Due to recent attacks on many forms of energy management technology, ranging from supervisory control and data acquisition (SCADA) networks and automation hardware devices to smart meters and grid network management systems, companies in the energy industry are significantly increasing the amount they spend on security. However, I believe these organizations are still spending money in the wrong areas of security. Why? The illusion of security, driven by over-engineered and over-funded policy and control frameworks and by the mindset that security must be regulated before making a start, is preventing, not driving, real-world progress.
Sadly, I don’t see organizations in the oil and gas
exploration, utility, and consumer energy management sectors taking more
visible and proactive approaches to improving the security of their assets in
2013 any more than they did in 2012.
It’s only January, you protest. But let me ask you: on
what areas are your security teams going to focus in 2013?
I’ve had the privilege in the past six months of travelling to Asia, the Middle East, Europe and the U.S. to deliver projects, and I have seen a number of consistent shortcomings in the security programs of almost every energy-related organization I have dealt with. Specialized security teams within IT departments are commonplace now, which is great. But these teams have been in place for some time, and even though as an industry we spend millions on security products every year, the number of security incidents is also increasing every year. I’m sure this trend will continue in 2013. It is clear to me (and this is a global issue in energy security) that the great majority of organizations do not know where or how to correctly spend their security budgets.
Information security teams focus heavily on compliance, policies,
controls, and the paper perception of what good security looks like when in
fact there is little or no evidence that this is the case. Energy organizations
do very little testing to validate the effectiveness of their security controls,
which leaves these companies exposed to attacks and wondering what they are
doing wrong.
For example, automated malware has been mentioned many times
in the press and is a persistent threat, but companies are living under the
misapprehension that having endpoint solutions alone will protect them from
this threat. Network architectures are still being poorly designed and
communication channels are still operating in the clear, leaving critical
infrastructure solutions exposed and vulnerable.
I do not mean to detract from technology vendors who are working hard to keep up with all the new malware challenges, and let’s face it, we would be lost without many of their solutions. But organizations that are purchasing these products need to “trust but verify” them by requiring vendors and solution integrators to prove that the security solutions they are selling are in fact secure. The energy industry as a whole needs to focus on proving the existence of controls and not rely on documents and designs that say how a system should be secure. Policies may make you look good, but how many people read them? And if they did read them, would they follow them? How would you know? And could you place your hand on heart and swear to the CEO, “I’m confident that our critical systems and data cannot be compromised”?
I say, “Less say, more do in 2013.” Energy companies globally need to stop waiting for regulations or for incidents to happen and must do more to secure their systems and supply. We know we have a problem in the industry, and it won’t go away while we wait for more documents that define how we should improve our security defenses. Make a start. The concepts aren’t new, and it’s better to invest money and effort in improved systems than to churn out more policies and paper controls and hope they make you more secure. And it is hope, because without evidence how can you really be sure the controls you design and plan are in place and effective?
Start by making improvements in the following areas and
your overall security posture will also improve (a lot of this is old news, but
sadly is not being done):
Recognize that compliance doesn’t guarantee security. You must validate it.
· Use ISA99 for SCADA and ISO27001/2/5 for security risk management and controls.
· Use compliance to drive budget conversations.
· Don’t get lost in a policy framework. Instead focus on implementing, then validating.
· Always validate paper security by testing internal and external controls!
Understand what you have and who might want to attack it.
· Define critical assets and processes.
· Create a list of who could affect these assets and how.
· Create a layered security architecture to protect these assets.
· Do this work in stages. Create value to the business incrementally.
· Test the effectiveness of your plans!
Do the basics internally, including:
· Authentication for logins and machine-to-machine communications.
· Access control to ensure that permissions for new hires, job changers, and departing employees are managed appropriately.
· Auditing to log significant events for critical systems.
· Availability by ensuring redundancy and that the organization can recover from unplanned incidents.
· Integrity by validating critical values and ensuring that accuracy is always upheld.
· Confidentiality by securing or encrypting sensitive communications.
· Education to make staff aware of good security behaviors. Take a Health & Safety approach.
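As an added illustration of three of the basics above (authentication of machine-to-machine communications, integrity of critical values, and auditing), the following Python is my own example, not code from the author or any vendor. It assumes a hypothetical meter that reports a kWh reading with a sequence number, a constructed pre-shared demo key, and a receiver that refuses to trust a value just because it arrived on the channel:

```python
import hmac
import hashlib
import json
from typing import Dict, List

# Constructed, pre-shared key for this demo only. A real deployment provisions
# a key per device and never hard-codes it in source.
SHARED_KEY = b"example-key-for-demo-only-not-for-production"


def canonical(payload: Dict) -> bytes:
    # Deterministic serialisation so sender and receiver MAC identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def protect(payload: Dict, key: bytes = SHARED_KEY) -> Dict:
    """Sender side: attach an HMAC-SHA256 tag over the canonical payload."""
    tag = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class Receiver:
    """Receiver side: verifies the tag, rejects replays, records audit events."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.last_seq: Dict[str, int] = {}   # highest sequence number seen per device
        self.audit: List[str] = []           # audit trail of accept/reject decisions

    def verify(self, msg: Dict) -> bool:
        payload = msg.get("payload", {})
        device = str(payload.get("device", "unknown"))
        expected = hmac.new(self.key, canonical(payload), hashlib.sha256).hexdigest()
        # Constant-time comparison so the check does not leak tag bytes via timing.
        if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
            self.audit.append(f"REJECT device={device} reason=bad_tag")
            return False
        seq = payload.get("seq")
        if not isinstance(seq, int) or seq <= self.last_seq.get(device, -1):
            self.audit.append(f"REJECT device={device} reason=replay_or_stale seq={seq}")
            return False
        self.last_seq[device] = seq
        self.audit.append(f"ACCEPT device={device} seq={seq} kwh={payload.get('kwh')}")
        return True


def demo() -> Dict[str, bool]:
    """Run the cases a practitioner would want to see and return the outcomes."""
    rx = Receiver()
    genuine = protect({"device": "meter-0001", "seq": 1, "kwh": 412.7})
    results = {"genuine": rx.verify(genuine)}

    # Tampering: same tag, but the reading has been altered in transit.
    tampered = {"payload": dict(genuine["payload"], kwh=12.7), "tag": genuine["tag"]}
    results["tampered"] = rx.verify(tampered)

    # Replay: a valid, already-accepted message delivered a second time.
    results["replay"] = rx.verify(genuine)

    # Next legitimate reading with a higher sequence number.
    nxt = protect({"device": "meter-0001", "seq": 2, "kwh": 415.1})
    results["next"] = rx.verify(nxt)
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:9s} -> {'accepted' if accepted else 'rejected'}")
```

The point is the evidence, not the cipher: every rejected message leaves an audit line that can be tested for, which is the kind of validation the list asks for. Confidentiality is deliberately left out because the standard library has no authenticated-encryption primitive; adding it (for example with an AEAD from a vetted library) keeps the same verify-before-trust structure.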
Trust but verify when working with your suppliers:
· Ask vendors to validate their security, not just tell you “it’s secure.”
· Ask suppliers what their security posture is. Do they align to any security standards? When was the last time they performed a penetration test on client-related systems? Do they use a Security Development Lifecycle for their products?
· Test their controls or ask them to provide evidence that they do this themselves!
Work with agencies who are there to assist you and make them part of your response strategy, such as:
· Computer Emergency Readiness Team (CERT)
· Centre for the Protection of National Infrastructure (CPNI)
· North American Electric Reliability Corporation (NERC)
Trevor Niblock,
Director, ICS and Smart Grid Services