meaningfully improve critical infrastructure cybersecurity.”18 Comments regarding the direction of the Cybersecurity Framework have always been welcomed. The ultimate goal is to provide businesses, their suppliers, their customers, and government agencies with a common language and methodology for determining how they can best protect themselves. Whether they come from Microsoft, FERC, or an interested individual citizen with a great idea, they are all treated with equal reverence. NIST is primarily interested in whether the idea is technologically sound, cost effective, and if it is implementable.
Occasionally, NIST has contracts and receives support from federally funded research and developments centers connected with aerospace or the Institute for Defense Analysis that helps them to create a first draft. Once the draft is completed, it is posted on the website where public and private interests can view it and make comments. NERC summarizes the comments it receives and publishes them so that people can assess the reaction to the suggested standards for themselves. NIST employs an adjudication process in which a team of industry experts reviews individual comments and provides a response. Eventually, the comments help NIST arrive at a final adjudication for each particular comment – an exhaustive process. What NIST aims to achieve is a normalization of the dialogue that occurs when people are discussing cybersecurity. This allows for a coalescence of ideas, concepts, and principles from various sectors and presents many different choices about how the Framework is implemented.
The Future Of NIST
The next few years will see the continued implementation of the five revisions of the Framework which have been approved. Versions six and seven are on the way and will feature some changes in language for clarification. Barring any traumatic upheaval in the Beltway, NERC CIPs continue their evolution, incorporating NIST standards and data, and adding additional specificity to the implementation guidelines. NIST standards exist to prevent attacks and intrusions from outside forces within the power system and to maintain control of the energy grid. All facets of the bulk power system are considered when it comes to disaster recovery.
As with NERC CIPs, there is vagueness to NIST guidelines that leaves implementation open to much interpretation. At present, NIST refers companies to a lot of third party documents which seem to leave people lacking for a lot of detail. NIST document “IEC 62443-2-1:2010(E) defines the elements necessary to establish a Cyber Security Management System (CSMS) for Industrial Automation and Control Systems (IACS) and provides guidance on how to develop those elements.”19
Advancing technologies will continue to affect all aspects of life in the near future with computer hardware and software at the core of this evolution. More reflection will be required concerning the building of cybersecurity products and systems as things grow increasingly more complex. It is possible for scientists and technicians to reach a point where they don’t fully understand what they have built into their software. It can become so complicated that they don’t understand how to protect it. Some feel the industry has already passed that point. Defending operating systems from the cyber attacks of today and tomorrow may require significant reengineering of the IT infrastructure at the systemic and at the product level.
This will require trusting in technological principles, concepts, and methodologies in order to build highly assured components and systems. The greatest challenge will be in keeping the size of future operating systems manageable and understandable so that best practices can be applied. There is hope that systems will be developed which are more penetration-resistant. In the event that an attack is successful and permeates an outer perimeter, the energy sector must work toward creating technology that stops malware from bringing down entire power plants or the entire grid.
The Future of Real-Time Security
The bulk energy industry faces huge challenges heading into the future. Re-architecting the networks, segmenting them, and implementing security management will be tremendously expensive. There is a danger that companies will assess the high cost of hardware, software, licensing, and installation, plus the expense of operations and maintenance of the infrastructure, and they will underestimate. In many cases they will opt for the inexpensive route and have no automation software to schedule recurring or compliance required maintenance. Of course, the larger the company, the more security products they have to integrate and the more complex procedures they have to follow. Expecting humans to manually operate security systems can be risky, but in the interest of the bottom line, many power plants will forego more reliable automation systems.
Maintaining cyber security devices is a relatively new field. Electric utilities have known how to keep transmission systems operational for the past 50 years. They knew how to design, protect, carry power, connect to the transmission system, and distribute power. Now, these companies are adapting to new technologies and the learning curve is dramatic. More compartmentalized technicians are needed, such as file, server, and networking experts. Despite all the present-day defenses already in place, the infrastructure may not yet exist which can detect and thwart attacks across the spectrum. More monitoring capabilities are needed to formulate a proactive defense. As utility companies use more cloud services they will have to be more cognizant of what the risks are as Smart Grid penetration will continue to increase
In the security field, it’s difficult to predict what will be happening five or ten years into the future. Certainly, more real time detection will be utilized because people want to know what is going to happen. There are many strategies and types of attack which may occur. Older technologies such as firewalls and anti-virus programs try to detect malware by discovering code sequences. Today’s newest software examines code to detect subversive “kill chain” activity, but humans are still needed to take this information and put two and two together. Unfortunately, this takes time. Modern cybersecurity products are unable to detect a complete chain of events. They may detect malware, but breaches occur in mere moments and often it is too late to enact any meaningful counter-attack measures.
The successful real-time defense systems of tomorrow will be able to analyze incoming data and detect and isolate malicious exploits immediately before they advance along the kill chain. At this point, automated systems or humans can intervene and take protective actions.
Identity And Access Management
The authentication of identity is still an important aspect of maintaining effective security measures in the energy sector. “In the challenge of securing information and information technology, and in the challenge of preventing cyber threats, often the lack of strong identification has become one of weakest spots in the overall defense mechanism. Too often, existing credentials can be abused, have been badly implemented or managed, and lead to major vulnerabilities or incidents.”20
Organizations are moving away from the high-trust model of the shared log-on, not because they don’t have faith in their employees, but in the interest of localizing the impact of accidental or malicious occurrences. In the long-term they will continue trying to overcome technological constraints. Utilities will continue to employ standard IT tools such as Sysco and Juniper, but other facets of their operation (relays, RTU’s, PLC,s) don’t have the same protective systems. Until they can purchase it from vendors, they may have to mitigate threats with a local firewall. Seemingly innocuous information like the network time, the location of a control center, the IP address, even the vendor that’s chosen to run their infrastructure, may be important to those with ill-intent bent on committing a cyber-attack.
Incident Prevention And Mitigation Contingencies
Today’s IT security tools are configured to monitor the “normal” behavior of log-ins, but they are weak when confronted with advanced attacks. Adversaries don’t just want to permeate the control system, they want to inflict damage in a situation where the operator doesn’t intervene and the safety system is not performing adequately. Operators can’t really tell if the data they are seeing is accurate or if it has been manipulated because there is no technology available to validate whether or not the information is accurate. The San Bruno pipeline incident brings into focus the dangers of antiquated security systems and bad data.
“Pacific Gas and Electric Co. … struggled for nearly two decades with a computer system intended to keep track of the characteristics of its natural gas transmission lines, a battle that resulted in the company lacking information crucial to understanding its pipes’ potential weaknesses. … Omissions or data-entry errors made when the system was developed – and left uncorrected – may explain why PG&E was unaware that the 1956-vintage pipeline that exploded in San Bruno on Sept. 9, killing eight people, had been built with a seam, according to records and interviews. … Experts say the fact the pipe had a seam weld is a fundamental piece of information that should have been available with the click of a mouse on any decent pipeline database.”21
Despite the vulnerability of power facilities, security personnel do seem to understand the importance of contingency planning. The electrical grid is highly reliable overall, but when an incident occurs response plans have to go into effect before malware can gain a foothold and damage critical operating systems. It is essential that people know exactly how to respond in a given situation. Contingency plans for power plants may include alternative processing sites, alternative communications capabilities, and alternative storage facilities. Those are three tiers that are typically focused upon. The ultimate goal is to navigate an attack and to continue to be operational in a debilitated or degraded state. Contingency plans exist for four major types of threats, including natural disasters, structural failures, cyber attacks, and errors of omission or commission.
Black Holes And Unknown Threats
Cybersecurity measures are constantly being implemented to deal with known threats to the energy infrastructure, but the future is sure to be full of unknown dangers and “black holes” that will require innovative defense and response capabilities. Fortunately, ES-ISAC and all of the networks of collaborative communication now in place improve the outlook for maintaining the grid safely and effectively. Threats are monitored 24-7 and ES-ISAC is continuously updated.
Many international control systems, while different than those installed domestically, are connected to a global cybersecurity network. Of course, there is still a lot of concern regarding air gaps, primitive protections, and unicorns. The energy sector is dependent upon forward-thinking companies that are coming up with progressive solutions to deal with existing security issues. Cyber-criminals possess impressive attack skills and the hacking tools available to them make it easy to find new attack ventures, especially when it comes to old equipment in industrial control systems.
Unknown threats constitute anything that can permeate a security system’s perimeters. New systems are so complex they are connected in ways that their manufacturers might not even understand. End users may not be aware that the interfaces of the control systems they operate are publically available on the internet. Cyber-criminals can search for a particular geographical site or for a specific vendor and breach the user interface (HMI) of that control system. If end users haven’t changed the standard password and user name from the vendor, cyber-attackers can actually start the operations.
There has been a good deal of research done concerning Zero Days, which personify the unknown vulnerability. “ … a “zero-day exploit,” … is a virus or a worm that can take advantage of a vulnerability in software that others, including the software’s creators, have not discovered yet. Zero-day exploits are rare because software creators work hard to ensure they release programs that don’t have those kinds of vulnerabilities. … when one is discovered in malware, it suggests a higher purpose, something beyond a cyber-criminal hoping to vacuum up credit card numbers.”22
Another type of serious threat is the “inside job,” created within an organization or a system such as a power plant or a federal agency. Following a cyber-attack, the perpetrators can actually take control of the system and build it with new vulnerabilities, which they can later come back and exploit. The energy sector is relying on basic technology like never before, and it is vulnerable.
Are Surveillance Cameras And Log-In Data Enough?
Detecting and deterring cybercrime with standard surveillance cameras is not the most effective way of protecting critical infrastructure. Cameras are only as good as the people who monitor them and people are easily distracted. Cameras need to be coupled with analytics that alert and alarm. This type of technology does exist and it can greatly enhance existing security systems. Software is becoming more cogitative all the time. Manpower can be reduced with new technologies, but it’s difficult to secure people with technological abilities and to pay them enough to retain them. Thusly, there is a huge turnover rate within the energy sector.
New cybersecurity departments are expensive to maintain and it can be difficult to convince the C-Suite and a company’s shareholders that these departments can be cost-effective in the long run. It sometimes takes an expensive incident to bring this fact into focus.
Automatic Platforms? Semi-Automatic?
Despite the increasingly automated nature of IT platform systems, most insiders believe a human interface will continue be needed going forward. That being said, when a large utility has several hundred assets monitoring it, it is not feasible for two or three security operators to maintain visual security in that space. Visual analytics and automatic alert systems will continue to be employed more and more because it is not possible for individuals to physically monitor data streams continuously to see if any aberrations might be occurring. The future will see more real time analytics employed, to detect incidences as they are happening, or to detect them in advance. Again, there will most likely be a human interface involved to analyze data and recognize the source of any incursions and threats, or to deal with issues of multiple alarms, weather, or even wild game.
Who Needs To Know About Cyber-Attacks?
Eventually, incidents occur despite the best efforts of security teams. There is some debate as to whether information concerning cyber-crimes in the energy sector should be shared publically. Many in the industry are of the mindset that such intelligence has no business being parsed out to those without a need-to-know. Most would seem to prefer that information be shared privately among utilities so that if an attack is coordinated, it could be collectively defended against. Power companies do an acceptable job of sharing information concerning threats or security events that occur across various groups. In the United States there are eight regions that each have regulatory oversight and board groups that branch out from ES-ISAC.
It makes sense for the utility industry to share information, but there are not many vehicles established at this point to facilitate that process. In most instances, end users disclose information related to cybercrime when they don’t have any choice, because of the negative publicity that can surround such an occurrence. There is a consortium among some security vendors that has been created for the purpose of information sharing. In addition, Symantec and some other big players have reportedly been distributing intelligence to one another. Some have called for the creation of an ICS version of this information sharing model, but it may still be a couple of years before that goal is realized. “Threats to control systems can come from numerous sources, including hostile governments, terrorist groups, disgruntled employees, and malicious intruders. To protect against these threats, it is necessary to create a secure cyber-barrier around the Industrial Control System (ICS).”23
Some prefer a holistic approach to the cybersecurity problem. This would entail building products and systems that are as defensible as they can be and then continuously monitoring them. Even if everything is built to the best possible specifications, a small amount of attacks are still inevitably going to happen. Understanding the various types of cyber-attacks and sharing relevant information regarding these events can be very valuable, but again, most companies would be reticent to share it because of the damaging effect doing so could have on their reputation. Ultimately, it is a team sport. If there is a specific vulnerability in a power plant and the same commercial components developed by a shared vendor are being used across the industry, quickly distributed information could help other companies address those vulnerabilities quickly, before they become the next victim.
Most in the energy sector seem to feel that the public has a limited need-to-know priority regarding cyber-attack incidents. It is considered more important for selected agencies, the tech community, and vendors to receive critical information so future incidents can be prevented. Otherwise, it would be difficult to establish any pattern analysis of cyber-criminality, or to inform vendors about products which may have been compromised.
There has been much talk about establishing a clearinghouse of information for companies in the energy sector regarding cybersecurity. The Department of Homeland Security Information Network is, in effect, trying to become just that. Power companies need to know about potential phishing or malware attacks so that they can increase their awareness and work to mitigate these potential threats.
Information Sharing With Other Countries
Sometimes in the implementation of cybersecurity defense measures, it may be necessary to share information with other countries, as in the case of Europe and North America where stability of the grid crosses our political borders. If individual nations are tracking poor behaviors and unsafe cyber conditions, it would be advantageous for them to share more than anecdotal stories with neighboring countries. This is the case today. There is a paucity of information exchanged between nations regarding cybersecurity. Insurance companies and the safety industry are endeavoring to compile a lot of statistical data, but many in the energy sphere continue to operate in what has been termed, the age of stories.
Is There Room For Overseas Vendors?
There has been some anxiety caused by the thought of information sharing between utilities in the energy sector, and worries about shared threat alerts between nations. Is it safe to entrust overseas vendors in the development of security systems designed to prevent cyber-attacks? Are there elements of xenophobia and ungrounded fears to be found in the resistance these overseas firms sometimes face, or is some prudence warranted?
A lot of these trepidations have been overcome out of necessity because cybersecurity threats are experienced universally, all around the world. Ultimately, global information sharing is essential. Still, some feel it’s highly unlikely that overseas vendors will be able to infiltrate the U.S. market. The industry is entrenched and business relationships are long-standing. The energy grid operates on a level of comfort and trust. It would take a third party from an overseas country with unique technologies and capabilities to ingratiate itself in the North American energy market and find favor there.
Nerc In The Ics Security Market
As critical industrial infrastructure continues to be threatened by Flame, Stuxnet, Night Dragon, and Duqu attacks, the ICS security market will continue to expand. TechNavio’s analysts forecast the Global Industrial Control Systems market will grow at a CAGR of 8.15 percent during the period 2013-2018.24 NERC continues to have a huge footprint in the industry with over 50,000 substations and several hundred utility companies. In the western US, NERC has almost 500 registered utilities that adhere to NERC standards.
The ICS cyber security market has been estimated to be valued at between $3 and $4billion annually. Consulting companies and enterprise security vendors are major players in this arena. NERC has the power of regulation and wields heavy influence with electric utilities, oil, and gas sectors, but it is difficult to gauge the ratio or market size of NERC in the security solution market because there is no way to do a proper segmentation. Many of the products that are used to achieve some level of NERC CIPs valuation could also be used to provide visibility and provide security management capabilities in other industries such as manufacturing.
Challenges Of Meeting The Cybersecurity Threat
Keeping up with constantly advancing technologies is a huge operational challenge for utilities in the energy sector. It can be difficult to deploy the “best” security measures to meet future threats when new advancements in cyber-defense technology are happening constantly. Additionally, systems are becoming more and more connected with each other so the probability that these networks will be compromised or attacked is growing exponentially larger. “Cyber attacks on infrastructure have become a major worry for utilities following the 2010 Stuxnet computer virus, which experts believe was used by Israel and the United States to make some of Iran’s nuclear centrifuges tear themselves apart. The threat has been reinforced … by the appearance of a computer virus known as the Havex Trojan, which hackers appear to have used to attack oil and gas firms.”25
It is imperative that technology deployed in the infrastructure today can be upgraded and made to be integrated with the next generation of evolving systems. Some companies build the most impressive products, but they are not compatible with anything else. As a parallel, consider iPhones. How many iPhones have there been and how many chargers? It’s a similar situation with cybersecurity. Billions of dollars are spent to secure the latest products, but often things have to be reconfigured because products are not compatible. Meanwhile, cyber-attackers are adept at remaining one step ahead of the game, so security teams must do their best to stay on top of the technological race in cybersecurity. It’s no small undertaking. A large majority of the utilities are prioritizing investment to upgrade adequately. Unfortunately, the smaller co-ops often don’t have the financial capital to do the same.
Manpower Structuring In Operational Security
In terms of deploying manpower for the electric companies and their internal floor charts for operation security, there is typically a Chief Information Security Officer (CISO) and a Chief Information Officer (CIO). “CIOs are becoming increasingly important in calculating how to increase profits via the use of ICT frameworks, as well as the vital role of reducing expenditure and limiting damage by setting up controls and planning for possible disasters.”26
Large investment utilities in the energy sector have a CIO with several steps of separation to the Senior Director level of IT. Smaller companies tend to have a one-size-fits-all situation; a person or a small group of people at the head of the table who have a multi-faceted skill set in the cybersecurity area. Sometimes it is an Electrical Engineer or a specialized maintenance team. Some organizations hire or develop an Industrial IT or Operational OT tech group in which a multi-member team is assembled to tackle problems. In the ‘80’s, companies didn’t have IT departments, but today it is a given. Utilities are building aggregations that operate somewhere between control groups and IT organizations with the hope that they can understand the strengths and issues of both.
Security Solution Vendors And “Outside Thinking”
Electric power companies depend on security solution vendors a great deal for “outside thinking.” These vendors provide lifecycle management services and they relate well to people who understand compatibility issues and how security products are deployed. Because utilities are not technology companies, they depend on security vendors to provide the technological expertise they require. This being said, companies in the energy sector tend to remain with vendors they have worked with in the past that they trust. This loyalty may be based on an individual, long-standing relationship. There is a tendency for utilities to continue using products that their personnel are familiar with because training for the deployment of new technologies is expensive.
The Most Influential Vendors
While most within the industry itself are reticent to name names when it comes to identifying vendors that are particularly influential, many utilities seek out an EPC (Engineering, Procurement, Construction) or an engineering firm such as Flur. Such vendors would be responsible for designing a plant as far as concrete, metalwork, and electrical schematics. The control system is often offered up for bidding to outside vendors. A utility will prepare specs that deal with functionality and the types of devices they plug into. Vendors will then bid on the project, competing with other security solutions vendors to deliver the specs at the best price. Companies in the energy sector have to deal with compliance issues, so they are adjusting their procurement guidelines and contracts to include cyber security in their specifications.
According to SecurityMagazine.com, these were the most influential security solutions providers of 2014:
Vice President, Chief Security Officer, ADP
Kevin P. Donovan
VP, Global Security, Johnson & Johnson
Vice President, Corporate and Information Security Services, Exelon
Vice President and CSO, The Walt Disney Company
Vice President Global Security, Dow Corning
Michael A. Mason
Vice President, Chief Security Officer, Verizon Communications
Under Secretary for Intelligence and Analysis, DHS
Director of Europol
Director, Private Sector Partnerships Office of the Director for National Intelligence
Program Specialist, U.S. Department Of State, Overseas Security Advisory Council
CEO & Founder of CREATe
Senior Vice President, Chief Security Officer, and Corporate Director of Cybersecurity, MITRE
Senior Information Technology Policy Advisor, National Institute of Standards and Technology (NIST)
Future Security Solutions And Products
The future will see a continued rapid evolution of many new security solutions and products designed to meet the challenge of defending energy infrastructure against cyber-attacks. On the wish-list for many in the power industry is an integrated platform for security solutions that integrates a company’s policy procedures. Several platforms are already operational and they continue to be refined and improved.
Control system upgrades are needed for Institutions and organizations with an archaic or legacy code base. Especially if a power plant’s control system has been operational for ten years or more. Some of these systems may have code bases that are 20 years old. These organizations are not likely to regress and rewrite every line of code. They will instead develop secure new practices in hopes of being able to show that their entire code base is secure. Of course, new certification standards will inevitably come which will have to be complied with, which will hasten the ongoing evolution towards improving the security of the grid.
Security solutions vendors have devices with the ability to detect anomalies and aberrations in the operating systems that are needed to fill the tech-deficit gap faced by utilities today. These vendors can also provide the security of of amp logging, patching, change management, MOC (Maintenance of Certification), and remote access. It may require various vendors to fill the specific needs created by these tech-gaps. The successful vendor will create security products that satisfy the specifications of the OT environment and are as self-sufficient as possible. Ideally, they must do a better job of securing operations than many other security products combined. Of course, this task is easier to imagine than to execute.
Some in the power industry feel that many large ICS vendors do not excel at innovation. They may find it difficult to imagine what the future will look like. Large vendors concentrate on making better and more secure products, but they often fail to acknowledge that end users incorporate products from many vendors. Utilities clamor for heterogeneous solutions that have a higher view of the entire network and aren’t reliant on any single vendor’s equipment. “One of the main challenges when building up smart grids is to cope with the heterogeneous character of applied technologies. Since product life cycles can span several decades, the overall system complexity will considerably grow in the next years due to the application of many different protocols and technical solutions. This heterogeneity eventually increases the attack surfaces to a smart grid and might also lead to an increased vulnerability.”27
ICS vendors are traditionally large firms that are established in their ways of operation. At present, there is a certain degree of upheaval in the market space that extends to the vendor side. A new company called Bedrock Automation is designing industrial control systems from scratch. They are addressing many of the present challenges of cybersecurity and are attempting to be innovative, which is something large vendors are reticent to do because their efforts are inherently less focused.
There are many security solutions vendors involved in cyber-defense for utilities, but not many that are highly specialized and focused on building components that are used in ICS systems. This may be advantageous for those hoping to influence the direction of what industry vendors are manufacturing.
New products are now entering the ICS sphere from all around the world and they are incredibly complex, sometimes beyond the point of even being truly understandable by the companies that purchase them. This makes it easier for adversaries to hide things in their products and do serious damage to operating systems and code structures. This threat has caused formerly insular companies to come together and form consortiums with the intent of creating more trusted solutions.
Smart Meters, analytic products, key management infrastructure, and any commodity that aids in the detection of advancing or widening cyber-threats; these are all additional areas of security open to innovation where forward thinking vendors might find a niche or create inroads into new and viable markets.
The Future of I.D. Access and Authentication
Weak passwords and rarely updated software are a recurring theme behind the 48,000 cyber incidents reported to the Department of Homeland Security – including the theft of data on the nation’s weakest dams by a “malicious intruder,” and an incident where hackers broadcast a malicious warning about a zombie attack via several American TV stations, a DHS report has found.28
Many cyber attacks are initiated by compromising credentials or exploiting weak passwords. Identity Authentication Management is a key component of a more trusted system. Unlike public, operational, and managerial level controls, technical controls are the products that utility companies employ to improve their operational ability. So, when it comes to access controls, authentication at log-on, and keeping unwanted agents out of the system, these are controls that can only be put into products at the vendor level, and that becomes the vendor’s focus.
Two-factor authentication can prevent an individual from gaining access to an OS with the simple input of a user name and a password. In contemporary ICS systems, vendors often build products knowing that there will maintenance needed sometime in the future. They may provide a log-in capability for maintenance personnel to use that is inherently weak, perhaps employing just four characters. These passwords are sometimes distributed with the product and they are never changed by the end user, making the system easy to infiltrate by cyber-attackers who are aware of the commonly known password and user name. This is an example of something basic, fixable, and not cost-prohibitive that can be helpful in deterring cyber-attacks. One-time passwords and security tokens are also useful means of authenticating system users at log-in.
It’s obvious that the days of two-factor authentication are numbered. In an increasingly cyber-connected world, more secure means of proving identity will have to be developed. “Biometrics … are a fundamental shift in the way we are identified. Unlike traditional identification which you must either remember or carry with you, biometrics are you, consisting of voice analysis, iris patterns, vein matching, gait analysis, and so on. Such traits are unique to an individual and are incredibly difficult to fake.”29 Biometrics and even more secure methods of authentication are on the horizon. The energy sector will adapt and evolve to meet the challenge of nullifying cybersecurity threats, but the industries adversaries are exceedingly clever and are part of the same race to harness new technologies.
Key Buying Factors In Selecting Security Vendors
Electric utility companies select their ICS vendors and security solutions vendors carefully. They examine the histories of vendors to get a sense of what kind of research they have done in the past and they also consider the country that the products are originating from and the implications of that. Of course, long-standing relationships and bonds of trust are important in the energy sector. It’s unlikely that a large utility would engage in a direct sale with a small startup that’s delivering something potentially disruptive. In most cases, a startup would need to go through a channel partner such as a security company or an ICS vendor in order to have the endorsement and the credibility those channels can provide.
Many companies are concerned with meeting NERC standards and compliance criteria. Some would argue that the ultimate focus needs to be on security, believing that the by-product of good security is good compliance. Again and again, compliance wins out because of the high-cost of achieving security. Vendor-supplied security products need to work well within various control systems, integrate with legacy products and operations, and be cost-effective and competitive.
Despite the hurdles, there is room for start-ups and innovators. The market is not presently secure and it is looking for workable solutions wherever they may come from. New systems are coming all the time. Energy companies are looking for vendors who have the system capability to protect them and to respond to them quickly. They want vendors that provide viable solutions that can be readily updated as situations change. “The role of innovator has fallen to companies that don’t have a legacy and are willing to look at the problems in new ways … there is an opportunity for small vendors to get funding and make a dent in the security space.”30
With everything at stake in cybersecurity, the reputation of vendors is a huge consideration for power companies. IT/OT and physical security personnel attend several conferences annually and vendor reputation is always a topic of interest. There is a general consensus formed regarding which vendors are good and which ones are bad. Security people are very aware of who overpromises and who under delivers, so reputation is paramount.
Can Overseas Vendors Be Trusted With American Security?
In a global world of commerce, energy companies sometimes select overseas vendors for security needs, but the decision to outsource can be a difficult one to make and it can be problematic when it comes to conducting background checks for vendors who have remote access to their shipments. Some would see this as a distinct vulnerability. Occasionally, political situations may preclude companies from selecting certain vendors (example: North American firms not being able to sell products in the Middle East because certain components are made in Israel). Smaller companies don’t seem as particular about the origin of products as long they get the job done.
At present, there are some small start-up ICS security providers in Italy, France, and the Netherlands. In the US, few of these provide services to utility companies that possess any kind of developed, mature incident response capability. If overseas vendors are going to succeed in the States, they will have to have US-based incident response. Overseas vendors will find it beneficial to respect geographical borders and national security interests by having a significant physical representation in the United States.
In the US, many talk about the importance of “buying American.” The automobile industry offers up an interesting parallel. Cars are made up of various components built in locations across the globe before they are ultimately assembled in Tennessee. So, is it really an American car or not? Energy companies operate in a global marketplace and foreign manufacturers will increasingly be producing products American companies need to use. For many years, IT, computers, and software were made in the US, but now there is more outsourcing and it will continue to proliferate with companies such as Seimens in Germany being a prime example.
Soon enough, it may not matter where a product comes from if it is built to specs and it is trustworthy. Purchasers may not want to put specific security products in every system, but may elect to incorporate a diversity of products. In a cyber-attack, one type of product spread across a network might bring down an entire infrastructure. Diversity of components leads to a better resiliency of operating systems. Wherever components originate, it will be essential for security solutions vendors to provide their clients with a sense of assurance and trustworthiness regarding their products.
Of course, the US has a tight-knit relationship with many “fly-by” countries such as those in the UK, Canada, New Zealand and Australia. These places also have a close kinship in the intelligence community and they are used to interacting and sharing information.
Relationships With Regulators
Overseas vendors hoping to make inroads in the cybersecurity market may see networking and forming close relationships with regulators as beneficial, however, they may want to be careful with those interactions. There are policies and directives that prohibit such relationships in the interest of regulators maintaining their objectivity. Large companies with a lot of personnel might interface with regulators to a greater degree, pushing their various agendas, but this is not as important for those involved in creating core technology.
Ideally, regulators are supposed to operate above the fray. They have a job to do and they have a sector to regulate and that is what they do. In the world of cybersecurity, impartiality, technical correctness, public vetting, and overall transparency are paramount. Anything less can negatively affect relationships in either direction.
Can New Vendors Gain A Foothold?
Most people are familiar with the dominant vendors in the energy industry. Shell, Exxon, and Chevron are the leaders in oil and gas. Honeywell and Seimens tower above others as DCS control systems vendors. It may be hard to clearly define an industry leader, but one thing is certain. Bigger companies have more at stake and are always dealing with larger public opinion-related issues.
For new vendors trying to gain a foothold in the security solutions market, it can be incredibly difficult. Many of these fledgling enterprises fail in the first couple of years. Despite the threat of cyber attacks, vendors are still faced with the task of winning the hearts and minds of potential customers. There has to be compelling rationale for many energy firms to make the significant investment in protections needed to provide adequate security. “If the vendor can’t identify that there is a real problem and a lack of good solutions that exist, it probably will have trouble going to market … a startup’s approach must be promising and have the ability to be tailored to an organization’s environment. There also has to be a sense that the vendor has a cohesive team in place agile enough to respond to changing market conditions and evolving security trends.”31
Part of the problem for vendors, the energy sector, and society as a whole, is that there are really no clearly defined parameters for what security due diligence is. Regulations in some areas help define required behavior regarding the implementation and enhancement of cybersecurity measures, but the industry is still mired in a “have to do versus nice to do” gray area, and may still need to reach a pain point where some catastrophe occurs that changes the conversation and makes what seemed unreasonable suddenly reasonable.
Yes They Can!
Others believe that resourceful new vendors can indeed gain market share in the compliance space. After all, the world is always looking for a good thing … something new and revolutionary. Many small vendors build valuable relationships because they are forthright, trustworthy, candid, and transparent. Just because a company is large they are not necessarily the best. A small company with a technology system that truly helps can find success. There is no shortage of impressive products, tools, and GRC (governance, risk management, and compliance) packages, but people are still needed who can operate them and maintain them. The vendors that will win in the end must provide products that require less human intervention and maintenance. There is improvement needed in this area and so great opportunity exists.
Despite this opportunity, there is no sugar-coating the fact that achieving go-to-market status is not easy. A new vendor may have a good product, but enabling the convergence of IT and OT and meeting the demands and challenges of specific organizations is a tall order. It is often beneficial for a new and/or smaller vendor to try and partner with a larger company in the interest of enabling new relationships with utilities. Ultimately, vendors will need to present a compelling case as to why their technology will provide true security solutions. The market is waiting for that type of innovation. Niche applications are another area of promising opportunity on the compliance side. Small solutions that are hyper-focused have a place in the market, too, but again, vendors may need to partner with a bigger player.
Cybersecurity is a new frontier and its importance in the energy sector and beyond will only grow in the coming years. The real threat of cyber attack is ever-present and on the increase as those bent on creating chaos, profiting illegally, or settling perceived political scores, continue to refine their skills and incorporate rapidly evolving technologies into their cyber-attack arsenals. Security solutions vendors have an important role to play in protecting critical energy infrastructure and the people it serves. True innovators will thrive, as will those who show that their products work and contribute to the overall functionality of our nation’s power grid, and to the reliability of energy delivery worldwide.
The following links correspond with sources used in the creation of this paper.
Additional Source Material: