Owners and operators of our power systems need better ways of knowing what assets they have in their production environments, which have computing capability, and which connect to the internet.
Defending America’s interconnected electric, oil and gas networks from physical and digital disruption is a defining challenge of our time: It requires actions that acknowledge the origins and complexities of energy infrastructures, and how they intersect with the internet’s ever-evolving capabilities and vulnerabilities, as well as the complex oversight mechanisms that have evolved over time.
For policymakers, power utilities and other stakeholders, energy security will always remain an inherently “physical” arena, focused more on raw materials and commodities than computers. The U.S. maintains the Strategic Petroleum Reserve, for example, which plays a critical role in U.S. energy, economic and national security. Whether it’s petroleum reserves or finite elements like helium, maintaining these emergency stockpiles rightfully falls within the domain of the federal government.
The readiness of coal, nuclear, wind, oil, solar and other power stations to perform under all conditions presents a valid and critical national security issue. However, we should not let debates about any one piece of this energy portfolio’s future sideline the strategic priority of securing connected systems they all rely on everywhere.
The interwoven physical, commodity and internet risks of energy security flashed back into focus recently, when the Trump administration moved to specifically increase grid operators’ reliance on nuclear power and coal-fired plants. The Energy Department characterized these facilities as being more centralized in operation, with coal piles and reactors permanently situated on site for generation—in Energy’s reasoning, less susceptible to disruptions from cyberattacks that could impede propane flows to natural gas plants, for example.
Reactions to the Energy order are mixed, and arrive as both Energy and the Homeland Security Department have promulgated new national cybersecurity strategies that include calls for public agencies and the private sector (energy generation, transmission and brokers in between) to cooperate more closely to better secure our interconnected energy systems. Chief among these strategies’ calls to action is that the rise of the internet of things and industrial internet of things, and the risk these devices potentially introduce when deployed alongside energy resources, threatens grid and pipeline operation. However, with greater connectivity comes efficiency and a safer grid that allows continuous monitoring.
With major cybersecurity concerns in the fast-moving world of IoT and energy, the focus must shift. It sounds simple, but owners and operators of our power systems need better ways of knowing what assets (IT and otherwise) they have in their production environments, which have computing capability, and which (gulp!) connect to the internet.
Such a task brings challenges: Power system operators cannot use the same tools to manage connected plant equipment as corporations use to oversee, say, computer workstations. Power system environments are complex, with such “things” as valves monitored by connected sensors, SCADA controllers or ruggedized field systems. Protecting these connected entities in a wider energy security campaign is not like deploying anti-malware or encryption tools across fleets of PCs. Traditional cybersecurity scans can degrade the performance of switching and other critical gear, risking possible system downtime or worse.
Regardless of whether these systems or nodes are persistently connected to the internet, they are still susceptible to exploitation (through vulnerabilities, deliberately introduced malware and so on). Attackers usually need to gain entry into only one place to move laterally into other systems, often completely unfettered. So while it is tempting to gauge “which” collection, combustion or generation facility has the greatest internet exposure and attack surface, policymakers and operators should instead focus on determining and managing their true connected footprint, which is not static over time. Security strategies should first stress passive detection of connected systems and the monitoring of their levels of activity. A “do no harm” approach reassures operators that security does not need to come at the expense of reliability while identifying and correcting widespread “hygiene” problems.
So what else can be done to protect these complex and sensitive environments? Consider the following:
Work together. While the new electric grid initiative is still taking shape, developing and expanding this program will do far more for energy sector cybersecurity than just investing in one power source. Energy and Homeland Security must work together with industry to truly shape industry behavior, and we all must accept that the security of our national power infrastructure is a shared responsibility. Some of the costs of making it secure must inevitably be borne by us consumers.
Learn from what exists. The federal government has learned a thing or two about how to secure sensitive IP-enabled equipment, such as x-ray machines in military hospitals or optical scanners in processing facilities. In programs like Continuous Diagnostics and Mitigation, the federal government is implementing “old” (but good) principles with cutting-edge tools like agentless asset detection. Learning from this can help vastly improve security without risk of disruption to critical government services.
Test, implement, measure. Find a way to test “state of the art.” As with any new cutting-edge security technology, people are reluctant to implement something without proof. Power operators need more testing capabilities to accelerate the adoption of innovative, effective security solutions. Then, they have to measure improvement, to determine how much they are able to improve their security postures, or not. Metrics start with domain awareness, and fear of regulatory action/penalties should not encumber the transparent measurement of progress.
The U.S. election triggered a multitude of headlines about the insecurity of voting systems. Regardless of anyone’s particular political leanings, there is no doubt that our adversaries are actively seeking ways to disrupt American society and institutions. And our adversaries fully realize that widespread, prolonged power outages would do this, so we should approach the threat like the critical national priority that it is. Whether it’s coal and nuclear today or breakthrough fuel sources tomorrow, we have to keep a clear and consistent eye on the digital backbone that simultaneously puts our nation and economy’s energy lifeblood in reach, and at risk.
Ryan Brichant is a vice president and chief technology officer of Global Critical Infrastructure Cyber Security for ForeScout Technologies.