Practical Advice for Managing Growing Technology Security Threats

Mechele Herres

Cybersecurity is top of mind for all organizations as threats continue to escalate from nefarious players across the globe. Utilities have a huge burden to bear when it comes to securing the grid and the vast amount of infrastructure already in place. As the grid expands and modernizes, so does the number of interconnected cyber-enabled devices.

In an interview with Utility 2030 Collaborative, Tim Conway of the SANS Institute shares some valuable information on risks, implications and advice. I had the privilege of working with Tim at SANS, and he is among the best in the industry. He is actively involved in the ICS (Industrial Control System) space. He has over 20 years of experience working in critical infrastructure and has worked with asset owners and operators in efforts to defend their environments and respond to incidents.

What implications do you see for utilities as IoT continues to grow?

There is going to be confusion and debate around terms like Internet of Things (IoT), Industrial Internet of Things (IIoT), Industry 4.0, etc., depending on device placement and use. What is important to focus on is the movement toward cyber-physical devices in all elements of our lives. Utilities will need to constantly balance the needs of the customers they serve and enable those capabilities in a way that does not impact the safety or reliability of the system.

Do you see it impacting operational areas differently, i.e., billing, power generation, grid, industrial control systems (ICS), Supervisory Control and Data Acquisition (SCADA)?

There are obviously some environments of greater concern than others, as they have wide-area view and wide-area impact. However, an interesting trend that we need to pay close attention to is the interconnectedness and interdependence of these systems, which can provide attack vectors from lower-impact assets or technologies to be leveraged and enable attacks on higher-impact areas.

Do you see one area being more vulnerable than another?   

Really tough to answer, as there are a number of variables at play, and many of these variables are not controllable by the asset owner. However, thinking about areas that may be more vulnerable than others, I would look at those process or automation environments that are becoming more and more distant from human operators and support personnel. Distance from the process under control results in a high reliance on whole-of-system integrity in order to operate effectively, which introduces a number of attack vectors and associated vulnerabilities.

How do attackers usually infiltrate?  

They target humans. 

What do you attribute the ever-increasing cyber-attacks to?  

The ubiquity of cyber devices.  

Do utilities have what they need today to protect the grid (i.e. employee expertise, software, culture)?  

Culturally, operations organizations within utilities are filled with mission-focused and dedicated personnel. The struggles will always be a question around how much investment is enough around capital and O&M expenses, the appropriate balance around workforce development programs (initial and continuing), and obtaining the necessary tools and technology for the operations environment.

What is the ideal model for infrastructure protection?  

There is no perfect model that will rule them all. An ideal model needs to meet a sector where it is and address the greatest risk, then progress to address the greatest identified risk areas over time. Areas of strength learned across different models should be highlighted: requirements designed by industry for industry, with clear asset prioritization criteria and an effective incentives or enforcement approach, will exist in mature approaches over time.

Do you see utilities working together more to solve cyber issues? Is there a collaborative group that exists? If so, what is that group?  

Information sharing and analysis centers, industry working groups, cyber mutual aid efforts, joint exercises, and competitions are growing and becoming increasingly integral in many sectors.

If you were to recommend the top 3 things utilities should be doing for mission critical security, what would they be?  

Train and retain teams, know your assets (inventory hardware, software, and configurations), and practice IR and recovery.  

What steps should utilities be taking to protect themselves? 

Understand adversary capabilities, identify achievable operational impacts, and mitigate the most impactful of those. 

Since all utilities are most likely in various stages of cybersecurity protection, would this guideline help to assess their current risk and how to mitigate?   

There are certainly assessment tools and maturity model approaches, but I would start easy: ask some of your key, experienced personnel how they would attack the system and what keeps them up at night.

With customer-centricity in mind, what do you see as the best way to assure customers that their power is safe, secure and available 24x7x365?

Educate customers on the balance of those items. 

Is there any other cyber advice you would give to utilities?

Help each other when you can and ask for help more than you do. 

Outside of SANS, Tim continues to work on projects that blend cyber security, operations technology, and critical infrastructure protection with a focus on the energy sector.   

Dig Deeper  

SANS Institute Industrial Control Systems Security Resource Page and Forum  

SANS ICS456: Essentials for NERC Critical Infrastructure Protection Course  

ICS Security Summit 2021 is Completely Free 

About Tim Conway

Tim serves as the Technical Director for ICS and SCADA programs at SANS, and is responsible for developing, reviewing, and implementing technical components of the SANS ICS and SCADA product offerings. He additionally performs contract and consulting work in the areas of ICS cyber security with a focus on energy environments.

A recognized leader in CIP operations, he formerly served as the Director of CIP Compliance and Operations Technology at Northern Indiana Public Service Company (NIPSCO), and was responsible for Operations Technology, NERC CIP Compliance, and the NERC training environments for the operations departments within NIPSCO Electric. 

Recognizing the need for ICS-focused cyber security training throughout critical infrastructure environments and an increased need for NERC CIP hands-on training, Tim authored and instructs the ICS curriculum's newest course, ICS456: Essentials for NERC Critical Infrastructure Protection.