True IoT security in the energy industry requires continuous compliance

In April, I wrote about the IoT-specific challenges in the government vertical. Today, I’d like to put a spotlight on the energy industry.

In the past, we didn’t really have to worry about attacks targeting our electric grids or utility plants because they weren’t connected to the internet and garden-variety cybercriminals had no way to infiltrate operations technology (OT) environments. OT networks and the devices deployed on them — industrial control systems (ICS), supervisory control and data acquisition (SCADA) systems, programmable controllers, etc. — were isolated from IT networks and, thus, the associated array of cyber-risks. Today, however, the energy industry is operating in a very different environment.

The Industry 4.0 movement, combined with the increased adoption of IP-enabled infrastructure to overcome the North American electric power grid challenges, has resulted in the convergence of OT and IT networks. No matter the form — transmission and distribution, electric or water — the energy sector relies on a vast supply chain of IT and OT from third-party providers. ICS, SCADA, controllers and other OT devices are now part of the network ecosystem. This fact alone can undermine the security posture of any environment.

While digital technologies and other network modernization initiatives can have a positive impact on the business side of the house — increased efficiency, enhanced product quality, better decision-making and an improved bottom line — they also introduce new security and compliance risks.

For starters, the convergence of IT and OT networks has dramatically expanded the attack surfaces of energy organizations; each connected device now represents a potential entry point for cybercriminals. There’s also the challenge of securing OT devices and environments that weren’t designed to support conventional security technology — because, as mentioned earlier, cybersecurity never used to be an issue. And then there’s compliance with the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) requirements.

In response to the 1965 blackout in which 30 million customers were impacted across the northeastern U.S. and southeastern portion of Ontario, NERC was formed to promote the reliability and adequacy of bulk power transmission in the electric utility systems of North America. NERC’s CIP plan includes standards and requirements to ensure the bulk electric system is protected from unwanted and destructive effects caused by cyberterrorism and other cyberattacks that could lead to instability or power failure.

Achieving continuous NERC-CIP compliance

The U.S. Department of Energy released an August 2017 report that found seven “capability gaps” in the power sector’s ability to respond to a cyberattack on the electric grid. One of the seven identified gaps was “cyber-situational awareness and incident impact analysis.” This is still an issue today, thanks to increased network complexity and the proliferation of connected OT endpoints.

OT and IT environments are now interconnected, and devices and systems must interoperate for full functionality and value creation. This means that an energy manufacturer may be more inclined to prioritize devices that enable a smart grid, for example, based on interoperability rather than their security profile. So, the process to achieve continuous compliance starts with conducting a gap analysis of compliance management to determine what IT and OT assets the organization needs to protect, and the likely impact(s) that could result from compromised compliance.

In short, successful security and compliance programs require complete cyber-situational awareness — which is why it’s not surprising that this was raised as a point of concern in the DOE’s report. Achieving cyber-situational awareness can seem like an impossible task with today’s dynamic, hybrid infrastructures. But the time and energy — no pun intended — spent on making cyber-situational awareness a reality are well worth the effort, especially when you consider that penalties for noncompliance with NERC-CIP requirements can include fines of up to $1 million per day.

Avoiding these fines through continuous NERC-CIP compliance requires four key capabilities:

  1. Comprehensive visibility into all endpoints, assets and connections across all environments — including on-premises, virtual, cloud, OT, ICS and so forth — for an accurate understanding of the state of network infrastructure.
  2. Continuous monitoring of security controls to pinpoint baseline deviations and to ensure that system changes do not have a significant negative impact on security, that security plans remain effective following changes and that security controls continue to perform as intended.
  3. Identification of critical and sensitive infrastructure components.
  4. Detection of events or configurations linked to adversarial or anomalous conditions for faster threat detection and incident response.

These capabilities give energy companies the agility they need to keep pace with changing NERC-CIP requirements, not to mention the ever-changing threat landscape.

Consistency is key

The benefit of comprehensive cyber-situational awareness can be summarized in one word: consistency. Energy organizations can benefit from consistent real-time network visibility, consistent change monitoring, consistent intelligence on how changes affect security and compliance, and consistent policy controls across environments.

Consistency of this nature helps energy companies maintain continuous security and NERC-CIP compliance, regardless of how endpoints move and environments change. And with these results, energy organizations can move beyond operating with a metaphorical and tactical “keep the lights on” approach to security, to a truly strategic security approach that actually does keep the lights on for millions of customers!

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.