ADDRESSING CYBER SECURITY IN THE ENERGY AND UTILITIES INDUSTRY

1973-16 Tackling the challenges of cyber security_19_03_15


Understanding and addressing the changing threats

The cyber security risks facing the energy and utilities industry have dramatically increased in recent years, with high-profile targeted attacks on operators, suppliers and service companies across sectors now commonplace.

• 2010 – Stuxnet malware attacked the Iranian nuclear fuel processing industry

• 2011 – Night Dragon malware stole valuable information from oil and gas companies

• 2012 – Shamoon attack caused massive business disruption after around 50,000 computers were taken out of service in Saudi Aramco

• 2014 – Havex attack saw energy and utilities companies being targeted through spam emails and compromised vendor websites

• Most recently – BlackEnergy malware targets specific control systems in critical infrastructures.

Energy and utility companies are high value targets due to:

• the critical infrastructures they support for the supply of essential commodities, such as water, fuel and electricity to society

• the valuable information that is held in business systems, eg oil and gas reserves or energy trading information, customer information and the finance systems they operate

• it being a highly competitive industry, which places a premium on competitor intelligence

• the environmental footprint of their operations which could attract 'hacktivists'.

PA provides clients with the confidence that their process control, Supervisory Control and Data Acquisition (SCADA), and industrial automation systems are adequately protected against cyber threats by helping them to better understand the security risk, improve and maintain security, and respond quickly and effectively to incidents.

To find out more about developing trust and confidence in the resilience of your most critical systems, please visit www.paconsulting.com/icssecurity or contact us at [email protected]

The sector is increasingly reliant on operational technology as companies digitise their operations. Smart metering and grids improve our power grids, while digital oilfields enable exploration and production of increasingly complex oil and gas reserves, and allow the use of information technology to drive operational efficiencies. However, these trends increase the security risks to these infrastructures.

Of specific interest to attackers are the industrial control systems (such as process control, automation or SCADA systems) that operate mission and safety critical infrastructures. This includes oil and gas drilling; production refining; electricity generation, transmission and distribution; and potable and waste water networks.

Attackers and researchers are more focused on identifying vulnerabilities in the supporting technologies, meaning operators and vendors have an increasingly difficult task in managing these vulnerabilities, patching them or putting other mitigations in place.

Energy and utilities companies, and their partners, need to recognise these trends, the risks they pose and develop strategies to stay ahead of the rapidly changing threats.

PA’s cyber security capabilities help organisations address these challenges with confidence, and ensure their cyber security risks are managed in the enterprise and across the operational technology (OT) domain.

This document details:

• PA’s approach to cyber security risk management

• PA’s best practice approach to managing industrial control system security risks

• Where to start? PA’s Industrial Control System Security Health Check.

PA’s approach to cyber security risk management

Our clients have the confidence they are adequately protected against cyber threats because we help them to better understand the security risks, improve and maintain security, and be confident they can respond quickly and effectively to incidents.

Understand security risks

When engaging with the security journey, operators need to appreciate the risks they want to protect against. This includes understanding the critical business and operational assets that need protecting; identifying the threats (from untargeted and deliberate attacks); considering how these threats could exploit potential vulnerabilities and contemplating the impact they could have on operations, reputation, competitive positioning and financial stability. Together with a good understanding of the vulnerabilities, this provides a clear and comprehensive picture of the risk profile.


Improve and maintain security

Once the risks are understood, operators can define their security strategy and identify the priorities, quick wins and stages that will form part of their security improvement programmes. To ensure maximum effectiveness, these key areas need to be considered:

• adopting a holistic approach to security across the physical, logical, human and organisational dimensions

• building consistent capabilities across prevention, protection, detection and recovery measures

• providing defence in depth with several layers of countermeasures

• developing strategies which are compatible with industrial control systems operational, safety and availability constraints

• creating a security culture as an enabler to rooting the changes in the organisation.

Strengthening security governance through appropriate allocation of ownership and responsibilities, and defining a security framework embedded in business and operational processes, are key to ensuring security is maintained in the face of evolving threats, vulnerabilities and future operational changes.

Respond to incidents

Total security is not achievable – there will always be vulnerabilities, highly motivated attackers and human and technical failures that can allow incidents to occur. Organisations need to be prepared to identify and respond to these events, which requires security event monitoring tools and detailed technical configuration deployed on the infrastructure, clear and tested response processes, and the right level of staff training and awareness. The objectives are to ensure:

• incidents can be detected and their impact analysed

• recovery can happen in conditions acceptable to the business

• remediation actions are applied

• the organisation learns from past incidents.

PA’s best practice approach to managing industrial control system security risks

Historically, process control, SCADA and industrial automation systems were designed and built using proprietary technologies and installed in isolation from ordinary IT systems. Recent trends have been to base newer industrial control systems, such as distributed control systems (DCS) and SCADA systems, on open standard and more cost-effective platforms, eg Intel/Windows. The desire for management information and remote control has led to adoption of common network protocols, such as TCP/IP, and the connection of many of these systems to the corporate IT network.

How can organisations continue to capitalise on the opportunities presented by integrated systems while securing their businesses against this increasing cyber security threat?

Any successful approach to tackling the cyber security threat to industrial control systems must identify and understand the key security risks, and then ensure ongoing protection.

Through years of supporting our customers to implement security in the most demanding environments, we have developed a seven-step approach that allows organisations to understand and address cyber security risk to industrial control systems. This best practice model has been adopted by the UK Government’s Centre for Protection of National Infrastructure as the model to protect the nation’s Critical National Infrastructure (CNI).


Figure 1: PA’s seven step process approach to industrial control systems security (diagram labels: Understand Business Risk, Implement Secure Architecture, Establish Response Capability, Improve Awareness and Skills, Manage Third Party, Engage Projects, Establish Governance)

1. Understand the business risk

The first step is to establish a clear picture of what systems are in place, how they are connected, what the vulnerabilities are, what the impact of system failure would be and what security measures are in operation.

2. Select and implement secure architecture

Many simple, low-cost actions, such as removing unauthorised connections, can provide fast and significant security improvements. However, more detailed planning is required for long-term improvements, such as network segregation and implementation of security zones.

3. Ensure effective incident response

Incident management plans rarely cover cyber security events, such as the systemic failure of entire systems or technologies. Organisations must enhance their plans to address the particular characteristics of industrial control system security incidents and to ensure a rapid response to cyber-attacks.

4. Raise awareness and skills

A greater understanding of security amongst control and SCADA engineers will help to ensure security issues are managed as ‘business as usual’. Furthermore, building bridges between the IT, engineering and operations communities can help to create a strong team that collectively has the required skills needed to manage these risks.

5. Manage third-party risks

With systems and support arrangements increasingly being outsourced, organisations must be confident that vendors and suppliers are aware of security risks, operate good practices themselves and have mechanisms for alerting customers when new vulnerabilities are discovered. Threats from partner companies in the supply chain also need to be addressed.

6. Build in security early in the project lifecycle

Bolting security onto projects late in their lifecycle is often difficult and costly. So security measures must be incorporated into the specification, design and development of new systems at the earliest possible stage.

7. Establish ongoing governance

Standards and guidelines for industrial control system security provide a degree of assurance that security practices will be maintained. However, an ongoing assurance process is necessary to ensure the standards reflect the latest threats and that compliance is maintained.


Figure 2: PA’s Industrial Control System Health Check Process. Diagram steps: 1. Understand systems (identify sites and the control system used); 2. Understand threats (identify threat sources: are there specific sources that are unique to your business?); 3. Understand impacts (analyse potential scenarios and understand possible impacts); 4. Understand vulnerabilities (analyse all the technical, procedural and management vulnerabilities in the control system). Diagram outputs: Business Risk, Prioritised Vulnerabilities, High Level Risk Reduction.

Where to start? PA’s Process Control Security Health Check

Our Health Check provides you with a rapid understanding of the risks that are faced from process control cyber threats. It offers a risk-based picture of the major aspects of industrial control system security against best industry practice, and can be used for a single system or many systems across an entire enterprise.

The Health Check consists of four steps as summarised in Figure 2.

1. Understand the systems – create a thorough understanding of scope, operation and protection of the control systems. This includes identifying all existing control systems and interfaces used, their location, connectivity, ownership and accountabilities, access rights and business criticality.

2. Understand the threats – identify and understand all cyber security threats using a variety of ‘what if’ scenarios. This covers identification of threat sources, understanding the ways these might present themselves and assessing the probabilities of threat realisation.

3. Understand the impacts – analyse potential cyber security events for their impacts so appropriate security measures can be implemented. This involves an evaluation of a predetermined series of cyber security scenarios, covering all situations which have a detrimental impact on operations – initially and over time. This leads to an understanding of the overall business consequences of breaches.

4. Understand the vulnerabilities – identify and analyse all the technical, procedural and management vulnerabilities in the control systems to assess overall business risk (Figure 2). A prioritised list of vulnerabilities is then developed to communicate to management for action.


PA’s capabilities and services

Working with our world-class technical security services practice, 7Safe, we provide expertise and services that fully support your cyber security programmes from any stage in their lifecycle:

• security strategy, leadership and governance – coaching and advice to ensure you have a properly informed, risk and resilience-led security strategy with clear accountability and responsibility

• risk management and assurance – audits and assessments against all industry and regulatory standards, such as ISO27001 and PCI DSS. We support your compliance initiatives by identifying areas for improvement and helping you deliver your improvement plans

• technical security services – penetration testing; computer forensics; biometrics and identity management; cryptography; e-Discovery; secure coding and infrastructure. We also offer practical support with implementing and testing security solutions to ensure confidence in your controls

• security culture development services – pragmatic and effective solutions to reduce the cyber risk created by the actions of your people, including social engineering vulnerability assessment, behavioural analysis and developing effective security cultures

• specialist cyber education services – university accredited, hands-on technical training in the fields of information security, ethical hacking and computer forensics to give your people the deep technical knowledge and awareness they need to perform their role

• operational technology and industrial control system security – comprehensive cyber security services for industrial control, process control, SCADA and automation systems across the energy and utilities sector, from a highly experienced team of control engineers and security specialists.

Figure 3

The Health Check process output includes:

• a summary of the business risk

• an analysis of the key vulnerabilities together with any identified ‘quick wins’

• a high level risk reduction plan.


We have over 12 years’ experience in helping energy and utility companies manage the developing cyber security risks

UK Government’s Centre for Protection of National Infrastructure

We joined forces with the UK Government to define its best practice guidance on securing the nation’s industrial control systems that form the UK’s Critical National Infrastructure.

Authority for Electricity Regulation, Oman

We assisted the Authority for Electricity Regulation of Oman to develop cyber security regulations for their electricity sector. We carried out sectoral cyber security assessments, a study of international best practices and defined a regulatory framework and baseline standard.

BP

We worked with BP to improve industrial control system security at more than 300 sites worldwide. We collaborated closely with systems vendors and staff to understand the security options available for existing systems, and to influence the development of future security measures. This initiative enabled BP to improve security and integrity of operating assets and avoid significant health, safety or environmental incidents – and the associated damage to its reputation.

A major water utility

We used our experience in industrial control system security, and our Health Check, to carry out a security assessment of the company’s assets. This included the telemetry system and plant automation systems to define a plan addressing the identified security gaps.

A UK water company

7Safe, PA’s technical security practice, conducted a series of penetration tests, including a review of external facing infrastructure. This involved firewalls, VPN access point, web applications, external facing Citrix environment and field operational support equipment to identify any areas of concern and propose mitigation actions.

Newbuild Nuclear Power Plants

Over the last two years, we have been helping a new nuclear operator with establishing its cyber security programme to protect the safety, security, safeguards and emergency preparedness functions and systems in line with stringent regulatory requirements.

UK’s smart metering infrastructure

We helped identify the security and data privacy risks related to the development of smart metering – which will be a complex countrywide system that will form part of the UK’s critical national infrastructure. We developed a security framework to ensure consumers’ information will be appropriately protected and that the system will be secured against potential attackers.

We have also been helping an electricity supplier design and deploy the security systems to leverage the benefits of smart metering.

NERC CIP

We assisted this major US utility to understand and reduce the risk of regulatory noncompliance.

A leading oil and gas drilling company

We worked with this drilling contractor to secure its mission and safety critical drilling operations, and improved safety and operational effectiveness through a comprehensive digital oilfield security and communications infrastructure.

A major UK utility

We helped a major UK utility develop and secure a novel smart grid solution – enabling the use of renewable power generation.

Cyber security programme review

For this national infrastructure operator, we conducted a comprehensive gap analysis against best practice using the recently developed PAS 555 standard and the CPNI industrial control system good practice guides. We also developed a comprehensive cyber security improvement programme based on the findings.


Corporate headquarters

123 Buckingham Palace Road London SW1W 9SR United Kingdom +44 20 7730 9000

paconsulting.com

This document has been prepared by PA. The contents of this document do not constitute any form of commitment or recommendation on the part of PA and speak as at the date of their preparation.

© PA Knowledge Limited 2014. All rights reserved.

No part of this documentation may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying or otherwise without the written permission of PA Consulting Group.

We are an employee-owned firm of over 2,500 people, operating globally from offices across North America, Europe, the Nordics, the Gulf and Asia Pacific.

We are experts in energy, financial services, life sciences and healthcare, manufacturing, government and public services, defence and security, telecommunications, transport and logistics.

Our deep industry knowledge together with skills in management consulting, technology and innovation allows us to challenge conventional thinking and deliver exceptional results with lasting impact.