Is dependence to electric power the Achilles heel for businesses against the emerging cybersecurity threats?
Cybersecurity threats to electric infrastructure continues to be a top-of-mind topic for many business executives. From healthcare and data center facilities to commercial and industrial buildings, businesses depend on electric power to continue their operations. Moreover, this dependence has been further amplified with the greater adoption of connectivity and increased interdependence of sub-systems and processes within a facility or business.
For those that oversee these facilities and power generation equipment, being future-ready requires increased cybersecurity. This is a challenge. At Cummins Inc., we make our partners’ challenges our challenges; make their goals, our goals.
To help our partners in these industries be future-ready, we have asked three experts their take on the cybersecurity of electric infrastructure. These three perspectives aim to provide you with diverse viewpoints on how to strengthen your facilities’ cybersecurity.
How do cybersecurity gaps threaten our electric infrastructure?
Professor Alan Woodward, an internationally renowned computer security expert, offered his perspective on this question. Alan has particular expertise and current research interests in cyber security, covert communications, forensic computing and image processing. Alan is currently a Visiting Professor at Surrey Centre for Cyber Security, University of Surrey. You can follow Alan on Twitter at @ProfWoodward.
Here is Alan’s take on cybersecurity and infrastructure.
There is more computing power in embedded systems today than is used on desktop computers, yet it goes largely untended. As soon as any system is made “intelligent” it becomes a target for hackers. Being embedded and untended, these systems go on for years without the upgrades that are necessary to keep them secure. Moreover, remote monitoring has moved from private networks to using the internet as the means for communications. Put these together and you have a target that is at high risk of remote attack.
Anyone looking after systems that have any embedded computing power needs to manage that computing infrastructure just as if it was in a data center hosting thousands of websites. It is even more difficult in infrastructure, as some vendors don’t always keep their software updated. We’ve seen examples of scanners in hospitals that could be upgraded to escape ransomware, yet the scanner manufacturer didn’t support the latest software. Anyone managing these devices needs to look at the horizon and think “what if.”
Choosing your equipment vendors has also taken a different dimension. It’s no longer just about who has what certification, meets which standard, or has the best hardware maintenance operation. Now, you need to explore how the vendors keep the software embedded in your equipment up to date and respond to any cybersecurity threats.
Those managing infrastructure have the worst of both worlds. Hackers are beginning to see them as the soft spot for attacks, and not all equipment manufacturers see software security as part of their core business.
It’s vital to remember that it’s not just the embedded software that can cause infrastructure issues. You need to be aware of the interdependency between software that directly controls infrastructure and other systems. For example, if a payments system is held to ransom, could your pipeline continue to operate even though the direct control systems were fully functional?
How to prevent cybersecurity threats that could result in power outages?
We have asked this question to Kenneth Holley. Kenneth founded Silent Quadrant – a Washington, D.C.-based digital protection agency and consulting practice – in 1993. Over the past 28 years, Silent Quadrant has delivered digital security, digital transformation, and risk management to the world’s most influential government affairs firms, associations, and businesses. With a particular focus on infrastructure security and threat modeling, Kenneth has assisted many clients ensure brand and profile security. You can follow Kenneth on Twitter at @KennethHolley.
Let’s look at Kenneth’s perspective on preventing cybersecurity threats that could result in power outages.
As facilities technology continues its rapid emergence, facility managers and operators have become increasingly reliant on integrated technologies and iot. This convergence of IT and operational technology (OT) underscores the critical role of facility executives. This critical role is to ensure systems security, resiliency, and facility business continuity.
Facilities need to understand very clearly that there is a new dynamic. Intelligent organizations leverage connected sensors, facilities automation systems, and actionable intelligence to optimize operations and business continuity. This new dynamic means that the threats are now everywhere. This establishes a new level of criticality securing those connected systems designed to prevent power outages.
I encourage all facilities, as part of a broader security assessment, to immediately focus on the following Center for Internet Security (CIS) controls:
- Secure Configuration of Enterprise Assets and Software (CIS Control 4): Establish and maintain the secure configuration of enterprise assets (end-user devices, network devices, non-computing/iot devices, and servers) and software.
- Account Management (CIS Control 5): Use processes and tools to assign and manage authorization to credentials for accounts. This includes user and administrator accounts, as well as service accounts.
- Access Control (CIS Control 6): Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts.
- Security Awareness and Skills Training (CIS Control 14): Establish and maintain a security awareness program. The aim here is to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks.
Visibility of all assets within your facility is critical. You cannot hope to protect and provide resilience for what you cannot see and control. At the end of the day, integrated and interconnected technologies are designed to enhance overall business continuity. This requires a renewed operational approach to security.
Cybersecurity in a product’s design and the complete life-cycle
Dwayne Smith brings us the third perspective on this topic. Dwayne has extensive experience in cybersecurity and the adoption of technologies that support a multitude of applications. Those applications also include power generation and electrical distribution. As an engineer in the fields of nuclear and cybersecurity, he has supported initiatives across multiple customers within the Department of Defense, intelligence community, telecommunication, and other commercial business segments. In his current role, Dwayne works within industries that support data centers, manufacturing, marine, rail, and automotive. Dwayne is currently the Global Cybersecurity Engineering Director at Cummins.
Industries have and will continue to transform the way they design and build solutions. The introduction of new techniques to innovate and deliver products in a more efficient manner account for cybersecurity early in those processes.
These new techniques rely on how we think about cybersecurity as a priority within the design and manufacturing processes that produce these new products. This requires cybersecurity to be more than a concept that is thought about as a discrete and separate discipline.
Cybersecurity is now something embedded in a product’s lifecycle. Having cybersecurity embedded in how you build products eliminates the need for bolt on protections or to surround the product with protective technologies. These add-ons can be costly to manage, may hamper the performance of a product, or require the early retirement of a product.
Taking the proactive step to include cybersecurity early in these processes ensures that the product can be resilient over time. This approach can also increase the service time and life of a product so that it can adapt to evolving cyber threats. This reduces the risk impact and ultimately moves cybersecurity from a concept to a measurable quality metric.
The traditional ways of how systems are engineered, tested, and operated already consider the benefits of software and firmware that deliver the adoption of desired features.
Now, how these systems are engineered, tested, and operated also need to consider the data they collect or generate. That data is key to improving and sustaining products for both the product owner and the product supplier. How to retrieve that data for use, whether through a remote connection across the internet or from within a larger enterprise network requires that cybersecurity be considered end to end during a products life cycle.