Chasing mandates on security compliance may be driven by aversion to fines. But that approach can lead to faulty security measures and, more importantly, impair your security stance. Listen in on a discussion of "how to think about security."
As is often the case in utility security discussions, the focus tends to be on how to think about security, rather than specific measures.
The obvious point is that specific measures must be kept under wraps. The less obvious point is that the weak link in applying security measures does tend to be people, and how they think about security.
That's not to say that there aren't technical hurdles that can be discussed. I offer here a few insights from a good discussion I overheard last week on both security-related technology and the development of a security culture.
According to Patrick Miller, CEO, EnergySec, and a principal investigator for the National Electric Sector Cybersecurity Organization, data privacy, cryptography and software patching have all become difficult challenges as endpoints on the grid proliferate and the "attack surface" expands.
"Isolation remains a fantastic approach," Miller said in a recent webinar held by Pike Research. "But don't count on it."
(For one thing, isolation is increasingly impossible to achieve, due to digital interconnectedness.)
In the big picture of "turbine to toaster," "we're entering a state of 'hyper-embeddedness,'" Miller said. "We're adding too many devices, too fast.
"Innovation versus security is a big issue," Miller added. "Innovation takes us forward, but security falls by the wayside. It's not that it's impossible, it's just that we're moving too fast.
"Not all vendors are created equal," he cautioned. "Consider using your security specifications and demanding them from your vendor. At least you'll know where you stand."
Miller added that "fast regulation is bad regulation."
"We're looking at 51 bar fights as the Federal Energy Regulatory Commission," he said, "as FERC wants to regulate down into the distribution system."
In the case of the North American Electric Reliability Corporation's Critical Infrastructure Protection standards, or NERC CIP, a new version just out begins to draw finer distinctions among the definitions it uses, raising concerns that such a move "turns back the clock," panelists said.
Ernie Hayden, managing principal for energy security at Verizon, said in response to a question from moderator Bob Lockhart, a senior analyst at Pike Research, that the industry has "plenty of cybersecurity guidance and standards. We can use what we have and just get smarter on implementation."
That's when the discussion moved to how to think about security.
Hayden said that in security discussions with utilities, he had a strong sense that a common theme in the power industry was avoiding fines for non-compliance with security regulations rather than security itself.
"You need executive leadership to focus on security rather than compliance," Hayden said.
An exclusive focus on cyber security, however, will lead to other security vulnerabilities, Hayden said.
"I've recently seen bad physical security at utilities due to an over-focus on cyber security," Hayden said. "I've seen doors left unlocked."
Another weakness of the compliance paradigm?
"You can prescribe action, you cannot prescribe attitude," Miller said.
"I think we need to stand back and use common sense," Hayden said. "What is the problem? Can some problems be solved by a combination of administration, culture and diligence?"
"The networks are contested territory," Miller said. "Intrusion is not a matter of 'if' but 'when.' How do you respond? You can't respond if you aren't monitoring."
"We need to be balancing prevention, detection and response," Miller added.
What's needed is a utility with a "security conscience," a single individual "willing to ask the hard questions," Hayden said.
"One solution to all of this is finding the right people, well-trained people with the right instincts," Miller said. "But finding them and keeping them is a challenge, particularly when it comes to control systems security."
(Readers may also recall that we've touched on the divide between enterprise IT system security and control system security in "Cyber Security and Control Systems.")
Intelligent Utility Daily