State commissions can select from a toolkit of regulatory approaches to promote desired utility cybersecurity behavior. One approach is to allow the industry to selfregulate, and another approach...
Protecting critical assets in a hazardous world.
ruling body. It is believed that thousands of hackers have been recruited to form a botnet army in China. In May 2011, 7 a spokesperson for the Chinese Defense Ministry admitted that it has an elite unit of cyber warriors in its army, which is tasked to safeguard the Internet security of armed forces. China denied allegations that it uses cyber warfare as an offensive tool. Considering the funds available to many military powers as well as governments in general, state-sponsored cyber warfare represents a significant threat.
For instance, by disrupting the energy infrastructure of a country, the attacker could certainly create chaos, forcing the target nation to divert attention and manpower to dealing with internal issues rather than an external conflict.
Another factor that can’t be underestimated in the context of cyber security risk to energy infrastructure comes from the human element. Employees sometimes unknowingly fall prey to phishing attacks. And frequently users will insert USB thumb drives of questionable origin into network computers—not realizing that they could have been pre-loaded with malware. Hackers and malware build upon such weaknesses.
Improving Cyber Security
The reliable function of SCADA systems in the energy industry’s infrastructure may be crucial to public health and safety. As such, attacks on these systems may directly or indirectly threaten public health and safety.
In addition to collaborating with the Department of Homeland Security, FERC, NERC, and NEI, commercial energy providers should consider overhauling their approach to information security risk management to counter cyber attacks and prevent data loss, unauthorized disclosure, and data destruction. Following the recommendation of the DOE Offices of Energy Assurance and Independent Oversight and Performance Assurance, and the President’s Critical Infrastructure Protection Board, the following rudimentary actions should be taken to improve the cyber security of SCADA networks: 8
First, companies should manage and perform risk assessments to understand which systems have sensitive data and, therefore, have the highest criticality. In this context it’s especially important to identify all connections to SCADA networks. Based on the results of the risk assessments, energy infrastructure providers should rationalize the locations where sensitive data is stored to only the most secure systems that are protected against direct Internet traffic—disconnecting unnecessary connections to the SCADA network.
In a second phase, operators should evaluate and strengthen the security of any remaining connections. This includes, but isn’t limited to hardening networks by removing or disabling unnecessary services. At the same time, it’s important to track risks on these critical systems from a top-down perspective to understand the key threats that an energy company faces and ensure controls are in place to counter these threats.
Other steps to consider are dropping the use of proprietary protocols to protect infrastructure systems, implementing the security features provided by the device and system vendors, and establishing strong controls over any medium used as a back door into the SCADA network.
From a strategic perspective, energy industry players should consider managing risk from a bottom-up perspective by consolidating and correlating data from scanners, vulnerability feeds, patch management systems, and configuration management systems to get a