Utility Week - authoritative, impartial and essential reading for senior people within utilities, regulators and government
Issue link: https://fhpublishing.uberflip.com/i/982883
20 | 18TH - 24TH MAY 2018 | UTILITY WEEK Operations & Assets Market view I n August 2017, the UK government pro- posed plans to implement the Security of Network and Information Systems Direc- tive (the NIS Directive). The aim is to improve the security of the UK's essential services – including utilities. Facing a penalty of up to £17 million if they are not up to standard, energy and water providers must take action to prevent disruption to their services. The challenges of convergence In the past, utilities have largely relied on the separation of their business systems from their industrial control systems (ICS) or oper- ational technology (OT) to provide security. This meant air-gapping communications and control networks with no links to external networks. Today the industry faces new challenges. With the drive for operational efficiency, util- ities are being forced to deploy digital solu- tions that take advantage of IIoT (industrial internet of things) technology to integrate their operational systems and networks with internal business systems and external sys- tems such as data analytics services. Utili- ties are also under competitive pressures to explore opportunities to monetise their data in creative ways. All of this means a weakening of the sep- aration between customer, operational and corporate networks. The nationwide rollout of smart meters is a great example, and one that is recognised as a significant risk to the country's critical infrastructure if it is not secured properly. Right tools for the job Industrial networks and systems are set to undergo a digital transformation similar to that experienced by commercial businesses many years ago. This transformation will bring with it new and existing threats and risks. The potential for industrial cyber- incidents to occur at a frequency we have become accustomed to in commercial enter- prise is also real. If industrial cybersecurity is not properly addressed in the utility sector, we are open not only to the risks posed by data breaches Innovation meets security Rob Pears and Peter Herdman describe how pressures to increase efficiency and monetise data can put utilities at odds with the need to maintain operational security. but there is also a genuine risk to the avail- ability of energy and water at a local and national level. In some areas there are no second chances. Destruction on the scale of a terrorist attack could be caused or public health put at significant risk. Even low-level opportunist cybervandalism has the potential to cause disruption (or at least annoyance and distraction) and this risk is escalating given the growing digitisation of asset man- agement, automation and process control. Utility companies must make sure they are prepared to deal with the emerging cyberchallenges to securing industrial sys- tems. This means improving security pro- cesses and capabilities while also improving operational efficiency and achieving busi- ness objectives. Many utility companies do not have the experience or expertise to address ICS or OT security. Some organisations make the mis- take of trying to apply an enterprise secu- rity model in an industrial environment or believe technology will solve the problem. This approach does not recognise the fun- damentals of control systems and the chal- lenges associated with operating industrial plant. It is therefore prudent for utilities to learn the lessons and gain insight from other organisations that operate critical national infrastructure. The priorities in industrial environments are typically not the same as they are for business. Safety, availability, integrity and confidentiality – in that order – are typi- cally the priorities in industrial systems. As an example, a change made by enterprise IT on a manufacturing system brought produc- tion to a complete standstill. Had this been a safety-critical system in a utility company the outcome may have threatened public safety. Who, what and how…. If they have not already done so, utility companies should act now to protect their industrial infrastructure. There are many security activities that utility companies can start today using existing resources. These ICS/OT security basics are fundamental to developing foundations for a robust ICS/ OT security programme. Start by forming a multi disciplinary working group to address ICS/OT security. It is imperative that senior leadership from both information security and engineering are part of the group. Tech- nical personnel are also key participants. Engineering teams should document all ICS/OT cyberassets, starting with those they believe are critically important. They should include those networked controls, systems and devices that if compromised may affect health and safety or availability of the plant. High-level diagrams and design documenta- tion of the ICS/OT network are also essential, not only as an aid to assessing the risk and implementing appropriate technical con- trols, but also to facilitate investigation and recovery when an incident occurs. Oen this documentation does not exist, but it should be produced. Remember your suppliers A frequently overlooked primary attack vec- tor is the supply chain. With many small and specialist vendors supplying utility com- panies, this is an easy route to breach the defences of an ICS/OT network. By first com- promising a supplier, an attacker can exploit the trust and access smaller specialist sup- pliers have. Implementing a comprehensive supplier security assurance programme is essential to mitigate this risk. In parallel, a risk assessment should be undertaken. This should be followed by a report that documents recommendations for improvements and an ICS/OT security road- map. Experience has shown that the risk assessment and report should be prepared by ICS/OT security specialists. From the directives issued through possi- ble fines and safety impacts to reputational damage, the reasons to give cybersecurity due investment and attention become clear. The integration with wider industrial and technical development will be a key fac- tor in the effectiveness and efficiency of the implementation. Rob Pears, VP, energy & utilities, Capgemini and Peter Herdman, UK capabilities lead at ICS Security