As a big American football fan, I have always been amazed at the amount of preparation the teams and the National Football League (NFL) go through to handle all their challenges every season. There are so many things that have to be considered…especially security! There’s physical security to ensure there are no firearms or other contraband entering the stadium. There’s network security – making sure that systems are up and available so that all Web and mobile communications are not impacted by cyberattacks, not to mention making sure television transmissions run smoothly. But let’s think about the energy systems. I know when I attend a Houston Texans game at NRG Stadium, I want air conditioning because…have you experienced Houston humidity? And if it’s a night game, it would be nice to have lights. Anyone remember Super Bowl 47 in 2013? The biggest game of the year was halted for over 30 minutes in the third quarter because of a power outage. Although it was ruled a power surge issue, if it had been a cyberattack, over 72,000 people would have been stuck with no temperature control, no power for food preparation, no point-of-sale systems for retail purchases, and hot beer. The list goes on and on.
The threat against our electrical grid is growing at an alarming rate. We’re just three years removed from the first-known successful attack on a Ukrainian power grid, and according to Kaspersky Labs’ Threat Landscape for Industrial Automation Systems H1 2018 report, more than 40% of Industrial Control System (ICS) components were attacked in the first half of 2018. Just last month at the CyberwarCon forum in Washington, DC, FireEye researchers noted that while the US grid is relatively well-defended, and difficult to hit with a full-scale cyberattack, Russian actors have nonetheless continued to benefit from their ongoing vetting campaign. 20+ years ago, ICS components were not connected to the broader Internet because many of them were never designed to be. Today, it’s a completely different story. With utilities adding more and more connected components, each component must be treated as a potential entry point – and cybersecurity must be the number one priority.
“I’m just here so I don’t get fined”
If there’s anything that will get a person or organization to comply with anything, it’s a fine. In 2015, NFL player Marshawn Lynch responded to a potential $500,000 fine by showing up at a press conference and answering every question, “I’m just here so I don’t get fined.” Utilities in North America don’t have the luxury of just doing the bare minimum. In response to the 1965 blackout in the northeastern U.S. and southeastern Ontario, Canada that affected 30 million customers, the North American Electric Reliability Corporation (NERC) was formed to promote the reliability and adequacy of bulk power transmission in the electric utility systems of North America. NERC’s critical infrastructure protection (CIP) plan includes standards and requirements to protect the bulk power system against cybersecurity compromises that could lead to instability or power failure. Penalties for non-compliance can include fines up to $1 million USD per day, sanctions or other actions.
In late February 2018, one of the first-ever seven-digit fines against a power company was issued in connection with exposed sensitive data to the tune of $2.7 million USD. According to the penalty notice, a third-party contractor improperly copied data from the energy firm to its own network, exposing more than 30,000 records, including critical cyber assets, IP addresses, and server host names for over 70 days. With larger fines becoming more common, utility companies are caught in the middle ensuring their critical infrastructures are protected while keeping costs down and remaining competitive. Utilities must structure an end-to-end security strategy to protect and integrate both their IT and operations technology (OT) environments.
Light my “fire”
The time to hesitate is through. We haven’t seen the worst of attack attempts on our power grids.
Utilities need scalable solutions to help them adapt and comply with the constantly changing NERC CIP requirements. FireMon can partner with utilities to automate their security policy workflows, optimize their vulnerability management efforts, and get their networks under control with complete visibility, real-time monitoring and continuous compliance checks.
There will never be one answer for security, whether you’re trying to keep the lights on for the Super Bowl or protect your utility network. It requires a concentrated and collaborative effort across the board to ensure the physical and network security of your environment. Hopefully, it’s not the bare minimum of “I’m just here so I don’t get fined.”
For more information on how FireMon can help you achieve NERC CIP compliance, check out our latest NERC CIP solution brief or watch our Webinar: “Achieve NERC CIP Compliance with FireMon.” If you want to see FireMon in action, schedule a demo with us today.