Establishing a cybersecurity roadmap in the digital age


The 2015 (ISC)² Global Information Security Workforce Study, conducted by Frost & Sullivan, projected a shortage of 1.5 million professionals in the cybersecurity sector. Very simply, there is a major skills shortage and a lack of experienced, qualified cybersecurity personnel. Training and education of staff should be a top priority for every critical enterprise developing or implementing an ICT strategy. Cybersecurity is no longer just about cyber technology defences; it is about the processes implemented and the training given to staff to manage cyber threats.

This is a sentiment shared by Nadya Bartol, Vice President of Industry Affairs and Cybersecurity Strategist at the Utilities Telecom Council (UTC), who shared some of the key security concerns as well as best practices in formulating a strategy to minimise the risks faced by utility companies today.

What are the major security concerns around IoT deployments, what is the potential impact of these risks and what are the measures that can be put in place to manage/minimize the risk of cyber-threats?

Utilities have been running the Industrial Internet of Things (IIoT) since they began implementing intelligent devices. In my observation, they don’t use the phrase Internet of Things. They don’t think of themselves as running IoT; rather, digitisation has been a natural progression as technology has evolved (e.g. sensors) and has enabled the efficient operation of the grid, pipelines and administration of water supply and so on. They’re all intelligent. The problem is not with digital or IIoT, but more so the security in running these networks that run all these very important functions that impact our daily lives.

The change comes as these networks are exposed to an increasing number of technologies coming online, where in most cases sensory technology has been confined to meters, cameras, and mobile devices used to run SCADA monitoring, for example.

So it’s the same security issues, but there are more potential points of compromised entry, due to the fact that the manufacturing base that produces all these devices is not necessarily uniformly educated about how to build and design securely.

The manufacturers of devices and sensors that haven’t had to be on the internet in the utility space are a lot more recent to the table. The knowledge about how to design securely is not everywhere; it is not necessarily taught in schools, so people come out and go into these companies and they don’t quite understand how to do this.

People who work in the IT space don’t understand how to efficiently design hardware and software for geographically distributed environments. So when a utility has sensors in multiple places in a geographically distributed network, it is interesting to hear their concerns about the efficiencies associated with it, such as: if I have this much security built on my network, or on my communications network, then my SCADA may not run at the speed that is necessary.

It is a security design issue. How do I acquire a solution that will not impede my primary purpose? Then there are the considerations that networks/devices can be hacked and customer data can be stolen, leading to malicious activities causing service disruption or possible explosion.

So security concerns are all the same, but they are on steroids because today, there are so many more devices that are connected to the grid.

When considering the measures or controls put in place to secure networks, there is a workforce crisis. There are several measures; however, there are not enough people who understand and know how to implement them. As these technologies are rolled out, they need to be designed securely, thought about through the lens of security, and architected securely.

Establishing minimum security requirements is tricky due to the fact that when someone is designing a device for the future, the tendency is to incorporate all kinds of features in case those features will be used. However, these features can be misused and misconfigured too.

The designer needs to take into account what a device is supposed to do as well as what it is not supposed to do.

What have been some of your experiences with working with utilities? Do they fully understand how to manage cyber risks associated with digital technology integration?

Utilities know that they have a cybersecurity challenge. They know they need to build reliable, dependable and safe networks that will run whatever function they are putting in place. They know they have a challenge and they are working on this challenge and trying to design and operate networks the way they are supposed to be. When there aren’t enough people, it is not necessarily going to get done. There are simply not enough people to do this. While utilities may understand that they have a cybersecurity challenge, I don’t think anybody fully understands how to manage evolving cybersecurity risks. There are, however, ways to organise the work, govern the work, design networks, and implement protective controls to respond to and minimise the impact should a breach occur.

Utilities that have these innovations – a set of agile, reputable processes that need to be governed appropriately and governed in a way that processes are collaborative throughout the organisation – are better off from a security point of view, than those who do not.

Protective controls include authentication for access. This could be a password, badge, PIN, token, or thumbprint. Security training and managing identities are very important. Who has access to what device? When can they have access? Why do they have access? What can they do with this access? Minimising what people can do within certain systems is also a method of control.
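The four questions above (who has access to what device, when, why, and what they may do with it) can be written down as an explicit access policy and evaluated on every request. The following is an added example, not code from the interview or from UTC: a small default-deny policy evaluator with constructed, hypothetical roles, device classes and time windows, which also produces an audit record so the "why" survives for later review.

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Grant:
    """One entry of a least-privilege access policy (constructed example)."""
    role: str             # who: the identity's role, not an individual
    device_class: str     # what device: e.g. an RTU class or a meter class
    purpose: str          # why: recorded for audit, never used to widen access
    start: time           # when: earliest allowed local time of day
    end: time             # when: latest allowed local time of day
    actions: frozenset    # what they may do; any other action is denied


# Hypothetical policy for illustration only. Roles, device classes,
# windows and action names are constructed, not taken from any utility.
POLICY = (
    Grant("field_technician", "substation_rtu", "scheduled maintenance",
          time(7, 0), time(19, 0),
          frozenset({"read_status", "update_firmware"})),
    Grant("scada_operator", "substation_rtu", "grid operations",
          time(0, 0), time(23, 59, 59),
          frozenset({"read_status", "set_point"})),
    Grant("billing_analyst", "smart_meter", "billing reconciliation",
          time(8, 0), time(18, 0),
          frozenset({"read_consumption"})),
)


def authorize(role, device_class, action, when, policy=POLICY):
    """Default deny: return (allowed, reason).

    A request is allowed only if some grant matches the role and device
    class, covers the time of day, and explicitly lists the action.
    """
    reason = f"no grant for role '{role}' on device class '{device_class}'"
    for g in policy:
        if g.role != role or g.device_class != device_class:
            continue
        if not (g.start <= when.time() <= g.end):
            reason = (f"'{role}' may access '{device_class}' only between "
                      f"{g.start.strftime('%H:%M')} and {g.end.strftime('%H:%M')}")
            continue
        if action not in g.actions:
            reason = f"'{role}' is not granted '{action}' on '{device_class}'"
            continue
        return True, f"granted for {g.purpose}"
    return False, reason


def audit_record(user, role, device_id, device_class, action, when, policy=POLICY):
    """Evaluate a request and return one audit line that answers who, what,
    when, why, and whether it was allowed. The caller logs the line."""
    allowed, reason = authorize(role, device_class, action, when, policy)
    decision = "ALLOW" if allowed else "DENY"
    return (f"{when.isoformat(timespec='minutes')} {decision} user={user} "
            f"role={role} device={device_id} ({device_class}) "
            f"action={action} reason=\"{reason}\"")


if __name__ == "__main__":
    # Constructed sample requests against the hypothetical policy.
    at = datetime(2024, 3, 5, 10, 30)
    print(audit_record("tech-042", "field_technician", "RTU-17",
                       "substation_rtu", "update_firmware", at))
    print(audit_record("tech-042", "field_technician", "RTU-17",
                       "substation_rtu", "set_point", at))
    print(audit_record("analyst-07", "billing_analyst", "RTU-17",
                       "substation_rtu", "read_status", at))
```

The evaluator is deliberately default-deny and keyed on roles rather than named individuals, so joiners and leavers are handled by changing role membership, not the policy; time windows and per-action lists express the "when" and "what" restrictions the interview calls for, and the audit line keeps the stated purpose next to each decision.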

Ownership and responsibility: Who is responsible for securing customer data? What is the utility’s role and what is the customer’s role?

This is tricky; I think that it depends on the jurisdiction that the utility is in.

When the utility collects billing data, which closely resembles personal data, it is the utility’s responsibility to protect it when it resides on their systems. But if the customer is careless with their own data, the utility cannot be responsible for that.

When it comes to energy consumption data, both the utility and the customers have a responsibility to protect data. However, I think this relationship is still evolving.

In terms of whether the customer will play an increasing role in protecting their data, this will depend on the level of customer sophistication, which can vary greatly. There is a lot of education needed to help customers understand what all this data means for them.

How do utilities go about putting in place a strategy for IoT security?

I don’t see an IoT security strategy as any different from a security strategy, because these are the networks and systems of the future. A cybersecurity strategy today needs to be agile, focus on reliability and safety business objectives, and should always reflect the purpose of the business.

A strategy needs to have a policy, which is a set of general statements and associated processes that implement the controls that minimise risk. For example: access authentication, training, awareness of individual users, secure design principles, secure architecture.

This includes measures that will kick in when a security breach happens:

  • How quickly are you going to respond?
  • What are you going to disconnect?
  • What are the rules for disconnection? And what are the rules for reconnection?
  • How are you going to get the system back online?
  • External consequences: How are you going to interact with the press and authorities?

Utilities need to minimise the risk at the front end and the backend, managing risk in the most organised way possible to protect the utility and its customers.

When it comes to purchasing software and hardware, the dialogue and relationship developed with suppliers is critical when implementing their digital and social security strategy. What is key is to establish a set of security control requirements that utilities want their suppliers to comply with, to ensure delivery, as well as setting up a set of processes should a breach happen:

  • How are you going to communicate irregularities with your supplier?
  • Who is your point of contact?
  • Whose responsibility is it to fix or remediate the situation?
  • How does everything go back online?

A utility can stipulate whether it would like certain functions activated or closed when acquiring hardware, and can choose not to have open functionality or may choose to minimise functionality. The utility can also request hardware as products of secure coding practice, as people who are trained in secure coding practice understand how to write code that is less vulnerable and that others would not necessarily know how to do. They will avoid common “constructs” in the code – avoiding exploitable vulnerabilities.

Utilities can also mandate encryption, but these measures again depend on what the device does.

What role does staff training play? Is there a need to train staff around cybersecurity?

Yes, definitely; there is role-based training and education. This means educating people whose job is to secure the network or design the network. These include engineers, operations personnel, software developers and people who participate in the design and implementation of ICT.

And then there is general user awareness: making individuals in the utility (from utility executives to customer service personnel) aware of the impact of their actions on the utility’s ability to deliver reliable and dependable services.

What, in your opinion, is not being said enough about security at the moment?

It will never end; it has become a way of life, and we need more educated people.

What are your top tips for utilities in securing their systems?

  • Know your assets to know how you can secure them; understanding your asset base is critical
  • Invest in training for utility staff
  • Hire trainable people
  • Suppliers are critical – ask questions, negotiate with your providers
  • And invest in awareness training for end-users