In December 2015, more than 200,000 Ukrainians found themselves without power during a blackout cause by a cyberattack launched from within the Russian Federation. The attack was carried out by a spear-phishing campaign that was used to install malware on energy company computers. The malware, dubbed BlackEnergy, was specifically designed for use against industrial control systems (ICS) and supervisory control and data acquisition (SCADA) networks.
This attack highlights a significant security concern for organizations in the energy and utility industries. Critical infrastructure such as energy and utility assets are a major target for cyberattackers, and SCADA networks may be particularly vulnerable.
To address these threats, energy and utility companies should deploy a layered defense that combines security frameworks, technology solutions and services that provide an overlapping set of controls to protect against cybersecurity risks.
Security Frameworks and Solutions for SCADA
Security guidance such as the National Institute for Standards and Technology’s Cybersecurity Framework helps organizations adopt a risk-based approach to protecting their SCADA networks, as well as other data and systems. NIST’s framework provides guidelines that energy and utility companies can customize for their specific operating environments, helping them to balance the costs and benefits of specific security controls.
NIST also provides specific guidance for ICS and SCADA systems being operated by energy and utility companies in NIST Special Publication 800-82: Guide to Industrial Control System (ICS) Security. This document provides detailed information on ICS threats, vulnerabilities and security controls.
The specific controls that energy and utility companies should consider are numerous. They include:
- Multifactor authentication to enhance security to access control systems beyond simple passwords.
- Firewalls to segment networks of differing security levels and restrict traffic between networks.
- Anti-virus software to protect against the latest malware, installed on every SCADA endpoint that can support it and updated at least daily.
- Security information and event management systems to provide centralized monitoring of ICS security. These solutions also compile data for analysis in the event of a security incident.
- Virtual private networks to provide authorized users with the ability to access SCADA networks remotely.
- Enterprise mobility management controls to manage configurations, security patches, applications and other settings on mobile devices.
- Patch and configuration management solutions to ensure that all devices on SCADA networks are properly configured and patched.
- Frameworks such as the NIST guidance can help organizations identify and select the solutions that best meet their needs.
Security Services: Get Help to Secure Your SCADA Systems
For many energy and utility companies, deploying effective cybersecurity controls is a major challenge. In situations where in-house expertise may be lacking, security services from vendors with specific expertise in SCADA and ICS technology can provide valuable assistance. The wide variety of services a third-party partner can provide often include the ability to implement and manage security controls.
To determine how secure their SCADA networks are, many energy and utility firms utilize third-party assessors to test their own security controls. These tests may involve vulnerability assessments to uncover where an organization’s security environment may be weak. Penetration testing offers an even higher level of security assessment by enlisting white hat hackers to engage in a controlled attack against an organization’s defenses to gain access to the ICS network, demonstrating the potential effects of a malicious attack.
Many cybersecurity experts consider such third-party testing to be a best practice, as it introduces a degree of independence into the assessment process by using personnel who did not design the controls to perform the evaluation.
This blog post brought to you by: