The panel included experts from National Cybersecurity and Communications Integration Center (NCCIC)/ Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), EnergySec, a power producer and water utility.
Jeff Gray, the Unit Chief of Outreach and Training for NCCIC/ICS-CERT opened describing the Industrial Control System connected to the Internet being vast. The worldwide threat assessment has grown dramatically over the past two decades with countries expending resources to develop sophisticated cyber-threats.
Social engineering including spear phishing, phone phishing, baiting, elicitation, tailgating and pre-texting account for more than 60% of the breaches that occurred in 2016. The top sources of infection were spear phishing, weak authentication (passwords) and network scanning. The attack surface increases as more devices (Internet of Things and mobile devices) are connected to the Internet.
Jeff closed his portion the talk saying it’s important to designate someone in the organization to take advantage of the wealth of ICS-CERT resources including training, alerts, site assessments and network architecture reviews and analysis.
Steven Parker from EnergySec next described how NERC CIP standards continue to evolve. Significant work is being done on virtualization environments to allow mixed use in a secure manner. Requirement interpretations are beginning to emerge from the current round of audits. With a change in administration in Washington DC, what’s next is still a guess.
States play a large role in cybersecurity policies and regulations for water and wastewater companies. A few states have passed mandatory requirements and the U.S. Federal Government may look to play a role in developing standards and guidelines. From a power generation perspective, states have some control on intrastate distribution. For independent power producers, costs of cybersecurity can be challenging in low-price markets.
Steven sees that industrial control systems have come into the crosshairs of cyber-threats. There is a significant influx of new products and services for ICS security. Real-world attacks are focusing more attention on critical infrastructure. Over the next few years, there will be a need and desire for stabilization and standardization of cost-effective security approaches. Today it is very difficult to find skilled and experienced security professionals and the need to increase educational efforts is required but will take time to fill the gaps.
A power producer engineering manager described how their system patching procedures changed over time. From doing them all in bulk a few times a year, they now do them monthly and it requires about 80 man-hours of effort for their engineering staff for the 1650MW combined cycle plant. They developed action plans based on a vulnerability assessment they conducted and noted that physical and electronic access control review was a significant part of the action plan and ongoing reassessments.
A process control manager with an East coast water process plant described their ongoing cybersecurity efforts which require considerable resources and contending with continuous change. Establishing governance policies, procedures, focused people and budgets were important in moving to more sustainable efforts.
A question was asked about how we stand today versus 5 to 10 years ago. The panel agreed the levels have increased significantly from improving technology—firewalls, segmented networks, PC I/O hardening, etc. and more policies and practices to do periodic assessments and action plans. Supplier programs such as the Power & Water Cybersecurity Suite provide technologies, services and programs to help with ongoing efforts.