Understanding risk: cybersecurity for the modern grid.

23/08/2017
Didier Giarratano, Marketing Cyber Security at Energy Digital Solutions/Energy, Schneider Electric discusses the challenge for utilities is to provide reliable energy delivery with a focus on efficiency and sustainable sources.

There’s an evolution taking place in the utilities industry to build a modern distribution automation grid. As the demand for digitised, connected and integrated operations increases across all industries, the challenge for utilities is to provide reliable energy delivery with a focus on efficiency and sustainable sources.

The pressing need to improve the uptime of critical power distribution infrastructure is forcing change. However, as power networks merge and become ‘smarter’, the benefits of improved connectivity also bring greater cybersecurity risks, threatening to impact progress.

Grid complexity in a new world of energy
Electrical distribution systems across Europe were originally built for centralised generation and passive loads – not for handling evolving levels of energy consumption or complexity. Yet, we are entering a new world of energy. One with more decentralised generation, intermittent renewable sources like solar and wind, a two-way flow of decarbonised energy, as well as an increasing engagement from demand-side consumers.

The grid is now moving to a more decentralised model, disrupting traditional power delivery and creating more opportunities for consumers and businesses to contribute back into the grid with renewables and other energy sources. As a result, the coming decades will see a new kind of energy consumer – that manages energy production and usage to drive cost, reliability, and sustainability tailored to their specific needs.

The rise of distributed energy is increasing grid complexity. It is evolving the industry from a traditional value chain to a more collaborative environment. One where customers dynamically interface with the distribution grid and energy suppliers, as well as the wider energy market. Technology and business models will need to evolve for the power industry to survive and thrive.

The new grid will be considerably more digitised, more flexible and dynamic. It will be increasingly connected, with greater requirements for performance in a world where electricity makes up a higher share of the overall energy mix. There will be new actors involved in the power ecosystem such as transmission system operators (TSOs), distribution system operators (DSOs), distributed generation operators, aggregators and prosumers.

Regulation and compliancy
Cyber security deployment focuses on meeting standards and regulation compliancy. This approach benefits the industry by increasing awareness of the risks and challenges associated with a cyberattack. As the electrical grid evolves in complexity, with the additions of distributed energy resource integration and feeder automation, a new approach is required – one that is oriented towards risk management.

Currently, utility stakeholders are applying cyber security processes learned from their IT peers, which is putting them at risk. Within the substation environment, proprietary devices once dedicated to specialised applications are now vulnerable. Sensitive information available online that describes how these devices work, can be accessed by anyone, including those with malicious intent.

With the right skills, malicious actors can hack a utility and damage systems that control the grid. In doing so, they also risk the economy and security of a country or region served by that grid.

Regulators have anticipated the need for a structured cyber security approach. In the U.S. the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) requirements set out what is needed to secure North America’s electric system. The European Programme for Critical Infrastructure Protection (EPCIP) does much the same in Europe. We face new and complex attacks every day, some of which are organised by state actors, which is leading to a reconsideration of these and the overall security approach for the industry.

Developing competencies and cross-functional teams for IT-OT integration

Due to the shift towards open communication platforms, such as Ethernet and IP, systems that manage critical infrastructure have become increasingly vulnerable. As operators of critical utility infrastructure investigate how to secure their systems, they often look to more mature cybersecurity practices. However, the IT approach to cybersecurity is not always appropriate with the operational constraints utilities are facing.

These differences in approach mean that cybersecurity solutions and expertise geared toward the IT world are often inappropriate for operational technology (OT) applications. Sophisticated attacks today are able to leverage cooperating services, like IT and telecommunications. As utilities experience the convergence of IT and OT, it becomes necessary to develop cross-functional teams to address the unique challenges of securing technology that spans both worlds.

Protecting against cyber threats now requires greater cross-domain activity where engineers, IT managers and security managers are required to share their expertise to identify the potential issues and attacks affecting their systems

A continuous process: assess, design, implement and manage
Cybersecurity experts agree that standards by themselves will not bring the appropriate security level. It’s not a matter of having ‘achieved’ a cyber secure state. Adequate protection from cyber threats requires a comprehensive set of measures, processes, technical means and an adapted organisation.

It is important for utilities to think about how organisational cybersecurity strategies will evolve over time. This is about staying current with known threats in a planned and iterative manner. Ensuring a strong defence against cyberattacks is a continuous process and requires an ongoing effort and a recurring annual investment. Cybersecurity is about people, processes and technology. Utilities need to deploy a complete programme consisting of proper organisation, processes and procedures to take full advantage of cybersecurity protection technologies.

To establish and maintain cyber secure systems, utilities can follow a four-point approach:

1. Conduct a risk assessment
The first step involves conducting a comprehensive risk assessment based on internal and external threats. By doing so, OT specialists and other utility stakeholders can understand where the largest vulnerabilities lie, as well as document the creation of security policy and risk migration

2. Design a security policy and processes
A utility’s cybersecurity policy provides a formal set of rules to be followed. These should be led by the International Organisation for Standardisation (ISO) and International Electrotechnical Commision (IEC)’s family of standards (ISO27k) providing best practice recommendations on information security management. The purpose of a utility’s policy is to inform employees, contractors, and other authorised users of their obligations regarding protection of technology and information assets. It describes the list of assets that must be protected, identifies threats to those assets, describes authorised users’ responsibilities and associated access privileges, and describes unauthorised actions and resulting accountability for the violation of the security policy. Well-designed security processes are also important. As system security baselines change to address emerging vulnerabilities, cybersecurity system processes must be reviewed and updated regularly to follow this evolution. One key to maintaining and effective security baseline is to conduct a review once or twice a year

3. Execute projects that implement the risk mitigation plan
Select cybersecurity technology that is based on international standards, to ensure appropriate security policy and proposed risk mitigation actions can be followed. A ‘secure by design’ approach that is based on international standards like IEC 62351 and IEEE 1686 can help further reduce risk when securing system components

4. Manage the security programme
Effectively managing cybersecurity programmes requires not only taking into account the previous three points, but also the management of information and communication asset lifecycles. To do that, it’s important to maintain accurate and living documentation about asset firmware, operating systems and configurations. It also requires a comprehensive understanding of technology upgrade and obsolescence schedules, in conjunction with full awareness of known vulnerabilities and existing patches. Cybersecurity management also requires that certain events trigger assessments, such as certain points in asset life cycles or detected threats

For utilities, security is everyone’s business. Politicians and the public are more and more aware that national security depends on local utilities being robust too. Mitigating risk and anticipating attack vulnerabilities on utility grids and systems is not just about installing technology. Utilities must also implement organisational processes to meet the challenges of a decentralised grid. This means regular assessment and continuous improvement of their cybersecurity and physical security process to safeguard our new world of energy.

@SchneiderElec #PAuto #Power
Advertisements

Cybersecurity pitfalls!

09/03/2017

Jonathan Wilkins, marketing director of obsolete industrial parts supplier, EU Automation discusses three cyber security pitfalls that industry should prepare for – the weaponisation of everyday devices, older attacks, such as Heartbleed and Shellshock and vulnerabilities in industrial control systems.

IBM X-Force® Research
2016 Cyber Security Intelligence Index

In 2016, IBM reported that manufacturing was the second most cyber-attacked industry. With new strains of ransomware and other vulnerabilities created every week, what should manufacturers look out for in new year?

‘Weaponisation’ of everyday devices
The advantages of accessing data from smart devices include condition monitoring, predictive analytics and predictive maintenance, all of which can save manufacturers money.

However, recent attacks proved that these connected devices can quickly become weapons, programmed to attack the heart of any business and shut down facilities. In a recent distributed denial of service (DDOS) attack, everyday devices were used to bring down some of the most visited websites in the world, including Twitter, Reddit and AirBNB.

Such incidents raise a clear alarm signal that manufacturers should run their production line on a separate, highly secure network. For manufacturers that use connected devices, cyber security is even more important, so they should conduct regular cyber security audits and ensure security protocols are in place and up-to-date.

Don’t forget the oldies
According to the 2016 Manufacturing Report, manufacturers are more susceptible to older attacks, such as Heartbleed and Shellshock. These are serious vulnerabilities found in the OpenSSL cryptographic that allows attackers to eavesdrop on communications and steal data directly from users.

Industrial computer systems generally aren’t updated or replaced as often as consumer technology, which means that some still have the original OpenSSL software installed. A fixed version of the programme has since been released, meaning that manufacturers can avoid this type of attack by simply updating their system.

Keeping industrial control
Manufacturers understand the need to protect their networks and corporate systems from attacks, but their industrial control systems also pose a risk. If an attacker deploys ransomware to lock down manufacturing computers, it could cause long periods of downtime, loss of production and scrap of products that are being made when the attack happens.

This is particularly true in the era of Industry 4.0, where devices are connected and processes are automated. One of the most effective means of safeguarding automated production systems is cell protection. This form of defence is especially effective against man-in-the-middle attacks, whereby the attacker has the ability to monitor, alter and inject messages in a communications system.

In its report, IBM also stated that cyber security awareness in the manufacturing industry is lower than other sectors. The truth is that any company can be the target of a cyber attack. The only way to avoid a cyber security breach is by planning ahead and preparing for the unexpected.

#PAuto @StoneJunctionPR @IBMSecurity

Cybersecurity at the heart of the Fourth Industrial Revolution.

08/02/2017
Ray Dooley, Product Manager Industrial Control at Schneider Electric Ireland examines the importance of maintaining security as we progress through Industry 4.o.
Ray Dooley, Schneider Electric Ireland

Ray Dooley, Schneider Electric Ireland

A technical evolution has taken place, which has made cyber threats more potent than at any other time in our history. As businesses seek to embrace Industry 4.0, cybersecurity protection must be a top priority for Industrial Control Systems (ICS). These attacks are financially crippling, reduce production and business innovation, and cost lives.

In years gone by, legacy ICS were developed with proprietary technology and were isolated from the outside world, so physical perimeter security was deemed adequate and cyber security was not relevant. However, today the rise of digital manufacturing means many control systems use open or standardised technologies to both reduce costs and improve performance, employing direct communications between control and business systems. Companies must now be proactive to secure their systems online as well as offline.

This exposes vulnerabilities previously thought to affect only office and business computers, so cyber attacks now come from both inside and outside of the industrial control system network. The problem here is that a successful cyber attack on the ICS domain can have a fundamentally more severe impact than a similar incident in the IT domain.

The proliferation of cyber threats has prompted asset owners in industrial environments to search for security solutions that can protect their assets and prevent potentially significant monetary loss and brand erosion. While some industries, such as financial services, have made progress in minimising the risk of cyber attacks, the barriers to improving cybersecurity remain high. More open and collaborative networks have made systems more vulnerable to attack. Furthermore, end user awareness and appreciation of the level of risk is inadequate across most industries outside critical infrastructure environments.

Uncertainty in the regulatory landscape also remains a significant restraint. With the increased use of commercial off-the-shelf IT solutions in industrial environments, control system availability is vulnerable to malware targeted at commercial systems. Inadequate expertise in industrial IT networks is a sector-wide challenge. Against this backdrop, organisations need to partner with a solutions provider who understands the unique characteristics and challenges of the industrial environment and is committed to security.

Assess the risks
A Defence-in-Depth approach is recommended. This starts with risk assessment – the process of analysing and documenting the environment and related systems to identify, and prioritise potential threats. The assessment examines the possible threats from internal sources, such as disgruntled employees and contractors and external sources such as hackers and vandals. It also examines the potential threats to continuity of operation and assesses the value and vulnerability of assets such as proprietary recipes and other intellectual properties, processes, and financial data. Organisations can use the outcome of this assessment to prioritise cybersecurity resource investments.

Develop a security plan
Existing security products and technologies can only go part way to securing an automation solution. They must be deployed in conjunction with a security plan. A well designed security plan coupled with diligent maintenance and oversight is essential to securing modern automation systems and networks. As the cybersecurity landscape evolves, users should continuously reassess their security policies and revisit the defence-in-depth approach to mitigate against any future attacks. Cyber attacks on critical manufacturers in the US alone have increased by 20 per cent, so it’s imperative that security plans are up to date.

Upskilling the workforce
There are increasingly fewer skilled operators in today’s plants, as the older, expert workforce moves into retirement. So the Fourth Industrial Revolution presents a golden opportunity for manufacturing to bridge the gap and bolster the workforce, putting real-time status and diagnostic information at their disposal. At the same time, however, this workforce needs to be raised with the cybersecurity know-how to cope with modern threats.

In this regard, training is crucial to any defence-in-depth campaign and the development of a security conscious culture. There are two phases to such a programme: raising general awareness of policy and procedure, and job-specific classes. Both should be ongoing with update sessions given regularly, only then will employees and organisations see the benefit.

Global industry is well on the road to a game-changing Fourth Industrial Revolution. It is not some hyped up notion years away from reality. It’s already here and has its origins in technologies and functionalities developed by visionary automation suppliers more than 15 years ago. Improvements in efficiency and profitability, increased innovation, and better management of safety, performance and environmental impact are just some of the benefits of an Internet of Things-enabled industrial environment. However, without an effective cybersecurity programme at its heart, ICS professionals will not be able to take advantage of the new technologies at their disposal for fear of the next breach.

@SchneiderElec #Pauto #Industrie40


Three in four across 10 countries fearful Cyber Attacks could damage their country’s economy.

16/11/2014

Three quarters of surveyed adults (75 percent) across 10 countries say they are fearful that cyber hackers are carrying out attacks on major industries and sectors of the economy in their countries, according to the results of a study announced recently by Honeywell Process Solutions.

cyberbugMany survey respondents (36 percent) indicate they do not believe that it is possible to stop all the cyber attacks. A similar proportion (36 percent globally) report they don’t have faith in their country’s ability to keep up with cyber attacks because they feel that governments and organizations are not taking these threats seriously enough, particularly those respondents in India (61 percent), China (48 percent), and Mexico (47 percent).

“Cyber attacks are a clear and present threat to every industry, in every country throughout the world,” said Michael Chertoff, co-founder and executive chairman of the Chertoff Group, and former head of the U.S. Department of Homeland Security. “This threat is real and industries need a proactive and coordinated approach to protect their assets as well as their intellectual property. We have seen a number of attacks to critical industries in areas like the Middle East and the U.S. and these have had major impacts on their operations.”

The British government estimates that cyber security breaches at British energy companies alone cost those companies about 400 million pounds ($664 million) every year. In the United States, the Department of Homeland Security said that more than 40 percent of industrial cyber attacks targeted the energy industry in 2012, the last full year reported.

Methodology
These are findings of a poll conducted by Ipsos Public Affairs Research, September 2- 16, 2014. For the survey, a sample of 5,065 adults across 10 countries was interviewed online. This included approximately 500 interviews in each of Australia, Mexico, Russia, Brazil, China, India, Japan, the United Arab Emirates, Great Britain and the United States. Results are weighted to the general adult population ages 16–64 in each country (or in the U.S. 18–64). A survey with an unweighted probability sample of 5,065 adults and a 100% response rate would have an estimated margin of error of +/- 1.4 percentage point, 19 times out of 20 of what the results would have been had the entire population of adults in the participating countries been polled. Each individual country would have an estimated margin of error of 4.4 percentage points. All sample surveys and polls may be subject to other sources of error, including, but not limited to coverage error, and measurement error.

“These survey results are not surprising in light of the recent cyber attacks that have made headlines in several areas around the world,” said Jeff Zindel, leader of HPS’ Industrial Cyber Security business. “The impacts of these attacks, as well as others that have not been publicly reported, have cost companies and governments billions of dollars through operational issues and loss of intellectual property.”

For more than a decade, HPS has developed and delivered cyber security technology and solutions to industrial customers around the world through its Honeywell Industrial Cyber Security organization. This team has delivered more than 500 industrial cyber security projects integrated with its process automation solutions which are used at sites such as refineries, chemical plants, gas processing units, power plants, mines and mills.

In December 2014, HPS will establish the Honeywell Industrial Cyber Security Lab near Atlanta (GA USA). The lab will expand the company’s research capabilities and will feature a model of a complete process control network which Honeywell cyber security experts will leverage to develop, test and certify industrial cyber security solutions. This lab will help accelerate proprietary research and development of new cyber technologies and solutions to help defend industrial facilities, operations and people.

Among other findings of the survey:

• Four in ten (40 percent) survey respondents are not sure about how well their government or private industrial sectors are able to defend against cyber hackers, including 10 percent who are not at all confident.
• When asked about the vulnerability of nine critical industry sectors (which have varying degrees of computer and internet security systems in place to guard against cyber hackers), majorities of respondents globally see all sectors as being vulnerable to cyber attacks. Industrial sectors likely to be perceived as vulnerable to such attacks include oil and gas production (64 percent), medical/health care/pharmaceuticals (64 percent), power grid (63 percent), chemicals (61 percent) and aerospace/defense (59 percent).
• Those in India (92%) and Japan (89%) are most worried about cyber attacks, whereas Russian adults (53%) express the lowest level of overall concern.
• Among those who are relatively unconcerned about cyber hackers (“not very fearful” or “not at all fearful”), no single factor stands out as a primary justification. Many (31 percent) say that this is because they believe the risk of something major actually happening is really quite low, particularly in Australia (52 percent).

Other reasons for lower levels of concern include:

• Cyber hackers would have already done something big if they actually had these capabilities (25%),
• Computer and Internet security has been able to counter or block almost all of the threats (24%); or,
• Governments and its intelligence and armed forces will not let this happen (24%).


Cybersecurity cert programme launched!

19/12/2013
Programme based on its ISA99/IEC 62443 series of industrial automation and control systems security standards

Drawing on its internationally recognised leadership and expertise in industrial automation and control systems security, the International Society of Automation (ISA) has developed a knowledge-based industrial cybersecurity certificate program.

Through the work of its Committee on Security for Industrial Automation & Control Systems (ISA99), the Society has developed the ANSI/ISA99, Industrial Automation and Control Systems Security standards (known internationally as ISA99/IEC 62443).

ACFF741This new certificate program, the ISA99/IEC 62443 Cybersecurity Fundamentals Specialist Certificate, is designed to help professionals involved in IT and control systems security improve their understanding of ISA99/IEC 62443 principles and acquire a command of industrial cybersecurity terminology.

Developed by a cross-section of international cybersecurity subject-matter experts from industry, government and academia, the series of ISA99/IEC 62443 standards apply to all key industry sectors and critical infrastructure, providing the flexibility to address and mitigate current and future vulnerabilities in industrial automation and control systems.

The ISA99/IEC 62443 Cybersecurity Fundamentals Specialist Certificate will be awarded to those who successfully complete a designated, two-day ISA classroom training course, Using the ANSI/ISA99 (IEC 62443) Standards to Secure Your Industrial Control System (IC32), and pass a 75-question, multiple-choice exam.

While there are no required prerequisites to register for the certificate program and an application is not required to take the exam, it is helpful if interested professionals possess at least three to five years of experience in the IT cybersecurity field, with at least two of those years in a process control engineering environment in an industrial setting.

“Our new cybersecurity certificate program is another step forward in ISA’s development as a global leader in industrial cybersecurity standards, training and education, and in building on our commitment to meeting the needs of industrial control systems professionals throughout the world,” says Dalton Wilson, ISA’s Manager of Education Services.

Throughout 2013, both ISA and its sister organisation, the Automation Federation, have played prominent roles in helping the US government develop a national Cybersecurity Framework designed to thwart a potentially devastating cyberattack on critical infrastructure, such as a power plants, water treatment facilities and transportation grids.

The exam
The paper/pencil-formatted version of the ISA99/IEC 62443 Cybersecurity Fundamentals Certificate Program exam is available now. The electronic version will be available through the Prometric global network of testing centers during the first quarter of 2014.

In order to sit for the exam, applicants must register for both the aforementioned ISA course (IC32) and exam, and successfully complete the course.

The exam will cover the following areas:

  • Understanding the Current Industrial Security Environment
  • How Cyber Attacks Happen
  • Creating a Security Program
  • Risk Analysis
  • Addressing Risk with Security Policy, Organization, and Awareness
  • Addressing Risk with Selected Security Counter Measures
  • Addressing Risk with Implementation Measures
  • Monitoring and Improving the CSMS
  • Designing/Validating Secure Systems

Certificate renewal requirements
Because the ISA99/IEC 62443 Cybersecurity Fundamentals Certificate Program is a certificate and not a certification, certificate holders are not required to renew the ISA99/IEC 62443 Certificate.

However, once obtained, the certificate will only be considered current for three years. After the three-year expiration date, a certificate holder will no longer be able to claim that he or she holds a current/active ISA99/IEC 62443 certificate. In order to extend the current status of an expired certificate, a certificate holder must register for and take the related ISA99/IEC 62443 Certificate Knowledge Review. A score of 70% or higher is required to extend the current status of a certificate.