The Mason-IBM-NSF April 2015 conference engaged industry, academia and government in a dialogue to address the challenges and uncertainties associated with securing industrial control systems (ICS) and processes, including supervisory control and data acquisition (SCADA) systems. It also made recommendations on possible actions and steps for industry leaders and policymakers.

Industrial control systems are vital to the operation of the U.S.’s critical infrastructure and can be found in electric, water and wastewater, oil and natural gas, transportation and discrete manufacturing industries, among others. The increasingly networked and linked infrastructure of modern ICS introduces serious cyber risks and vulnerabilities that cannot be addressed by physically separating the systems from the components they control and monitor. Innovation and advancement will require the combined resources and collaboration of academia, government and industry.

Historically, security concerns over ICS were limited to physical attacks. According to a white paper from Schneider Electric, new factors have increased the vulnerability of control systems. Some of these include: growing connectivity through the integration of control systems and enterprise networks; insecure remote connections, where encryption or authentication mechanisms are not used with the dial-up modems and wireless communications that carry remote diagnostics and maintenance; availability of technical information about infrastructures and control systems on the Internet; and standardized technologies that have made it easier for knowledgeable people to attack systems.

With the increasing connectivity of ICS and the evolution toward the smart grid, cybersecurity is playing an increasingly prominent role in the electric sector’s security strategy. Recent ICS-CERT statistics showed that the energy sector is the most-targeted of ICS operators, and U.S. policymakers are increasingly concerned that well-financed groups are targeting the country’s critical infrastructure.

Download the complete Mason-IBM-NSF Cybersecurity Workshop Report

Industrial Control Systems Get Serious About Security

One of the major insights discussed at the conference was the fact that cybersecurity risks to the electric industry continue to rise due to the increasing complexity of smart grids, greater use and adoption of new technologies, increased connectedness and the growing number of entry points available for potential adversaries. Cybersecurity must be included in all phases of the system development life cycle, from the design phase through implementation, maintenance and disposition.

With the Internet of Things (IoT), grid security threats have jumped the gap from physical to cyber, while the security of legacy systems is more often bolted on than built in. New critical infrastructure risks have been generated by an environment that combines TCP/IP, wireless radio frequency (RF) and Wi-Fi. Since the electrical grid is interconnected, a problem in one section can quickly affect another.

The convergence of IT and operational technology (OT), together with sensor proliferation and the higher level of intelligence on grid architectures, is increasing the ICS attack surface. This new environment will enable a shift away from data theft to more complex cases of sabotage and cybercrime.

ICS Needs Cooperation to Succeed

Different departments within a business are increasingly cooperating on security as IT and OT are more integrated. Achieving a culture of cooperation is a major objective for energy providers.

People are often the weakest link in an organization. Employees need support from senior leadership: they should be trained and aware of threats, be assigned responsibilities and roles, and have established policies and procedures to follow. Threats to people include phishing, spear phishing, advanced persistent threats and malicious company insiders.

The looming reality that cyberattacks can impact key aspects of business operations calls for cybersecurity leaders to possess both cyber and business acumen — a combination not traditionally emphasized by the academic or the business realms. For many, the only option is relying on modern security measures.

A strong security solution assures the right technologies are procured, deployed and defended at multiple points. These tools supply layered defenses and deploy technology to detect intrusions.

Managing and Securing Utilities

The utilities systems that comprise the national electric grid require processes and procedures to manage overall security. These processes include password management, server administration, patch management, incident response and following industry-wide standards and regulations. Procedures include personnel training and regular assessments.

Additional cybersecurity insights discussed at the conference included:

  • Access controls are needed in the form of fences, security locks, card readers, video cameras, firewalls, virtual private networks (VPNs) and unidirectional gateways.
  • Hardening is required through installation processes and procedures, Host Intrusion Protection System (HIPS) and application white-listing.
  • Authentication and authorization should be controlled by centralized account management and role-based access control.
  • Monitoring and auditing should be implemented through centralized security event logging, real-time alerting and 24/7 monitoring.
  • The patching of control systems can be a challenge since ICS patching cycles are not as rapid as IT patching cycles. In addition, electric systems are 24/7, and any system downtime is unacceptable.

The Future of Industrial Control Systems

The conference speakers and participants provided recommendations for securing the smart grid and its IoT as part of a defense-in-depth strategy to limit the potential for damage and data leakage. Some of these recommendations were:

  • Using heterogeneous software and hardware to avoid cascading and wide failures when weaknesses are discovered;
  • Employing authentication and diverse encryption schemes;
  • Adopting hardened operating systems;
  • Tying data leaving local groups of devices to a bastion host or gateway device that filters communications;
  • Restricting local communications;
  • Limiting transmission of information from local sites;
  • Applying standards to ensure the smart grid and IoT interoperate safely.

Incorporating cybersecurity into the design phase early contributes to each of these measures and to overall grid security. The integration and correlation of data from multiple ICS, in conjunction with traditional network security information and event management (SIEM) systems, also contribute to grid security.

Cybersecurity should be addressed from the perspective of enterprise risk management. It needs to be on the agenda of an organization’s corporate risk committee. Risk-based methodologies should be used to assess the value of information assets, understand cybersecurity threats and develop a program that mitigates threats.

A successful model for building an effective organizational cybersecurity program is to develop a comprehensive cybersecurity strategy and translate it into programs that include benchmarking, asset classification, operational metrics, threat analysis, security alternatives and risk management. This approach will provide the basis for continuous improvements to help address risks and vulnerabilities.

To learn more, read the complete Mason-IBM-NSF Cybersecurity Workshop Report.
