How do you deliver critical infrastructure security in 2019 and beyond?
There are no easy answers to that challenge because these are complex systems. Further, these systems are subject to complicated threats like hacking, natural disasters, internal threats and beyond. Don’t let the magnitude of the problem discourage you. The best way to approach critical infrastructure security is by focusing on one area at a time. Right now, let’s take a close look at IT security for energy infrastructure.
Why IT Security Needs To Be A Focus To Protect Energy Systems
Fifteen or twenty years ago, most energy security professionals were focused on terrorist attacks due to 9/11. While such attacks remain a possibility, this type of threat has declined in probability. Instead of bombs, planes and direct armed attacks, energy facilities face a different danger: cyber attacks. Unlike a classic terrorist attack, cyber attacks do not usually involve a loss of life or injury for the attacker. They require relatively modest resources available for purchase on the dark web.
The increasing digitization of modern energy systems brings both efficiency gains and security threats. Decades ago, energy facilities were not networked, and there was no easy way for an attacker to do damage from a distance. Today that has all changed. Just think back to the 2003 energy grid failure in North America, which impacted over 50 million people in Canada and the United States. Though this system failure did not involve a cyberattack, it shows how a failure in one part of the infrastructure can impact many people.
Your Step-By-Step Plan To Stop Cyber Attacks On Critical Energy Infrastructure
Cyber attacks on energy infrastructure is a growing threat. To stop this threat from plunging the nation into darkness, follow these steps.
1) Review your current IT security situation.
You cannot defend yourself against threats you cannot see. To address that issue, you need to build a program to comprehensively assess risks facing your organization. To build out your assessment and monitoring program, consider adding in the following elements:
- Review monitoring reports from your IT tools. Most cybersecurity tools produce reports, but you may not be reviewing them regularly. Start by examining how many high-risk alerts you have received in the past six months.
- Monitor industry news and government activities. The bar is always increasing in energy industry security. Increasing IT security is a hot topic in the industry press: Strengthening the Energy Sector’s Cyber Preparedness.
- Look outside your industry to other areas. Look at other industries like banking and health care, where there is immense pressure to deliver a high level of security.
- Check for information decay. In IT security, it is very easy to become complacent. If it has been more than 6-12 months since you last analyzed your IT security, assume your prior analysis is out of date.
Based on this review, you will detect some gaps in your cybersecurity program. To validate those gaps and make sure you have not missed anything, use the next step.
2) Verify your IT security needs with an outside perspective.
As an IT security professional, you are deeply familiar with every aspect of your organization’s security. Take a security manager at a nuclear power facility. You likely have physical security procedures and random tests to verify entrances and exits are controlled. From an IT perspective, you will probably have additional controls in place to look for new vulnerabilities. All of that expertise is helpful.
However, you will develop blind spots over time. If you have never had a security incident involving former employees, you might ignore inactive user risk as a priority. The best way to detect these types of problems is to leverage an outside expert for advice. Ask them to complete a review based on an established standard from the Federal Energy Regulatory Commission and other applicable requirements.
3) Automate your IT security administration activity.
Based on your review and external assessment, you will have a laundry list of cybersecurity problems to fix. To get control over all of these problems, classify them into two groups. The first group is activities that require rules and consistency to execute (e.g. following your password management policy to the letter). The second group is judgment-based security issues that need expert support.
If you are like most organizations we work with, you will find quite a few routine and rules-based activities. To address those IT security needs and free up time for other requirements, you will need IT security automation tools.
Consider password reset requests as an example. It is critical to make new passwords available to your users so they can get back to work. If users know their only option is to wait in a long phone queue, they will search for less secure password options. They might even start reusing passwords from non-work accounts at the office! The solution is to use a tool like Apollo, an IT security chatbot that can be accessed by Skype, Slack, your website and other means.
4) Prioritize the remaining IT security gaps.
After you implement IT security automation tools, you will solve one of the most persistent problems in critical energy infrastructure protection. Now, your IT department will have more capacity and breathing room to tackle further tasks. We recommend equipping your non-IT security specialists to defend against cyber-attack by offering password training.
5) Develop a monthly IT security report for management discussion.
Implementing a few projects this quarter will tighten your cyber defenses dramatically. However, there is no such thing as “done” in IT security. That’s why the final step of this plan is to build a habit of reviewing IT security risks and programs each month. Through this process, you will be able to spot problems quickly and stop them.
Protecting critical energy infrastructure is vital for everyone. You can’t afford to be too comfortable. Even if you are confident in your defenses right now, do yourself a favor. Implement the first two steps of this process this month and find out your actual security risks.
