Barak Perelman, VP of operational technology security at Tenable, explains that the world is getting smarter as the Internet of Things (IoT) expands to touch every aspect of our lives. One area where it is making a real difference is the management of our energy supply.

The European Union and 65 other countries have committed to achieving net zero carbon emissions by 2050 and, in March of this year [2020], it was announced that the National Grid Electricity System Operator would be using smart technology to link and aggregate wind and solar energy generated across southern England. Internationally, Sweden and India have similarly announced a joint initiative to develop Smart Grid solutions to integrate an expanding portfolio of sustainable energy sources.

Rising to the energy challenge
For a power grid to function effectively there needs to be a continuous, steady balance between supply and demand. Without it, abrupt changes in voltage and frequency can result in electrical failures and damaged equipment. Whilst traditional generation (fossil fuel and nuclear plants) typically provides a stable output, renewable sources (solar, hydro, wind) are far less consistent.

To cope with these new challenges, operators need constant monitoring of, and access to, the full array of assets that make up the modern grid. That is where smarter, interconnected technologies come in.

The convergence of the data side of the business (traditionally the realm of IT) with the operational technology (OT) side, used to manage industrial control systems (ICS), has revolutionised our critical infrastructure. This connectivity removes the need for an operator to be physically on site to make changes; instead, settings can be adjusted remotely from a computer whenever and wherever necessary. In addition to more flexible remote access, Smart Grids also rely on numerous sensors that gather data quickly and make real-time adjustments autonomously, smoothing out fluctuations to deliver a stable, evenly distributed supply.

While IT/OT convergence improves efficiency, enables predictive maintenance and reduces downtime, it also exposes power grids to a much wider attack surface.

For many years, cybercriminals have infiltrated IT networks to gain access to sensitive databases and assets. As we continue to connect our OT infrastructure, threat actors are seeing more opportunities to exploit vulnerabilities and exposures in legacy ICS equipment. Merging these two previously separate environments poses a real risk: it introduces more attack vectors while making threats harder to detect, investigate and remediate. And beyond the threat to data, an attack against OT systems can have physical consequences, from damage to plant and equipment to bodily harm.

When protecting regular IT networks, security professionals are used to thinking in terms of exploits, malware and backdoors. While these risks are certainly relevant for power grids, an industrial attack can be as simple as issuing ordinary, well-formed commands in a documented protocol: a Select Before Operate (SBO) control in IEC 61850, or a Single Command (C_SC_NA_1) in IEC 60870-5-104. As these protocols are commonly deployed, without the IEC 62351 security extensions, the receiving device does not authenticate the sender and will act on any syntactically valid command, so such a message can change the state of an unprotected circuit breaker or disable a protection function and cause significant damage.

With cybercriminals typically targeting low-hanging fruit to gain entry, it is inevitable that we will continue to see attacks aimed at the OT infrastructure perceived to be least defended: a smaller substation or transfer point rather than the core of the grid. These smaller sites are frequently linked to a larger OT network, such as a regional grid, so a compromise at the edge can cascade across the whole network. Security initiatives must therefore extend beyond core and HQ locations to remote and distributed sites.

Smarter cybersecurity
The biggest challenge facing the security teams tasked with managing this complex, sensitive and expanded attack surface is visibility. Energy providers cannot depend on costly, error-prone manual network inventories that may be out of date soon after they are collected. Instead, automated solutions are needed to identify and characterise converged IT/OT systems, producing a unified, risk-based view of what is exposed, where, and to what extent across the combined IT and OT environments.

Failure to identify every system creates blind spots in which some systems are potentially insecure, increasing the risk of downtime. When a security incident occurs, timely resolution depends on having an accurate inventory immediately to hand, from the device model down to the firmware version.

While it might seem overwhelming, identifying weaknesses within OT environments is critical to understanding risk. Vulnerabilities must be assessed and prioritised by risk and likelihood of exploitation, and those creating the most risk remediated, either by patching or, where a patch must wait for a maintenance window, with compensating mitigations such as tighter firewall rules or segmentation.

Unlike dynamic IT networks, OT networks are fairly static: assets, connections and traffic patterns rarely deviate from a baseline. Timely detection of attacks therefore requires 24x7x365 monitoring of traffic anywhere in the network, together with changes made directly on the devices by operators and maintenance teams. That includes traffic on the substation bus itself, where an attacker's commands look like ordinary protocol traffic and are only suspicious in the context of who sent them and what normally happens.

These events should be clearly understood, with enough context to discern whether they are malicious or part of routine operations. The solution should be adaptable to the specific needs of each network, so that false positives are kept to a minimum and network managers can focus on regular operation.
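Two points in this article, that an attack can be nothing more than a legitimate Single Command in IEC 60870-5-104 (see "Rising to the energy challenge"), and that detection in a static OT network comes down to comparing traffic against a baseline with enough context to tell an operator from an intruder, can be made concrete with a small decoder. The following is an added example and not code from the article or from Tenable: it parses IEC-104 APDUs, recognises control ASDUs such as the single command (type 45), reads the select/execute bit of the SCO qualifier to check Select Before Operate sequencing, and flags commands from hosts outside a hypothetical allowlist of authorised HMIs. The host names, the allowlist and the hand-built frames are constructed for illustration only.

```python
"""Decode IEC 60870-5-104 APDUs and flag control commands that break the
substation baseline: a control ASDU from a host that is not an authorised
HMI, or an execute with no preceding select (SBO violation).

Added example, not code from the original article or from Tenable. The
host names, allowlist and sample frames are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# ASDU type identifiers (IEC 60870-5-101 / -104) that operate equipment.
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    58: "C_SC_TA_1 single command with CP56Time2a",
    59: "C_DC_TA_1 double command with CP56Time2a",
}
COT_ACTIVATION = 6  # cause of transmission a controlling station uses for a command


@dataclass
class Asdu:
    type_id: int
    cot: int
    common_addr: int
    ioa: int
    select: Optional[bool] = None   # S/E bit of SCO/DCO: True = select, False = execute
    state: Optional[int] = None     # SCS (0/1) or DCS (1 = off, 2 = on)


def parse_apdu(frame: bytes) -> Optional[Asdu]:
    """Return the ASDU carried by an I-format APDU; None for S- and U-format frames."""
    if len(frame) < 6 or frame[0] != 0x68:
        raise ValueError("not an IEC-104 APDU (missing 0x68 start byte)")
    if frame[1] != len(frame) - 2:
        raise ValueError("APDU length field does not match frame size")
    if frame[2] & 0x01:            # control field 1 bit 0 set: S- or U-format, no ASDU
        return None
    asdu = frame[6:]
    if len(asdu) < 9:              # type, VSQ, COT(2), CA(2), IOA(3)
        raise ValueError("truncated ASDU")
    type_id = asdu[0]
    cot = asdu[2] & 0x3F           # low 6 bits; bit 6 = P/N, bit 7 = test flag
    common_addr = int.from_bytes(asdu[4:6], "little")
    ioa = int.from_bytes(asdu[6:9], "little")
    result = Asdu(type_id, cot, common_addr, ioa)
    if type_id in (45, 46, 58, 59):
        if len(asdu) < 10:
            raise ValueError("command ASDU without SCO/DCO octet")
        qualifier = asdu[9]                       # SCO or DCO octet
        result.select = bool(qualifier & 0x80)    # S/E bit
        result.state = qualifier & (0x01 if type_id in (45, 58) else 0x03)
    return result


def check_frame(src_host: str, frame: bytes, authorised_hmis: set, pending_selects: dict) -> list:
    """Return alert strings for one frame seen on the substation LAN.

    pending_selects is session state keyed by (host, CA, IOA) for selects
    that have not yet been followed by an execute.
    """
    alerts = []
    asdu = parse_apdu(frame)
    if asdu is None or asdu.type_id not in CONTROL_TYPES:
        return alerts                      # link frames and monitoring data are baseline traffic
    name = CONTROL_TYPES[asdu.type_id]
    target = f"CA {asdu.common_addr} IOA {asdu.ioa}"
    if src_host not in authorised_hmis:
        alerts.append(f"{name} to {target} from non-HMI host {src_host}")
    if asdu.cot != COT_ACTIVATION:
        alerts.append(f"{name} to {target} with unexpected COT {asdu.cot}")
    key = (src_host, asdu.common_addr, asdu.ioa)
    if asdu.select is True:
        pending_selects[key] = asdu.state
    elif asdu.select is False:
        if key not in pending_selects:
            alerts.append(f"execute to {target} from {src_host} without a preceding select")
        else:
            pending_selects.pop(key)
    return alerts


# Constructed sample frames (hex); not captures from a real substation.
STARTDT_ACT = bytes.fromhex("68 04 07 00 00 00")                                   # U-format link start
INDICATION = bytes.fromhex("68 0e 00 00 00 00 01 01 03 00 01 00 e9 03 00 01")     # M_SP_NA_1 spontaneous, IOA 1001 ON
SELECT_ON = bytes.fromhex("68 0e 00 00 00 00 2d 01 06 00 01 00 e9 03 00 81")      # C_SC_NA_1, SCO = select + ON
EXECUTE_ON = bytes.fromhex("68 0e 00 00 00 00 2d 01 06 00 01 00 e9 03 00 01")     # C_SC_NA_1, SCO = execute + ON


def run_scenario() -> list:
    """Replay a short sequence of (source host, frame) events through the detector."""
    authorised = {"hmi-01"}            # hypothetical baseline: the only station allowed to control
    pending = {}
    events = [
        ("hmi-01", STARTDT_ACT),       # link start-up: no ASDU
        ("rtu-07", INDICATION),        # RTU reporting a breaker position: monitoring only
        ("hmi-01", SELECT_ON),         # operator selects the breaker at IOA 1001
        ("hmi-01", EXECUTE_ON),        # then executes: matches the outstanding select
        ("eng-laptop-3", EXECUTE_ON),  # identical bytes from an unexpected host, with no select
    ]
    return [(host, check_frame(host, frame, authorised, pending)) for host, frame in events]


if __name__ == "__main__":
    for host, alerts in run_scenario():
        print(host, "OK" if not alerts else alerts)
```

The last event is the point of the article: the frame is byte-for-byte the same command the operator just sent, so a signature or exploit-oriented sensor has nothing to match. It is only the context, an unexpected source host and an execute with no select, that makes it an alert. In practice the allowlist and the SBO rule must be tuned per site, since some deployments legitimately use direct operate, which is exactly the false-positive trade-off discussed above.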

As power grids become smarter and more connected, utilities need to rethink their cybersecurity strategies to deflect attacks. It’s the smart thing to do.