Best practices for cyber security
10 September 2021
Roger Clarke-Johnson of Emerson offers a practical guide to maintaining a strong cybersecurity posture
Adoption of digital technologies … remote working … the growth of intermittent renewables in generating portfolios … these and other market drivers are having dramatic impacts on the energy landscape. Hydro plants, in particular, are at an inflection point. Not only is hydropower shouldering a greater share of load swings – and playing an even greater role in grid reliability and resilience – it continues to be integral to public safety by protecting waterways; providing flood control and irrigation; offering recreational opportunities; and supplying drinking water.
These evolving market realities only heighten the need to maintain a strong cybersecurity posture. And the numbers bear this out: The global annual market for energy IT and cybersecurity for software and services is expected to grow from USD $19 billion in 2020 to more than USD $32 billion by 2028, according to a Navigant Research report.
Whether assets are fossil or renewable, the basic tenets of applying cybersecurity best practices remain the same. And it starts with the organization’s overall philosophy.
Being truly committed to protecting power-generating facilities and other critical infrastructure requires an approach that ensures control systems are truly secure, organizations are compliance-ready and generation reliability is maintained. Developing a security program focused on both compliance and security best practices will help to maintain a strong security posture.
One way to view cybersecurity is through the lens of four key areas—Identify, Protect, Detect and Respond/Recover—that are aligned with industry best practices, yet tailored to the unique requirements of power generation facilities and organizations. Let’s take a closer look at each.
At its core, the Identify step is all about risk management – identifying what assets a utility has, understanding how they are interconnected and establishing a baseline assessment of how secure they may or may not be.
Organizations regularly evaluate the risks to their business and operations. Cybersecurity is an organizational risk that affects strategic, compliance, operational, financial and reputational risks. A risk-based approach to cybersecurity is not intended to protect against all threats to automation and controls, but to identify potential vulnerabilities and make a strategic decision based on the likelihood and impact of each vulnerability.
The first step in this phase is to document and inventory all cyber assets. Many utilities use databases and spreadsheets to track cyber assets, making sure to note the location, asset tag and how each is connected to other devices and systems. Once all the assets have been identified, it is important to understand how the equipment is networked together. Generating a detailed network topology diagram to show interconnections between devices and systems, both internal and external, helps utilities gain an understanding of what they have, how it is interconnected and what their resulting compliance obligations may be.
Understanding how equipment and systems are connected is the first step in determining the challenges of securing operations and meeting compliance obligations. The next step is to perform an initial vulnerability assessment in order to establish a baseline. Vulnerability assessments, which should be performed every 12 to 18 months to track improvements over time, can be conducted several different ways using a variety of manual processes and/or automated tools.
As a security best practice and from a compliance perspective, performing a ports and services baseline and comparison is an important part of a vulnerability assessment, as it identifies and compares the current open ports and services running versus those identified by equipment vendors as needed for operation. Hardening of ports and services to those identified as required for operation is a key step in eliminating potential vulnerabilities.
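The ports-and-services comparison described above, sketched in Python as an added example (not code from the original article or from Emerson). The asset names, the vendor-required port lists and the scan records are constructed for illustration.

```python
# Added example: ports-and-services baseline comparison. All data is constructed.

# Ports each asset needs for operation. Constructed values; the real list
# comes from the equipment vendor's documentation.
VENDOR_REQUIRED = {
    "hmi-01": {("tcp", 443), ("tcp", 3389)},
    "plc-gw-01": {("tcp", 502), ("udp", 123)},
}

# Constructed scan export, one "asset proto port service" record per line.
OBSERVED_SCAN = """\
hmi-01 tcp 443 https
hmi-01 tcp 3389 ms-wbt-server
hmi-01 tcp 21 ftp
plc-gw-01 tcp 502 modbus
plc-gw-01 tcp 23 telnet
eng-laptop-7 tcp 445 microsoft-ds
"""


def parse_scan(text):
    """Return {asset: {(proto, port): service}} from the scan export."""
    observed = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        asset, proto, port, service = line.split()
        observed.setdefault(asset, {})[(proto.lower(), int(port))] = service
    return observed


def compare_to_baseline(required, observed):
    """Per asset: ports open but not required, and required but not seen."""
    report = {}
    for asset in sorted(set(required) | set(observed)):
        need = required.get(asset, set())
        seen = observed.get(asset, {})
        report[asset] = {
            # Hardening candidates: listening, but not on the vendor list.
            "unexpected": sorted(k + (seen[k],) for k in set(seen) - need),
            # Required but absent: a stopped service or a gap in the scan.
            "missing": sorted(need - set(seen)),
            # False means the scan found a device the inventory does not list.
            "in_inventory": asset in required,
        }
    return report


if __name__ == "__main__":
    for asset, result in compare_to_baseline(VENDOR_REQUIRED, parse_scan(OBSERVED_SCAN)).items():
        print(asset, result)
```

Re-running the same comparison at each assessment cycle gives the improvement record over time that the baseline is meant to support.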
A vulnerability assessment should help expose what could be improved to enhance the facility’s overall security posture. Once an organization has a good understanding of its assets, how they are logically connected and how secure they are, the next step is to determine what can be done to harden systems, to secure them and protect them.
There are several best practices that fall into the Protect category including user management, system hardening, patch management strategies, anti-virus and malware prevention programs, and human factor prevention.
While Protect is where the rubber meets the road, it is important to apply common sense to ensure initiatives are practical and not so restrictive that they may actually compromise reliable operation. Take the difference between using shared accounts and unique accounts, for example. Some best practices in other industries may recommend that every person who logs onto the system has a unique user account. However, implementing a user management policy like this on a control system makes it difficult when operators are changing shifts. Logging out at the end of the shift so the next operator can log in could potentially cause the utility to lose visibility into the system until the next operator has logged on. In the power industry, it is common for operators to utilize shared accounts, while administrators, engineers and other personnel typically have unique accounts so that activity can be tracked.
Cybersecurity best practices promote a “defense in depth” strategy—using multiple tools or techniques to achieve additional security measures that help ensure a good security posture. For instance, although operators may share user accounts, the use of security cameras, badging systems and log books makes it possible to pinpoint the identity of the operator who may have either maliciously or inadvertently caused an incident.
One area that is sometimes overlooked when it comes to cybersecurity is the “Human Factor.” In most cases, the number-one threat to the system is not someone from halfway around the world hacking into a system; it is the person who just returned from vacation and wants to show everyone his or her pictures and unknowingly inserts an infected USB drive into a computer. The fact that the intent was not malicious is moot; the damage is the same. Providing cybersecurity awareness training, establishing a secured USB program and instituting policies to restrict what can and cannot be done on the system is a good first step in addressing the human factor.
After establishing security programs, hardening systems and defining a defense strategy, it is important to closely monitor all systems. The Detect step encompasses security incident and event management (logging), network intrusion detection, configuration change management and internal policy audits.
In terms of logging, utilities should review applicable logs manually, or deploy a solution to monitor assets and alert personnel when thresholds are reached. Keep in mind that alerts may not always indicate that someone is trying to hack into the system – it could be something else entirely. For instance, if a system password was changed and a process running on a machine cannot log in, it is possible to see hundreds of thousands of failed log-in attempts. While not malicious, this indicates that something changed and should be addressed.
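A threshold alert of the kind described above, as an added Python example (not code from the original article or from Emerson). The log format, account names, addresses, threshold and window are assumptions made for illustration. It raises an alert in both situations and labels the stale-credential pattern separately so it can be routed to the right team.

```python
# Added example: threshold alerting on failed log-ins. Log lines are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                  # assumed alert level: failures per source
WINDOW = timedelta(minutes=5)  # assumed sliding-window length


def make_sample_log():
    """Build constructed auth-log lines: 'timestamp RESULT user=.. src=..'."""
    t0 = datetime(2021, 9, 10, 8, 0, 0)
    def line(sec, result, user, src):
        return f"{(t0 + timedelta(seconds=sec)).isoformat()} {result} user={user} src={src}"
    # A service retrying every 10 s with a password that was changed.
    log = [line(10 * i, "FAIL", "svc_historian", "10.0.5.20") for i in range(30)]
    # One workstation failing against several different accounts.
    users = ["operator", "admin", "engineer", "root", "guest", "backup"]
    log += [line(7 * i, "FAIL", u, "10.0.9.44") for i, u in enumerate(users)]
    # A single mistyped password followed by a successful log-in.
    log += [line(0, "FAIL", "jsmith", "10.0.5.31"), line(20, "OK", "jsmith", "10.0.5.31")]
    return log


def find_alerts(lines):
    """Return {source: details} for sources whose failures reach THRESHOLD."""
    by_src = defaultdict(list)
    for entry in lines:
        ts, result, user, src = entry.split()
        if result == "FAIL":
            by_src[src.split("=", 1)[1]].append(
                (datetime.fromisoformat(ts), user.split("=", 1)[1]))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        peak = start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > WINDOW:   # slide window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= THRESHOLD:
            accounts = sorted({user for _, user in events})
            # One account failing repeatedly points at a stale stored
            # credential; many accounts from one source needs a closer look.
            kind = "single-account-retry" if len(accounts) == 1 else "multi-account"
            alerts[src] = {"peak": peak, "accounts": accounts, "kind": kind}
    return alerts
```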
Another best practice with both a security and compliance focus is to track all system changes – even those that are purposely made. For instance, if an engineer makes changes to a control sheet, they should document the change as confirmation that the change was allowable. Any changes that have not been confirmed as allowable could be cause for concern. Change management can be addressed through a variety of manual processes and procedures as well as automated tools.
Finally, utilities need to be prepared if, despite their best efforts, something does go wrong. This is where Respond/Recover kicks in. Whether or not a site is classified as a critical asset, it is imperative that it have an Incident Response Plan with detailed actions for responding to internal and/or external malicious and non-malicious threats and attacks. Just as critical is having disaster recovery procedures at the ready. To be effective, the activities related to this step must be established beforehand and plans should be tested annually.
It is important to remember that security is not a project or a product: it is a process that continually evolves. As such, utilities should always consider cybersecurity as part of their regular maintenance program as well as part of the overall system life-cycle care plan. To remain current, organizations should establish a plan for regular maintenance as well as a plan to upgrade their security-related products every two to three years. For example, anti-virus software can run on a computer for a long time, but without frequent updates, is it providing the same level of protection?
Hydropower plants produce electricity and generate revenue. They also serve and protect the public, and preserve the habitat of a variety of aquatic species. For these reasons it is imperative that cybersecurity initiatives secure systems and ensure operational reliability. The bottom line is that simply meeting compliance obligations does not guarantee that systems are secured, and a strong security program does not necessarily mean an organization is compliance ready. But by considering both compliance and best practices with a focus on Identify, Protect, Detect and Respond/Recover, utilities can achieve a strong security posture that supports compliance and ensures reliable plant operation.
Hydro plants have long lifecycles: Some are over 100 years old. Digital transformation is beginning to touch these older plants in addition to the hundreds of younger hydro plants that have already been retrofitted with digital controls and automation. Applying the cybersecurity best practices outlined here can help ensure all hydro power plants can continue to be relied upon to quickly and cost-effectively produce clean, renewable, dispatchable electricity to the grid when it is needed most, while maintaining public safety for this generation and generations to come.