Power Producers Step Up Cybersecurity


Power providers seek a tailored approach that combines physical, electronic and procedural safeguards to meet facility and cybersecurity needs.

By Tom McDonnell, North American Power Generation Industry Leader, Rockwell Automation

The cyber attack on Ukraine’s power grid in December 2016 brought the industry’s vulnerabilities into sharp relief. For decades, the more familiar territory of physical security threats had dominated the conversation.

Right before Christmas, the grid attack cut power to 103 cities and towns, leaving almost 200,000 Ukrainians without power for several hours, and the global utility industry felt the ripple effects. The urgency to address and attempt to prevent cybersecurity threats mounted.

Power Industry Makes Up for Lost Time

For years, cybersecurity trailed behind reliability, environmental regulations and aging infrastructure in the list of issues confronting power producers. Cybersecurity moved to the No. 2 spot in 2016. In fact, U.S. industrial control systems were hit by cyber attacks at least 245 times over a 12-month period between 2014 and 2015, according to the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team.

While every industry is prone to attack, the energy sector led all other industry verticals with almost one-third of the attacks. Power is a fundamental resource. Because it fuels civilization and is critical to economic and military defense infrastructure, it’s an obvious target for security threats.

For that reason, power generators are actively evolving how they navigate the cybersecurity landscape. We’ll take a look at where the challenges are and the ways power producers can address cybersecurity concerns and regulations more efficiently and effectively.

Challenges for Bulk Electrical Systems

When it comes to acting on relevant regulatory standards, power producers have to take a holistic approach. The positive news is that, in general, power producers are ahead of the curve when it comes to cybersecurity compared to other industrial companies.

Consider the recent “Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” which calls for an assessment of cyber readiness and vulnerabilities. The electrical industry already is doing this to comply with industry regulations and standards, including the North American Electric Reliability Corp.’s (NERC) CIP™, the Cybersecurity Act of 2015 and National Institute of Standards and Technology (NIST) standards.

People rely on power producers to provide economic security, environmental stability and health infrastructure service in their daily lives. Given the potential for national security threats, these standards are crucial.

The integration of renewable generating assets, propagation of distributed generation and need for an integrated regeneration infrastructure have led to multiple progressions in the industry. The first is the convergence of IT and operational technology (OT) systems into a Connected Enterprise for greater collaboration and plantwide efficiency.

The second industry shift is the increase of intelligent devices and smart equipment, which serve as the foundation of a connected power plant.

As power producers work to implement IT/OT convergence and intelligent devices, they must keep cybersecurity threats top of mind. The electric power industry, for instance, follows threat mitigation methods that focus on areas such as preparation, prevention, response and recovery.

It’s no secret that the goal for every facility is to manage risk properly, which might include system upgrades. Still, according to the Edison Electric Institute, tens of thousands of power plants in North America cannot be protected from all threats 100% of the time.

System and Technology Upgrades

In fact, not all producers will be able to upgrade systems and technologies to the same level or at the same pace. For producers that are building new plants or completely overhauling existing facilities — such as moving to a more modern infrastructure, control system or electrical product — this can be an ideal time to investigate and implement cybersecurity protections and processes as part of that larger design and implementation.

For many established facilities, however, it’s more complicated. They may not have the capital funds available to upgrade problematic legacy systems. We’re going to see producers running with their reliable and proven programmable logic controllers (PLCs) in many locations for the remainder of the plant’s life cycle.

That doesn’t mean these systems can’t get connected or be secured. It just means we’re going to see a rise in hybrid solutions that allow these facilities to achieve the improved production that comes with greater connectivity and the security required for customer satisfaction and regulatory compliance in a way that’s more immediately financially feasible.

Piecing together the right combination of technology and processes for a hybrid solution presents its own challenge. You have access to a plethora of rapidly evolving technologies. Sorting through everything that’s available and articulating how that will translate into the desired functionality and outcomes for an individual facility takes skill.

No plant has staff with the knowledge and resources required to assess which systems are needed, much less design, deploy or maintain more secure and connected systems. This issue can be addressed via workforce training and development, or through vendor-provided services and support.

Such systems can be successfully designed and deployed only if you look at cybersecurity in a holistic manner.

A Holistic Approach to Cybersecurity

Industrial security must be holistic to be effective. It’s enterprisewide, starting at the plant level and encompassing every individual end device. It addresses risk from all sides: people, processes and technologies. And it brings together IT and OT teams, both of which are indispensable in securing network architecture.

Three key areas need consideration when taking a holistic approach. The first is moving forward with a security assessment to understand your risk areas and potential threats. The next is deploying defense-in-depth (DiD) security to establish multiple fronts of defense. The third is working with trusted vendors that follow core security principles when designing their products.

Security Assessment

Power producers must cultivate a deep understanding of all risks and vulnerabilities that exist within their organization. A security assessment offers a fresh and unflinching look at site infrastructure nuances, software, networks, control system, policies, procedures and even employee behaviors. It’s the foundation for a successful security policy.

 Key deliverables for any security assessment include:

  • Inventory of authorized and unauthorized devices and software.
  • Detailed observation and documentation of system performance.
  • Identification of tolerance thresholds and risk/vulnerability indications.
  • Prioritization of each vulnerability based on impact and exploitation potential.
  • Mitigation techniques required to bring an operation to an acceptable risk state.

With an assessment in hand, implementation can begin.

DiD Security

DiD security is based on the idea that if any one point of protection is defeated, additional layers subsequently will need to be defeated. Therefore, DiD security establishes multiple layers of protection through a combination of physical, electronic and procedural safeguards. Just as a bank uses multiple security measures — such as video cameras, a security guard and a vault — this helps make sure threats encounter more than one line of defense.

A DiD security approach consists of six main components:

  • Policies and Procedures: They play a critical role in shaping workers’ behaviors to follow good security practices and confirming the appropriate security technologies are used.
  • Physical Security: Physical security should limit personnel access not only to certain areas of a facility but also to entry points on the physical network infrastructure, such as control panels, cabling and devices.
  • Network: A network security framework should be established to help safeguard your network infrastructure against cyberattacks.
  • Computer: The top means of intruder entry into automation systems is through software vulnerabilities. Security patch management should be established to track, evaluate, test and install cybersecurity software patches.
  • Application: Security devices also should be incorporated at the manufacturing or industrial application level as part of a DiD approach.
  • Device: Device authentication and unauthorized device identification can help make sure only trusted devices are used.

Trusted Vendors

Your plant’s automation system likely is a small part of capital assets or costs. However, it can have an outsized impact on helping you meet your security goals, similar to the impact it has on your production, quality and safety goals. Before selecting vendors for any system that will be connected to your network, request they disclose their security policies and practices. At Rockwell Automation, we’ve defined five core security principles for designing products used in a control system.

1. Secure Network Infrastructure. Vendors can help keep information in the automation layer secure and confidential. For example, technology can validate and authenticate devices before they are granted access to a network.

2. Authentication and Policy Management. Company policies dictate data-access levels for employees. Automation products can support these policies using access control lists to manage user access to devices and applications.

3. Content Protection. Automation solutions can help protect intellectual property by assigning passwords to routines and add-on instructions and by using digital-rights management to limit a user’s ability to view and edit device data.

4. Tamper Detection. Built-in tamper detection can detect any unauthorized system activity and alert the right personnel. It also can log key details, such as where the attempted intrusion took place, how it occurred and whether anything was modified.

5. Robust Vendor Security. A robust vendor-security approach includes providing security training to employees, using design-for-security development practices, testing products to global security standards, conducting final security reviews before products are released, verifying processes stay current with standards and technologies and having a plan in place to address vulnerabilities.

Power producers should look for a structured and tailored approach to meet physical and cybersecurity requirements. This approach can include multiple layers of protection through a combination of physical, electronic and procedural safeguards. It might include a highly integrated cybersecurity suite that consolidates solutions such as antivirus, application whitelisting, security information and event management and compliance into a unified solution.


Tackling the NERC CIP Standards

Given the many regulations and standards affecting power producers, it’s hard to process everything at once. The highest priority has to be what must be implemented — namely, NERC CIP.

Plan to protect your cyber critical assets. CIP-003, -007, -008 and -009 all offer guidance on securing individual assets within a system.

  • Requirements for identifying who owns cyber critical assets and documenting any exceptions.
  • Requirements for protecting the information associated with cyber critical assets and evaluating how you manage the security controls.
  • Definition of how to maintain security standards.
  • Guidelines for reporting and responding to system threats.
  • Guidelines for recovery recommendations if a company loses access to an asset.

Know what you have and where it is. CIP-002, -005 and -011 deal with understanding what critical assets exist within a system and what cyber critical assets are essential for the operation of the other assets.

  • Systems and facilities at master and remote sites.
  • Monitoring and control.
  • Real-time power system monitoring.
  • Real-time inter-utility data exchange.
  • An electronic security perimeter in which all cyber-critical assets reside — and documentation of the perimeter.
  • Perimeter must include electronically monitored access control.
  • Conduct an annual review of the perimeter’s cyber vulnerability.

Tend to the physical security of your assets. CIP-004, -006 and -010 describe how to create and maintain a physical security plan that complements the cyber security measures already in place.

  • Requirements for documenting physical access controls.
  • Processes for hiring and training employees on security measures.
  • Proper screening for new employee hires.
  • Raising awareness of security measures with existing employees.
  • Training appropriate personnel to use security measures.

The Journal From Rockwell Automation and Our PartnerNetwork™ is published by Putman Media, Inc.

 
