By Dominick Birolin, CISSP, CISA, NSE4
When it comes to finding and keeping the specialists needed to defend an organization from cyberattacks, cybersecurity managers continue to encounter major difficulties. Uber’s latest cyberattack shows that even the largest companies face these hurdles. What’s more, statistics suggest that finding the right cybersecurity talent is only becoming more difficult.
However, because utility companies must safeguard both the standard information technology (IT) stack that powers their business operations and the operational technology (OT) that delivers the vital services they offer, it is even more difficult for this sector to find experienced security personnel. Although the two skill sets overlap in places, the knowledge and approaches needed to protect IT and OT differ.
As a result, utilities cannot successfully safeguard their businesses if their teams only have employees with conventional, IT-oriented cybersecurity skills. Despite their skill, these individuals are unaware of the special security difficulties that arise in operational environments, such as the constraints on firewall selection. Security experts working in utilities know to choose firewalls that work with, and are able to inspect, Industrial Control System (ICS) and OT protocols – an additional selection requirement that only professionals with OT-focused expertise would likely know. This is why utilities require someone with the technical knowledge and aptitude needed to secure operational technologies.
Assembling the Right Team
Lacking this specialist OT security expertise, utilities run the risk of not only experiencing a breach but also having their business operations hampered. Security professionals employed by utilities must know which hardware scanning tools to employ within their organizations—or whether to employ any at all. The majority of hardware scanning technologies are ineffective in an OT setting and, if installed without adequate configuration, can actually cause more harm than benefit.
For instance, a Network Mapper (Nmap) scan is a typical tool used in an IT environment to find open ports and identify what is running on remote hosts. However, if it is used in an OT context, older remote terminal units will probably be bricked. The Remote Terminal Unit (RTU) must then be restarted by utility employees, who can only hope that the restart succeeds. If the RTU malfunctions, which is commonly the case, they will actually need to replace it. In the interim, without an operational RTU, the utility has no access to the remote control features or the telemetry it requires for effective operations.
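The safeguard a practitioner would want behind that warning is a pre-scan gate: the scan scope is checked against the asset inventory before any active probe is sent, and OT networks are written into an Nmap exclude file as a second line of defence. The following is an added example, not code from the article or from any vendor; the inventory, zone names and the "passive-only" policy are constructed assumptions, while `-sn`, `-T2`, `--max-rate` and `--excludefile` are real Nmap options.

```python
"""Pre-scan guard: keep an IT-style Nmap sweep away from OT assets.

Added example for illustration; the inventory below is constructed and
the zone policy is an assumption, not a vendor or regulatory requirement.
"""
import ipaddress

# Constructed inventory: (network, zone, device type).
INVENTORY = [
    ("10.10.0.0/24", "corporate-it", "workstations"),
    ("10.30.0.0/24", "corporate-it", "servers"),
    ("10.20.5.0/24", "ot-substation", "rtu"),
    ("10.20.6.0/28", "ot-control-center", "hmi"),
]

# Assumed policy: zones whose devices must never receive active probes.
# Assets here are inventoried passively (traffic capture, vendor tooling).
PASSIVE_ONLY_ZONES = {"ot-substation", "ot-control-center"}


def _networks():
    """Parse the inventory once into ip_network objects."""
    return [(ipaddress.ip_network(n), zone, kind) for n, zone, kind in INVENTORY]


def classify_targets(targets):
    """Sort requested scan targets into active-safe, passive-only and unknown.

    A target that overlaps any OT network, even partially, is passive-only.
    A target entirely inside an IT network may be actively scanned.
    Anything not in the inventory is unknown and is held back until it is
    inventoried, because an unlisted host could just as well be an RTU.
    """
    result = {"active": [], "passive": [], "unknown": []}
    nets = _networks()
    for t in targets:
        target = ipaddress.ip_network(t, strict=False)
        if any(target.overlaps(n) for n, zone, _ in nets if zone in PASSIVE_ONLY_ZONES):
            result["passive"].append(t)
        elif any(target.subnet_of(n) for n, zone, _ in nets if zone not in PASSIVE_ONLY_ZONES):
            result["active"].append(t)
        else:
            result["unknown"].append(t)
    return result


def nmap_exclude_file():
    """Contents for ``nmap --excludefile``: every OT network, one per line."""
    return "".join(f"{n}\n" for n, zone, _ in INVENTORY if zone in PASSIVE_ONLY_ZONES)


def safe_nmap_command(scope, exclude_path="ot-exclude.txt"):
    """Build a conservative host-discovery invocation for IT scope only.

    Refuses outright if any requested target is passive-only or unknown, so a
    typo in the scope cannot point a scan at the RTU subnets. The exclude file
    generated from the inventory is a second, independent guard.
    """
    verdict = classify_targets(scope)
    if verdict["passive"] or verdict["unknown"]:
        raise ValueError(
            f"refusing scan: passive-only={verdict['passive']} unknown={verdict['unknown']}"
        )
    # -sn: host discovery only, no port scan; -T2 and --max-rate throttle the
    # probe rate; --excludefile keeps OT networks out even if the scope grows.
    return ["nmap", "-sn", "-T2", "--max-rate", "50",
            "--excludefile", exclude_path, *scope]


if __name__ == "__main__":
    print("exclude file contents:\n" + nmap_exclude_file())
    print(classify_targets(["10.10.0.15", "10.20.5.7", "10.20.0.0/16", "192.0.2.1"]))
    print(" ".join(safe_nmap_command(["10.10.0.0/24", "10.30.0.0/24"])))
```

Running the module prints the exclude list, the classification of a mixed target list (one IT host, one RTU, a whole OT range and an uninventoried address) and the throttled discovery command for the IT subnets; asking for an OT range raises instead of building a command.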
Operational Technology and Systems
Utility operations are also run by proprietary, custom-built technology rather than common, pre-built systems. Vendors consequently don’t release security updates for such systems as quickly or frequently as they do for their conventional applications. Instead, they spend more time testing and releasing updates that address security issues found in proprietary software. Patches for specially designed OT systems may take 4-6 months to issue from vendors who regularly release weekly or monthly updates for their conventional software, and hardware manufacturers might only release upgrades once a year. Accordingly, utilities must set their security policies to account for the fact that they will have to live with known vulnerabilities in their environments for months.
Additionally, OT systems typically have life cycles that are far longer than those of IT platforms and applications. It’s not unusual to come across operational technologies that are 15 to 20 years old; a utility, for instance, can have switch relays that are decades old – some of which are beyond repair. Compare that to the normal lifecycle of IT systems today, which is five years or fewer. Because of that short lifecycle, most, if not all, of the systems in a modern IT stack were designed with current security concerns and threats in mind. Those outdated OT systems, however, lack such built-in safeguards because they weren’t created to tackle contemporary cybersecurity risks.
Improvements in Utility Services
There is now some good news regarding utility security. When compared to normal IT environments, typical OT environments are slightly less vulnerable to external intrusions since they typically have fewer, if any, Internet gateways. That doesn’t eliminate the cybersecurity dangers utilities face, though, or the serious repercussions a successful cyber-related intrusion could have.
Utility executives need to understand what is at risk and why it is so important to hire security personnel with OT expertise. They ought to be aware that IT security places a high priority on privacy and confidentiality, effectively protecting data from unauthorized access. However, OT security must put safety and dependability first because an OT-related cybersecurity assault could endanger the lives of utility workers and the public.
Utilities require security experts with the knowledge and abilities to apply updates, which necessitates shutting down extremely sensitive OT environments that were intended to operate continuously. They want experts who can select the best security tools for their particular needs. They also require cybersecurity professionals who can develop comprehensive security plans that take all of these problems into account.
Utilities benefit from having cybersecurity experts who can work well with the plant engineers who created and currently operate the operational technology, who comprehend the special complexities of the operational technologies that run their utilities, and who can design and deliver a layered, defense-in-depth approach that prioritizes the protection of the utility’s most important assets.
About the Author
Dominick Birolin, CISSP, CISA, NSE4 is the Vice President of Cybersecurity & Compliance at Strive Consulting. Dominick has extensive information technology, audit, and compliance experience across a broad range of industries. Starting his career serving in the US Army from 1995 to 1999 with a military occupational specialty of microwave and satellite communications, he later served as AT&T North New Jersey Maintenance Manager, where he prepared their network for Y2K. Dominick worked for Reuters (now Thomson Reuters) and rebuilt their stock market data feeds after the 9/11 attacks destroyed their major data hubs within the World Trade Center, which was the major data hub for lower Manhattan.
His expansion into the power industry came in 2010 while working for an IPP in the Northeastern US, where he built their NERC CIP compliance and cybersecurity programs. He most recently served as an independent consultant, where he assisted clients with NERC CIP compliance and served as the Subject Matter Expert (SME) on Industrial Control Systems (ICS) and Operational Technology (OT) environments. He’s also held senior solution architect roles with Wurldtech (a GE Company) and North American Energy Alliance LLC (Essential Power, LLC), as well as technology SME roles with AT&T Managed Internet Services.
Dominick formerly was a member of the MRO NERC Standards Review Forum (NSRF) group and now serves as a member of the NERC Security Working Group. The Security Working Group (SWG) serves the Reliability and Security Technical Committee (RSTC) in providing a formal input process to enhance collaboration between the ERO and industry with an ongoing working group. The SWG also supports industry efforts to mitigate emergent risks by providing technical expertise and feedback to the ERO Enterprise Compliance Assurance group in developing and enhancing security compliance-related products, including guidelines, guidance, best practices, and lessons learned.
Dominick is a Certified Information System Security Professional (CISSP), Certified Information System Auditor (CISA), and Fortinet Network Security Expert NSE4. For more information, visit https://striveconsulting.com/.