Headlines about the latest cyber attack are now commonplace across a wide swath of businesses. This year, the biggest stories have centered on healthcare-related attacks. This is particularly difficult to accept during a pandemic and is very disconcerting.
Of course, all attacks are concerning, especially when lives could be at stake. One such sector at risk is the US electric grid. An attack in this sector could be devastating and debilitating on many different levels. This is why the North American Energy Standards Board (NAESB) recently re-certified GlobalSign’s Authorized Certificate Authority (ACA) accreditation. GlobalSign’s reauthorization comes at a time when energy operators are increasingly dealing with state-sponsored attacks and, more recently, domestic bad actors looking to hold grid providers to ransom through a variety of attacks.
GlobalSign’s journey with NAESB began in 2012 through our introduction by ISO New England. Aside from our ACA certification, GlobalSign joined the NAESB Cybersecurity Sub-committee (CSS), sitting side-by-side with industry experts shaping cybersecurity standards for over 8 years. The CSS helped develop the WEQ-012 PKI standard and ACA accreditation requirements addressing the unique and strict cybersecurity requirements of the Wholesale Electric Quadrant. One of the CSS’s esteemed industry leaders is Richard (Dick) Brooks, former Principal Systems Architect at ISO New England and now CEO of Reliable Energy Analytics LLC.
We asked Richard for his thoughts regarding the current threat landscape and mitigating strategies facing the energy sector:
Lila Kee: As an expert in energy and cybersecurity, what in your opinion are the biggest concerns for electricity providers today?
Richard Brooks: I think the May 1 emergency Executive Order provides a clear understanding of the inherent risks facing all industry stakeholders from the supply chain attack vector. Federal Energy Regulatory Commission (FERC) Order 850 requires Bulk Electric System (BES) responsible entities to implement supply chain risk controls by October 1, 2020 to prevent harmful software objects from being installed in critical cyber assets used in grid management. One suggested best practice is to have software vendors apply digital signatures to their software objects, using certificates from reputable Certificate Authorities, as one of the recommended forms of mitigation to prevent nefarious software from being installed in the BES. As was pointed out in a previous GlobalSign blog by Lila, malware is a high risk which can result in a company spending millions of dollars in recovery efforts.
Lila Kee: What advice would you give electric grid operators in terms of cybersecurity protection?
Richard Brooks: Supply chain threats are real and an effective defense plan is your best option. The plan must include ongoing risk assessments and appropriate mitigations to address vendor and product supply chain risks that are continually evolving. Require your software vendors to sign their software products using digital certificates acquired from a reputable Certificate Authority (CA) that understands the high risks facing the energy industry and is dedicated to the energy industry, such as those CA vendors that are accredited through NAESB’s ACA program. There are many CA vendors that will issue a digital certificate without proper vetting and these certificates should never be trusted when it comes to installing software in the BES.
Lila Kee: As a forum for standards development addressing the unique requirements and challenges facing the energy sector, what are the most relevant benefits of NAESB membership from a cybersecurity perspective?
Richard Brooks: NAESB has a long-standing record of delivering standards that become FERC regulations, embodied in the Code of Federal Regulations (CFR). FERC does not blindly adopt any industry standard, so it means something very special to have FERC adopt a NAESB standard by reference. It means that NAESB has done a good job at reaching a consensus solution among all industry stakeholders with a vested interest in a standard. It should be stated that one NAESB standard, OASIS, is used in the scheduling of inter-area electricity transactions over the Internet, using digital certificates for authentication acquired from NAESB ACAs, and there has not been a single reported cybersecurity incursion within this PKI-protected application ecosystem since it began almost 15 years ago. It’s tough to argue against success!
I’ve personally benefitted both financially, as a vendor starting in 1995, and as an industry stakeholder during my time at ISO New England, from my participation in NAESB and membership is open to any party that wishes to contribute to the development of these standards. So many standards get developed and sit on the shelf, but that’s not the case with NAESB standards; it’s truly gratifying to see a NAESB standard you’ve worked on still in daily operation as a FERC regulation after 25 years.
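The vendor-signature check Richard describes above (sign the software object with a certificate from a reputable CA, and refuse to install anything whose signer does not chain to a CA the operator has chosen to trust) can be shown end to end with Go’s standard library. The block below is an added example written for this page; it is not code from GlobalSign, NAESB or Reliable Energy Analytics, and it assumes a constructed trust store containing one constructed “Accredited CA”, a second constructed “Unvetted CA”, constructed vendor names and constructed artifact bytes. It generates throwaway P-256 keys and certificates in memory, so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // counter for the constructed, throwaway certificates below

func check(err error) {
	if err != nil {
		panic(err) // setup failures in this constructed example are fatal
	}
}

// issue generates a P-256 key and a certificate for it, signed by parentKey; parent == nil means self-signed (a CA root).
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning} // a leaf may only sign code
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// SignArtifact is the vendor side: sign the SHA-256 digest of the software object.
func SignArtifact(artifact []byte, key *ecdsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(artifact)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifyArtifact is the operator side, run before install: the signer's certificate must chain to a CA in the
// operator's trust store and be valid for code signing, and the signature must match the artifact bytes.
func VerifyArtifact(artifact, sig []byte, signer *x509.Certificate, trusted *x509.CertPool) error {
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("signer certificate not trusted: %w", err) // valid signature, unvetted CA: still rejected
	}
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("unsupported signer key type %T", signer.PublicKey)
	}
	digest := sha256.Sum256(artifact)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature does not match artifact")
	}
	return nil
}

// Outcome records whether each of three installs passed the check.
type Outcome struct{ Trusted, Untrusted, Tampered bool }

// RunScenario: the operator trusts only the constructed "Accredited CA"; the unvetted CA and a modified artifact must fail.
func RunScenario() Outcome {
	goodCA, goodCAKey := issue("Accredited CA (constructed)", true, nil, nil)
	goodLeaf, goodKey := issue("Vendor A (constructed)", false, goodCA, goodCAKey)
	badCA, badCAKey := issue("Unvetted CA (constructed)", true, nil, nil)
	badLeaf, badKey := issue("Vendor B (constructed)", false, badCA, badCAKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(goodCA) // the operator's trust store holds accredited CAs only
	artifact := []byte("ems-update-1.2.3.bin: constructed sample bytes, not a real package")
	goodSig, err := SignArtifact(artifact, goodKey)
	check(err)
	badSig, err := SignArtifact(artifact, badKey)
	check(err)
	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 0xff // one flipped byte, as a supply-chain modification would leave
	return Outcome{
		Trusted:   VerifyArtifact(artifact, goodSig, goodLeaf, trusted) == nil,
		Untrusted: VerifyArtifact(artifact, badSig, badLeaf, trusted) == nil,
		Tampered:  VerifyArtifact(tampered, goodSig, goodLeaf, trusted) == nil,
	}
}
```

Calling `RunScenario()` from a `main` or a test yields `Trusted` true and both `Untrusted` and `Tampered` false. The design point is the order of the two checks in `VerifyArtifact`: the chain-of-trust check runs first, so a perfectly valid signature made under a CA the operator never vetted is rejected before the signature bytes are even examined, which is exactly why the choice of CA, and not merely the presence of a signature, matters for BES installs.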
[Figure: Cyber attacks with serious consequences. Sample of energy-related cyber attacks around the world over the past 10 years. Image: BCG. Source: press reports and BCG analysis, via World Economic Forum.]
As discussed in this World Economic Forum article last November, over the last decade the electricity sector has increasingly experienced significant cyber attacks. In 2010, the Stuxnet computer virus caused significant damage to Iran’s nuclear power centrifuges (a move that supposedly put Iran’s nuclear efforts on hold for several years.) In 2014, a team of hackers cancelled approximately $650,000 of electricity bills from a Turkish energy company. In 2015, control systems at three Ukrainian energy companies were compromised leaving 225,000 customers in the dark. A malware attack caused a second cyber-related blackout in Ukraine the following year.
One interesting aspect is how the electricity sector is “heavily interconnected with interdependencies across the supply chain,” and that this will likely increase over time. What this means is more risk to the electric grid, which is why it is so important for NAESB participants to protect their assets.
Just how bad could the attacks get? The Lawfare blog recently covered this topic. The article also points out that attackers could manage to “lock engineers out of systems, falsify data, or turn off alarms intended to flag errors and abnormalities in grid behavior and performance for system maintenance or inspection.”
Staying vigilant – and helping your community
If you’re a part of the electric grid community and experience a threat or actual attack, it’s important to communicate it to the community so your ecosystem is aware of activity that could impact them. Educate your workforce on the most common ways in which malware is distributed: phishing and spear-phishing emails.
Steps company leaders should absolutely take:
- Train end users to always view the sender’s domain by hovering over the “from” address, to carefully check all links and attachments before clicking, and to have IT teams inspect anything that looks remotely suspicious
- Run fully updated virus and malware detection scans
- Encourage partners and external users to digitally sign their emails using a trusted S/MIME certificate
- Have an up-to-date and fully tested Business Resumption Plan so that even in the worst-case scenario the impact can be contained
- Back up your data and don’t leave your network vulnerable to ransom attacks
- Recognize that all people, machines, and devices that touch the network should be authenticated, and look to automated PKI solutions as scalable, easy-to-manage security measures
- Invest in hardening your infrastructure, as the threat environment will only grow, especially as smart grid components are increasingly attached to networks
Trusted solutions for the energy grid sector
GlobalSign's Public Key Infrastructure (PKI) experts understand the unique security requirements of the power grid. By using GlobalSign's digital certificates, NAESB members such as wholesale and retail electric distributors, wholesale and retail gas distributors, and other market participants can increase the security of their online transactions and maintain standards. The digital certificates are delivered via a Managed PKI platform which allows compliance and security officers affiliated with NAESB to easily issue and manage their certificates.
Our trusted PKI-based solutions are essential to help protect critical infrastructure like the electric grid from damaging attacks. GlobalSign’s digital certificates can be used for multiple use cases, including secure authentication to online portals such as ISO-NE, where authorized market participants and Independent System Operators (ISO) can access real-time and historical data to make informed decisions around energy trading. Further, NAESB certificates issued by GlobalSign enable high assurance digital credentials used for accessing critical energy services such as the EIR Web Registry, a central repository for information required to support commercial, scheduling, and transmission management operations for North American natural gas and electricity providers.
Like any business sector, energy can be vulnerable. But if we remain vigilant and put the correct security measures in place, the number and impact of attacks can be greatly diminished. Everyone has to do their part!