60 Plants in 60 Months: ICS Cyber Security Findings & Recommendations
This is an excerpt from Genieall’s speaking session at CanWEA O&M Summit 2020.
Drive up to a facility, the gate is unlocked. Walk into the O&M building and grab a seat. So far, no one has asked your name or for your credentials.
Chat with the O&M manager and provide them with a site review plan that would cover both physical and logical policies and processes.
Plug into the network using your consultant laptop – no questions asked. Run a quick scan and realize you can access the historian server as well as the OEM SCADA system web page. Test the default credentials; they seem to work…
Connect directly to the server via RDP using the same default credentials. Open a browser assuming you will get ‘Page cannot be displayed’. Find out that not only can you get to the internet, but it looks like the browser history is intact. Review the list of websites visited: Gmail, YouTube, TSN…
Think of a way to document the findings so that it will bring urgency to them without getting anyone in trouble.
Walk down the hall to the server room – the door is open. The rack door cannot be closed because there is a pile of network cables hanging out of it. There’s a cable dangling across the ceiling going to a home-grade D-Link router. Connect to the local switch and scan the network – all of the turbine I/O devices come up.
If this were not a cyber security review but rather a cyber attack, you could guess what would usually happen next and what the consequences might be: ICS equipment damage, power generation/distribution interruptions, production shutdown, and potential safety hazards—to name a few.
Why is this the case? Let’s look at the reasoning behind it.
The EPC contractor assembled the plant with little oversight, especially on the technology end; the EPC contract had a section of about 1-2 paragraphs in length about cyber security.
Since commissioning, the focus has been on cost efficiency. The plant has been sold 2 times, each sale squeezing some of the potential out of the plant and pushing the long-term requirement even further toward efficiency.
Having been built in 2009, the plant saw little focus on cyber security. After all, NERC for low impact sites had ceased to exist. All is not lost; this can be fixed…
The question is where to begin?
This is probably the most common question we heard during our cyber security review of 60 plants in the span of 60 months. And, believe it or not, some of the answers we are going to provide may seem quite shocking to you.
But before diving into the recommendations, let’s have a look at where the most common concerns within the energy industry reside.
ICS Cyber Security Findings
Here are the top ICS cyber security challenges shared within the energy industry:
As you may have noticed, we’ve also included the drivers (or reasons) for each of the ICS cyber security concerns. This should help you understand the cause of each of the challenges.
Did you know?
North American organizations that conduct business in the Energy sector are subject to strict compliance requirements of the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards. To help better understand those standards, we explain the top 12 NERC CIP compliance considerations in our 2-post series.
ICS Cyber Security Recommendations
Now, back to our question on where to begin to increase your cyber security baseline.
Having visited 60 plants in 60 months, we have a few recommendations on how to improve your overall cyber security posture. The ones at the bottom of Figure 1 below are fundamental (similar to Maslow’s hierarchy of needs):
As you can see, it all starts with understanding what must be protected. This is the basis of any strategy and activity and is typically captured during the risk review. Think of it as satisfying the most basic physiological needs for food, shelter, etc. in Maslow’s hierarchy of needs.
Once you get to know your environment better, it is a great idea to refine the policies and processes in place and add any missing pieces to the puzzle.
At the same time, it is imperative to ensure that staff (including third parties) are aware not only of how to use technology (be it OT or IT), but more importantly of why it must be used in the right way.
Only after that should you invest in technology (physical and remote security, backups and monitoring, network and network security, etc.). This makes the difference: your people are your greatest asset and are also often the weakest link.
And here’s why: you can put in as much technology as imaginable, but it can take only 1 click to disrupt the plant operations. Think of it as Fort Knox: you can put the best security measures in place, but if you give away the keys to the front door along with all of the pass-codes, the defenses become meaningless.
It is fair to say that the cliché “people, process, technology” holds true within the cyber security framework.
Some Good News
No need to panic, we’ve got some surprisingly good news:
1. It doesn’t take much time to review the environment and ensure it is up to speed.
2. In many cases, 1 week is all it takes to significantly upgrade a plant with limited downtime.
“The secret of getting ahead is getting started” – Mark Twain