What comes to mind when thinking about information security? Does one think of the confidentiality, integrity and availability (CIA) triangle of a utility’s sensitive data and how to ensure it? Does one think about how, as the network grows, the risk for it to be exploited grows, as well? Or, does one think of the customer’s data in terms of digital 1s and 0s going across the world on a wire or a cloud and all the different access points onto the network? No matter what someone’s thoughts are in this area, one thing is certain: Information security has the attention of every utility these days.
How do utilities keep their data and electric information technology (IT) and operational technology (OT) networks safe in this constantly evolving threat landscape? Assurance that not only the utility’s sensitive information is secure but that the grid itself is secure should be undoubtedly on every utility CEO’s top three list. But what is assurance?
Minnesota Valley Electric Cooperative (MVEC) is a distribution cooperative serving more than 42,000 members in rural and urban areas. The cooperative challenges its 88 employees to improve the integration of processes and technology continuously to ensure members get the most reliable power at the best possible rate. MVEC is extremely member focused and takes securing sensitive information and power grid operations very seriously. Its IT and security team has been hard at work over the last several years leading the effort to bring security to the forefront of the cooperative’s culture. Building a culture of security takes a proactive approach and requires everyone’s support; it does not just happen.
As a small Midwestern community, security did not always permeate through MVEC’s corporate culture. However, times have changed. The cooperative’s security philosophy has evolved from the mind-set of being an IT problem or a technical issue to full realization of the critical business issue information security represents. MVEC has done its best to build a holistic information security program using a targeted, proactive approach to security.
The fact is, there is no one way to ensure the security of information. There is no magic button or formula that will work for every utility. There are many facets and dimensions to consider when it comes to information security. It is not an antivirus program, a policy, or the latest technical gadget or service. It takes a well-planned, coordinated and implemented security program that anticipates and safeguards against a wide range of potential threats as well as focuses on 12 key facets of security:
1. Risk management
2. Policy management
3. Organizing information security and governance
4. Asset protection
5. Personnel security
6. Physical and environmental security
7. Network security
8. Access control
9. Incident response management
10. Disaster recovery and business continuity
12. Security systems development life cycle.
Why Such Focus?
Why would a utility of MVEC’s size feel the need to take security so seriously? It comes back to a real desire to be the best utility in the eyes of its members. MVEC has a strong sense of responsibility to safeguard members’ sensitive information and protect their piece of the power grid from compromise or misuse. The threats are out there; they are real and evolving continuously. Currently, MVEC perceives threats in two distinct areas: data security and grid security.
Data security can be described as safeguarding any sensitive information and protecting it from unauthorized, unwanted or malicious use. In this regard, electric T&D utilities are no different than any other business in the world — all have sensitive data to protect. Data breaches are becoming more routine. In the U.S., 1093 data breaches were reported in 2016, up a stout 40% from those reported in 2015.
Current threats perceived with data security include ransomware, botnets and advanced persistent threats (APTs). Although data compromise can start in different places, it typically ends with the so-called cyber bad guys stealing sensitive information and selling it on the dark web, or any other undesirable outcome a utility could imagine. It comes with a hefty price tag in terms of tangible costs but also intangibles such as reputation.
Grid security describes the need to secure all assets having to do with the physical or remote operation and control of the electrical distribution system. The mission of grid security is to ensure all field assets are available for operation and control as intended and authorized, while ensuring they are never compromised by an unauthorized user.
One type of threat MVEC associates with grid security is the APT. Although in the traditional sense APT may be more aligned with data security, MVEC believes the same process could be modified and used to target an industrial control system (ICS) or supervisory control and data acquisition (SCADA) system.
According to Symantec, “An advanced persistent threat uses multiple phases to break into a network, avoid detection and harvest valuable information over the long term.” Symantec created an infographic that details the cyber attack phases, methods and motivations that differentiate APTs from other targeted attacks.
The Ukraine Event
To MVEC, the APT model greatly resembles the Ukraine BlackEnergy malware events of 2015, although in that case the result was widespread power outages and panic rather than data exfiltration. The BlackEnergy power event involved the targeting and attack of several smaller utilities in Ukraine by a nation-state actor who successfully compromised their SCADA systems. The initial incursion came through spear-phishing email campaigns carrying malware, which tricked users and led to stolen passwords.
Once inside, the threat actors moved laterally throughout the network, eventually culminating in a highly coordinated effort to open breakers simultaneously across the service territories of the affected distribution entities. The result was more than 225,000 people without power and a proof of concept: not too surprisingly, the power grid can be hacked.
MVEC takes countermeasures to mitigate grid security risks from potential physical and cyber attacks. Physical measures include securing the substation and other key facility perimeters with fences, doors, locks, surveillance cameras and security systems. Also required is assigning visitor badges and logging all visitors to ensure only authorized access to the building and grounds. Limiting access to any computer equipment or server rooms is another security policy, as is enforcing media access control (MAC) security on the network switches to ensure only authorized computers can access the corporate network.
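The MAC security policy above only holds if someone periodically checks what the switches actually see against the device inventory. The following is an added example (not MVEC's or any vendor's code) that parses constructed `show mac address-table`-style output and compares it with a constructed one-device-per-port allowlist, reporting unauthorized MACs, devices on unprovisioned ports and the same MAC appearing on more than one port, which is what cloning or a rogue device typically looks like.

```python
# Added example: audit a switch MAC address table against an authorized-device
# inventory. AUTHORIZED and SAMPLE_MAC_TABLE are constructed for illustration.
import re
from collections import defaultdict

# Constructed inventory: access port -> the single MAC authorized on that port.
AUTHORIZED = {
    "Gi1/0/1": "001a.2b3c.4d01",
    "Gi1/0/2": "001a.2b3c.4d02",
    "Gi1/0/3": "001a.2b3c.4d03",
}

# Constructed sample of a switch MAC table dump (header lines are ignored).
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    001a.2b3c.4d01    DYNAMIC     Gi1/0/1
  10    001a.2b3c.4d02    DYNAMIC     Gi1/0/2
  10    dead.beef.0001    DYNAMIC     Gi1/0/3
  10    001a.2b3c.4d03    DYNAMIC     Gi1/0/4
  10    001a.2b3c.4d02    DYNAMIC     Gi1/0/5
  10    cafe.f00d.0002    DYNAMIC     Gi1/0/5
"""

# One table row: VLAN, dotted-hex MAC, learn type, port name.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.I
)


def parse_mac_table(text):
    """Yield (vlan, mac, port) tuples; lines that are not rows are skipped."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield int(m.group(1)), m.group(2).lower(), m.group(3)


def audit_mac_table(text, authorized):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    per_port = defaultdict(list)   # port -> MACs learned on it
    per_mac = defaultdict(set)     # mac  -> ports it was learned on
    for _vlan, mac, port in parse_mac_table(text):
        per_port[port].append(mac)
        per_mac[mac].add(port)

    for port, macs in sorted(per_port.items()):
        expected = authorized.get(port)
        if expected is None:
            findings.append(
                f"{port}: device present on a port with no authorized entry "
                f"({', '.join(macs)})"
            )
            continue
        for mac in macs:
            if mac != expected:
                findings.append(f"{port}: unauthorized MAC {mac} (expected {expected})")
        if len(macs) > 1:
            findings.append(f"{port}: {len(macs)} MACs seen on a single access port")

    # The same MAC on several ports suggests cloning or a moved/rogue device.
    for mac, ports in sorted(per_mac.items()):
        if len(ports) > 1:
            findings.append(f"MAC {mac} seen on multiple ports: {', '.join(sorted(ports))}")
    return findings


if __name__ == "__main__":
    for finding in audit_mac_table(SAMPLE_MAC_TABLE, AUTHORIZED):
        print(finding)
```

Running it against the constructed table flags the unknown MAC on Gi1/0/3, two devices on ports the inventory does not know about, and the authorized MAC of Gi1/0/2 showing up a second time on Gi1/0/5. In practice the inventory would come from the asset register and the table from the switches on a schedule, with findings feeding the incident-response process rather than a console.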
Cyber attack-specific measures include network segmentation, ensuring the SCADA or control network is fully isolated from the Internet-facing corporate network. This is accomplished by using separate network segments for any grid applications and network-isolated computers for accessing the SCADA network. Remember Ukraine? Allowing SCADA control from Internet- and email-connected systems is not a recommended practice. Granted, there are defined operators, very few of whom have control access, and two-factor authentication is used, but MVEC believes it is best practice to segregate the corporate network fully from the control network.
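Segmentation like this is easiest to verify by asking the rule set a concrete question: can anything in the corporate or Internet zone reach the SCADA zone at all? The following added example (not MVEC's code, and not tied to any firewall product) models a zone-based policy as a first-match rule list with a default action, then probes a weak rule set beside a corrected one. Zone names, rule names, the rule format and the probed ports are all constructed for illustration.

```python
# Added example: check a zone-based firewall policy for paths from untrusted
# zones into the control (SCADA) zone. Rule sets and zone names are constructed.

SCADA = "scada"
UNTRUSTED_ZONES = {"corporate", "internet"}

# Weak policy (constructed): explicit holes from corporate into SCADA and a
# permissive default, so anything not listed is allowed through as well.
WEAK_RULES = [
    {"name": "rdp-to-hmi", "src_zone": "corporate", "dst_zone": SCADA,
     "port": 3389, "action": "allow"},
    {"name": "modbus-from-corp", "src_zone": "corporate", "dst_zone": SCADA,
     "port": 502, "action": "allow"},
]
WEAK_DEFAULT = "allow"

# Corrected policy (constructed): engineering access only from an isolated
# SCADA-side workstation zone, explicit denies from the untrusted zones, and a
# deny default so that anything unlisted is dropped.
HARDENED_RULES = [
    {"name": "eng-ws-to-hmi", "src_zone": "scada-engineering", "dst_zone": SCADA,
     "port": 3389, "action": "allow"},
    {"name": "block-corp-to-scada", "src_zone": "corporate", "dst_zone": SCADA,
     "port": "any", "action": "deny"},
    {"name": "block-internet-to-scada", "src_zone": "internet", "dst_zone": SCADA,
     "port": "any", "action": "deny"},
]
HARDENED_DEFAULT = "deny"


def first_match(rules, src_zone, dst_zone, port):
    """Return the first rule matching the flow, or None if no rule matches."""
    for rule in rules:
        if (rule["src_zone"] in (src_zone, "any")
                and rule["dst_zone"] in (dst_zone, "any")
                and rule["port"] in (port, "any")):
            return rule
    return None


def audit_segmentation(rules, default_action, probe_ports=(502, 3389, 443)):
    """Return findings for every untrusted-zone -> SCADA path that is allowed."""
    findings = []
    if default_action != "deny":
        findings.append("default action is not deny; unmatched traffic into SCADA is allowed")
    for zone in sorted(UNTRUSTED_ZONES):
        for port in probe_ports:
            rule = first_match(rules, zone, SCADA, port)
            if rule is None:
                if default_action != "deny":
                    findings.append(f"{zone}->{SCADA}:{port} reaches SCADA via the default action")
            elif rule["action"] == "allow":
                findings.append(f"{zone}->{SCADA}:{port} allowed by rule '{rule['name']}'")
    return findings


if __name__ == "__main__":
    print("weak policy:")
    for finding in audit_segmentation(WEAK_RULES, WEAK_DEFAULT):
        print("  " + finding)
    print("hardened policy findings:", audit_segmentation(HARDENED_RULES, HARDENED_DEFAULT))
```

The weak policy produces seven findings: the permissive default, the two explicit allow rules, and four probes that fall through to the default; the hardened policy produces none. The probe list is deliberately short here; a real review would take the ports from the applications actually deployed on the control network and run the check whenever the rule set changes.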
Many facets of MVEC’s security program overlap with regard to grid security and data security threat-risk mitigation. A few examples are risk management, policy management, personnel security, network security, access control and incident-response management. All of these are designed to help protect data and the grid. MVEC believes in informing, insuring and assuring. These are three things not easily quantifiable by traditional security gadgets and appliances, but MVEC has incorporated these into its security program.
Informing, Insuring, Assuring
One key focal point MVEC concentrates on is security awareness training. Spear-phished employees account for more than 90% of all successful attacks nationwide. Therefore, employee education is key. The MVEC information technology and security team has been training employees for the past few years, focusing efforts on social engineering and spear phishing.
“Stop and Think Before You Click the Link!” is the cybersecurity catch phrase the team developed to implant this concept into employees’ minds. Recently, MVEC required end users to complete computer-based online training modules to augment and reinforce in-house training efforts. This proactive approach helps to engrain security into MVEC’s corporate culture.
Hopefully, it is never needed, but MVEC does carry a cybersecurity insurance policy. In the event of a compromised system, the cyber policy would help to mitigate risks to the financial health of the cooperative.
What is better than insurance? Assurance. MVEC’s three-member IT team is responsible for supporting the communications and computing infrastructure and services for the cooperative as well as the operations networks, which include multiple smart grid applications such as advanced metering infrastructure, outage management system, distribution automation and demand response.
MVEC subscribes to the N-Sentinel Monitoring managed cybersecurity service offered by www.n-dimension.com. The N-Sentinel Monitoring service is an extension of the IT team, providing around-the-clock monitoring of the IT and OT networks as well as delivering timely threat intelligence and expert security guidance to help the utility reduce risk and improve its security posture. This provides assurance the team is safeguarding the data and the grid.
A Monitoring Result
Based on the valuable cybersecurity insights N-Sentinel Monitoring delivers, MVEC believed it could not afford not to subscribe to this service. Without it, a full-time security analyst would have to be hired, plus the utility would have to invest in a range of additional tools to get similar intelligence and awareness of what is going on in both the IT and OT networks.
In early 2017, there was a lot of chatter about Grizzly Steppe, the Russian civilian and military intelligence services (RIS) malware associated with a potential grid infiltration of a Vermont cooperative. The CEO of the National Rural Electric Cooperative Association (NRECA) alerted cooperative utility executives, including MVEC’s general manager. The general manager approached the security team to determine the team’s level of confidence that MVEC’s members are protected from Grizzly Steppe and similar APTs. The security team shared an N-Sentinel flash alert, which included specific details about Grizzly Steppe.
Furthermore, MVEC’s security team also contacted N-Dimension's cybersecurity experts directly and verified there was no presence of Grizzly Steppe threat signatures identified on MVEC’s network, nor had any been found on the networks of other N-Dimension customers. This type of analysis in response to breaking threat news is an effective and important element in MVEC’s security program.
No Magic Button
The fact remains there is no magic button for information security. It is a balancing act that must consider people, processes and technology. It is a system each utility must develop for itself based on leadership, experience, knowledge and best practices. Bad guys are real; they are lurking around the corner, assessing networks for vulnerabilities they can exploit for their advantage.
Like many other challenges in the electric utility industry, security is something that takes careful planning, discipline, education, resources, commitment and hard work. The bad guys only need to be right once; defenders have to be right every single time. Now, is it time to roll up the sleeves and get to work?
Jeff Hanson joined Minnesota Valley Electric Cooperative in 2009 and supervises the information technology and security team. He helped to develop MVEC’s security program, leads the security team and serves as privacy officer. Hanson has been in the information technology field for 20 years, working primarily with telecommunications and networking infrastructure.