Utility Week - authoritative, impartial and essential reading for senior people within utilities, regulators and government
Issue link: https://fhpublishing.uberflip.com/i/1094485
UTILITY WEEK | 22ND - 28TH MARCH 2019 | 21 | Operations & Assets

Ofgem and the DWI remain tight-lipped about how advanced utilities are in meeting the requirements of the regulations, prompting some experts to speculate that progress has been patchy.

Energy companies are particularly alive to the threat of security breaches because there have been a number of high-profile attacks, such as the power outages that affected hundreds of thousands of people in Ukraine in 2015 and 2016 following a cyber attack by the Dragonfly cyber espionage group. However, there are concerns that the water industry may be trailing in its preparations.

Paul Knott, a security strategist at cyber security software and service provider Symantec, warns that the operational technology within critical infrastructure companies usually presents the highest risk. "Some systems that were never intended to be connected have now been connected, and that presents risks," he says.

Meanwhile, the proliferation of Internet of Things devices relating to smart energy, such as light bulbs, white goods, batteries and electric vehicle chargers, poses a growing risk to the stability of the transmission and distribution systems.

Skills shortages

Another likely challenge to meeting the requirements of the regulations is the availability of suitably skilled cyber security professionals. Government-commissioned research published in December found that more than half of businesses and charities have a basic cyber security skills gap, and the Center for Cyber Safety and Education forecasts a global shortfall of 1.8 million workers in the information security sector by 2022.

Organisations also need a fall-back plan in case their personnel and technology fail to repel an attack on infrastructure, de Leeuw says. "Organisations must have clear response and recovery planning – and plans for continuous improvements to current systems."
Mo Ahddoud, chief information security officer at gas distributor Scotia Gas Networks, says he believes the regulations are 100 per cent fit for purpose and have helped organisations to reflect on whether they have the appropriate controls to protect against the threats they face. "Conceptually, when you look at what they are trying to achieve, we can only advocate it," he says. "The challenge boils down to specific interpretation. Can you show evidence that you are complying with your acceptable risk threshold? If not, that's something you could be criticised for."

Opinion

Asset security: the next generation

Increased threat means utilities need to change their approach to securing their networks and apply the techniques and principles already in use in IT to the operational environment, says Andrew Longyear.

The digital transformation of utilities brings with it major challenges for water and energy companies in terms of protecting their operations from cyber-attacks. In the past, safeguarding assets from unauthorised access was primarily a physical activity. However, our digital world means keeping water treatment works or electricity substations under physical lock and key is no longer enough.

Power utilities must be connected to increase grid efficiencies, improve resilience and ultimately deliver the next generation of services. But with the growing need for cross-sector digital connectivity, cyber security, data integrity and confidentiality will be increasingly important. The growing number of attacks on the power side has sent shockwaves through the industry, resulting in new regulations to avert crippling attacks on critical energy infrastructure. The challenge is to fully protect operational assets without disrupting operational processes, while still allowing third-party access for maintenance purposes.
Threats and security breaches can originate from anywhere; for example, an employee using a USB stick or laptop to download data from a PLC (programmable logic controller) or RTU (remote terminal unit), not realising that the device contains malware. And even if a utility has managed to lock down its own operations, what about the risks posed by third-party suppliers, who have no idea that the route to attack could be an insecure or unchecked laptop? This topic was discussed at length during a recent industry roundtable, supported by Cisco, which I took part in (report p18).

Utility companies are having to change their approach to align with new regulation and the new requirements of the operational communication networks.

First, it is important to identify every device connected to the operational network; this includes older but essential devices running legacy protocols. Understanding the security posture and risk profile of each device ensures they cannot compromise overall security. All new substation devices, for example, will ideally now have an identification process where each device announces itself to the network, using authentication that can be verified by some type of authority to establish trust. The identification of every device is also critical in determining which other devices it can – and should – communicate with.

Second, the ability to control access to the communications network, and to all devices on it, is critical and is aligned with the identity and posture of these devices. The ability to segment or quarantine rogue devices quickly ensures their impact is minimal. Controlling access to the network also extends to managing third-party devices and people, such as contractors. The same policies should be applied for access within a substation or treatment works in addition to remote access via VPNs.

Third, the ability to closely observe and manage the communication network is key. We can now use techniques to monitor infrastructure communication flows, analyse network traffic behaviours and use threat intelligence to identify any suspicious devices or traffic. An example of this would be a temperature measurement sensor sending control commands to a PLC. This type of traffic can only be picked up by in-depth visibility of the network.

These principles and techniques have been used in the IT industry for many years and are now being applied to the operational environment. We need to be mindful that the operational network has a greater focus on availability compared to the IT world at large and, as such, some techniques such as automatic remediation are often modified for utilities companies.

Andrew Longyear, solutions architect, Cisco
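The three steps in the opinion piece above (inventory every device, control which devices it may talk to, and watch the traffic for behaviour that does not fit a device's role, such as a temperature sensor issuing control commands to a PLC) can be shown as one small policy check over flow records. The following is an added example written for this page; it is not code from Utility Week, Cisco or the author. The device names, roles, inventory and flow records are constructed, the role vocabulary and allow-list layout are assumptions, and the checks are a simplified stand-in for what an OT monitoring product does; the Modbus function codes are the standard protocol values.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Standard Modbus function codes. Reads carry telemetry; writes change PLC
# state, so they count as control commands for the behavioural check below.
MODBUS_READ = {1, 2, 3, 4}
MODBUS_WRITE = {5, 6, 15, 16}

# Assumed role vocabulary: only these roles are expected to command a PLC.
# A sensor reports readings and is deliberately not on this list.
WRITE_CAPABLE_ROLES = {"hmi", "engineering_ws", "plc"}


@dataclass(frozen=True)
class Device:
    """One inventory entry (step 1: identify every device on the OT network)."""
    name: str
    role: str                       # sensor, plc, hmi, engineering_ws
    allowed_peers: FrozenSet[str]   # devices it may talk to (step 2: control access)
    authenticated: bool = True      # did it prove its identity when joining?


@dataclass(frozen=True)
class Flow:
    """A decoded flow record as a passive probe would emit it (step 3: observe)."""
    src: str
    dst: str
    proto: str
    function_code: Optional[int]    # Modbus function code if decoded, else None


Finding = Tuple[str, str]   # (finding kind, human-readable detail)


def classify_flow(flow: Flow, inventory: Dict[str, Device]) -> List[Finding]:
    """Return the findings for one flow; an empty list means it matches policy."""
    findings: List[Finding] = []
    src = inventory.get(flow.src)
    dst = inventory.get(flow.dst)

    # A talker that is not in the inventory is the first quarantine candidate.
    if src is None:
        return [("unknown_device", f"{flow.src} is not in the inventory")]
    if not src.authenticated:
        findings.append(("unauthenticated_device", f"{flow.src} never proved its identity"))

    # Segmentation policy: the device's identity decides who it may talk to.
    if flow.dst not in src.allowed_peers:
        findings.append(("policy_violation", f"{flow.src} -> {flow.dst} is not an allowed pair"))

    # Behavioural check: a device whose role is to report readings must not
    # issue write commands to a PLC, whatever the allow-list says.
    if (dst is not None and dst.role == "plc"
            and flow.function_code in MODBUS_WRITE
            and src.role not in WRITE_CAPABLE_ROLES):
        findings.append(("unexpected_control_command",
                         f"{src.role} {flow.src} sent Modbus write fc {flow.function_code} to {flow.dst}"))
    return findings


def audit(flows: List[Flow], inventory: Dict[str, Device]) -> List[Tuple[Flow, List[Finding]]]:
    """Run every flow through the checks and keep only those with findings."""
    results = []
    for flow in flows:
        findings = classify_flow(flow, inventory)
        if findings:
            results.append((flow, findings))
    return results


# Constructed sample inventory and flows (not real assets or captured traffic).
SAMPLE_INVENTORY = {
    "plc-01": Device("plc-01", "plc", frozenset({"hmi-01", "temp-sensor-01"})),
    "temp-sensor-01": Device("temp-sensor-01", "sensor", frozenset({"plc-01"})),
    "hmi-01": Device("hmi-01", "hmi", frozenset({"plc-01"})),
    # contractor laptop plugged in on site without completing authentication
    "contractor-laptop": Device("contractor-laptop", "engineering_ws",
                                frozenset({"plc-01"}), authenticated=False),
}

SAMPLE_FLOWS = [
    Flow("plc-01", "temp-sensor-01", "modbus", 4),      # PLC polling input registers: normal
    Flow("hmi-01", "plc-01", "modbus", 6),              # operator setpoint change: expected role
    Flow("temp-sensor-01", "plc-01", "modbus", 16),     # sensor writing registers: the article's example
    Flow("hmi-01", "temp-sensor-01", "modbus", 3),      # HMI bypassing the PLC: not an allowed pair
    Flow("contractor-laptop", "plc-01", "modbus", 16),  # unauthenticated engineering laptop
    Flow("10.10.5.77", "plc-01", "modbus", 3),          # address not in the inventory at all
]


def sample_finding_kinds() -> List[List[str]]:
    """Finding kinds raised by the sample data, in flow order (quick self-check)."""
    return [[kind for kind, _ in findings] for _, findings in audit(SAMPLE_FLOWS, SAMPLE_INVENTORY)]


if __name__ == "__main__":
    for flow, findings in audit(SAMPLE_FLOWS, SAMPLE_INVENTORY):
        for kind, detail in findings:
            print(f"{kind:28s} {flow.src} -> {flow.dst}: {detail}")
```

Running the script lists four flows: the sensor issuing a write to the PLC, the HMI talking to a device it is not paired with, the unauthenticated contractor laptop, and an address that was never inventoried. The findings are reported rather than acted on automatically, which matches the author's point that availability comes first on an operational network and that automatic remediation is usually toned down for utilities; quarantine of a flagged device would be a separate, deliberate step.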