Forward-Thinking Strategies Can Secure the Power Grid

urbans/Shutterstock.com

Owners and operators of our power systems need better ways of knowing what assets they have in their production environments, which have computing capability, and which connect to the internet.

Defending America’s interconnected electric, oil and gas networks from physical and digital disruption is a defining challenge of our time: It requires actions that acknowledge the origins and complexities of energy infrastructures, and how they intersect with the internet’s ever-evolving capabilities and vulnerabilities, as well as the complex oversight mechanisms that have evolved over time.

For policymakers, power utilities and other stakeholders, energy security will always remain an inherently “physical” arena, focused more on raw materials and commodities than computers. The U.S. maintains the Strategic Petroleum Reserve, for example, which plays a critical role in U.S. energy, economic and national security. Whether it’s petroleum reserves or finite elements like helium, maintaining these emergency stockpiles rightfully falls within the domain of the federal government.

The readiness of coal, nuclear, wind, oil, solar and other power stations to perform under all conditions presents a valid and critical national security issue. However, we should not let debates about any one piece of this energy portfolio’s future sideline the strategic priority of securing connected systems they all rely on everywhere.

The interwoven physical, commodity and internet risks of energy security flashed back into focus recently, when the Trump administration moved to specifically increase grid operators’ reliance on nuclear power and coal-fired plants. The Energy Department characterized these facilities as being more centralized in operation, with coal piles and reactors permanently situated on site for generation—in Energy’s reasoning, less susceptible to disruptions from cyberattacks that could impede propane flows to natural gas plants, for example.

Reactions to the Energy order are mixed, and arrive as both Energy and the Homeland Security Department have promulgated new national cybersecurity strategies including calls for the public agencies and private sectors (energy generation, transmission and brokers in-between) to cooperate more closely to better secure our interconnected energy systems. Chief among these strategies’ calls-to-action is that the rise of the internet of things and industrial internet of things and the risk these devices potentially introduce when deployed alongside energy resources—threatens grid and pipeline operation. However, with greater connectivity comes efficiency and a safer grid that allows continuous monitoring.

Shifting Focus

With major cybersecurity concerns in the fast-moving world of IoT and energy, the focus must shift. It sounds simple, but owners and operators of our power systems need better ways of knowing what assets (IT and otherwise) they have in their production environments, which have computing capability, and which (gulp!) connect to the internet.

Such a task brings challenges: Power system operators cannot use the same tools to manage connected plant equipment as corporations use to oversee, say, computer workstations. Power system environments are complex, with such “things” as valves monitored by connected sensors, SCADA controllers or ruggedized field systems. Protecting these connected entities in a wider energy security campaign is not like deploying anti-malware or encryption tools across fleets of PCs. Traditional cybersecurity scans can degrade the performance of switching and other critical gear, risking possible system downtime or worse.

Regardless of whether these systems or nodes are persistently connected to the internet, they are still susceptible to exploitation (through vulnerabilities or deliberately introduced malware, etc.). Attackers usually need to only gain entry into one place to move laterally into other systems, often completely unfettered. So while it is tempting to gauge “which” collection, combustion or generation facility has the greatest internet exposure and attack surface, policymakers and operators should instead focus on determining and managing their true connected footprint—which is not static over time. Security strategies should stress passive detection of connected systems and the monitoring of their levels of activity, first. A “do no harm” approach reassures operators that security does not need to come at the expense of reliability while identifying and correcting widespread “hygiene” problems.

So what else can be done to protect these complex and sensitive environments? Consider the following:

Work together. While the new electric grid initiative is still taking shape, developing and expanding this program will do far more for energy sector cybersecurity than just investing in one power source. Energy and Homeland Security must work together with industry to truly shape industry behavior, and we all must accept that the security of our national power infrastructure is a shared responsibility.  Some of the costs of making it secure must inevitably be borne by us consumers.

Learn from what exists. The federal government has learned a thing or two about how to secure sensitive IP-enabled equipment, such as x-ray machines in military hospitals or optical scanners in processing facilities. In programs like Continuous Diagnostics and Mitigation, the federal government is implementing “old” (but good) principles with cutting-edge tools like agentless asset detection. Learning from this can help vastly improve security without risk of disruption to critical government services.

Test, implement, measure. Find a way to test “state of the art.” As with any new cutting-edge security technology, people are reluctant to implement something without proof. Power operators need more testing capabilities to accelerate the adoption of innovative, effective security solutions. Then, they have to measure improvement, to determine how much they are able to improve their security postures, or not. Metrics start with domain awareness, and fear of regulatory action/penalties should not encumber the transparent measurement of progress.

The U.S. election triggered a multitude of headlines about the insecurity of voting systems. Regardless of anyone’s particular political leanings, there is no doubt that our adversaries are actively seeking ways to disrupt American society and institutions. And our adversaries fully realize that widespread, prolonged power outages would do this, so we should approach the threat like the critical national critical priority that it is. Whether its coal and nuclear today—or breakthrough fuel sources tomorrow—we have to keep a clear and consistent eye on the digital backbone that simultaneously puts our nation and economy’s energy lifeblood in reach, and at risk.

Ryan Brichant is a vice president and chief technology officer of Global Critical Infrastructure Cyber Security for ForeScout Technologies.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.