This month we participated in NERC’s 2016 annual Grid Security Conference, which brings together cybersecurity and physical security experts from industry and government to share emerging security trends, policy advancements, and lessons learned related to the electricity sub-sector.
It’s no secret that Utilities are under greater pressure to operationalize security for Critical Infrastructure. The Ukraine cyber attacks in December 2015, where we experienced the first recorded power outage caused by a cyber attack, drew greater focus on protecting critical infrastructure. In May 2016, the G7 Energy Ministers released a joint statement that announced their commitment to “advancing resilient energy systems including electricity, gas, and oil, in order to respond effectively to emerging cyber threats and to maintain critical functions.” This is the latest in a series of movements around the world to protect data and critical infrastructure.
With this pressure mounting, Utilities are undertaking significant technology transformations to improve security. The Utility sector has come to the realization that cyber-attacks can no longer be prevented and, as the latest wave of sophisticated targeted cyber-attacks has proven, even classic defense approaches are lacking. Like many industries, Utilities have embraced the need not only to bolster their detection, but, equally as important, their ability to respond and take countermeasures.
GridSecCon 2016 Takeaway: Get a Realistic Cyber Plan in Place
Yet the industry remains behind in its sophistication and adoption of next generation security capabilities. EY’s most recent Global Information Security Survey revealed that 42% of power and Utilities companies say it’s unlikely they would be able to detect a sophisticated attack.
Security centers in the Utilities sector are ratcheting up investment in detection tools for non-IT systems such as SCADA/ICS and physical security systems. As these investments yield the desired result, Utilities must shift their focus to how to operationalize alerts before opening the alert floodgates.
However, will the exponential growth in detection alert investment actually increase protection from cyber threats to our nation’s infrastructure, or will it simply amplify the alert noise that makes it so easy for cyber criminals to operate under our noses in the first place?
The fact is most Security Operations teams in the Utilities sector lack the maturity to address this growing threat. What’s more, there simply won’t be enough budget to hire the number of people necessary to even begin to respond to alerts from multiple systems – not to mention finding people with the ability to tie alerts together, understand the complete threat landscape, and respond in time to prevent an outage.
Even in the case of the infamous and sophisticated Ukrainian power grid attack, which involved several stages of operation, the initial breach was to the corporate network before it moved into the SCADA system. There were alerts to be correlated here, both within IT and between IT and OT.
Understand Cyber Attacks in Real Time
Correlating alerts into threat storylines is already an ongoing and unresolved issue in the IT portion of most organizations. So before investing heavily in driving more detection alerts from other systems, utilities in particular must have a sound security operational strategy and practice in place — leveraging technology such as ThreatNexus to automatically and effectively correlate alert data based on the relationships between the alerts themselves. Regardless of which network or system the alerts stem from – IT, OT, or physical – the ability to tell the story of what is happening in real time is paramount to any security operations team in charge of protecting vital infrastructure. An end-to-end SOC platform, capable of producing meaningful and actionable reporting, automation, and analytics, is what the next generation of critical infrastructure leaders must be investing in.
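To make the idea of relationship-based correlation concrete, the following is an added example (not code from the original post and not ThreatNexus's implementation) that groups alerts from IT, OT, and physical sources into storylines by the entities they share. The alert records, the field names (`domain`, `source`, `entities`), and the entity labels are all constructed assumptions for this example; the alert sequence loosely mirrors the corporate-network-to-SCADA progression described above, but is not data from any real incident.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed sample alerts from three different monitoring domains.
# Entities use a "type:value" label so that a user, host, or IP seen by an
# IT tool can be matched against the same user or host seen by an OT tool.
SAMPLE_ALERTS: List[Dict] = [
    {"id": "A1", "domain": "IT", "source": "email-gw", "time": "2015-12-23T09:02:00",
     "summary": "Macro-enabled attachment opened", "entities": {"user:jdoe", "host:CORP-WS17"}},
    {"id": "A2", "domain": "IT", "source": "edr", "time": "2015-12-23T09:05:00",
     "summary": "Unusual remote-access tool installed", "entities": {"host:CORP-WS17"}},
    {"id": "A3", "domain": "IT", "source": "vpn", "time": "2015-12-24T14:10:00",
     "summary": "VPN login from new geography", "entities": {"user:jdoe", "ip:203.0.113.8"}},
    {"id": "A4", "domain": "OT", "source": "hmi-auth", "time": "2015-12-24T14:12:00",
     "summary": "Interactive HMI login outside maintenance window", "entities": {"user:jdoe", "host:HMI-SUB3"}},
    {"id": "A5", "domain": "OT", "source": "ics-ids", "time": "2015-12-24T14:20:00",
     "summary": "Breaker open command from unexpected station", "entities": {"host:HMI-SUB3", "asset:BRK-3-1"}},
    {"id": "A6", "domain": "IT", "source": "edr", "time": "2015-12-24T08:00:00",
     "summary": "Blocked adware download", "entities": {"host:CORP-WS42"}},
    {"id": "A7", "domain": "PHYSICAL", "source": "badge", "time": "2015-12-24T14:15:00",
     "summary": "Badge-in at substation 3 control room", "entities": {"user:mroe", "site:SUB3"}},
]


class _DisjointSet:
    """Minimal union-find: alerts and entities are nodes, shared entities join them."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, node: str) -> str:
        self.parent.setdefault(node, node)
        while self.parent[node] != node:
            self.parent[node] = self.parent[self.parent[node]]  # path halving
            node = self.parent[node]
        return node

    def union(self, a: str, b: str) -> None:
        root_a, root_b = self.find(a), self.find(b)
        if root_a != root_b:
            self.parent[root_b] = root_a


def build_storylines(alerts: List[Dict]) -> List[Dict]:
    """Group alerts that are transitively linked by a shared entity into storylines.

    Each storyline lists its alerts in time order, the domains it spans, and the
    entities that tie it together. Storylines are returned oldest-first.
    """
    ds = _DisjointSet()
    for alert in alerts:
        ds.find(alert["id"])  # register isolated alerts too
        for entity in alert["entities"]:
            ds.union(alert["id"], entity)

    groups: Dict[str, List[Dict]] = defaultdict(list)
    for alert in alerts:
        groups[ds.find(alert["id"])].append(alert)

    storylines = []
    for members in groups.values():
        members.sort(key=lambda a: a["time"])
        storylines.append({
            "alerts": [a["id"] for a in members],
            "domains": sorted({a["domain"] for a in members}),
            "entities": sorted(set().union(*(a["entities"] for a in members))),
            "first_seen": members[0]["time"],
            "last_seen": members[-1]["time"],
        })
    storylines.sort(key=lambda s: s["first_seen"])
    return storylines


def cross_domain_storylines(storylines: List[Dict]) -> List[Dict]:
    """Storylines that cross a domain boundary (e.g. IT -> OT) deserve first attention."""
    return [s for s in storylines if len(s["domains"]) > 1]


def narrate(storyline: Dict, alerts: List[Dict]) -> str:
    """Render a storyline as the ordered sequence of alert summaries an analyst would read."""
    by_id = {a["id"]: a for a in alerts}
    lines = [f"[{a['time']}] {a['domain']}/{a['source']}: {a['summary']}"
             for a in (by_id[i] for i in storyline["alerts"])]
    return "\n".join(lines)


if __name__ == "__main__":
    stories = build_storylines(SAMPLE_ALERTS)
    print(f"{len(stories)} storylines from {len(SAMPLE_ALERTS)} alerts")
    for story in cross_domain_storylines(stories):
        print("Cross-domain storyline spanning", ", ".join(story["domains"]))
        print(narrate(story, SAMPLE_ALERTS))
```

Run on the sample, the seven alerts collapse into three storylines, and only one of them spans both IT and OT: the chain from the opened attachment to the breaker command, linked through the shared workstation, user, and HMI. The unrelated adware block and the badge event stay separate, which is the noise reduction the post argues for. In a real deployment the entity extraction step (mapping each source's log fields onto common entity labels) is where most of the work lies; the grouping itself is cheap.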
With multiple networks susceptible to cyber threats, utilities need to be wary of simply adding to their detection alert problem and should instead focus their attention on shifting security operations from detection to response. In doing so, they can gain insight into how threats correlate across all environments and proactively avoid a critical infrastructure outage by understanding the threat storyline in real time, rather than by sifting through forensics after the incident.