How Power Producers Boost Security with Proactive Cyberthreat Hunting

By Pascal Ackerman, senior consultant of Industrial Cyber Security, Rockwell Automation

An unprecedented cyberattack hit the U.S. power grid on March 5 of this year.

There was little news coverage. There was no blackout, and it's not clear if it was a targeted attack. But hackers did use firewall vulnerabilities to cause periodic "blind spots" for about 10 hours for grid operators in the western United States. It's the first known time a cyberattack has caused that kind of disruption at a U.S. power grid company.

The incident was first referenced in a U.S. Department of Energy report in April, but only in vague terms. A North American Electric Reliability Corp. document described it in more detail. Considering the extent to which Russia and others continue to probe the power grid, it's an unsettling reminder that weaknesses are out there.

Greater connectivity and information sharing — enabled by technologies such as smart devices, inspired by concepts like the Industrial Internet of Things (IIoT), and brought to life in The Connected Enterprise® — are transforming companies and their operations significantly. They’re converging IT and operations technology (OT) systems and using new technologies such as mobile, analytics, cloud and virtualization to do more than ever before.

This increased level of connectedness allows manufacturers to benefit and address challenges that more traditional models and operating practices were not able to offer. Vast data streams are acquired, processed and transmitted, often in real time. However, it's these very streams of data and interconnectedness that are putting industry at risk.

Just as the nature of manufacturing and industrial operations has changed, so have the security risks. More connected operations can create more potential entrance points for industrial security threats. These threats can come in many forms — physical or digital, internal or external, malicious or unintentional.

Taking a Holistic Approach to Cybersecurity

Holistic industrial security is enterprise-wide, starting at the plant level and encompassing every individual end device. Taking a holistic approach to cybersecurity is of paramount importance, especially in today’s rapidly evolving digital manufacturing environment. It addresses risks from all sides: people, processes and technologies. In addition, it brings together IT and OT teams, both of which are indispensable in securing network architectures.

Forward-thinking companies use strategies and tactics to manage risk and help minimize or mitigate threats. Physical security strategies are no longer enough to protect operations. Today, manufacturers also need to understand and assess their industrial cybersecurity requirements and take a proactive approach to managing risks.

Proactive Threat Hunting

You may have a strong industrial security program in place and have implemented intrusion detection systems to avoid future incidents. But in the complex world of cybersecurity, you can’t stop there.

Despite all your efforts, latent advanced persistent threats (APTs) are still a concern. They are slowly at work trying to find chinks in your armor and exfiltrate data, bogging down your operations, and intrusion detection isn’t going to catch this activity.

Threat hunting is one of the next logical steps in your cybersecurity program. In its simplest form, you are searching the network for external threats or intrusions that went undetected by automated security systems. It’s a very scalable exercise and can be done with varying degrees of automation, including none at all.

It not only can further protect your proprietary recipes and information, but also has great potential for improving operational efficiencies. While this practice isn’t entirely new to the IT space, it’s making its way into OT environments.

Threat hunting is proactive, and takes a step back from the scanning tools, traps and future-focused infrastructure already in place. In an age of technology, it uses gray matter to uncover malicious activity and infiltrations that have been hiding in your network for months, maybe years. Further, it can find correlations not otherwise detectable between network activity and production inefficiencies.

The good news is, you likely have what you need to get started. Your human-machine interfaces (HMIs) and servers already are creating activity logs you can gather and analyze offline so there’s no stress on the network or production interruptions. Go hunting for infiltrations before they impact your plant floor.

Protecting Critical Infrastructure

Similar to the pharmaceutical industry, critical infrastructure such as power plants are an obvious target for security threats.

As a result, any company that generates power must be especially vigilant when it comes to understanding evolving cybersecurity threats. It’s imperative that power producers keep current on the latest processes and solutions that can be implemented to combat these threats.

As cybersecurity threats significantly increase each year, what can you do to help protect your operations?

Defense-in-Depth Security

Defense-in-Depth (DiD) is based on the idea that if any one point of protection is defeated, additional layers will subsequently need to be defeated. Therefore, DiD security establishes multiple layers of protection through a combination of physical, electronic and procedure safeguards.

A DiD security approach consists of six main components:

• Policies.
• Procedures.
• Physical security.
• Network.
• Computer.
• Application.
• Device.

Trusted Vendor

Your plant’s automation system is likely a small part of capital assets or costs. However, it can have a disproportionately large impact on helping you meet your security goals — similar to the impact it has on your production, quality and safety goals. Before selecting vendors for any system that will be connected to your network, request that they disclose their security policies and practices.

Rockwell Automation has a strategic partnership with Cisco to better understand evolving cybersecurity best practices and have defined five core security principles for designing products used in a control system:

• Secure network infrastructure,
• Authentication and policy management,
• Content protection,
• Tamper detection,
• Robustness,

Power generators should look for a structured and tailored approach to meet physical and cybersecurity requirements. Multiple layers of protection, a highly integrated cybersecurity suite and other upgrades can help producers get ahead of risks already running throughout the industry.

^{The Journal From Rockwell Automation and Our PartnerNetwork™ is published by Putman Media, Inc.}