TODAY’S STUDY: PROTECTING THE GRID FROM HACKERS

Roadmap to Achieve Energy Delivery Systems Cybersecurity
September 2011 9Energy Sector Control Systems Working Group)

Executive Summary

Energy delivery systems are critical to the effective and reliable operation of North America’s energy infrastructure. Our way of life is made possible by a vast network of processes that produce, transfer, and distribute energy as well as the interconnected electronic components, communication devices, and people that monitor and control those processes. Today’s highly reliable and flexible energy infrastructure depends on the ability of energy delivery systems to provide timely, accurate information to system operators and automated control over a large, dispersed network of assets and components. This vast and distributed control requires communication among millions of nodes and devices across multiple domains, exposing energy systems and other dependent infrastructures to potential harm from accidental and malevolent cyber attacks.

Cybersecurity is a serious and ongoing challenge for the energy sector. Cyber threats to energy delivery systems can impact national security, public safety, and the national economy. Because the private sector owns and operates most of the energy sector’s critical assets and infrastructure, and governments are responsible for national security, securing energy delivery systems against cyber threats is a shared responsibility of both the public and private sectors. A common vision and a framework for achieving that vision are needed to guide the public-private partnerships that will secure energy delivery systems.

click to enlarge

An Updated Roadmap to Address Progress and Change

Starting in 2005, the U.S. Department of Energy Office of Electricity Delivery and Energy Reliability, the U.S. Department of Homeland Security Science and Technology Directorate, and the Energy Infrastructure Protection Division of Natural Resources Canada facilitated the development of the Roadmap to Secure Control Systems in the Energy Sector (hereafter referred to as the 2006 Roadmap) to enhance cybersecurity across the energy sector. The 2006 Roadmap established a common vision and strategic framework for industry and government to develop, deploy, and maintain control systems that could survive an intentional cyber assault without loss of critical functions. The 2006 Roadmap was constructed using the collective insights of the control systems community, including owners and operators, commercial vendors, national laboratories, industry associations, academia, government agencies, and members of the international community. As a result, a number of diverse efforts and ideas aligned toward common goals and the knowledge and resources of other sector stakeholders were better leveraged.

The release of the 2006 Roadmap marked the beginning of a national and international collaborative public-private partnership for increased cybersecurity in the energy sector. The sector has made notable progress, as tracked and detailed in Appendix B and the Interactive Energy Roadmap website ([ieRoadmap] www.controlsystemsroadmap. net). The Roadmap to Achieve Energy Delivery Systems Cybersecurity is an update to the 2006 Roadmap; it reflects subsequent cybersecurity and other technology advances and the evolving needs of the sector. The update includes the following:

• Changing landscape. The roadmap now has a broader focus on energy delivery systems, including control systems, smart grid technologies, and the interface of cyber and physical security—where physical access to system components can impact cybersecurity. This update recognizes that smart technologies (e.g., smart meters, phasor measurement units), new infrastructure components, the increased use of mobile devices, and new applications are changing the way that energy information is communicated and controlled while introducing new vulnerabilities and creating new needs for the protection of consumer and energy market information.

click to enlarge

• Building on successes and addressing gaps. The roadmap reflects new priorities identified by roadmap update participants: enhancing vulnerability disclosure between government, researchers, and industry; optimizing the limited time and resources of stakeholders through innovative partnerships; improving the measurement of progress made toward milestones; and addressing gaps to further advance technologies. While the 2006 Roadmap provided a solid foundation that aligned multiple public and private programs, research and development (R&D) investments, interoperability and cybersecurity standards development and adoption, advanced training, and accelerated product development, there is more work to do in tackling persistent and emerging challenges.

• Advancing threat capabilities. The roadmap recognizes that cyber threats to energy delivery systems are real and are becoming increasingly innovative, complex, and sophisticated. Adversaries have pursued progressively innovative techniques to exploit flaws in system components, telecommunication methods, and common operating systems found in modern energy delivery systems with the intent to infiltrate and sabotage them. The Stuxnet worm, which was found to have targeted a specific industrial control system, a programmable logic controller, is an example of a threat designed to reprogram and take control of a system component that is also used by critical energy infrastructure…

• Emphasizing a culture of security. The roadmap recognizes that achieving resilient energy delivery systems requires more than a focus on compliance; a culture focused on security that permeates the sector is needed. While regulations and standards can be used to raise security baselines, sustaining a secure and resilient energy infrastructure will not be possible without people trained in developing and implementing the best available security policies, procedures, and technologies tailored to the energy delivery systems operational environment.

click to enlarge

The Vision

The strategies to achieve this vision confront the formidable technical, business, and institutional challenges that lie ahead in protecting critical systems against increasingly sophisticated and persistent cyber attacks. Energy companies have long recognized that it is neither practical nor feasible to fully protect all energy assets from natural, accidental, or intentional damage. However, the sector’s track record of excellent reliability reflects an effective protective approach that balances preventive measures with rapid response and recovery. Accordingly, the industry’s vision for securing energy delivery systems focuses on critical functions that, if lost, could result in loss of life, public endangerment, environmental damage, loss of public confidence, or severe economic damage. This prioritized approach is a product of risk-management principles in use throughout the energy sector.

click to enlarge

Strategic Framework

Five strategies must be pursued to achieve the energy sector’s vision:

• Build a Culture of Security. In a culture of security, extensive dialogue about the meaning of security and the consequences of operating under certain levels of risk is ongoing, by various means, among citizens and stakeholders. When integrated with reliability practices, a culture of security ensures sound risk management practices are periodically reviewed and challenged to confirm that established security controls remain in place and changes in the energy delivery system or emerging threats do not diminish their effectiveness. Implementing this strategy will help the sector achieve the following goal: Cybersecurity practices are reflexive and expected among all energy sector stakeholders.

• Assess and Monitor Risk. Assessing and monitoring risk gives companies a thorough understanding of their current security posture, enabling them to continually assess evolving cyber threats and vulnerabilities, their risks, and responses to those risks. Implementing this strategy will help the sector achieve the following goal: Continuous security state monitoring of all energy delivery system architecture levels and across cyber-physical domains is widely adopted by energy sector asset owners and operators.

• Develop and Implement New Protective Measures to Reduce Risk. In this strategy, new protective measures are developed and implemented to reduce system risks to an acceptable level as security risks—including vulnerabilities and emerging threats—are identified or anticipated. These security solutions are built into next-generation energy delivery systems, and appropriate solutions are devised for legacy systems.

Implementing this strategy will help the sector achieve the following goal: Next-generation energy delivery system architectures provide “defense in depth” and employ components that are interoperable, extensible, and able to continue operating in a degraded condition during a cyber incident.

• Manage Incidents. Managing incidents is a critical strategy because cyber assaults can be sophisticated and dynamic and any system can become vulnerable to emerging threats as absolute security is not possible. When proactive and protective measures fail to prevent a cyber incident, detection, remediation, recovery, and restoration activities minimize the impact of an incident on an energy delivery system. Post-incident analysis and forensics enable energy sector stakeholders to learn from the incident. Implementing this strategy will help the sector achieve the following goal: Energy sector stakeholders are able to mitigate a cyber incident as it unfolds, quickly return to normal operations, and derive lessons learned from incidents and changes in the energy delivery systems environment.

• Sustain Security Improvements. Sustaining aggressive and proactive energy delivery systems security improvements over the long term requires a strong and enduring commitment of resources, clear incentives, and close collaboration among stakeholders. Energy sector collaboration provides the resources and incentives required for facilitating and increasing sector resilience. Implementing this strategy will help the sector achieve the following goal: Collaboration between industry, academia, and government maintains cybersecurity advances.

The strategies form the core of a strategic framework (Exhibit E.1), tied to distinct milestones and time frames, that will coordinate efforts currently under way in the public and private sectors and help align new projects to advance energy delivery systems security

click to enlarge

Key Challenges

The energy sector faces a number of challenges to achieving the milestones. The challenges described below and in Exhibit E.1 are not prioritized; each is key to realizing the sector’s vision. However, these are not the only challenges the sector must overcome; further barriers are described in Section 4.

Although the ability of energy companies to assess and monitor cybersecurity posture has improved since the 2006 Roadmap, real-time solutions are needed to keep pace with increasingly sophisticated cyber threats that are unpredictable and evolve faster than the sector’s ability to develop and deploy countermeasures. The dynamic landscape complicates the creation of consistent metrics and advanced tools for measuring risks.

Upgrading legacy systems often requires replacing technology to implement the needed security capabilities due to inherent limitations of existing equipment and architectures or degradation of system performance caused by the security upgrades. New architectures with built-in, end-to-end security require multidisciplinary efforts, significant resources, and years to develop and deploy throughout the energy sector. Information about attacks that occur, consequences, and lessons learned often are not shared beyond the organization experiencing the incident. Outside the energy delivery community, cybersecurity problems, their implications, and the need for solutions tailored to energy delivery systems are still not well understood.

Making a strong business case for cybersecurity investment is complicated by the difficulty of quantifying risk in an environment of rapidly changing, unpredictable threats with consequences that are hard to demonstrate. Regulatory uncertainty caused by changing and new regulations can also introduce risk for private sector cybersecurity investments. As recognized by the U.S. Government Accountability Office (GAO), the “existing federal and state regulatory environment creates a culture within the utility industry of focusing on compliance with cybersecurity requirements, instead of a culture focused on achieving comprehensive and effective cybersecurity.” 3

click to enlarge

Roadmap Implementation

Implementing this roadmap requires the collective commitment of government, industry, academia, researchers, vendors and other solution providers, and asset owners and operators. These stakeholders bring distinct skills and capabilities for improving energy delivery systems security today and in the future. Industry organizations and government agencies can provide the needed coordination, leadership, and investments to address important barriers and gaps. Researchers at government laboratories and universities also play a key role in exploring long-term solutions and developing tools to assist industry.

click to enlarge

Asset owners and operators bear the chief responsibility for ensuring that systems are secure, investing appropriately, and implementing protective measures. They are supported by the software and hardware vendors, contractors, IT and telecommunications service providers, and technology designers who develop and deliver products and services tailored to energy delivery systems.

Measuring progress is critical to success; however, progress depends on the actions of many stakeholders, dispersed throughout North America, working to achieve a common goal. Manually polling these stakeholders to identify and document advancements is highly time consuming and resource intensive. To address this issue, the Energy Sector Control Systems Working Group (ESCSWG) encourages stakeholders to use the ieRoadmap to record actions they are taking to enhance cybersecurity. Using the ieRoadmap, energy stakeholders can align resources, partner to develop and implement strategic and tactical approaches to achieve roadmap milestones, and evaluate and communicate progress each year. The ESCSWG will help coordinate and measure the sector’s progress towards meeting the roadmap vision.