Cybersecurity - A Journey

#Cybersecurity #CyberRisks #NTPC #Tenable

Team Pro MFG


In this interview with Niranjan Mudholkar, Editorial Director, Pro MFG Media, Some Nath Kundu, CISO, Engineering, NTPC, describes cybersecurity as a journey: one that requires mapping the compliance requirements to the solutions at hand, understanding the shortcomings, adding countermeasures to overcome them, creating a maturity model, developing and implementing it, and finally maintaining it. The interview is supplemented by expert inputs from Kartik Shahani, Country Manager, Tenable India.

The increasing use of digital technologies is bringing a new wave of cyber complexity. Does the industry have adequate cybersecurity programs in place to address these risks?

The target landscape has expanded to a large extent with the need for data, with connecting OT to the enterprise for that data, and with the advent of the Industry 4.0 revolution. With regard to the power and energy sector, the level of cyber awareness is quite diverse across organizations. With new cyber programmes and government thrust, some are more aware while others might have constraints in terms of resources and people. So we are on a varied cyber canvas. But overall, the industry sector has a long way to travel to be adequately prepared to address the cyber risks. There is a dearth of skilled cyber personnel in the OT sector. A cyber workforce needs to be created, and overall awareness as well as skill levels have to be increased through targeted training and programmes. On the bright side, the industry is trying to address the shortcomings, to bridge the cyber gaps, and is also trying to put in place a programmed and calculated approach to prepare for cyber threats in the context of the increasing Industry 4.0 and digitalization scenarios, more so with the advent of IIoT transducers and with the introduction of the cloud.

The interconnectedness of the OT and the IT is further exposing people, equipment, processes, and intellectual property to cyber threats. How can we stay a step ahead in this situation?

Since we are talking about the interconnectedness of OT and IT, there is a myth that OT processes are air-gapped. People assume that hackers don't have knowledge of OT and thus an attack is least likely. This misconception needs to be broken down. Many times, the interconnections between OT and IT are actually hidden, and they need to be clearly identified. Visibility of these assets is very important. The emphasis should be on building a defence-in-depth architecture with state-of-the-art protection schemes. Real-time monitoring will help us understand any breach and reduce the response time. In this context, we must touch upon four key points: resource protection, configuration management, change management, and patching and clearing of vulnerabilities.

We also need to understand that the cyber security of OT is not just about implementing security measures at the OT level or at the IT-OT interconnections. Let me give you an analogy to explain. Let us assume that a few people are living in a state-of-the-art, well-designed, secure house with very advanced locking features. But the entire security of the house largely lies in the fact that the people residing inside know how to use the security features and the locks properly. The same principle works in our industry as well. That is why having competent resources that are consistently sensitized, trained and up-skilled is of utmost importance when it comes to staying a step ahead. For me, the people factor is the main aspect in this matrix. Everyone should be aware of what the business need of the organization is and what his or her role is in that canvas. We should try to create a workforce of subject matter experts with respect to cybersecurity. Importantly, the cyber security staff should not stop updating themselves. In the cyber world, if we stop updating ourselves with regard to the everyday scenario, then it is as bad as not being cyber secure. So, it is not only professional qualifications and skills that matter; getting regularly updated is equally important.

What are the key challenges when it comes to implementing security measures at the OT level and how can we address them?

OT processes are not identical or uniform. They vary in the type of process and in criticality. There are a lot of intricacies that come into the picture based upon the OEM of the OT automation. Because of this plethora of complexity, types of processes and OEM dependencies, asset identification, as well as understanding the different business processes and their interconnections, is very important. It is definitely one of the challenges. Herein, building zones of these processes, with conduits of interconnection and multilayer protection schemes, will be the first part.

The second part is based upon the criticality of the process. Risk analysis should be done and the risk matrix should be drawn; we should also keep the business informed about the risk. It is only after we have proper visibility of the interconnections that we will understand how to develop and implement countermeasures to enhance security.

Unlike with IT, ensuring the availability of the OT process is very critical. The other challenge in the case of OT is dealing with difficult aspects like patching your legacy systems. For example, some OT systems might still be running on an old, obsolete Windows OS. One solution can be replacing the legacy system. But that will disturb the business for some time. Replacing it with the latest system will also be a huge blow to availability and will incur huge commercial implications, besides the drastic changes it needs to make to the overall infrastructure. Now, in a process-driven industry, strict decisions are required to stop a process and change the infrastructure all of a sudden for the sake of cybersecurity.

Then we have the other challenge of implementing countermeasures. And when you talk about countermeasures, you have the original equipment manufacturers (OEMs) in the picture. The dependency on the OEM is huge for ensuring accurate and safe automatic operation of the process in which production is going on. Under such circumstances, implementing proven countermeasures and patches holds the key. And that requires a huge amount of time. In this context, my practical experience tells me that it would require a huge timeline, because the OEMs need to go back to their labs, do rigorous testing and come up with proven patches, and only then will those patches address the vulnerabilities.

There is a huge evolution gap between IT and OT. Let's say Microsoft introduces a new and secure OS environment. The change may be simple for IT, but the same doesn't hold for OT, because it will require at least four to five years for the application software manufacturer (OEM) to fine-tune the software and to prove its repeatability in the labs with regard to the safety of the process. So maybe in a Windows OS lifecycle of ten years, the OT software will only have five years of application life, because five years have been lost in proving it.
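The zones-and-conduits approach described in this answer, as an added example that is not part of the interview, NTPC's practice or any OEM's product: a small zone model in the style of IEC 62443, with constructed zones, assets, conduits and flows (erp-server, historian, plc-01, eng-ws, sis-01, vendor-laptop and the port numbers are all placeholders). It evaluates each observed flow against the declared conduits and separately flags any flow involving an asset that is not in the inventory, which is the hidden IT-OT interconnection the earlier answer warns about.

```python
# Added example (not NTPC's, any OEM's or any vendor's code): a zone-and-conduit
# model in the style of IEC 62443 with constructed zones, assets and flows.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

Service = Tuple[str, int]  # (transport protocol, destination port) permitted on a conduit


@dataclass(frozen=True)
class Flow:
    src: str    # initiating asset
    dst: str    # responding asset
    proto: str  # "tcp" or "udp"
    port: int   # destination port


class ZoneModel:
    """Each asset belongs to exactly one zone; cross-zone traffic is allowed only
    through an explicitly declared conduit that lists the permitted services."""

    def __init__(self) -> None:
        self.zones: Dict[str, int] = {}                          # zone -> criticality (1 low .. 5 high)
        self.asset_zone: Dict[str, str] = {}                     # asset -> zone
        self.conduits: Dict[Tuple[str, str], Set[Service]] = {}  # (src zone, dst zone) -> services

    def add_zone(self, name: str, criticality: int) -> None:
        self.zones[name] = criticality

    def add_asset(self, asset: str, zone: str) -> None:
        if zone not in self.zones:
            raise ValueError(f"unknown zone {zone!r}")
        self.asset_zone[asset] = zone

    def add_conduit(self, src_zone: str, dst_zone: str, services: Iterable[Service]) -> None:
        self.conduits[(src_zone, dst_zone)] = set(services)

    def evaluate(self, flow: Flow) -> Tuple[str, str]:
        """Return (verdict, reason); verdicts are allow, deny or unknown-asset.
        An unknown asset is the 'hidden interconnection' case: it has to be
        inventoried and placed in a zone before any policy can be stated for it."""
        src_zone = self.asset_zone.get(flow.src)
        dst_zone = self.asset_zone.get(flow.dst)
        if src_zone is None or dst_zone is None:
            unknown = flow.src if src_zone is None else flow.dst
            return "unknown-asset", f"{unknown} is not in the asset inventory"
        if src_zone == dst_zone:
            return "allow", f"intra-zone traffic within {src_zone}"
        services = self.conduits.get((src_zone, dst_zone))
        if services is None:
            return "deny", f"no conduit from {src_zone} to {dst_zone}"
        if (flow.proto, flow.port) not in services:
            return "deny", f"{flow.proto}/{flow.port} is not permitted on conduit {src_zone}->{dst_zone}"
        return "allow", f"permitted by conduit {src_zone}->{dst_zone}"

    def audit(self, flows: Iterable[Flow]) -> List[Tuple[Flow, str, str]]:
        return [(f, *self.evaluate(f)) for f in flows]


def build_plant_model() -> ZoneModel:
    """Constructed four-zone plant: enterprise -> DMZ -> control -> safety.
    There is deliberately no conduit from enterprise straight into control."""
    m = ZoneModel()
    for zone, crit in (("enterprise", 2), ("dmz", 3), ("control", 5), ("safety", 5)):
        m.add_zone(zone, crit)
    for asset, zone in (("erp-server", "enterprise"), ("historian", "dmz"),
                        ("plc-01", "control"), ("eng-ws", "control"), ("sis-01", "safety")):
        m.add_asset(asset, zone)
    m.add_conduit("enterprise", "dmz", {("tcp", 443)})  # enterprise reads the historian over HTTPS
    m.add_conduit("dmz", "control", {("tcp", 4840)})    # historian polls the PLC over OPC UA
    m.add_conduit("control", "safety", {("tcp", 502)})  # engineering reads the safety PLC over Modbus/TCP
    return m


# Constructed flows, as a firewall log or passive monitor would report them.
SAMPLE_FLOWS = [
    Flow("erp-server", "historian", "tcp", 443),
    Flow("historian", "plc-01", "tcp", 4840),
    Flow("erp-server", "plc-01", "tcp", 502),     # IT host reaching straight into control
    Flow("historian", "plc-01", "tcp", 3389),     # RDP over a conduit that only allows OPC UA
    Flow("vendor-laptop", "plc-01", "tcp", 502),  # asset nobody inventoried
    Flow("eng-ws", "plc-01", "tcp", 502),
    Flow("sis-01", "erp-server", "tcp", 443),     # safety zone initiating outbound: no conduit
]


def verdicts(flows: Iterable[Flow] = SAMPLE_FLOWS) -> List[str]:
    return [verdict for _, verdict, _ in build_plant_model().audit(flows)]


if __name__ == "__main__":
    for flow, verdict, reason in build_plant_model().audit(SAMPLE_FLOWS):
        print(f"{verdict:14} {flow.src:>13} -> {flow.dst:<10} {flow.proto}/{flow.port}: {reason}")
```

The model is deliberately directional: a conduit from dmz to control does not imply one from control to dmz, so a controller or safety system that starts a session outward is denied unless that direction was declared. Unknown assets get their own verdict rather than a plain deny so that they land on the asset-identification backlog instead of disappearing into a firewall counter.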

When it comes to the OT environments, we often find organizations following the ‘Regulatory compliance equals security’ mentality. What are your views on this common security pitfall?

Today, in our industry sector, a lot of thrust is given to cyber security governance and the Government framework. The Government has taken up a lot of initiatives to strengthen OT cyber security by proposing and implementing a new cyber security framework and guidelines. New regulations are also being implemented. If we adhere to the regulatory compliances, then I think we will still be doing a good amount of work in terms of patching up the many gaps already present in the OT cyber security area. Strict compliance with the latest guidelines and frameworks as laid down by the Ministry of Power will help in creating a mature OT cyber security posture for any organization. Obviously, the organization's cyber management needs to be more aligned with the cyber security solutions with regard to adopting best practices and conducting regular audits. That is the key as far as technology is concerned.

However, the regulatory compliance mentality alone does not suffice. We have to be aware of what we are actually doing. This raises a few questions. What is the status of the latest audit compliances? What is our cyber posture at present? How do we deal with the difficult problem of moving from non-compliance to compliance with the help of a system integrator or the OEM? That's the main trick! Until and unless we have a good hold over the OEM, vulnerabilities are not easy to patch in the case of OT. A sufficient budget also needs to be allocated for enhancing overall cyber security. This long journey requires mapping the compliance requirement to the available solution at hand, understanding the shortcomings, adding countermeasures to overcome the shortcomings, creating a maturity model, developing and implementing it, and finally maintaining it. Well, it might be very easy for IT, with a lot of ready security solutions and functionalities, but it is not that straightforward on the OT side. You need to follow regulations in their true spirit and ensure that compliance reaches the last level of the OT as well as the last employee in the organization responsible for any particular role. For me, security is never a destination; it has to be a journey.

Expert Inputs: Kartik Shahani, Country Manager, Tenable India

Preparing for the cyber-risks

Power utilities are rapidly digitizing their power plants and grids to enhance efficiency, reduce costs and ensure regulatory compliance. This has resulted in a convergence of their once-separate OT and IT environments. The growing adoption of smart grid technologies and distributed energy resources has increased the need for interconnection, which yields a much wider attack surface, with the capacity to move easily from one provider to the next. Therefore, grid-based industrial cyber threats have become core risks to safety, reliability and business continuity.

Unlike attacks on IT networks that target information theft, cyber-attacks on power grids involve sending commands to controllers, relays and IEDs to disrupt normal grid operations. These disruptions can have dire consequences for employee and public safety.

CISOs need to work with OT operators to gain total visibility into the attack surface. This includes visibility of all assets, firmware versions, patch levels, state, configuration and the vulnerability position of everything present within the operational technology infrastructure.

A full inventory of communication patterns within the OT environment, for the purpose of baselining what is "normal" and identifying suspicious activity, must also be performed. This is important because, within an OT environment, communications are predictable and use a finite number of OT-specific protocols.

Constant monitoring of asset inventory and network activity is essential, as no environment ever remains completely static. A "snapshot" approach will give you the state of the environment and should be able to notify you when configurations change, as this could be an indication of malware, ransomware or some other sort of attack. Concurrently, real-time alerting capabilities and audit trails are a must, from both a security and a compliance perspective.
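The inventory, configuration and change monitoring described in this section, as an added example that is not Tenable's product code or NTPC's: a comparison of two constructed inventory snapshots (asset ids and the vendor and model names ExampleAutomation, PLC-X, ExampleHMI and View-7 are placeholders, not real products) that fingerprints each device's configuration, reports firmware, patch-level and configuration drift, marks a change as expected only when it is covered by an approved change record, and looks up which devices still run firmware older than the fixed version in a constructed advisory.

```python
# Added example (not Tenable's product code or NTPC's): comparing two asset
# inventory snapshots of an OT network and flagging unapproved changes.
# Inventories, the approved-change list and the advisory are constructed.
import hashlib
import json
from typing import Any, Dict, List, Set, Tuple

Inventory = Dict[str, Dict[str, Any]]  # asset id -> attributes


def config_fingerprint(config: Dict[str, Any]) -> str:
    """SHA-256 over a canonical JSON encoding, so key order alone never reads as drift."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.10.1' must sort after '2.9.3'; plain string comparison gets that wrong."""
    return tuple(int(part) for part in version.split("."))


def diff_inventory(baseline: Inventory, snapshot: Inventory,
                   approved: Set[Tuple[str, str]]) -> List[Dict[str, Any]]:
    """Compare two snapshots. `approved` holds (asset, field) pairs covered by a
    change ticket; anything else that moved is an alert, which is how change
    management and monitoring are tied together."""
    findings: List[Dict[str, Any]] = []
    for asset in sorted(set(baseline) | set(snapshot)):
        if asset not in baseline:
            findings.append({"asset": asset, "change": "new-asset", "severity": "alert"})
            continue
        if asset not in snapshot:
            findings.append({"asset": asset, "change": "missing-asset", "severity": "alert"})
            continue
        old, new = baseline[asset], snapshot[asset]
        for field in ("firmware", "patch_level"):
            if old[field] != new[field]:
                severity = "expected" if (asset, field) in approved else "alert"
                findings.append({"asset": asset, "change": f"{field}-changed",
                                 "old": old[field], "new": new[field], "severity": severity})
        if config_fingerprint(old["config"]) != config_fingerprint(new["config"]):
            keys = sorted(k for k in set(old["config"]) | set(new["config"])
                          if old["config"].get(k) != new["config"].get(k))
            severity = "expected" if (asset, "config") in approved else "alert"
            findings.append({"asset": asset, "change": "config-drift",
                             "keys": keys, "severity": severity})
    return findings


def assets_affected(inventory: Inventory, vendor: str, model: str, fixed_in: str) -> List[str]:
    """Pinpoint devices still running firmware older than the version an advisory says fixes the issue."""
    return sorted(asset for asset, info in inventory.items()
                  if info["vendor"] == vendor and info["model"] == model
                  and parse_version(info["firmware"]) < parse_version(fixed_in))


# Constructed inventories; vendor and model names are placeholders, not real products.
BASELINE: Inventory = {
    "plc-01": {"vendor": "ExampleAutomation", "model": "PLC-X", "firmware": "2.3.1",
               "patch_level": "2021-06", "config": {"write_protect": True, "ntp": "10.0.0.5"}},
    "plc-02": {"vendor": "ExampleAutomation", "model": "PLC-X", "firmware": "2.3.1",
               "patch_level": "2021-06", "config": {"write_protect": True, "ntp": "10.0.0.5"}},
    "hmi-01": {"vendor": "ExampleHMI", "model": "View-7", "firmware": "7.1.0",
               "patch_level": "KB-EXAMPLE", "config": {"rdp_enabled": False}},
}
SNAPSHOT: Inventory = {
    "plc-01": {**BASELINE["plc-01"], "config": {"ntp": "10.0.0.5", "write_protect": False}},
    "plc-02": {**BASELINE["plc-02"], "firmware": "2.4.0"},
    "hmi-01": BASELINE["hmi-01"],
    "hmi-02": {"vendor": "ExampleHMI", "model": "View-7", "firmware": "7.0.2",
               "patch_level": "none", "config": {"rdp_enabled": True}},
}
APPROVED: Set[Tuple[str, str]] = {("plc-02", "firmware")}  # the only change with a ticket


def run_example() -> Tuple[List[Dict[str, Any]], List[str]]:
    findings = diff_inventory(BASELINE, SNAPSHOT, APPROVED)
    # Constructed advisory: PLC-X firmware before 2.4.0 is affected.
    vulnerable = assets_affected(SNAPSHOT, "ExampleAutomation", "PLC-X", "2.4.0")
    return findings, vulnerable


if __name__ == "__main__":
    findings, vulnerable = run_example()
    for finding in findings:
        print(finding)
    print("still on vulnerable PLC-X firmware:", vulnerable)
```

On the constructed data this reports an uninventoried HMI, a PLC whose write protection was switched off with no change record, and a firmware upgrade that is expected because it has a ticket; the advisory lookup then shows that only plc-01 is still on the affected firmware. Fingerprinting the whole configuration, rather than watching a hand-picked set of fields, is what makes the "snapshot" approach catch changes nobody thought to monitor.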

Good cyber hygiene practices and processes

To effectively secure grid environments, it is essential to go beyond compliance recommendations, which should always be considered a minimum standard. Some crucial elements include:

Gain full visibility and control: Attacks should be identified long before the last mile. Timely detection requires constant monitoring of traffic anywhere in the network. Event reports should be clearly understood and incorporate enough situational awareness to discern whether the breach was malicious for grid-specific environments or part of regular operations. Comprehensive visibility eliminates potential attacks before they begin migrating across the interconnected grid infrastructure. This can be achieved by leveraging a multi-threat detection engine encompassing policy-, anomaly- and signature-based detection.

Identify every instance of physical tampering: Unlike traditional IT networks, grid topologies are by design geographically distributed. Substations and remote facilities are usually the least protected, yet may be the prime entry point for an attack. Security solutions must not only listen to the network but also query individual devices at all locations to identify whether any changes have been made. It is especially important to be able to query all intelligent electronic devices (IEDs) in the network, as they control regular grid operations. This is in addition to servers, workstations, networking equipment, gateways and any other devices. For locations where it is impossible or impractical to deploy physical appliances, cloud-based OT security can be deployed to ensure comprehensive security across the entire environment.

Manage your assets: Grid environments tend to have large and interconnected infrastructures. Many different devices are spread across a vast area and sometimes across several networks. Networks generally have multiple generations of devices as well as a variety of makes and models. Operators need a solution that provides a real-time accounting of what is on the network, down to patch levels and firmware information. Extensive asset audits allow you to pinpoint the devices that need to be addressed when a Common Vulnerabilities and Exposures (CVE) entry is issued; they can also help identify devices that are in need of maintenance or replacement.
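The multi-threat detection engine mentioned under the first element above, combined with the communication baseline from the previous section, as an added example that is not Tenable's or NTPC's code: three engines run over constructed Modbus/TCP messages. The anomaly engine learns the conversations seen in a clean baseline window; the policy engine restricts write function codes to the hosts authorised for each controller; the signature engine matches two abusive Modbus requests that are part of the published protocol (diagnostics function 8 with sub-function 4, Force Listen Only Mode, which silences a device, and function 43 with sub-function 14, Read Device Identification, used for fingerprinting). The host names, baseline, write policy and traffic are all constructed.

```python
# Added example (not Tenable's or NTPC's code): policy-, anomaly- and signature-based
# detection over OT messages. Traffic, baseline, policy and host names are constructed;
# the Modbus function codes are the standard ones (3 read holding registers,
# 5/6/15/16/22/23 writes, 8/4 Force Listen Only Mode, 43/14 Read Device Identification).
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Msg:
    ts: int
    src: str
    dst: str
    proto: str                 # e.g. "modbus"
    func: int                  # Modbus function code
    sub: Optional[int] = None  # sub-function for codes 8 and 43, else None


MODBUS_WRITE_FUNCS = {5, 6, 15, 16, 22, 23}  # functions that change coils or registers

Signature = Tuple[str, Callable[[Msg], bool]]

SIGNATURES: List[Signature] = [
    # Diagnostics sub-function 4 puts the device in listen-only mode: a denial-of-service primitive.
    ("modbus-force-listen-only", lambda m: m.proto == "modbus" and m.func == 8 and m.sub == 4),
    # Read Device Identification from an arbitrary host is typical reconnaissance.
    ("modbus-device-id-probe", lambda m: m.proto == "modbus" and m.func == 43 and m.sub == 14),
]


class Detector:
    def __init__(self, baseline: Iterable[Msg], write_policy: Dict[str, Set[str]],
                 signatures: List[Signature]) -> None:
        # Anomaly engine: the finite set of conversations seen during a clean baseline window.
        self.known_pairs = {(m.src, m.dst, m.proto) for m in baseline}
        # Policy engine: controller -> hosts allowed to issue writes to it.
        self.write_policy = write_policy
        self.signatures = signatures

    def inspect(self, m: Msg) -> List[Tuple[str, str]]:
        alerts: List[Tuple[str, str]] = []
        if (m.src, m.dst, m.proto) not in self.known_pairs:
            alerts.append(("anomaly", f"new conversation {m.src}->{m.dst} over {m.proto}"))
        if (m.proto == "modbus" and m.func in MODBUS_WRITE_FUNCS
                and m.src not in self.write_policy.get(m.dst, set())):
            alerts.append(("policy", f"{m.src} issued write function {m.func} to {m.dst}"))
        for name, matches in self.signatures:
            if matches(m):
                alerts.append(("signature", name))
        return alerts

    def run(self, traffic: Iterable[Msg]) -> List[Tuple[int, str, str]]:
        return [(m.ts, engine, detail) for m in traffic for engine, detail in self.inspect(m)]


# Constructed clean baseline: historian and HMI read, the engineering workstation writes.
BASELINE = [
    Msg(1, "historian", "plc-01", "modbus", 3),
    Msg(2, "hmi-01", "plc-01", "modbus", 3),
    Msg(3, "hmi-01", "plc-01", "modbus", 5),
    Msg(4, "eng-ws", "plc-01", "modbus", 16),
]
WRITE_POLICY = {"plc-01": {"eng-ws", "hmi-01"}}

# Constructed live traffic to inspect.
TRAFFIC = [
    Msg(10, "historian", "plc-01", "modbus", 3),       # normal read
    Msg(11, "historian", "plc-01", "modbus", 16),      # known pair, but the historian may not write
    Msg(12, "laptop-x", "plc-01", "modbus", 43, 14),   # unknown host fingerprinting the PLC
    Msg(13, "laptop-x", "plc-01", "modbus", 8, 4),     # unknown host forcing listen-only mode
    Msg(14, "eng-ws", "plc-01", "modbus", 16),         # authorised write
    Msg(15, "hmi-01", "plc-02", "modbus", 3),          # HMI talking to a controller it never did before
]


def run_example() -> List[Tuple[int, str, str]]:
    return Detector(BASELINE, WRITE_POLICY, SIGNATURES).run(TRAFFIC)


if __name__ == "__main__":
    for ts, engine, detail in run_example():
        print(f"t={ts:<3} [{engine}] {detail}")
```

The three engines catch different things on this traffic: only the policy engine sees the historian's write, because that conversation is in the baseline and the request carries no malicious signature; only the anomaly engine sees the HMI's first contact with plc-02; and the laptop's probe and listen-only command trip both the anomaly and signature engines. That is the practical reason for running all three rather than relying on any one of them.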

Facing the threats in 2022

SolarWinds-style attacks on SaaS and shared services are imminent: We believe that attacks against commonly used SaaS and other software platforms will accelerate in 2022. Therefore, organisations must take precautions to adequately ensure that their third-party vendors are secure and implement audited industry best practices. This highlights how critical it is to ensure that third-party software and services follow best security practices. It also highlights the need to utilize a security solution that provides appropriate visibility, security and control across the converged infrastructure.

Colonial Pipeline set the table for improvement: Attacks like the one on Colonial Pipeline made security tangible for non-security professionals. Spikes in gas prices and lines at the pump are something that the everyday citizen, CEO and policymaker can understand. Every board of directors is now interested in what the cyber risk is to their company. Stakeholders are more invested than ever, and policymakers are no exception. If the government and the private sector can acknowledge their shared priorities and work together toward a more secure world, 2022 will bring a promising climate for improvement.
