Cybersecurity: The Issue, The Risk and Shared Responsibility
By Jessica C. Lumpkin, Associate Editor
Cybersecurity, also referred to as information technology security, focuses on protecting computers, networks, programs and data from unintended or unauthorized access, change or destruction. Cybersecurity involves protecting information and systems from major threats, such as terrorism, warfare, and espionage. In their most disruptive form, cyber threats take aim at secret, political, military, or infrastructure assets of a nation, or its people. Cybersecurity is therefore a critical part of any government security strategy.
“Cybersecurity’s purpose is not about information security for information security’s sake,” said Garnie Holmes, Director of Marketing and Communications at Florida Municipal Electric Association. “Instead, cybersecurity’s purpose is to help agencies and industries achieve their ultimate mission of serving citizens.”
According to the Edison Electric Institute, “the electric power industry’s top priorities are to protect the nation’s electric grid and ensure a reliable supply of energy. The power grid is a complex, interconnected network of generation, transmission, distribution, control, and communication technologies, which can be damaged by natural events—such as severe storms—and by malicious events such as cyber and physical attacks.” The electric utility sector, including nuclear plants, is the only critical infrastructure sector subject to federal mandatory, enforceable cybersecurity standards. The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection or “CIP” standards provide for the classification of cyber systems that are used to control the grid into three tiers—high, medium, and low impact—based on how critical they are to bulk electric system reliability.
The Various Views of Cybersecurity
In 2015, the need for cybersecurity seems obvious, but like most areas of danger, when it comes to the electric utility industry’s approach toward cyber preparedness, one of its greatest obstacles resides in the common attitude, “who would want to do anything to me?” said Sue Kelly, president & CEO of The American Public Power Association (APPA). “Some utilities think that ‘my system is too small.’” But on a visit to the Department of Homeland Security, Kelly had the opportunity to tour the crisis center for cyber-attacks. “I looked up on the screen of current situations that they’re dealing with, and the first crisis on the list was one of my members—a small utility in the Midwest. They had a big enough problem that they were on the screen at the Department of Homeland Security in Arlington, Va., due to a ransomware attack. Somebody from Russia basically came in and took over their system and said that ‘we’ve got all your data, you don’t have it anymore. If you want it back, pay some money.’ That can happen.”
“Cybersecurity is one of the most prolific and misunderstood terms in the Information Technology (IT) industry,” said Tino J. Anthony, information technology director for the City of Leesburg. “It encompasses everything and everyone that creates, processes, stores, and otherwise interfaces with any set or subset of data, at any time, from anywhere,” added Network Manager Mike Andrews. “We bear the responsibility to our organization to keep our systems and data secure, but more importantly, we bear that responsibility to the customers, constituents, visitors and guests to the City of Leesburg.”
According to APPA, the best way to enhance the security of critical infrastructure is to improve information sharing between the federal government and the owners and operators of that infrastructure. The Electricity Sub-Sector Coordinating Council (ESCC) is a CEO-level group composed of trade association executives representing investor-owned utilities, public power utilities and electric cooperatives, the Tennessee Valley Authority, and the Power Marketing Administrations.
ESCC members coordinate with and periodically meet with officials from the White House, Department of Energy, Department of Homeland Security, federal law enforcement and national security organizations to address grid security issues. The ESCC is working on increased information sharing between government and industry and dissemination of tools and technologies to address system threats. The ESCC has become a model of industry-government cooperation for other critical infrastructure sectors.
Grid security has two critical aspects, physical and cyber. While physical security addresses threats to electric utility infrastructure, such as transmission lines and substations, cybersecurity addresses threats to utility data and control systems. Whether it is a physical or cyber breach, the result can be damage to the grid and the loss of service to customers. “In both types of attack—if they’re large enough, a utility will work with local law enforcement,” said Puesh Kumar, director of engineering and operations at APPA. “It’s important to have a relationship with government officials for both physical and cyber breaches.”
Recognizing the continuing cyber threat to the nation’s power grid, the federal government is working to address security issues facing the nation’s utilities. “I appreciate what the federal government is trying to do with NERC regulations, increasing cybersecurity awareness and making businesses adopt certain standards in their control centers for safety,” said Jim Harnois, supervisory control and data acquisition (SCADA) and communications supervisor for Kissimmee Utility Authority. “But the government can’t do it themselves.” Harnois, who has been studying cybersecurity since 2004, describes cybersecurity as an uphill battle because most measures and practices to attain cyber protection are reactive rather than proactive.
Many industries have also taken great steps to enhance their security. At the federal level, plans were drawn to better equip smaller organizations, create new partnerships, and streamline their internal systems to achieve greater security at less cost. Cyber threats are constantly evolving. Utility data and control systems—and the threats to them—are changing at a rapid pace. At a slower pace, new generation and transmission facilities are also changing the physical infrastructure that needs to be protected.
“Cybersecurity should be of maximum importance to anyone who owns a computing device,” said Susan Noell, director of information systems and customer affairs for the City of Bushnell. “From personal data to the largest corporation in the world, society’s increasing reliance on computer systems makes our private and sensitive information available to anyone who can successfully login to a computer.”
The Year of the Breach
Many news outlets declared 2014 to be “The Year of the Breach.” In 2014, the U.S. Postal Service, the Nuclear Regulatory Commission, the State Department, and even the White House fell victim to successful hacks that resulted in sensitive information being exposed to adversaries and the public. Nearly every state experienced a government network breach during 2014, while simultaneously managing disruptions in commerce caused by hacks of companies such as Home Depot, Staples, and Target.
“Security breaches can come in many forms, some are less malicious and only are in place to cause a disruption, and others install malware on your computer or hijack your email address book,” said the City of Bushnell’s Noell. “Then there are those that can cause disastrous harm, like the Target and Home Depot issues where customers’ account information was obtained.”
Randy Hahn, manager of compliance for the City of Ocala Electric Utility (OEU), said that “OEU is not aware of any cybersecurity breaches that have impacted the operational capability of electric power generation or delivery within Florida.” Several years ago it was widely reported that JEA was the target of a denial-of-service attack that impacted their enterprise networks, but had no operational impact. “Most utility networks are continuously ‘probed’ to some extent,” said Hahn, “whether by generally scanning, novice curiosity, or by entities with more serious and malicious intent.”
At the City of Leesburg, there have been no detected or reported cybersecurity breaches. “We do see numerous attempts to exploit well known vulnerabilities across various systems, SQL Injection attacks—a code injection technique used to attack data-driven applications, in which malicious structured query language is inserted into an entry field for execution attacks; web buffer overflow—when more data is put into a fixed-length buffer than the buffer can handle and adjacent memory spaces become overwritten and corrupted; port scans—a technique used to identify open ports and services available on a network host; and SIP Brute Force attacks which attack session initiation protocol servers and make unauthorized outbound calls at another’s expense, to name a few,” said Anthony, IT director at the City of Leesburg. Network Manager Mike Andrews added that, “In most 24-hour periods we detect and block nearly 350 different attacks which typically originate in the United States, Germany, Colombia, France, and China. Some of these attacks are blocked by edge firewalls, and the others by an intrusion prevention system.”
“The NERC standards initially helped to spotlight an area of awareness that most of our employees may have thought was ‘not my job’, with respect to sabotage reporting,” said OEU’s Hahn. “OEU used its annual all-personnel Sabotage Awareness training to eventually include a focus on basic Cybersecurity Awareness. All employees within the utility are important and directly impact our ability to provide high quality reliable service to our citizens, customers, and visitors. Likewise, all employees can have an impact on the various data networks used by the utility.”
Like many utilities, OEU began using annual basic cyber awareness training to inform all electric employees of the various methods that could be used to compromise electronic networks, and how every employee’s actions can inadvertently facilitate that risk. “We remind employees of phishing threats that use email or malicious websites to solicit personal information from an individual or company by posing as a trustworthy organization or entity, USB device malware, social media activities, open Wi-Fi networks, and other less conventional threat vectors,” said Hahn. “The IT department frequently sends out alerts for identified dangerous email threats, and other current malicious cyber activities. We provide enhanced awareness training for employees with direct access to operations networks.”
At the City of Leesburg, “It is very important for anyone who interfaces with our organization to be aware of cybersecurity,” said Leesburg’s Anthony. “Most of our focus is on our employees, and we disseminate information to them electronically. This information is usually focused on emerging threats and vulnerabilities, what type of attack vectors they are likely to encounter, and how to deal with those attempted attacks,” said Andrews, network manager.
No individual, business or government entity is solely responsible for safeguarding the Internet. Everyone has a role in securing their part of cyberspace, including the devices and networks they use. Users are often on the front lines for attacks, and the more aware of cyber threats they are while using the computer, the less likely they will be to fall victim to an attack.
“Individual actions have a collective impact and when we use the Internet safely, we make it more secure for everyone,” said Barry Moline, executive director at the Florida Municipal Electric Association. “If each of us does our part—implementing stronger security practices, raising community awareness, educating young people or training employees—together we will be a digital society safer and more resistant from attacks and more resilient if an attack occurs.”