• Print
  • Decrease text size
  • Reset text size
  • Larger text size
07/11/2017

Cybersecurity in Energy: Are you ready?

As recently announced in a joint Technical Alert by the Department of Homeland Security and the FBI, there has been a series of on-going cyber threats infiltrating our nation’s energy, nuclear, water, aviation, and critical manufacturing sectors. While the impact of the intrusions have not yet been detrimental, we believe that Federal and State Regulators will continue to further emphasize and progress policies that will require the security and protection of networks associated with the nation’s critical infrastructure. Is your organization prepared to comply with upcoming regulations?

United States Federal Initiatives

Over the past two years, the global energy sector has seen a large increase of cyberattacks. In 2015, an attack on the Ukrainian power system led to power outages that affected hundreds of thousands of people. In recent history, the energy sectors in Europe and North America have been the newest targets of attack, as there have been several reports of attempted attacks on electricity grids, along with nuclear facilities in the United States. In a recently announced Technical Alert by the Department of Homeland Security and the FBI, hackers seem to be interested in learning how energy facilities operation and how to gain access to operational systems themselves, to the extent that they could potentially sabotage or gain control of the systems. They believe the threats are a part of a multi-stage campaign that first targets low security, small networks of 3rd parties and vendors, in order to gain access, then move laterally to high value asset owners within the energy sector.

As the likelihood and complexity of attacks continue to intensify, along with a deeper understanding of the implications associated with an attack, the United States government has begun to further develop and expand policies regarding protecting the nation’s critical infrastructure.

President Trump’s Executive Order: Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

In May of 2017, President Trump signed an Executive Order intended to further improve the nation’s cybersecurity. The Executive Order contains three main priorities for the Trump administration: the protection of federal networks, cybersecurity of critical infrastructure, and cybersecurity for the nation.

The Executive Order calls for many sectors of the government to write risk management reports on whether or not the country is adequately prepared to defend itself against cyberattacks. It also calls for a report to be provided to the President regarding the modernization of the Federal Information Technology.

The Order demands an assessment of the nation’s critical infrastructure and the electrical grid. Most of these reports are due within the next 90 to 240 days and will be filed with the Department of Homeland Security. This demand requires that the secretary of Homeland Security and the Secretary of Energy must assess the potential for a power outage associated with a significant cyber incident. It also requires an action plan for each agency to implement the NIST Framework for Improving Critical Infrastructure Cybersecurity, as detailed below. The Order also includes a section titled “Resilience Against Botnets and Other Automated, Distributed Threats” that focuses on threats posed by botnets, in order to reduce threats perpetrated by automated and distributed attacks.

Finally, the Order acknowledges the US is dependent on a global secure and resilient internet, and it calls for the Secretaries of States, Treasury, Defense, Commerce, and Homeland Security, in coordination with the Attorney General and Director of the FBI, to submit a report outlining their international cybersecurity priorities. The Order acknowledges a global shortage of skilled cybersecurity workers and asks the Secretary of Commerce to review the nation’s training programs and the ability to field the necessary workers in the years to come. The agency has to write an assessment on whether the US is training enough skilled cybersecurity workers to deal with the expected demand, resulting from an increase of cyber threats. The agency is also required, in 120 days, to provide recommendations for how the nation can grow and sustain the necessary workforce, in both the private and public sector, given the growth in importance.

As of October 2017, the White House has not provided specific details of the progress made to the deadlines outlined in the Order, but a National Security Council spokesperson confirms that progress has been made, while the release of products may very over time. Specifically, the White House’s American Technology Council and Office of American Innovation has submitted its draft on the Federal IT Modernization Report.

Recent Congressional Bills

NIST Small Business Cybersecurity Act

In April of 2017, the Small Business Cybersecurity Act was introduced to the House of Representatives to amend the National Institute of Standards and Technology Act to require the NIST to also consider small businesses when it facilitates and supports the development of voluntary, consensus-based, industry-led guidelines and procedures to cost-effectively reduce cybersecurity risks. As mentioned previously, as threats are frequently multi-stage attacks, securing small business networks are just as critical as those of major energy operators.

MAIN STREET Cybersecurity Act of 2017

In March of 2017, the MAIN STREET Cybersecurity Act of 2017 was introduced to the Senate as the Making Available Information Now to Strengthen Trust and Resilience and Enhance Enterprise Technology Cybersecurity Act of 2017. This bill also amends the National Institute of Technology Act to require small businesses, as in the NIST Small Business Cybersecurity Act previously mentioned.

IoT Cybersecurity Act of 2017

The United States Senate has also introduced the IoT Cybersecurity Improvement Act of 2017, as a direct response to the constant stream of attacks in the market of connected devices. The bill seeks to use the government’s buying power to set a basic level of security for IoT devices bought by the government and would require vendors of connected devices to make sure their products can be patched when security updates are available. This bill would also require vendors to not allow their devices to use hard-coded passwords and to ensure that their devices are free from known vulnerabilities at the time they are sold.

Please visit http://en.finance.sia-partners.com/20171018/cybersecurity-and-iot-where-do-we-go-here to see our thoughts on Cybersecurity and the Internet of Things!

The Department of Homeland Security

As protecting critical infrastructure includes a growing interconnectivity between cybersecurity and physical security, the Department of Homeland Security has issues the Homeland Security Presidential Directive 7 (HSPD-7), which establishes a national policy for the Federal departments and agencies to prioritize critical infrastructure and protect them from terrorist attacks. Specifically to high-risk chemical facilities, the DHS has issued Chemical Facility Anti-Terrorism Standards (CFATS) that regulates high-risk chemical facilities to ensure they have security measures in place to reduce terrorist risks associated with facilities.

In addition to the actions required from President Trump’s Executive Order, the Department of Homeland Security (DHS) employs a risk-informed, all-hazards approach to safeguarding critical infrastructure by implementing the National Cybersecurity and Communications Integration Center (NCCIC), Critical Infrastructure Cyber Community Voluntary Program (C3VP), and the National Infrastructure Coordinating Center (NICC).

National Cybersecurity and Communications Integration Center

The Cybersecurity Information Sharing Act of 2015 created the NCCIC as a 24/7 cyber situational awareness, incident response, and management center that is a national nexus of cyber communications integration for the federal government, intelligence community, and law enforcement. The NCCIC has created an Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) that works to reduce risks within all critical infrastructure sectors by partnering with law enforcement and the intelligence community and coordinating federal, state, local, and tribal government and control systems owners, operators, and vendors.

Critical Infrastructure Cyber Community Voluntary Program

With growing interconnectivities between cybersecurity and physical security, DHS has created a voluntary program to act as a coordination point within the federal government for critical infrastructure owners and operators interested in improving their cyber risk management processes. In addition, the community encourages the use of NIST’s Framework for Improving Critical Infrastructure Cybersecurity, as detailed below.

National Infrastructure Coordinating Center

The NICC is a dedicated 24/7 coordination and information operations center that maintains situational awareness of the nation’s critical infrastructure for the federal government. When an incident or event affecting critical infrastructure occurs and requires coordination with the Department of Homeland Security, the NICC serves as that information sharing hub to ensure the security and resilience of the critical assets.

National Institute of Standards and Technology

In February 2013, President Obama signed Executive Order 13636, which like President Trump’s Order, involves “Improving Critical Infrastructure Cybersecurity”. As a response from this Order, the National Institute of Standards and Technology (NIST) developed a voluntary risk-based Cybersecurity Framework, which acts as a set of industry standards and best practices to help organizations manage cybersecurity risks. The intent of the Framework is to allow for collaboration between the government and the private sector to address and manage cyber risks in a cost-effective way based on business needs without placing additional regulatory requirements on businesses. The Framework consists of three parts:

  • The Framework Core – a set of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational Profiles
  • The Framework Profile –the Profile is intended to help organizations align its cybersecurity activities with its business requirements, risk tolerances, and resources
  • The Framework Implementation Tiers – the Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risks

Although the NIST Cybersecurity Framework is currently a voluntary practice, President Trump’s Executive Order called for the Department of Energy and the Department of Homeland Security to evaluate their cybersecurity practices against the NIST Framework, which could potentially mean the Framework may eventually become a mandatory requirement for organizations associated with protecting the nation’s critical infrastructure.

In addition to the Cybersecurity Framework, the NIST releases special publications with more specific guidelines, such as SP 800-53 and SP 800-63 which are about the Security and Privacy Controls for Federal Information Systems & Organizations and Digital Identify Guidelines, respectively. The NIST has also established the National Cybersecurity Center of Excellence (NCCoE) and has industrial specific guidelines, such as the Capability Assessment for Securing Manufacturing Industrial Control Systems.

Industrial Specific Standards and Guidelines

Federal Energy Regulatory Commission

The Energy Policy Act of 2005 gave the Federal Energy Regulatory Commission (FERC) authority to oversee the reliability of the bulk power system, also known as the power grid. The FERC also oversees interstate transmission, public utilities, hydroelectric power, interstate natural gas pipelines, and interstate transportation of crude oil and petroleum products. This authority also includes the responsibility to approve mandatory cybersecurity reliability standards. The North American Electric Reliability Corporation (NERC) has been certified by FERC and has developed the Critical Infrastructure Protection (CIP) cybersecurity reliability standards. In January of 2008, FERC issued Order No. 706, approving the CIP reliability standards.

In addition, with growing interconnections of information technology into operations, such as the smart grid, there are growing concerns in an increase in vulnerabilities of cyber attacks and loss of electricity services. To address these concerns, the Energy Independence and Security Act of 2007 (EISA) gave FERC and the NIST responsibilities related to coordinating the development and adoption of smart grid guidelines and standards.

NIST Framework Implementation Guidance

As previously mentioned, the NIST provides guidance on implementing the Cybersecurity Framework for specific industries. Below is a collection of published papers with guidance associated with the Energy industry in the United States.


Publishing Entity

Title

Associated Sector

The Department of Homeland Security

Chemical Sector Cybersecurity Framework Implementation Guidance

Chemicals

The Department of Homeland Security

 

Commercial Facilities Sector Cybersecurity Framework Implementation Guidance

Commercial Facilities

The Department of Homeland Security

 

Critical Manufacturing Sector Cybersecurity Framework Implementation Guidance

Manufacturing – Oil, Gas, Chemicals, Power, Utilities

The Department of Homeland Security

 

Nuclear Sector Cybersecurity Framework Implementation Guidance

Nuclear Power

The Department of Energy

Energy Sector Cybersecurity Framework Implementation Guidance

Energy

American Water Works Association

Process Control System Security Guidance for the Water Sector and Cybersecurity Guidance Tool

Utilities (Water)

United Nations’ International Maritime Organization

Interim Guidelines on Maritime Cyber Risk

Maritime (Shipping, trading, logistics)

United States Coast Guard

Navigation and Vessel Inspection Circular 05-17: Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSE) Regulated Facilities

Maritime (Shipping, trading, logistics)

North American Electric Reliability Corporation

NERC Critical Infrastructure Critical Infrastructure Protection Program

Electricity

 

Engineering Standards

In addition to the NIST industrial specific guidance, many engineering standards have developed in support of protecting energy facilities.


Organization

Standards

American Petroleum Institute (API)

•API STD 1164 – Pipeline SCADA Security
•API RP 780 – Risk Assessment Methodology
•API RP 70/70I – Security for Offshore Oil & Natural Gas Operations/International Oil and Natural Gas

International Society of Automation (ISA)

 

•ISA99 – Industrial Automation and Control Systems Security

Interstate Natural Gas Association of America  (INGAA)

 

•Control Systems Cyber Security Guidelines for the Natural Gas Pipeline Industry

The American Institute of Chemical Engineers (AIChE)

 

•Center for Chemical Process Safety (CCPS) Guidelines for Managing and Analyzing the Security Vulnerabilities of Fixed Chemical Sites

International Electrotechnical Commission (IEC) & ISA

•ISA/IEC 62443 – Series of standards on cybersecurity for ICS

National Petroleum and Refiners Association (NPRA) & API

•Security Vulnerability Assessment Methodology

 

Thoughts of Consideration for Energy Organizations

  • Do you have cybersecurity policies, procedures, and technology in place that allow your organization to detect, mitigate, and monitor cyber risks?
  • Do you know how the standards, policies, and regulations we have described apply to your organization?
  • When was the last time your cybersecurity policies, procedures, and technology were reviewed and updated?

We are frequently asked to run an exercise that allows our clients to answer the above questions and put in place the necessary steps to ensure adequate protection from cyber threats.

Sia Partners’ Cybersecurity Offerings and Credentials

We at Sia Partners work with our clients to help them understand and assess the cyber threat landscape, in addition to determining and implementing mitigations against cyberattacks.

Hardware and Software

  • Understand – the threat space, threat agents, vulnerabilities, etc.
  • Assess – understand the probabilities of threats, severity of impact, etc.
  • Plan – define mitigation approaches (in-house, outsource, etc.)
  • Design – define sustainable mitigation measure (people, processes, systems, etc.)
  • Implement – implement cybersecurity measures (people, processes, systems, etc.)

People

The human element is an important component, if not the weakest link, as it pertains to cybersecurity. It is paramount to engage your staff in the topic of cyber threats and cybersecurity as well as their responsibility of being vigilant within their roles. Sia Partners can help your organization by:

  • Engage – build awareness
  • Ready – train and educate
  • Adopt – embed cybersecurity work policies and procedures
  • Sustain – put mechanisms in place and roles to continuously maintain and develop cybersecurity practices

Key Takeaways

  • An attack on your company could be detrimental to supplying energy to the United States.
  • As the likelihood and complexity of attacks continue to intensify, along with a deeper understanding of the implications associated with an attack, the United States government has begun to further develop and expand policies regarding protecting the nation’s critical infrastructure.
  • All organizations that contribute to the energy sector are going to be held responsible for keeping the United States’ critical infrastructure safe and secure.
  • While most of the current guidelines are voluntary, President Trump’s Executive Order on cybersecurity give reason to believe the guidelines might soon become requirements.
  • The Department of Homeland Security plays a role in cybersecurity as physical security and cybersecurity continue to converge.
  • The National Institute of Standards and Technology have developed a Cybersecurity Framework that can be applied to organizations across industries.
  • Many industrial specific standards and guidelines are continuing to be developed as the importance of securing the nation’s critical infrastructure is further being understood.

Sources

0 comment
Post a comment

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Image CAPTCHA
Enter the characters shown in the image.
Back to Top