Protecting critical assets in a hazardous world.
holistic view of vulnerabilities affecting the most business-critical assets.
An advanced information security risk management program begins by implementing internal and external intrusion detection systems and establishing 24-hour-a-day incident monitoring. Furthermore, technical audits of SCADA devices and networks, and any other connected networks, are performed to identify security concerns. This includes physical security surveys and assessments of all remote sites connected to the SCADA network to evaluate their security.
On a systems level, it’s essential to create and track tickets to put in place controls and remediation to address threats and vulnerabilities in a timely fashion. Continuously reporting on risks, vulnerabilities, and effectiveness of remediation efforts enables an energy infrastructure provider to manage emergency response processes and procedures. Following this approach enables an organization to minimize the damage from a cyber attack.
From a policy and governance perspective, energy infrastructure providers should clearly define cyber security roles, responsibilities, and authorities for managers, system administrators, and users. At the same time, they should document their organization’s network architecture and identify systems that serve critical functions or contain sensitive information that require additional levels of protection.
Borrowing from McAfee’s current slogan, “safe never sleeps,” organizations should conduct frequent self-assessments to test their information security risk management program. At the same time, it’s essential to run training programs for employees and contractors to prevent unintended disclosure of sensitive information.
Implementing an ISRM program that integrates and interconnects components for managing security events, assets, threats, vulnerabilities and incident response, as well as software configuration and patches, will allow organizations to increase resiliency, improve response time, and enhance overall system robustness. At the same time, they can reduce risk by making threats and vulnerabilities visible and actionable, which enables utilities to prioritize and address high-risk security vulnerabilities before they are exploited.
Streamlining processes by leveraging automation and reducing redundant, manual efforts helps to reduce cost too—offsetting the initial expenses of implementing an advanced information security risk management program.
ISRM can help prevent and minimize the consequences of cyber attacks on our nation’s critical infrastructure. But will it guarantee an organization’s safety? As all security professionals are painfully aware, cyber criminals are outpacing many target organizations and security vendors when it comes to finding new ways to attack their victims. Thus, it seems that future attacks will be more severe, more complex, and more difficult to anticipate, plan for, and detect.
Beyond direct cyber attacks targeting critical infrastructure systems, future attacks might include information warfare that uses social media outlets as a new method. A good example of this new threat occurred in Russia, where hackers targeted a nuclear power plant near St. Petersburg in May 2008 [9]. The cyber attack led to the shutdown of the plant’s website, which would have gone unnoticed by the public if not for the fact that the attackers circulated rumors of radioactive leaks via the Internet. The incident didn’t affect the plant’s operation, but it caused panic among citizens living close to the facility.
Another threat scenario lies in the manipulation of energy markets by