Within the power industry, there has been a lot of noise, chatter, and discussion from many different government agencies regarding known nation-state threat actors trying to infiltrate the United States power grid and critical infrastructure. This level of attack is without a doubt the ultimate doomsday scenario we all need to collectively work to mitigate. However, we need to ensure we do not ignore the less sophisticated levels of threats that are itching to penetrate our firewalls and steal our lunch money. In Figure 1, we highlight the four primary levels of cybersecurity threats that facilities need to protect against. In this article we will dive deeper into each of these four threats and how to best protect and mitigate the possibility of an attack. As organizations start to integrate more remote connectivity throughout their facility’s operations, it is critical to fully understand the inherent level of risk that has been introduced to their business by simply being accessible from the Internet.
Understanding the Threats: They Are Not All Equal
The different levels of sophistication of cybersecurity threats that we are collectively facing each require a different strategy to mitigate the inherent risks from that level of threat. Each of these individual strategies can help an organization build a strong cybersecurity posture by implementing fundamental controls that reduce both the likelihood and the impact of unsophisticated and sophisticated attacks. Developing this strong cybersecurity posture will also help fortify your systems against higher-level attacks.
Unsophisticated & Sophisticated Attackers: What Do They Want From You?
You do not need a team of experts to do a detailed risk assessment to understand the basic inherent risks of being connected to the Internet. The most common example of an ‘unsophisticated attack’ would be the use of a “botnet,” an automated computer program that constantly scans the Internet for potential vulnerabilities that can be exploited. Once a vulnerability has been identified, these botnets have the ability to exploit it directly or hand it off to a criminal hacker for further review. These criminal hackers are interested in exploiting the identified vulnerability with the intent of monetary gain. Until recently, there was not a great way for criminal hackers to monetize attacks on the electric grid. However, with the advent of ransomware, that all changed overnight. One of the most common ways to fall victim to a ransomware attack is insecure remote access controls, specifically allowing Remote Desktop Protocol (RDP) access from the Internet.
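As an added check for the RDP exposure described above (example code written for this article, not GridSME tooling), the script below audits a constructed firewall rule list in a made-up `action direction proto source ports` format and flags every inbound allow rule that lets a non-RFC 1918 source reach port 3389, including rules that hide the port inside a range or an `any` wildcard.

```python
import ipaddress

RDP_PORT = 3389
# RFC 1918 blocks; any source not fully inside one is treated as Internet-reachable.
PRIVATE_BLOCKS = [ipaddress.ip_network(c) for c in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample rule set in a made-up format (not any vendor's syntax):
# "<allow|deny> <in|out> <proto> <source cidr|any> <port|low-high|any>"
SAMPLE_RULES = """\
allow in  tcp 10.0.0.0/8     3389
allow in  tcp any            3389
allow in  tcp 203.0.113.0/24 3000-4000
allow in  tcp 0.0.0.0/0      443
deny  in  tcp 0.0.0.0/0      3389
allow in  udp 0.0.0.0/0      3389
allow out tcp 0.0.0.0/0      any
allow in  any 192.168.1.0/24 any
"""

def port_matches(spec, port):
    """True if a port spec ('any', '3389' or '3000-4000') covers `port`."""
    if spec == "any":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def is_internet_source(src):
    """True unless the source sits entirely inside an RFC 1918 block."""
    net = ipaddress.ip_network("0.0.0.0/0" if src == "any" else src, strict=False)
    return not any(net.subnet_of(block) for block in PRIVATE_BLOCKS)

def find_exposed_rdp(rule_text):
    """Return (line_no, rule) for each inbound allow that reaches 3389
    from a non-private source. Rule order is ignored on purpose: an
    exposed allow is reported even if a later deny would shadow it."""
    findings = []
    for line_no, line in enumerate(rule_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 5:
            continue  # blank or malformed line
        action, direction, proto, src, ports = parts
        if (action, direction) != ("allow", "in"):
            continue
        if proto not in ("tcp", "udp", "any"):  # RDP runs over TCP and UDP
            continue
        if port_matches(ports, RDP_PORT) and is_internet_source(src):
            findings.append((line_no, " ".join(parts)))
    return findings
```

Calling `find_exposed_rdp(SAMPLE_RULES)` reports rules 2, 3 and 6; the 10.0.0.0/8 and 192.168.1.0/24 allows are left alone because they never reach the Internet.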
Corporate Espionage & Nation-State Threats: What Do They Want From You?
The next two threats on the spectrum are often more difficult to predict and prepare for because of the unpredictability and nefariousness of the attacks. As an industry, we have typically focused on fortifying our facilities’ outside perimeters (keeping bad things out) but have not paid enough attention to what people and things have access inside our four walls (or firewalls). This traditional perimeter approach to cybersecurity has left facilities susceptible to insider threats and espionage. The industry is now starting to encourage a Zero Trust approach to cybersecurity, which means that organizations are implementing a more granular and active approach to managing users inside the bounds of their facilities.
The final threat on the spectrum is arguably the most feared and publicized: Nation-State Threats (or terrorist attacks). This threat is the most difficult to mitigate and has the most dire implications, since the objective of nation-state threats is to cause disruption to our nation’s critical infrastructure. However, before an organization can begin protecting against the nation-state risk, it must master the fundamentals of cybersecurity hygiene.
Understanding Your Primary Objectives for Implementing Cybersecurity Controls
We understand that cybersecurity is not typically a primary objective or priority for many companies and can often be seen as a “speedbump” that will negatively affect the organization’s productivity and operations. Unfortunately, many cybersecurity and IT professionals advise organizations to jump straight to very technical solutions, which can be dangerous and risky for a multitude of reasons. First of all, this approach tends to keep cybersecurity a purely technical (or in-the-weeds) discussion rather than an evolving area of business risk that the organization needs to collectively manage and mitigate. These quick leaps to technical solutions can also cause organizations to invest in technology and resources that do not help the organization effectively or efficiently meet its primary business objectives. Our best advice to clients that are currently navigating the dilemma of choosing appropriate solutions without impacting business objectives is to assess and manage their organization’s inherent and residual cybersecurity risk in the same way they would manage other business risks. Once you have identified your organization’s specific risks, you can choose to ‘transfer’ the risk by using insurance coverage to mitigate exposure and liability, choose to ‘mitigate’ the risk by implementing security controls, or choose to roll the dice, accept the risk and do nothing. Unfortunately, there is no one-size-fits-all solution for cybersecurity, which makes the exercise of understanding your organization’s inherent and residual risks vital to any cybersecurity program. This approach, along with mastery of the fundamental critical controls listed below, will help ensure that your organization keeps its facilities secure without negatively impacting operations.
Top 20 Fundamental Cybersecurity Controls
- Inventory and Control of Hardware Assets
- Inventory and Control of Software Assets
- Continuous Vulnerability Management
- Controlled Use of Administrative Privileges
- Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
- Maintenance, Monitoring and Analysis of Audit Logs
- Email and Web Browser Protections
- Malware Defenses
- Limitation and Control of Network Ports, Protocols and Services
- Data Recovery Capabilities
- Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
- Boundary Defense
- Data Protection
- Controlled Access Based on the Need to Know
- Wireless Access Control
- Account Monitoring and Control
- Implement a Security Awareness and Training Program
- Application Software Security
- Incident Response and Management
- Penetration Tests and Red Team Exercises
GridSME understands that navigating this huge “sea” of solutions can be intimidating to any organization. To support our clients and the industry, the GridSME team offers services that range from basic advisory services on choosing the right path for your situation to turn-key managed cybersecurity services. If you would like to learn more about any of our services or schedule a call to talk to one of our experts, you can visit us at www.gridsme.com.