The Current Situation
One year ago, I wrote that “every industry should shift … focus from connectedness to secure connectedness, ensuring risk management of our industrial plants and infrastructure.” Sage advice, if I do say so myself.
One year later, I can state confidently that digital connectivity in industry, for better or for worse, is here to stay. Critical infrastructure companies are joining the digital revolution. The Industrial Internet of Things (IIoT) is ushering in a new era of innovation. Emerging technologies, such as big data analytics, artificial intelligence, cloud computing, and more, are enabling industrial companies to grow and transform in ways never imagined. Digitalization has tremendous potential to deliver shareholder, customer, and environmental value. Moreover, as one might expect, new technologies and business models present both opportunities and risk.
By providing increased access to industrial process data, digital innovations allow energy organizations (EOs) to make better business decisions. Additionally, EOs have extended their supply chain processes and systems beyond their organization to include supplier and customer processes and systems. Although these developments improve business productivity, companies have become more reliant on the security posture of suppliers and consumers. Disruption to these systems can directly impact the process flow between suppliers and consumers. Information Technology (IT) security specialists still struggle to understand the industrial processes supported by industrial control systems (ICS). Similarly, ICS specialists may be aware of IT security risks, but often do not truly understand them. As a result, companies are often neither aware of, nor prepared to address, the full range of security and business risks that stem from connected industry, including OT/ICS/SCADA environments.
The Sum Is Greater Than the Parts
While all organizations have a role and responsibility in managing the cyber risks affecting the organization, individual efforts are not enough. In the current connected ecosystem, a cyber-attack or incident on one entity, or on the grid itself, can easily cascade and affect many. This underscores the reality that organizations must collaborate with one another, across public and private sectors. The need exists to develop, adopt and share best practices that will keep the good guys on the winning side. This was a core driver for the creation of Siemens’ Charter of Trust for the global industry. If you’re not familiar with the Charter of Trust, I highly recommend you take some time to review it and consider its impacts on your organization.
A lack of security awareness and proper safeguards can have serious consequences. While years of effort may be invested in reaping the benefits of convergence and digitalization, a serious cyber incident—in a matter of minutes, hours or days—could erode or even eliminate these gains by causing revenue loss, brand damage or loss of customer trust, theft of intellectual property, safety issues, and even loss of life. While the costs of analyzing and repairing technical damage can be significant, the loss of operations, impact on safety, and ongoing litigation can be even greater. With the rise of malicious nation-state actors with geopolitical vendettas, attacks have the potential for catastrophic consequences, impacting national economies, triggering environmental calamities and even costing lives.
For these reasons and many more, risk management has become an integral part of the business for EOs. EOs must ensure essential risk management, inclusive of cyber resilience, is treated as a long-term, strategic investment that not only helps them achieve an early project ROI, but also delivers other long-term benefits for years to come. Just in case you’re not familiar with the term cyber resilience, Wikipedia defines it as “an entity's ability to continuously deliver the intended outcome despite adverse cyber events.” I would add to that: the combination of people, process and technology implemented by an organization that enables a level of operational reliability which lessens, limits or eliminates unplanned downtime or impact to safety as a direct or indirect result of a cyber-related incident.
What is Status Quo for EOs Today?
The answer, sadly, is managing compliance versus being cyber-resilient. In early 2019, the North American Electric Reliability Corporation (NERC) imposed the largest Critical Infrastructure Protection (CIP) regulatory fine in history against a single entity. NERC identified more than a hundred violations ranging from minimal to serious, all of these tied to a single organization. NERC cited elevated risk due to “violations involving long duration, multiple instances of noncompliance, and repeated failures to implement physical and cybersecurity precautions.” While NERC’s announcement did not name the company, other media outlets eventually identified the company as Duke Energy.
In the case of Duke, NERC determined that the risk was magnified by a compliance culture. Having worked in this industry for more than a decade, it’s been my experience that this compliance culture issue is not at all unique to Duke Energy. Rather, I would venture to say that it is widespread and commonplace across the industry. Rest assured, there is a distinct difference between being compliant and being secure. Increasingly, EOs need to demand both. The reality, though, is that many EOs still fear regulatory fines more than they fear the tangible risks posed by cyber incidents to their organization, their supply chain, the US grid, and consumers.
When you stop to think about it, $10 million is a drop in the bucket compared to the cost Duke may have incurred if their flawed critical infrastructure protection compliance had enabled someone to hack into the system and cause cascading blackouts on the grid. Moreover, the same risks threaten all entities of all sizes at all levels.
Perhaps these fines will finally serve as a wake-up call to utilities and other EOs. Potential threats to the electricity infrastructure and cyber systems are greater and more pervasive than ever before. Electricity providers and transmission operations companies must do more than check off compliance boxes and file their safety and regulatory documents properly. EOs must develop a mature culture and work to achieve sustainable compliance that not only complies with current regulations but also fosters continuous attention to reliability and safety. At the same time, the systems and solutions they implement must be capable of evolving with changes in regulatory requirements and technology.
Cyber Resilience and Compliance Delivered as a Managed Service
As one of the most highly targeted industries, EOs face high stakes. This is due, at least partially, to –
* the ever-increasing and accelerating threat landscape
* a global shortage of cybersecurity talent (required to deal with the ongoing threat landscape)
* the challenges of asset visibility and reduced situational awareness due to proprietary systems
* the pervasiveness of less-than-adequate technology solutions, and the lack of robust processes, to address the risk.
These increased risks, including the widening talent gap, will outstrip organizational investment and human capital, leaving organizations no choice but to seek third-party solutions (e.g., Managed Security Services) to bridge the gap. Enterprising companies (e.g., Siemens) projected this would happen years ago and rapidly acted to address the issue.
To speed time to market, Siemens inked a few key strategic partnerships with best-of-breed technology companies such as PAS Global, Tenable and Darktrace; placed key human capital investments (e.g., data scientists, dual OT and cybersecurity experts, etc.); and leveraged internal innovation to build a managed service capability that delivers cyber resilience and automated compliance as a business outcome. The resultant managed service represents a strategic investment in both cyber resilience and sustainable compliance, as the solution automates a variety of the most essential CIP reporting elements, which are closely monitored by regulators.
How Does it Work?
Analysts utilize high-quality, integrated data from a variety of sources, which are correlated and fed into a centralized platform. These data sources provide various dimensions of risk and resilience, including –
• OT Asset Management – classifies all assets in the fleet, across vendors and systems.
• Vulnerability Management – detects vulnerabilities on the network, including those already exploited.
• OT Network & Communications Monitoring – identifies unusual activity on the network.
• Other data sources – are combined with the “big three” use case data for further correlation, prioritization, and ranking.
Once the data is collected, the platform correlates it into a single event, automates relationships within the data for investigation, and manages ticketing. Analysts are then able to investigate events using an operational context as opposed to a network- or security-only context. This means that Siemens’ analysts perform their actions and deliver recommendations based on the overall reliability and resilience of the operating environment first and foremost. Analysts filter events to those of greatest risk, and then prioritize actions based on plant operations and/or risk to safety.
EOs benefit in a variety of ways including –
• Rapid implementation and project ROI – achieved from experts implementing based on best practices (and continuous improvement) versus a one-off implementation by non-experts.
• Pre-integration investment – an enormous amount of investment has been borne by Siemens, on behalf of the customer, in the core technology platform itself. This technology platform features pre-integration of the big three use cases and technologies cited above, in addition to other pre-built technological and data-related integration points. In comparable projects, it’s not uncommon to see this level of integration cost customers as much as or more than the core technology itself, roughly doubling project costs. By leveraging the pre-integration afforded by the core managed services platform, customers avoid heavy one-off professional services costs.
• Automated compliance – delivered by the service, this streamlines and improves the efficiency of CIP-related tracking and reporting, lessening the risk of regulatory fines. Operators within EOs access internally facing dashboards and reports that aptly report results of continuous regulatory (e.g., NERC CIP) tracking and reporting. The platform continuously tracks and audits the assets at a reasonably deep level, including changes made to assets, and whether the proper management-of-change approvals occurred or not. Without a similar platform or managed service in place, this has historically been an area fraught with human error, strained processes, and poor technological solutions, and it represents a very real and present risk to companies in the form of regulatory fines, compromised systems, and even impact to consumers and brand.
• Force multiplier – with cyber resilience and the previously cited benefits coming from the service provider, customers are free to focus on their core business and doing what they do best.
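The correlation, operational-context prioritization and change-approval auditing described above can be illustrated in a few dozen lines. The following is an added example written for this post, not code from Siemens’ platform or from any of the partner products named above; every asset name, vulnerability id, ticket id and weight in it is a constructed sample value, and the scoring formula is a hypothetical one chosen to show the idea (raw technical severity multiplied by the asset’s operational criticality). It also covers two edge cases the text touches on: an asset that generates events but is missing from the inventory (a visibility gap), and a configuration change with no approved management-of-change (MoC) ticket (a compliance gap).

```python
"""Correlate OT asset, vulnerability, network-anomaly and change records into
per-asset events; rank them by operational criticality; flag unapproved changes.
Added illustration only: all data below is constructed, none of it is real."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed asset inventory (the "OT Asset Management" dimension).
ASSETS = {
    "plc-turbine-01":     {"vendor": "VendorA", "role": "turbine control", "criticality": "safety"},
    "hmi-control-room":   {"vendor": "VendorB", "role": "operator HMI",    "criticality": "operations"},
    "eng-workstation-03": {"vendor": "VendorC", "role": "engineering",     "criticality": "support"},
}
# Hypothetical weights: a safety-relevant asset outranks a support asset with the
# same technical severity. An asset not in the inventory is treated conservatively.
CRITICALITY_WEIGHT = {"safety": 100, "operations": 50, "support": 10, "unknown": 50}

# Constructed vulnerability findings (the "Vulnerability Management" dimension).
VULN_FINDINGS = [
    {"asset": "plc-turbine-01",     "id": "VULN-EXAMPLE-1", "severity": 9.0, "exploited": True},
    {"asset": "eng-workstation-03", "id": "VULN-EXAMPLE-2", "severity": 7.5, "exploited": False},
]
# Constructed network anomalies (the "OT Network & Communications Monitoring" dimension).
NETWORK_ANOMALIES = [
    {"asset": "hmi-control-room",  "description": "new outbound connection to unknown host", "confidence": 0.8},
    {"asset": "unlisted-device-9", "description": "unexpected Modbus write",                "confidence": 0.6},
]
# Constructed configuration-change records plus the set of approved MoC tickets.
CONFIG_CHANGES = [
    {"asset": "plc-turbine-01",     "change_id": "chg-101", "what": "logic download",     "moc_ticket": "MOC-555"},
    {"asset": "eng-workstation-03", "change_id": "chg-102", "what": "firewall rule added", "moc_ticket": None},
]
APPROVED_MOC_TICKETS = {"MOC-555"}


@dataclass
class AssetEvent:
    """One correlated event per asset, as an analyst would see it in a queue."""
    asset: str
    criticality: str
    findings: List[str] = field(default_factory=list)
    compliance_gaps: List[Tuple[str, str]] = field(default_factory=list)  # (change_id, reason)
    score: float = 0.0  # raw technical score before criticality weighting


def correlate(assets, vulns, anomalies, changes, approved_moc) -> Dict[str, AssetEvent]:
    """Fold all data sources into a single event per asset."""
    events: Dict[str, AssetEvent] = {}

    def event_for(name: str) -> AssetEvent:
        if name not in events:
            crit = assets.get(name, {}).get("criticality", "unknown")
            events[name] = AssetEvent(asset=name, criticality=crit)
            if name not in assets:  # visibility gap: something is talking that we never inventoried
                events[name].findings.append("asset not in inventory (visibility gap)")
        return events[name]

    for v in vulns:
        e = event_for(v["asset"])
        e.findings.append(f"vulnerability {v['id']} (severity {v['severity']})")
        e.score += v["severity"] * (2.0 if v["exploited"] else 1.0)  # exploited findings count double
    for a in anomalies:
        e = event_for(a["asset"])
        e.findings.append(f"network anomaly: {a['description']}")
        e.score += 10.0 * a["confidence"]
    for c in changes:
        e = event_for(c["asset"])
        ticket = c["moc_ticket"]
        if ticket in approved_moc:
            e.findings.append(f"approved change {c['change_id']} ({ticket}): {c['what']}")
        else:
            reason = "no MoC ticket" if ticket is None else f"ticket {ticket} not approved"
            e.compliance_gaps.append((c["change_id"], reason))
            e.score += 5.0  # an unapproved change is also a security signal, not just paperwork
    return events


def prioritize(events: Dict[str, AssetEvent]) -> List[str]:
    """Rank assets by raw score weighted with operational criticality."""
    ranked = sorted(events.values(),
                    key=lambda e: e.score * CRITICALITY_WEIGHT.get(e.criticality, 1),
                    reverse=True)
    return [e.asset for e in ranked]


def compliance_gaps(events: Dict[str, AssetEvent]) -> List[Tuple[str, str, str]]:
    """Everything a CIP change-management report would need to explain: (asset, change, reason)."""
    return [(e.asset, cid, why) for e in events.values() for cid, why in e.compliance_gaps]


if __name__ == "__main__":
    evs = correlate(ASSETS, VULN_FINDINGS, NETWORK_ANOMALIES, CONFIG_CHANGES, APPROVED_MOC_TICKETS)
    for name in prioritize(evs):
        e = evs[name]
        print(f"{name} [{e.criticality}] score={e.score}: {'; '.join(e.findings)}")
    print("compliance gaps:", compliance_gaps(evs))
```

With the sample data the turbine PLC lands at the top of the queue even though the HMI anomaly and the engineering workstation’s unapproved firewall change are each worth investigating, which is the point of ranking by operational context rather than by network or security severity alone; the unlisted device surfaces as its own event so the inventory can be corrected.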
Risk management (and regulatory compliance for utilities) is essential for energy organizations. Within overall risk management, cyber resilience has become a high priority given all the focus on, and benefits realized by, digitalization projects. However, a variety of challenges and risks exist that hamper utilities and EOs from mitigating risk (remaining safe and secure), meeting compliance, and achieving competitive advantage.
Just in time, service providers are leveraging a range of digitalization capabilities, such as analytics, artificial intelligence, and cloud computing, to implement turn-key solutions that achieve these business outcomes for customers. Given that the service providers routinely perform these services, customers enjoy white-glove service from experienced practitioners and a pre-integrated technology platform, and usually realize a higher project ROI than if they were to implement similar solutions themselves.
These services deliver real benefits and customer outcomes while EOs remain focused on what they do best. Combined, these solutions are helping EOs deliver real shareholder, customer, and environmental value.
Only time will tell how many EOs are able to implement these managed services capabilities to achieve cyber resilience while simultaneously addressing compliance… finally becoming resilient and secure, in addition to compliant.