dragos
Image credit: Stock

In a discussion with Anjos Nijk, managing director of the European Network for Cyber Security (ENCS), Smart Energy International asked about the position of small utilities with limited resources, the role of information management systems and why collaboration is the key to success.

Smaller utilities, says Nijk, face a particular challenge in that they don’t have access to the number of resources and experts that larger organisations do. Yet they still have the same type of infrastructure to operate, in the same evolving environment as the larger organisations.

This article first appeared in Smart Energy International Issue 4-2019. 
Read the full digimag here or subscribe to receive a print copy here.

“This is an area that requires specific attention,” he says, continuing that “practical solutions need to be made available for them.”

“It comes down to the fact that it is difficult to create the necessary expertise themselves and they have to rely on third parties. There are several considerations: First – of the most important areas to take action on is information security management and how to deal with this issue. It is an important responsibility and an information management system (IMS) can help them to focus on the right things.

“Secondly – when undertaking training they have to make sure that people are aware of the objectives and how it might impact the organisations or the utility. Then, the third thing is to ensure that their supply chain management processes and the components they use are secure. For instance, when a utility starts with a smart meter deployment, it’s really important they know the meters and other components adhere to their safety requirements. Lastly – the issue of connecting with a security operation centre (SOC). For a small organisation to implement a security operation centre is not feasible but it is important to know what’s going on in the grid or network and that help is available if it is needed. Specialised parties can help with best practice and procedures – many of these were created for large organisations but can be adapted to smaller utilities.

The questions these utilities should be asking themselves include: · Who is responsible for security?

  • How do we go about procurement?
  • Do we have security requirements in place?
  • What practical protection measures are in place? For instance, virus scanners and protection or firewalls?

To bring a utility up to a proper information management standard, the questions above would need to be answered and Nijk believes “it is really important to have an assessment – you can consider it a baseline – that answers the questions: What are the things that I need to do? Have I taken care of them?”

This is something that can be outsourced to consultants. But it is important to undertake an assessment of and gain an understanding of the current protection measures already available in-house. Of course, awareness training is also very practical as it clearly defines what a particular organisation should focus on.

ENCS provides training to smaller utilities that would be very useful for them. The organisation can provide access to standardised security requirements that have been created for organisation members, such as procurement procedures.

For utilities, it makes a lot of sense for smaller organisations to team up with larger utilities or associations. It is increasingly important to strengthen the IT organisation, as well as increase security skills for the various roles in both the security and the OT domain.

Outsourcing

Is it possible to outsource information security management? What about outsourcing the entire threat management or cybersecurity management role?

Nijk is very clear: “You can’t get rid of your responsibility. And this is also the case for the smaller utility – so you can’t outsource it entirely. But you do need to decide how to manage it instead. As I said previously, the implementation of an IMS can help. But collaboration is a requirement. To identify the roles and inputs that you require from other parties is a fairly standardised framework.

“I want to make a comparison with the banking world. They have been under attack for the past 15 or 20 years – and it’s very clear that the attackers are after money. The banks know what they lose from attacks and from the mitigation measures that they have identified, and it is therefore easy to build the business case. As a result, they have established standard levels of expenditure that they allocate to the topic of security. But for utilities, it’s a little more complex because you don’t have the same number of attacks as you have in the financial world. Also, when there is an attack on an electricity network, they are not necessarily after money, because utilities are a different type of target.

“The type of people who would attack the grid are generally fairly skilled, and as such sophisticated defence measures have to be in place, and this clearly has a cost.

“For a bank, the losses are generally purely financial, but in the case of power utilities, it goes beyond that, because it could also involve a loss of life.”

Yet it would appear that tariff structures are not keeping pace with the changing dynamic or giving consideration to the additional costs of cybersecurity, and are an ongoing challenge for regulators and utilities.

Yet it would appear that tariff structures are not keeping pace with the changing dynamic or giving consideration to the additional costs of cybersecurity, and are an ongoing challenge for regulators and utilities.

Are smaller utilities more at risk?

In principle, the technology used by utilities, both big and small, is similar and in this case, size is not likely to be an indicator of how attractive a target they are. Often the motivation behind the attack will determine the choice of target.

Nijk explains: “In terms of how attractive a target they are as smaller utilities, I think that’s probably less the case. But when you consider untargeted attacks, such as WannaCry – this may easily hit them as well. What it means is that security hygiene has to be in place – password protection, regular backups etc. All the traditional actions are important, very important, for the small utilities. In terms of the most sophisticated attacks, I think they are less of a target.

Ultimately, the motivation for the attack will determine the target and how the attack is facilitated.

“There is a lot of active investment into cybersecurity in the utility industry, and at the basic level, utilities are prepared against personal attacks. But at the nation-state level, the authorities need to be involved. They need to bring a level of protection to the energy grids. Yet, often this is a challenge due to the level of knowledge they may have regarding the systems involved. Protection against nation-state actors is quite a big challenge.”

Blue team-red team

Some of the findings from various ‘blue team-red team’ exercises being run by ENCS point to the continued predominance of silos within both operational and managerial levels of many organisations. However, during these exercises, individuals start understanding the perspective of the ‘other side’.

“This is a real eye-opener and helps them to understand the position of their colleagues and what they need to do to continue cooperation when back in their environment.”

Yet, how long do these insights remain significant enough not to lapse back into old habits? It would seem that things are changing – albeit slowly.

Risk assessment

“There has been quite a lot of organisational development of the various types of utilities. And there is quite a lot going on there in terms of restructuring organisations, and consideration in terms of how to implement new business models. However, practically speaking, in order to address security issues, awareness is always the key. Not everyone will take the lessons back with them in the long term, but there are always some for which this is a game-changer.”