8 Feb 2014

Lessons on cybersecurity from the defense industry

Last November’s Knowledge Summit brought together CIOs, CEOs and utility executives to discuss the major issues, hurdles and accomplishments in three major areas: IT, customer service and operations. One of the major hurdles utilities faced in 2013—and have faced in the years before and will face in the years to come—is cybersecurity.
We asked ViaSat’s Brett Luedde, director of critical infrastructure protection, to answer a few questions on mission assurance, advice and lessons from the defense industry that utilities should take to heart.
Intelligent Utility: How does your experience with the defense industry apply to your new work in the electricity sector?
Luedde: Over the past 10-15 years, the US military has undergone a significant transformation in its communication, using highly networked systems and advanced technology in place of the old siloed command and control model. ViaSat has been an integral part of enabling the military to take full advantage of the efficiency gains and networked system architecture by providing the highest grade information assurance and secure communication technologies, as well as the most advanced cybersecurity monitoring, detection, and response systems. In recent years we have worked with the military and government to allow us to provide these capabilities to critical infrastructure owners and operators. We started working with the electric utility industry first because the electrical grid is the most fundamental layer of infrastructure and the industry is facing the same daunting task that our military faced 10-15 years ago: going from siloed and non-networked systems to fully networked and secure, highly automated systems. We believe that we have unparalleled expertise in this area.
Intelligent Utility: You often say that ViaSat delivers a platform that gives “mission assurance.” What does that mean, and why is that so important?
Luedde: It is a reference to our heritage with the military in providing the tools, technology, and systems that allow our troops to achieve their mission goals. In the electric utility industry for us it means something very similar and simple: enabling electric utilities to be resilient in the face of grid events, or more simply, keeping the lights on. Based on our experience we know and understand that operationally there are many complex decisions that must be made with confidence based on an operator’s ability to trust the information it is receiving. Establishing the basis for that trust and giving the operators the ability to act quickly and decisively is critical. That’s what we mean by mission assurance.
Intelligent Utility: Why is the ability to visualize also important?
Luedde: Because operators need trusted actionable information and situational awareness about their systems and equipment, and they need it in real time. With all of the advanced and intelligent devices being deployed in operational networks there is a glut of data. Literally terabytes of data that is really great for post event analysis, but not very helpful when you have a handful of seconds to respond to anomalous or suspicious behavior in your systems. When you can see the network acting and reacting in real time, with simple, highly-effective visual cues, you can focus on what is happening, what you need to do to respond, and take that action quickly and decisively.
Intelligent Utility: What advice would you give utilities looking to securely retrofit architectures and networks?
Luedde: This is a bigger issue with more complexity than you probably think it is. Your networks are systems of systems, and you need to really assess what you’ve got end to end before you can get to the work of adding security and deploying the right solutions. It is critically important that you have a clear picture of where you want to go and how to get there. Having said that, we understand that electric utilities are faced with evolving compliance requirements at the same time that they are hoping to take advantage of advanced automation technology and its promise of greater operational efficiencies. Without proper security that addresses how these devices will talk to each other securely, how the older assets with lots of good useful life remaining can talk to the newest most advanced devices, and establishing trust in the data, the full promise of automation technology can’t be realized. In addition, the newer devices and networked communication increase what we call the attack surface of your systems and operations. This needs to be addressed with a system that can monitor networks and identify threats whether they originate inside or outside your systems.
Intelligent Utility: What are utilities doing wrong in their current approach to cybersecurity within their operations? Where should they invest instead?
Luedde: Well, first off, let’s not focus on what utilities are doing “wrong” and rather turn the focus to the need to do more and to learn to think differently about threats and vulnerabilities. All of the current IT-based security measures are good and necessary, but in our opinion they are not sufficient. Security must be thought of from a holistic perspective. A larger system of systems and practices that create multiple layers of defense and enables the company to deal with both known and unknown threats that originate inside the organization, outside the organization, or both. I think that utilities are beginning to understand this more and more, and are also coming to understand that security (or lack thereof) impacts their ability to deploy more advanced grid control equipment and systems, as well as being resilient to any kind of event.
Intelligent Utility: Are internal or external threats more dangerous for utilities?
Luedde: They are both dangerous, and there are well-documented cases of both in the utility sector. It is a well-known fact that humans are typically the most vulnerable points in a company. Insider threats come in two types: inadvertent (think spearphishing victims) and intentional (think disgruntled employees or former employees). External threats can range from natural disasters to kids just trying to solve a puzzle to hacktivists to nation state level sabotage. Wherever the threat comes from, utilities need to be able to quickly detect the anomalous behavior, respond appropriately, and restore the systems to steady state. Having a robust, holistic security capability enables this kind of resiliency that is so critical to our utility industry.
Intelligent Utility: You’ve noted that there is a difference between compliance and security. Can those be at odd purposes for a utility, and how do utilities bring them into balance, in your opinion?
Luedde: There is a vast difference between being compliant and being secure. Being compliant means that you’ve satisfied your regulators and met certain requirements. From a security perspective the problem is that by the time security requirements become compliance requirements they often don’t even meet the criteria to be considered basic good security hygiene: you are still very vulnerable. What I mean is that being compliant has very little to do with being secure. Our belief is that utility companies should look at the problem from the opposite perspective: what is good security practice and what do I need to do to be secure, and being compliant will be a natural result because you will have gone beyond whatever the current security compliance requirements are. Taking the latter approach is proactive and risk management based. It is looking at utility operations holistically and seeing that good security is a business enabler and not a hindrance. Good security allows the business to serve its customers, its stakeholders, and support industry sector and even national security concerns AND be compliant. The challenge for companies is that good security is a dynamic and evolving thing because the threat landscape is always changing and evolving. This brings me back to an important point: it is not enough to just hope that you can put up more firewalls and hope your castle walls are impenetrable, you need to be able to monitor your networks and detect anomalous and suspicious behaviors quickly and respond decisively and with confidence.

http://www.intelligentutility.com/magazine/article/343079/lessons-cybersecurity-defense-industry