by Gedi Jomantas, Motorola Solutions
In 2014, U.S. government officials from the chief of the National Security Agency to the president warned that the nation’s critical infrastructure was potentially vulnerable to cyberattacks of various forms. Headlines told of hackers’ probing the systems that control utility infrastructure, potentially gathering massive amounts of data on pipeline or electrical grid configurations and performance. User authentication credentials were stolen, along with schematics and other data about the utility networks.
The perpetrators are thought to range from foreign state-sanctioned actors to terrorists, criminal hackers or even curious software experts. Whatever the motivation, utility managers have security worries that go beyond an attack on pipelines or grids.
Utility managers know the stakes. The challenge is to secure critical infrastructure systems that are integrated across the operation. This integration opens new attack vectors that must be factored into any security strategy. This integration across the utility operation mirrors our interconnected society. Potential security risks are intertwined with the community a utility provider serves. The utility can suffer collateral damage in an attack aimed elsewhere in the community or can be a launching pad in a larger attack aimed at compromising other assets in the community.
These new security concerns drive the need for a robust and holistic approach to security that goes beyond individual products and solutions from any single industry. Utility managers must consider the entire operation, its mission and its connections to the surrounding community. Security must be in the core DNA of the organization’s operations, the technology used and the ongoing risk assessment and tactical mitigation.
The Evolution of Infrastructure
Utility managers long have known the value of technology in driving efficiencies and precision in managing infrastructure.
Supervisory control and data acquisition (SCADA) networks control a utility’s generation and transmission and tie together a utility’s core operations infrastructure.
In the past, these SCADA systems operated as closed systems. They were built for a specific purpose and isolated from other management systems.
Now, SCADA networks are no longer isolated. They are integrated into larger data networks that tie together the entire operation, from mobile end user and back office to heavy machinery and management. This integration brings many benefits in efficiency and scale.
But integration also can present many new attack opportunities. Not only is information technology infrastructure vulnerable to new forms of hacking, but the expanding array of mobile devices used by employees in their work lives (some of which they bring from home) are vulnerable to attack, as well. Device security features vary, and their versatility as personal devices also makes them likelier to bring malware into the mission-critical workplace of a utility. Because of the integration of these devices with dual consumer and business uses, security must rely on the practices of each user as much as it does on firewalls and malware detection.
Utility managers also must consider the arms race nature of security in a digital world. Many of us probably can list some of the known types of Internet-driven attacks that often make headlines: Denial of Service, viruses, trojans, phishing and the like. Security strategy must guard against each of these attacks, yet addressing each in a vacuum is a limited approach. It risks leaving many other areas unsecured while time, money and management attention focuses on countering a singular attack vector.
Today’s security environment requires holistic thinking. Utility managers should be comfortable managing security risks within a framework that controls known issues and prepares to mitigate unknown risks in a rapidly evolving environment.
5 Steps Toward a Holistic Security Solution
A holistic approach to security does not begin with products to buy, software to install or fences to build. A holistic approach follows a process of threat and risk analysis, business and operational impact assessment, efficient and cost-effective corrective action, and vigilance and ongoing monitoring. The process is aided by the selection of a trusted advisor who can guide utilities through all of these steps and into the future.
- Analysis and assessment. Your risks are unique to your operation, infrastructure, mission and the community you serve. Assessment must look at the end-to-end operation within the overall context of the operation in the community. This assessment step can be as in-depth as utility managers deem necessary. It can range from a schematic exercise that maps potential risks in the abstract to a full-blown simulation to evaluate vulnerabilities through test probes and intrusion detection.
- Impact. This phase answers questions such as: Are your operations vulnerable as a single large unit or can certain services or functions be isolated when problems arise to preserve operations at some level? What is the likelihood of an adverse event’s occurring? What is the likely impact on the community? What are the business continuity implications? These questions create a framework for establishing priorities, developing procedures and allocating funds where necessary for prioritized mitigation.
- Corrective action. Risks should be addressed in a systematic plan. Technical holes might require that new products or technologies are deployed. Other vulnerabilities might require new training programs or changes in policies and procedures, such as new rules for workers’ bringing devices from home. This step also must address issues of business continuity and procedures for business recovery. Perhaps certain assets should be mirrored in different locations or some key assets located in different sites to avoid cascade effects. In this step, compliance processes also can be developed to ensure corrective actions are maintained beyond initial implementation.
- Vigilance. Utility managers must instill a security mindset that permeates a utility’s entire operation. Risk assessment must become ongoing, with deep end-to-end reviews performed regularly. Securing infrastructure is never finished; in the same way management strives constantly for greater efficiency, leaders always must work to improve security. Cost-effective processes must be developed to spread this mindset throughout the operation.
- Trusted advisor. If all this were easy, anyone could do it. Security can seem daunting, but utility managers need not be security experts. They need trusted advisors who counsel them the same way they need engineers, lawyers and accountants in other aspects of the business. A trusted advisor must bring more than technical knowledge. The holistic approach requires an advisor who can look at the entire operation, its mission and its links in the community to create a security ecosystem where all the parts work together to build a secure whole.
Security is complex with many dimensions. A seemingly innocuous action can lead to a breach that has a cascading impact. In an interconnected world, utility managers must take a holistic approach to security planning to guard against new threats in our world.
Gedi Jomantas is director of security services for Motorola Solutions. Jomantas is a Certified Information Systems Security Professional (CISSP) and has an extensive background in leading security framework initiatives across mission-critical communications and complex enterprise IT customer environments.