“Literally, all you need is a credit card and access to the internet” to inflict damage on our nation’s power grid, said one panelist at the recent webinar, Shoring Up Cybersecurity Defenses in America’s Power Grid, sponsored by Honeywell.
If this statement doesn’t grab your attention, perhaps you’ve missed news about cybersecurity attacks on our water supply or the growing threat of OT devices coming online? The panelists, of course, are well-versed in the risks inherent in today’s grid, and the interlocking solutions that must be brought to bear on the problem set.
Of interest to me, beyond being someone who enjoys clean drinking water and fully charged electrical devices, were thoughts on how we, as a nation, might reduce our attack surface. (NetCentrics provides cybersecurity services to government customers.) The event was timely because the government named November Infrastructure Security Month.
Additionally, I enjoy learning how the energy industry and the U.S. government are responding to the ever-increasing shift to renewable energy, and the cybersecurity implications of this shift.
Panelists included: Alex Bagwell, VP Global Industrial Cybersecurity, Tripwire; Andrea Carcano, Co-founder, Chief Product Officer, Nozomi Networks; Danielle Jablanski, Sr. Research Analyst, Guidehouse Insights’ Digital Innovations; and Leo Kershteyn, Director of Product Management, Cybersecurity, Honeywell.
From Sensor to CEO
According to the U.S. Office of Cybersecurity, Energy Security and Emergency Response (Energy.gov):
“The highest priority for the Industrial Control Systems (ICS) Cybersecurity Initiative is for owners and operators to enhance their detection, mitigation, and forensic capabilities.”
The government outlines 17 recommendations to improve security infrastructure. Recommendations, not requirements. The panelists debated the merits of these recommendations from a vendor-agnostic perspective, and in the context of the pandemic illuminating a growing attack surface.
The overall security posture must extend from “sensor to CEO”. That’s because operational technology (OT), enabled by the proliferation of inexpensive internet-connected sensors, continues to expand the attack surface. All parts of the business must be secured because everything is digitally connected in one way or another. Security, therefore, isn’t just an enterprise IT responsibility but a proactive stance in which everyone (and everything) must participate.
Can’t Automate Security Problems Away
Automation is, and will continue to be, an important tool in cybersecurity. Yet, it isn’t a panacea. The panelists emphasized several ways government and industry can adapt: improved inventory assessment, risk scoring, and zero-trust implementation. Additional recommendations for asset owners included:
- Commitment to ongoing evaluation of internal and external risks specific to their operation
- Getting creative on segmentation (of devices, services) before integrating any tool
- Discernment of access needs versus exploitation risk, and of accidents versus malicious behavior, by building a framework that distinguishes between them
- Investigation of cloud provider pilot programs offering “embedded insurance” as part of a risk mitigation strategy
At a high level, the government’s recommendations could be viewed as too vague to be actionable. Cybersecurity in the energy sector and industrial control systems overall is rapidly maturing. Jablanski points out that in a recent survey of energy sector participants, asset owners understood the inherent risks of the present moment. A majority classified themselves as “most exposed” to cyber threats. This is very different from just a few years ago.
The shift to renewables and the explosion of technology mark the unfolding of a revolutionary era in security. Using resources to enhance efficiency, awareness, and resilience is more cost-effective than ever before. Using them wisely, and with an eye toward security, is even more important.
NetCentrics has a long history of building and protecting cyber infrastructure in government and the private sector. Contact us to discover how our cybersecurity expertise can protect your valuable assets, both digital and operational.