White Paper. April Security Considerations for Utilities Utilities Tap Into the Power of SecureWorks

Transcription

1 White Paper April 2006 Security Considerations for Utilities Utilities Tap Into the Power of SecureWorks

2 According to a recent Harris Interactive survey, the country s leading business executives consider the threat posed by viruses and IT security breaches and the threat of power outages to be two of the top concerns they face today. While these are separate issues for most businesses, the risks are much greater and real for utilities management organizations responsible for service delivery and the protection of their own critical business infrastructure. As a utility management organization, securing your information systems is the biggest challenge of your operations today, and the task is exceedingly difficult. On one hand, your systems are vital to the delivery of reliable services to your customers. Your organization is an essential link in a nationwide network relied on all the time, by everyone. On the other hand, your IT infrastructure is under constant attack from malicious software, hackers and other Internet threats. You remain a potential terrorist target. And finally, compliance standards requirements complicate matters and place increased pressure on your ability to operate a profitable business. The Risks of an Unsecured Network Without superior protection for your SCADA systems and your internal business networks, you risk financial loss, legal risks and a myriad of other consequences that can dramatically impact the continuity of your operations. A brief network outage could result in catastrophic shutdown of entire communities. Damage to internal systems could create disruptions or inaccurate billing, resulting in fines or legal ramifications. To prevent disaster from occurring in your organization and to ensure you are meeting all current and emerging compliance requirements for your IT security (including those proposed by the NERC, which will likely become the new standards for utility security regulation), you need to have a firm grasp on the risks posed by today s threats to your SCADA and business networks and to identify a more cost-effective and proactive solution for meeting your ongoing IT security challenges. Threats to Business Operations As the threats and vulnerabilities facing the health and reliability of your network continue to increase, you need to protect your bottom line. Technology has revolutionized the utilities management industry, helping you to increase efficiency and to lower your business costs, but it comes with risks. Unauthorized Access to Your Network While improvements such as automated and wireless meter reading and integrated financials have created an automated system for billing customers, these same improvements have created new risks associated with the weaknesses found within the Internet environment and within the software systems used to power your businesses. Reports vary when it comes to the severity of the volume of hacker attacks against utilities. While some industry experts predict hacker attacks occur against utilities each year, publications such as InformationWeek recently reported that utilities face hundreds of hacker attacks each day. Regardless of the accuracy and reality of the data, it s evident that the number will continue to climb as utility companies switch from internal control systems to Windows-based networks that are easier for hackers to penetrate. Reports on unauthorized users gaining access to utilities are becoming more common, especially those with wireless capabilities. International headlines included two Russian hackers that took control of a gas pipeline for 24 hours by penetrating the electronic control system and the story of a disgruntled employee in Australia that released 250 million tons of raw sewage by attacking a waste water management control system. 1 None of these examples is the catastrophic, terrorist attack on which so many are focused. Nevertheless, they created an enormous financial burden for the utilities involved, damaged their reputation with customers and most likely resulted in employee lay-offs. Organizations need to be proactive in protecting themselves from new and emerging threats before they cause critical disruption to their operations. 1 On the Net: SCADA vs. the Hackers, Mechanical Engineering Magazine site: backissues/dec02/features/scadavs/scadavs.html Page 1

3 The Threat of Worms and Viruses Hackers are only part of the problem when it comes to the risks that affect the performance of information systems. A recent survey of enterprise security decision-makers found that 63 percent of organizations have been attacked by viruses or worms in the past year. More than 45 percent have been affected by Trojans and backdoor viruses, and 35 percent have been victims of internal attacks according to research conducted by Amplitude Research. As utilities become more technologically advanced to streamline operations and reduce costs, they have become a prime target for malicious attacks by hackers that want to disrupt or cripple critical information systems. The Vulnerabilities of SCADA Systems It s estimated that more than 85 percent of utility management organizations have implemented web-integrated Supervisory Control and Data Acquisition (SCADA) systems to streamline operations and reduce costs. While this is major progress for the industry, new generation SCADA systems incorporate open standards, including Internet protocols and networked communications, which increase the risks posed by constant hacker attacks. To mitigate the risk of potential service disruptions, process redirection or manipulation of operational data that could result in public safety concerns, organizations are now putting SCADA security at the top of their IT priority lists for the coming year. While SCADA systems are meant to improve monitoring and security, experienced hackers can access those systems that operate over the Internet. Securing the SCADA infrastructure is of critical importance to the energy industry. Improving the security environment for SCADA communications is essential to national security and new standards will be put into place beginning June 1, Regardless of how new your SCADA system is, or what steps you have taken to secure it, you most likely have vulnerabilities that hackers can exploit. Most common are: Remote Access anytime you provide access to your critical systems from outside your organization, you increase the likeliness that your system can be accessed by unauthorized users Network Configurations if a firewall is bypassed or configured incorrectly, you can create a door for hackers to enter Disgruntled Employees no security measure can prevent an attack from within; it s essential to take internal threats into consideration when preparing a comprehensive security plan Security holes, patches, viruses third party security holes in operating systems, commercial databases and other applications can become security issues for SCADA systems Communication protocols not encrypted older solutions that might still be in place are more vulnerable to attack Partners like SecureWorks help utilities proactively detect and prevent malicious attacks against the infrastructure of computers and applications to exceed security requirements of North American Electric Reliability Council (NERC) Critical Infrastructure Protection (CIP) and other emerging requirements. Protecting Business Continuity Inadequate security can severely handicap the dayto-day operations of a utility. From automated meter reading (AMR), to customer record management, to online bill pay, both uptime and back-up are critical to maintaining your business. In addition, recent legislation means you can now face legal ramifications for failing to protect consumer information. Utilities are responsible and accountable for the accuracy of their meters. The International Utilities Protection Association (IURPA) estimates that utility companies lose up to two percent in potential revenue per year due to energy theft. Utilities are instituting tighter controls to protect their income, including tighter monitoring of meter security. In order to eliminate financial losses and remain compliant, utilities need tighter controls on their information security. Compliance is also crucial to your business, both for receiving subsidies from the government and for meeting the new requirements set forth by the ERO. As more customers migrate to the use of online bill pay and self-service account management, utilities have the added risk and responsibility of protecting sensitive personal financial information from falling Page 2

4 into the wrong hands. Your information security strategy must incorporate solutions for protecting against data theft and loss, and from infiltration from hackers seeking consumer information for identity theft and online fraud. SecureWorks has the expertise and services designed to keep your business running, and will ensure that you don t lose time or money because of faulty network security. A Picture of Today s Security for Utilities Typical Internet security measures at utility management organizations include firewalls and antivirus software, intrusion-detection software, patch management, access management and monitoring, and regular penetration testing. Though most utilities organizations are reluctant to share data on security violations with the public due to the negative publicity and the business implications, a recent confidential survey of utility IT management found that four percent have been infiltrated by a hacker in the past year. In reality, this number is larger, yet unreported because of the reluctance to report security breaches. 71 percent of all organizations in the U.S. reported unauthorized computer system use last year, with 28 percent of organizations reporting that they don t know if they have been infiltrated, according to the July 2005 report published by The Computer Security Institute with participation from the FBI. Current federal and state standards for utility management organizations focus heavily on physical security measurements and disaster recovery preparedness and information security compliance requirements have increased. Many organizations believe that compliance to security standards is required to safeguard the utility infrastructure of the United States. Tighter restrictions and increased standards will be created through partnerships with the government and industry. How SecureWorks Helps Utilities What if you could add 75 security experts to your staff overnight? Hundreds of utilities have tapped into the power of the SecureWorks team of security experts to do just that. SecureWorks acts as an outsourced security team, protecting both your SCADA and business networks by detecting and preventing attacks through efficient and cost-effective solutions. Our experts quickly identify your risks and assist you in assessing, targeting and repairing gaps to your system at the perimeter, preventing network intrusion. In addition, we can help you design a Disaster Recovery Plan that meets ERO requirements. SecureWorks can help you: Comply with government and industry regulations and compliance requirements such as ERO, DHS, NERC and FERC Proactively manage your risks of network outages by preventing malicious viruses, hackers and Distributed Denial of Service (DDoS) attacks Avoid costly network outages and disruption of services Demonstrate disaster recovery and prevention preparedness Realize greater return on investment and lower total cost of management from a comprehensive outsourced solution What if you could anticipate attacks before they happen? SecureWorks believes in pro-action, not reaction. Instead of patching problems as they occur, we continuously look for potential problems, providing the necessary updates as we find them. Protecting more than 1200 networks globally gives us more than 1200 different viewpoints and allows us to identify trends and stop attacks before they get to you. What SecureWorks Will Do For Your Utility Seal your network from attacks. SecureWorks Intrusion Prevention contains three levels of protection. First, the isensor appliance stops attacks real-time; we manage any necessary updates. Second, our expert security analysts continuously monitor your network, taking action as needed. Lastly, you ll receive detailed, yet easyto-understand reports that can be shared throughout departments. Page 3

5 Take a preventative approach to network security. SecureWorks Network Vulnerability Assessment tool reviews all aspects of your network from behind the firewall and identifies potential gaps. The SecureWorks Vulnerability Assessment analyzes every IP address, computer, server and networked device on your utility network and also checks all operating systems, Web server platforms, mail servers, routers, switches and hubs. The process takes less than an hour and at the end you ll receive a detailed explanation with recommended fixes for any vulnerabilities found. Whether you are looking for a partner to secure your SCADA, business or Internet network environment, SecureWorks has industry-specific information security experts and solutions to meet your needs. As the threats and vulnerabilities facing the health and reliability of your network continue to increase, you need a partner that understands your industry and has specific solutions to solve new and emerging challenges. Stop Attacks Before They Even Get to the Door. SecureWorks Firewall Management includes policy design, installation, configuration, reporting and emergency response and our security operations center is a state-of-the-art facility constructed with network, power and system redundancies. Comprehensive firewall monitoring is conducted by our security experts twenty-four hours a day, seven days a week. Let the experts do the work. SecureWorks Professional Services team provides the expertise and analysis to help you assess your compliance and security posture and to recommend improvements. Our team helps you comply with government and industry regulations and compliance requirements, such as ERO, DHS, NERC and FERC. Strengthen the entire network. Utilities are linked to others from all sides, whether it is the grid back to your electric provider or the connection to the company you use to offer online bill pay. This linkage creates greater risk for your network and greater responsibility for your security. Plus, your network is open to attack twenty-four hours a day, seven days a week. Make sure you have a way of protecting it. SecureWorks provides comprehensive services to protect your network on every level. Our experts, coupled with our cost-efficient solutions, provide you with a one-stop resource for total network security with constant network monitoring. Page 4