We are coming up on two years since the Colonial Pipeline cyber breach. That cyberattack was a direct shot at the U.S. energy system and could be considered one of the most consequential cyberattacks in history. As we reviewed in our podcast episode “Colonial Pipeline fuels the fire: not the first, not the last, and how to protect for the future” with Boston Consulting Group’s Brett Thorson, the pipeline hack wreaked havoc and panicked buyers, causing a tidal wave of gas hoarding across the U.S. I live on the east coast and recall being on a road trip and encountering many empty gas stations while running on fumes.
The Colonial Pipeline incident arguably led directly to congressional passage of one of the most substantial cyber requirements for critical infrastructure firms in history — obligating them to alert the government within three days if they're hacked and within one day if they pay a ransom to hackers.
About the Energy Sector
The Energy Sector is recognized as a uniquely critical enabler for the other 15 critical infrastructure sectors in Presidential Policy Directive 21. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has stated: “The US energy infrastructure fuels the economy of the 21st century; without a stable energy supply, health and welfare are threatened, and the US economy cannot function.” Because of this, the Energy Sector’s challenges are a priority and must be addressed to ensure our long-term prosperity as a nation.
In the U.S., energy infrastructure is largely privately owned, operated, and financed. However, there is a large regulatory role for the government at both the state and federal levels. The sector includes a variety of facilities, equipment, and systems.
America’s energy sector is undergoing a dramatic transformation to one that requires a cleaner fuel supply, increased reliability, improved resilience, and more control over energy costs for customers. These factors, combined with the traditional requirements for safety, reliability, and low energy costs, will require utilities and energy companies to consider more rapid adoption of new business models, advanced technologies, and alternative rate designs and pricing options.
In addition to the transformation to new technologies, the electric grid and energy infrastructure face increasing cyber and physical risks as cyberattack impacts increase.
Energy Sector Threats
On 23 March, the U.S. Senate Committee on Energy and Natural Resources held a full committee hearing to examine cybersecurity vulnerabilities in the energy infrastructure and how those vulnerabilities are being used to disrupt energy security and the economy. In the Senate hearing, Senator Manchin said that:
“Russia’s cyberattack that shut down Ukraine’s electricity grid in 2015 was a wake-up call to the possibility of large-scale cyberattacks on critical infrastructure like the electric grid,” he added. “Putin’s vicious aggression in Ukraine increased the likelihood that Russia will increasingly rely on extreme and dangerous tactics against Ukraine’s allies, such as using cyberattacks as retaliation for sending arms and aid to Ukraine.”
In the energy sector, the tempting cybersecurity attack surfaces are within industrial controls—command systems associated with a nuclear plant, hydro dam, or urban power grid. Threat actors range from state-sponsored adversaries to individual bad actors, such as insiders and transnational cyber criminals.
There have been a couple of identified points of vulnerability in the nation’s electricity grid system. For example, grid distribution systems have grown more vulnerable, in part because their operational technology (OT) increasingly allows remote access and connections to business networks. In fact, the perception some people have that OT environments remain segregated from business IT environments is no longer valid. In our “IoT Security, it’s not just alphabet soup” podcast with Kate Scarcella she said:
“The Internet world is colliding with the industrial world, and the data is no longer isolated. And in fact, it's being aggregated and being analyzed in the cloud. So, everything has become much more public and available. And the ramification of this is that the attack surface has become immeasurable.”
One of the participants in the Senate hearing was Puesh M. Kumar, director of the Office of Cybersecurity, Energy Security, and Emergency Response (CESER) of the U.S. Department of Energy (DOE). When addressing cyber threats to the sector, Kumar said that in 2022, the DOE, along with CISA, the FBI, and the NSA released a joint advisory warning that threat actors have exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices using custom-made tools.
“These tools could potentially enable a threat actor to manipulate the systems that Americans rely upon to produce, deliver, and consume energy,” according to Kumar. “This joint advisory and its implications demonstrate our adversaries’ capacity to disrupt our critical infrastructure and are illustrative of the breadth and depth of the threat landscape overall.”
OT Security Control Challenges
The way we think about OT security controls is orthogonal to how we think of controls in IT environments. As Scarcella says in the podcast:
“…one of the biggest challenges that we have in IT is understanding with OT that the devices first need to be available, and they need to always be available. The valves always need to be working. … so, OT to get back to the point of security tenets and principles, OT is based on availability, then it's based on integrity, then it's based on confidentiality. So, we sort of changed the [information security] paradigm and flip it upside down.”
We explored some of the OT security control challenges in the context of solar energy in the podcast “Powering your cyber strategy” with Bryan Galloway, who was the Director of Information Security with Enphase Energy at the time. Enphase Energy is an energy technology company that manufactures software-driven devices like solar panels. Galloway recommended getting back to basics and maintaining basic cyber hygiene when creating a cyber strategy for OT environments. He also noted that their software often integrates with PLCs (Programmable Logic Controllers) that make real-time decisions on the fly, which changes the threat profile and therefore the security approach:
“Our approach had to change for the risk profile. Which means we had to understand the changes in the threats, right? Once I allow an OT or an IoT device to make decisions, then it has the ability to do things, which means it changes an active player now. It's not just a passive collector or sensor, or intruder.”
Galloway’s perspective on threats was echoed in the Senate hearing by Stephen L. Swick, chief security officer at American Electric Power (AEP), who said:
“To best protect the electric grid, we must proactively identify threats, strategize how to shield against them and share relevant intelligence and mitigations across the critical infrastructure to strengthen our defenses. Regardless of what we do to protect our own systems, we each are as strong as our weakest interconnected peer.”
Unfortunately, while traditional engineering in the sector includes considerable safety and failure mode analysis, OT engineers and technical staff often miss opportunities early in the design lifecycle of engineered systems to reduce cybersecurity risk and known threats. Instead, cybersecurity risk mitigations are frequently bolted on during late stages of testing and operational deployment by cybersecurity specialists. These specialists may lack an OT engineer’s deep awareness of the critical functions performed by the engineered system and the key hazards it could face.
A Path Forward with Cyber-Informed Engineering
Back in January, my Reimagining Cyber podcast co-host and I had the opportunity to speak with Virginia “Ginger” Wright in episode 46, Energizing Cybersecurity. Wright is the Energy Cybersecurity Portfolio Manager for Idaho National Laboratory’s (INL) Cybercore division within its National and Homeland Security directorate. She leads programs focused on cybersecurity and resilience of critical infrastructure for the DOE, DARPA [Defense Advanced Research Projects Agency] and other government agencies. One of the programs Wright leads is Cyber-Informed Engineering (CIE).
Section 5726 of the National Defense Authorization Act for Fiscal Year 2020 directed the Secretary of Energy to establish a government-industry working group to develop a national CIE strategy to isolate and defend energy infrastructure from security vulnerabilities and exploits in the most critical systems. The Securing Energy Infrastructure Executive Task Force developed the National CIE Strategy for adoption by the Department of Energy. The five intertwined pillars represented in the strategy are:
CIE guides engineering teams to consider and mitigate the potential for cyber compromise throughout the engineering design lifecycle of a system, leveraging engineering solutions to limit the pathways for cyber sabotage, exploitation, theft, and misuse within the system. As Wright said in our podcast,
“I think a lot of engineers understand materials that they build with. They understand wood, they understand concrete, and depending upon their engineering discipline, pick the appropriate material. But they don't often get taught to think about digital systems in the same way they think about materials. That these systems have stress points and failure points, and they can be trusted to a certain level but after that, we need to build protections into our system to protect us from the ways that they can fail or be brought to failure by an adversary. And so, we are working with universities to build these ideas into engineering curricula so that we can start introducing engineers to the ways that their systems can fail via adversary interdiction and what protections they can apply.”
It is hoped that CIE will provide the basis and approach for instituting a culture of cybersecurity within the energy industry, akin to the industry’s strong culture of safety.
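As an added illustration of the CIE idea above, that a system's own engineering should bound what an adversary can make it do, the following controller-side check enforces a physical safe envelope on every setpoint command regardless of where the command came from. This is example code written for this post, not INL's CIE material or any product's code; the device, limits, sources and interlock are constructed assumptions.

```python
"""Illustration of one Cyber-Informed Engineering idea: the process's
physical limits are enforced by the engineering layer itself, so even a
fully authorised (or compromised) command path cannot push the process
past what the design analysis deemed safe.  Device, limits and the
interlock below are constructed for the example, not real equipment."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SafeEnvelope:
    """Bounds an engineer derives from the process design, not from IT policy."""
    min_setpoint: float   # below this the process becomes unstable
    max_setpoint: float   # above this equipment can be damaged
    max_step: float       # largest change a single command may make


@dataclass
class SetpointController:
    envelope: SafeEnvelope
    current: float
    rejected: list = field(default_factory=list)  # audit trail for operators/SOC

    def request(self, new_setpoint: float, source: str, sensor_ok: bool) -> bool:
        """Apply a setpoint change if it stays inside the safe envelope.

        The checks are physical (range, step size, interlock) and deliberately
        independent of who sent the command: authentication decides whether a
        command is allowed, the envelope decides whether it is possible at all.
        Returns True if applied, False if rejected (with the reason logged).
        """
        env = self.envelope
        if not env.min_setpoint <= new_setpoint <= env.max_setpoint:
            reason = "outside safe envelope"
        elif abs(new_setpoint - self.current) > env.max_step:
            reason = "step larger than the design allows in one command"
        elif not sensor_ok:
            reason = "interlock: process sensor unhealthy, holding last good value"
        else:
            self.current = new_setpoint
            return True
        self.rejected.append((source, new_setpoint, reason))
        return False


def demo() -> SetpointController:
    """Run a short constructed command sequence; returns the controller."""
    ctl = SetpointController(SafeEnvelope(20.0, 80.0, 10.0), current=50.0)
    ctl.request(58.0, "hmi", sensor_ok=True)          # normal operator change: applied
    ctl.request(95.0, "hmi", sensor_ok=True)          # beyond max: rejected
    ctl.request(75.0, "remote-api", sensor_ok=True)   # 17-unit jump: rejected
    ctl.request(60.0, "hmi", sensor_ok=False)         # sensor fault: rejected
    return ctl
```

The point of the design is that the rejection reasons are engineering facts about the process, so they hold even when an attacker has valid credentials for the command path; the `rejected` list doubles as a detection signal for the SOC, since a trusted source repeatedly asking for impossible values is itself worth investigating.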
Learn How OpenText Cybersecurity Can Help
In line with the philosophy of CIE, OpenText Cybersecurity solutions enable organizations to build security into their critical systems.
Threat Detection and Response
Monitor OT cyber threats with ArcSight. Upon ingestion of event data, ArcSight’s SODP normalizes and enriches the data into Common Event Format (CEF), making it easier to monitor OT events such as temperature alerts, flow deviations, RTU status and empty-pipe alerts.
The ArcSight suite offers machine learning-based threat detection with out-of-the-box use cases including, but not limited to, lateral movement, privilege escalation, and command-and-control detection.
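To make the CEF normalization step above concrete, here is an added example (not ArcSight's or OpenText's code) that parses a few constructed OT events already emitted in Common Event Format and applies a simple per-device severity rule of the kind a SOC would tune for temperature or empty-pipe alerts. The vendor, product, device names and addresses in the sample lines are constructed.

```python
"""Added example (not ArcSight's or OpenText's code): parse constructed OT
events that a collector has emitted in Common Event Format (CEF) and apply
a per-device severity rule, the kind of monitoring the text describes."""
import re
from collections import Counter

# Constructed events from a fictional pipeline SCADA collector.  The header
# escapes '|' as '\|'; extension values escape '=' as '\='.
SAMPLE_EVENTS = [
    "CEF:0|ExampleOT|PipelineSCADA|2.1|TEMP_HIGH|Temperature Alert|7|"
    "rt=1680000000 dvc=10.1.1.5 cs1=RTU-07 cs1Label=Device "
    "cn1=91 cn1Label=TempC msg=Temperature alert on pump 3",
    "CEF:0|ExampleOT|PipelineSCADA|2.1|FLOW_LOW|Flow Deviation|4|"
    "rt=1680000030 dvc=10.1.1.5 cs1=RTU-07 cs1Label=Device cn1=12 cn1Label=FlowRate",
    "CEF:0|ExampleOT|PipelineSCADA|2.1|EMPTY_PIPE|Empty Pipe Alert \\| Segment 4|9|"
    "rt=1680000060 dvc=10.1.1.9 cs1=RTU-12 cs1Label=Device msg=Reading\\=empty",
    "CEF:0|ExampleOT|PipelineSCADA|2.1|RTU_COMM|RTU Heartbeat|2|"
    "rt=1680000090 dvc=10.1.1.9 cs1=RTU-12 cs1Label=Device",
]

# key=value pairs; a value runs until the next " key=" or end of line,
# with backslash escapes kept together so an escaped '=' does not split it.
_EXT_RE = re.compile(r"(\w+)=((?:\\.|(?!\s\w+=).)*)")


def _split_header(body: str):
    """Return the seven pipe-delimited header fields and the raw extension."""
    fields, buf, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        c = body[i]
        if c == "\\" and i + 1 < len(body):   # escaped '|' or '\'
            buf.append(body[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    if len(fields) < 7:
        raise ValueError("incomplete CEF header")
    return fields, body[i:]


def parse_cef(line: str) -> dict:
    """Normalize one CEF line into a flat event dict."""
    line = line.rstrip("\r\n")
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    hdr, ext = _split_header(line[len("CEF:"):])
    version, vendor, product, dev_version, sig_id, name, severity = hdr
    extensions = {k: re.sub(r"\\(.)", r"\1", v) for k, v in _EXT_RE.findall(ext)}
    return {
        "cef_version": version,
        "vendor": vendor,
        "product": product,
        "device_version": dev_version,
        "signature_id": sig_id,
        "name": name,
        "severity": int(severity) if severity.isdigit() else severity,
        "extensions": extensions,
    }


def device_of(event: dict) -> str:
    """Use the custom string labelled 'Device' when present, else the dvc address."""
    ext = event["extensions"]
    for n in range(1, 7):
        if ext.get(f"cs{n}Label") == "Device" and f"cs{n}" in ext:
            return ext[f"cs{n}"]
    return ext.get("dvc", "unknown")


def high_severity_by_device(lines, threshold: int = 7) -> Counter:
    """Count events at or above `threshold` per device: a simple rule a SOC
    might tune to page on repeated Temperature or Empty Pipe alerts."""
    counts = Counter()
    for line in lines:
        ev = parse_cef(line)
        if isinstance(ev["severity"], int) and ev["severity"] >= threshold:
            counts[device_of(ev)] += 1
    return counts
```

The escape handling matters in practice: OT event names and free-text messages routinely contain `|` and `=`, and a parser that splits naively on those characters silently shifts fields, so the severity or device you alert on ends up being the wrong one.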
OpenText EnCase Endpoint Investigator CE delivers efficient evidence collection, with in-depth analysis and reporting capabilities, across a limitless number of endpoints in a single, intuitive solution.
Related assets include:
- Video: Machine Learning + ESM for Oil/Gas Pipeline (OT/ICS) Threat Detection
- Video: Dubai Electricity and Water Authority Case Study
- Video: ArcSight Defense against Industrial Control Systems (ICS) Threats – MITRE ATT&CK Dashboards
- Case Study: Large Energy Company that needed compliance and protection against cyber-attacks.
- Case Study: NPC Ukrenergo
- Data Sheet: CrowdStrike and ArcSight Intelligence
- Blog: OpenText Security & Protection Cloud CE 21.3
- Galaxy for sector specific threat intelligence
Data governance, protection, and privacy
Voltage enables upstream, midstream and downstream data privacy and protection for OT operators. Voltage FAS and SDM can identify and classify data: whether it is regulated, whether it is sensitive or personal data that must be protected, or whether it has no value. Govern data through information archiving and content management, and act on data by moving, monitoring, deleting, encrypting, or masking it. Resources include:
- Blog: Driving innovation in the energy industry
- Blog: IIoT and the road to data monetization
- Video: Data Collection as a Force for Overcoming Supply Chain Challenges
Protecting the Human-Machine Interface in OT
NetIQ provides a comprehensive identity management and governance solution that can span across IT and OT infrastructures.
- Identity Services: Registration, Identity Lifecycle, Password Management, Account Claiming
- Governance Services: Access Req/Approval, Access Certification, Access Reconciliation, Event Remediation
- Governance Policy: Role Management, Access Policies, Detective Controls, Preventative Controls, Process Orchestration
- Analytics: Gov Insight/Visualize, Role Mining, Risk Scoring, Peer Group Analysis Decision Support
Supporting resources include:
- Case Study: VINCI Energies
- Blog: Streamlining Identity Management: A Look at VINCI Energies and NetIQ
- Case Study: State Grid Shanghai Municipal Electrical Power Company
Fortify provides a holistic, inclusive, and extensible AppSec platform that spans SCA, SAST and DAST. Given the extensive use of APIs by OT components, Fortify can scan APIs for vulnerabilities and weaknesses such as command injection, weak authentication, and SQL injection. Supporting resources include:
- Ebook: Boosting Cyber Resilience with Fortify
- Blog: Fortify Your APIs and Get Them Battle Ready
- Webinar: API Security Needs Grow Ever Larger
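As an added example of the three API weakness classes named above, the following shows, for each, the construction a scanner would flag beside a hardened form: a string-built SQL query next to a parameterized one, a shell-string command next to an argv list with host validation, and a constant-time API key check. This is example code written for this post, not Fortify's or OpenText's code; the asset table, hostnames and API key are constructed.

```python
"""Added example of the API weakness classes named above (command injection,
weak authentication, SQL injection), each shown as the weak construction a
scanner would flag beside a hardened form.  The asset table, hostnames and
API key are constructed for the example."""
import hashlib
import hmac
import re
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory inventory of OT assets."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE assets (id INTEGER PRIMARY KEY, name TEXT, site TEXT)")
    conn.executemany(
        "INSERT INTO assets (name, site) VALUES (?, ?)",
        [("RTU-07", "north"), ("RTU-12", "south"), ("PLC-03", "south")],
    )
    return conn


def assets_by_site_weak(conn, site: str) -> list:
    """SQL injection: untrusted input is spliced into the query text."""
    rows = conn.execute(f"SELECT name FROM assets WHERE site = '{site}'").fetchall()
    return [r[0] for r in rows]


def assets_by_site(conn, site: str) -> list:
    """Hardened: bound parameters are always treated as data, never as SQL."""
    rows = conn.execute("SELECT name FROM assets WHERE site = ?", (site,)).fetchall()
    return [r[0] for r in rows]


# Letters, digits, dots and hyphens only; no shell metacharacters can pass.
_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})$")


def ping_command_weak(host: str) -> str:
    """Command injection: a shell string is built from untrusted input.
    (Returned rather than executed, so the weakness can be inspected safely.)"""
    return f"ping -c 1 {host}"


def ping_command(host: str) -> list:
    """Hardened: validate the host, then return an argv list for
    subprocess.run without shell=True, so metacharacters have no meaning."""
    if not _HOST_RE.match(host):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", host]


def check_api_key(presented: str, expected_sha256: bytes) -> bool:
    """Hardened authentication check: compare a hash of the presented key in
    constant time, so neither the key nor its length leaks through timing.
    The weak form a scanner flags is a plain `presented == stored_key`."""
    digest = hashlib.sha256(presented.encode()).digest()
    return hmac.compare_digest(digest, expected_sha256)


# Constructed key; in practice the hash comes from a secrets store.
EXPECTED_KEY_HASH = hashlib.sha256(b"example-key-not-real").digest()
```

The hardened variants share one property: the untrusted value never changes the structure of what is executed, only the data it operates on, which is exactly the distinction a SAST rule for injection looks for.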