By Michelle Froese, Senior editor
Windpower Engineering & Development
Last year, the Energy Department tested how state and emergency management officials would respond to a cyber incident. The simulated attack would take out power across seven states in the Northeast and mid-Atlantic regions, affecting infrastructure and some 16.7-million customers.
The result? “Many planning and communications gaps were revealed concerning the cyber incident,” states the follow-up report entitled Liberty Eclipse. The report also provides several recommendations. One is to expand the Energy Department’s energy assurance program to better support planning and preparedness, through regular education, training and exercises.
Scott Bolick, head of software strategy & product management at GE Power, understands the significance of cyber planning and security for important infrastructures.
“It’s really about mitigating risks,” he shares. “When I think about cyber security and protecting valuable assets, I liken it to buying insurance. I buy home insurance because it is important to me to protect my family. I want assurance that if anything happens, my son and wife are taken care of. But why does one ‘buy’ cyber security?” he asks.
For a wind farm or power plant owner, the answer includes safeguarding networks and control systems to eliminate unexpected outages and unplanned downtime.
“This comes down to mitigating risks and delivering on a promise of productivity — which means ensuring a utility or plant owner can fully live up to the obligations of what they’ve bid for electricity,” he says. “But when we look at power and utility customers, over 60% of the leaders tell us that their security strategy is not aligned to today’s environment risk.”
Perhaps this is of little surprise. One recent example of malware, called “CrashOverride” or “Win32/Industroyer,” is seemingly designed and deployed by a nation-state to target and shut down electric grids. Analysis shows that it is likely the same type of malware that shut down portions of the Ukraine electric grid in December 2016. Such malware is also reportedly capable of delaying restoration actions, erasing network software, deleting traces of the malware after its attack and preventing effective forensics. It is a big threat.
In the Department of Energy’s second installment of the Quadrennial Energy Review (January 2017), it warned that a widespread power outage caused by a cyber attack could undermine critical infrastructure, and notes: “Cyber threats to the electricity system are increasing in sophistication, magnitude, and frequency.”
“Cybersecurity is a concern because the digital revolution is so relevant, driving productivity and reliability for many industries,” says Bolick. “But this new digital world is something special, and something that cannot or should not be dismissed because it is pushing industry, and specifically the power industry, forward.”
Bolick points to how digital software can increase the annual energy production of a wind turbine by up to 10%. In this example, he is referring to GE’s Predix-based software, which collects data from wind turbines, analyzes it, and provides recommendations for increased efficiency.
“But whether you talk wind, solar or more conventional power plants, digital solutions are enabling these facilities to do things they could have never done before that allow for more strategic planning and productivity. It’s quite impressive and the digital proliferation is only going to increase.”
As it develops, however, it is important to keep digitalization from inadvertently introducing risks to equipment or infrastructure. “Unfortunately, what we see is that many utilities are struggling with their IT environment.”
According to a report from GE Power, one reason for this is “a cyber-security ownership issue,” and who is accountable for security measures. This typically lands in a nebulous area between the IT and the operations’ organizations. While IT teams are typically focused on protecting data and systems, now their role is expanding to work with operations’ technologists, who must protect critical assets and control systems. An attack on IT could lead to data theft, while an attack on operations could affect the physical world, such as people, environment and assets.
“People want a magic box that solves everything. But ultimately, cyber security is about people and processes. The reality is that you can and should have great technologies around cyber, but also the people to uphold and maintain it. A big portion of what we do in the Baseline Security Center is making sure of that, so we may deploy a product, but we’re also out there training and working with customers to fully benefit from it.”
Baseline security measures
GE’s Baseline Security Center is a risk-management platform that provides security tools, configurations and practices to reduce exposure to cyber risk. Unlike typical vendor products, the Center is platform agnostic.
“When we were considering a framework and deciding on how to best think about security for power customers, we stepped back and relied on the Center for Internet Security,” he says. “It provides a critical security framework that has 20 different control points or critical factors.”
The Center for Internet Security’s Critical Security Controls (CIS Controls) is a non-profit organization that works to safeguard private and public organizations against cyber threats. CIS Controls are a prioritized set of actions that can protect critical systems and data from the most pervasive cyber attacks.
Organizations that implement just the first five of 20 CIS Controls can reduce their risk of cyber attack by around 85%.
“What we’ve done is work with these control points to create the tools, configurations and services, so now we can go out and effectively enable a customer to meet cyber threats. The Baseline Security Center essentially lets customers quickly and securely manage controls. These may include patches and patch management, version management, access controls and rights and the basics of network and asset security.”
An understanding of asset protection is only the first step. Bolick says constant vigilance and updated policies and procedures are the best long-term security action against cyber disruption.
Proper threat mitigation involves working together to identify a road map that provides greater security. “A lot of cyber-security measures are really about developing a process that works,” he says.
Part of that process is the surveillance equipment and potential event response, but a large portion should also include audits and ongoing checks to ensure employees or workers are taking security seriously. This includes asking important questions, such as: What is in place for cyber training, what are the data-sharing requirements between departments, or is remote-user access and authentication acceptable at our facility?
“A large part of security is in the process and that may develop slightly differently at different organizations or enterprises,” he adds, “But the end goal is always the same, and cyber security comes down to insurance and managing risk.”
Best practices for cyber security
These few best practices recommended by GE Power are for maintaining a continuously protected environment, which most importantly includes a transition from a reactive to a predictive security program.
- Keep software and firmware up-to-date with timely patch updates.
- Hire an external cyber-security company to perform site evaluations, threat modeling, and penetration testing to evaluate systems.
- Engage an automate patch system for critical ICS — so that manual update schedules aren’t a barrier.
- Participate in security communities focused on business environments to stay current on trending attacks and best practices.
- Monitor critical systems for security related events and anomalies.
- Educate operations and IT personnel on a regular basis on new attack mechanisms so that they can act as watchful eyes across physical and system landscapes.
The last tip means that every employee needs to be armed with the tools and proper protocol for maintaining the company’s security profile.
Filed Under: Uncategorized