Energy Cybersecurity Regulatory Brief

Transcription

1 Energy Understand the regulations that impact the energy industry and accelerate information security initiatives.

2 Contents Overview 3 A Highly Vulnerable Energy Industry 4 Key Regulations to Consider 5 Cybersecurity Management 5 Energy Organization Management 6 Risks 7 How AccessData Can Help 8 Benefits to Energy Organizations 9 Contact/Sales Information 10 2

3 Overview The energy industry is among the largest and most important industries in many industrialized nations. Of the ten largest companies in the world, seven are energy producers and/or related providers 1 ; in the United States, four of the Fortune 500 top ten are energy-related companies 2. The electrical infrastructure in the United States is valued in excess of $1 trillion in assets, with roughly 1,075 gigawatts of generating capacity and more than 200,000 miles of transmission facilities. The United States has traditional electric utility power plants and 1,738 non-utility power producers 3, as well as more than 100 oil companies. As of 2012, there were more than 43 million smart meters in use in the United States, most of which were in residential installations 4. The energy industry in the United States employs approximately 600,000 people and accounts for annual sales of more than $500 billion. Because the energy industry possesses so much highly confidential and proprietary information and is integral to the health and vitality of the economies in which it operates, it represents an enormous target for cybercriminals. While energy companies need to adhere to a growing body of regulations focused on maintaining records and managing their business properly, the more immediate issue and one that represents an imminent threat is protecting the security of the wide range of assets that energy and related companies operate. This includes protecting against everything from malware that might enter the utility grid through a smart meter to government-sponsored cyberattacks designed to shut down nuclear power plants. FACT: Web drive-by downloads and spear-phishing are often the initial intrusion points. 5 Learn more 3

4 A Highly Vulnerable Energy Industry The energy industry presents unique attributes that make it more vulnerable than others to cyberattack. In fact, one source found that two-thirds of energy companies had experienced some form of brute force attack twice the percentage of companies in other industries 5. Examples of areas of vulnerability include: FACT: 61 percent of energy and utility executives consider security to currently be a big problem for the smart grid and 64 percent believed that the grid is not prepared for security threats Abundance of Potential Ingress Points There are millions of potential ingress points for malware, hacking attempts and other incursions from legitimate employee use of the internet for normal day-to-day business activities, to the prevalence of BYOD and contractor access. 2. Vulnerable Smart Grid The existing smart grid technology had originally been developed with the intention that it would stand apart, in locked industrial site and control centers making it unavailable to outside tampering. Those parameters have changed and now connecting that legacy technology to current technology opens it up to all kinds of hacks. But who is doing the attacking? It might not be what you think. PWC found that while attacks backed by nation-states are making the headlines, utilities are more likely to be hit by other outsiders including 7 : Hackers Competitors Activists/activist groups/hacktivists Organized crime Terrorists Foreign entities/organizations Foreign nation states 4

5 Key Regulations to Consider There are a number of regulations focused on the energy industry that decision makers need to consider in the context of managing their business, but more importantly protecting themselves and their customers from the growing threat of cyberattack. Cybersecurity Management In the United States, the only industry that has mandated enforceable cybersecurity standards is the electric power industry, which includes the nuclear power industry. These standards are embodied in the Critical Infrastructure Protection (CIP) standards, which were developed by the North American Electric Reliability Corporation (NERC), and address the security of cyber assets essential to the reliable operation of the electric grid. The CIP standards impose a number of requirements on companies in the energy space, including: CIP requires companies to develop and maintain security management controls to protect critical network and other assets. CIP requires the development of an Electronic Security Perimeter that must disable unnecessary ports and services, monitor and log access on a 24x7 basis, perform vulnerability assessments at least once each year, and document changes in the network. CIP requires that network and system events be monitored using automated systems, and that alerts be sent to individuals managing the systems. Additional requirements include that only necessary ports and services are enabled (R2), that anti-malware capabilities are used (R4), and that the risk of unauthorized access be minimized (R5). CIP requires that a disaster recovery plan should be developed and that it be tested at least once a year. FERC was enabled by the Energy Policy Act of 2005 to oversee the reliability and security of the US electrical grid. While the primary intent of FERC was the reliability of the grid, FERC has increasingly focused on cybersecurity. In September 2012, FERC established the Office of Energy 5

6 Infrastructure Security (OEIS), the focus of which, among other things is to develop recommendations for identifying, communicating and mitigating potential cyber and physical security threats and vulnerabilities to FERC-jurisdictional energy facilities using the Commission s existing statutory authority, and to provide assistance, expertise and advice to other federal and state agencies, jurisdictional utilities and Congress in identifying, communicating and mitigating potential cyber and physical threats and vulnerabilities to FERC-jurisdictional energy facilities. 8 The Nuclear Energy Institute has developed a comprehensive cybersecurity program for the protection of nuclear power plants. This program was adopted by all US nuclear power plants in 2006 and all of them had implemented the program two years later 9. US nuclear power plants have implemented various protections against cybersecurity threats, including controls over how portable devices are used, isolation of critical control systems using air gaps or hardware-based isolation solutions, improved employee training, employee monitoring, and robust change management procedures. The US Department of Energy issued Cybersecurity Procurement Language for Energy Delivery Systems in April This document, while not defining specific regulations, offers a set of useful guidelines for energy-related companies to use when procuring new equipment. Executive Order 13636, Improving Critical Infrastructure Security, provides a framework for improving the security of key elements of the national infrastructure, including communications, water systems and energy. The goal of the Order includes promotion of better cybersecurity practices, development of a framework for technology-neutral cybersecurity, and improved sharing of threat information Energy Organization Management FERC Order No. 717 This order imposes a number of rules on regulated and vertically integrated utilities. Its goal is to create an ethical wall between the marketing and transmission functions of vertically integrated companies that distribute natural gas and electricity between states (the No-Conduit rule). FERC 717 makes it necessary for these companies to manage 6

7 their communication in such a way so that they do not give preferential treatment to their affiliates. A key element of this order is that all communications between transmissionrelated and marketing-related employees of a vertically integrated provider must be retained for long periods of time. FERC Part 125 Published under the Federal Power Act and Natural Gas Act, this ruling mandates specific retention periods for records that are maintained by public utilities and their affiliated companies. For example, stockholder-related meeting minutes must be kept for five years, procurement agreements must be retained for six years, and plant ledgers must be kept for 25 years. Risks The risks of cyberattack in the energy industry are enormous and are by no means a new phenomenon, as illustrated by the following examples: Of the 200 or so hacking incidents investigated by the US Department of Homeland Security cybersecurity team in 2013, more than 40% of them were directed against energyrelated assets. Underscoring just how vulnerable the US electrical system has become, a US federal government analysis that was revealed in March 2014 found that disabling only nine of the 55,000 transmission substations could initiate a widespread blackout in the United States 11. The results of a poll published in MIT Tech Review found that 70% of individuals focused on critical infrastructure report that their Supervisory Control and Data Acquisition (SCADA) systems are at high or severe security risk 12. A report from early 2009 discussed the fact that Russian, Chinese and other hackers had successfully penetrated the US electrical grid and were able to install malware within power grid systems13. In a 2013 report, one electric utility reports that it endures roughly 10,000 attempted cyber intrusions on a monthly basis 14. In 2012, Saudi Aramco was attacked by hackers who were able to infect 30,000 of the company s computers with the What s at Stake? Public and customer trust Energy reliability Reputation Regulator scrutiny Competitiveness 7

8 Shamoon worm. Although gas and oil production was not disrupted, the company s networks were brought down by the attack 15. The Stuxnet worm, first discovered in June 2010 and most likely a US and Israeli attempt to disrupt the Iranian nuclear program, clearly demonstrated that worms and related types of malware can successfully infiltrate programmable logic controllers or other types of hardware and cause significant damage. One source estimated that 20% of Iran s centrifuges were destroyed by Stuxnet 16. The importance of Stuxnet in the context of potential power plant, oil refinery and other energy-related security should not be underestimated. Not only can this type of malware alter the operation of key control systems with potentially disastrous consequences, a Stuxnet-like worm has already done so. In October 2012, a contractor at a US power plant accidentally infected a turbine control system with a worm delivered via a USB drive and took the power plant offline for three weeks 17. How AccessData Can Help AccessData s ResolutionOne Platform integrates network, endpoint and malware analysis, threat intelligence and remediation capabilities into a single solution that doesn t just deliver rapid detection and response; it delivers Continuous Automated Incident Resolution. ResolutionOne enables your organization to: Immediately identify when a sensitive data leak is occurring so you can quickly resolve the issue. Fully integrate with existing security infrastructure such as SIEMs, next-generation firewalls, alerting tools, monitoring solutions - to reduce the time it takes to identify critical security incidents and get the most out of your existing investments. Automate manual processes to free up valuable resources and focus on more business critical tasks. Cull through the noise in order to quickly confirm and prioritize true threats. The ResolutionOne Platform from AccessData, as well as AccessData s solutions portfolio, can help energyrelated organizations to understand how information flows within an organization and across its network of Business Associates. 8

9 Benefits to Energy Organizations Dealing with highly focused and highly skilled attackers who perpetrate sophisticated incursions into the energy infrastructure, requires a robust and integrated set of capabilities. AccessData s offerings can be used to detect cybercriminal activity and respond quickly to suspicious behavior and resolve the issue at hand. Benefits include: Identify suspicious binary files based on their unusual behavior even in the absence of signatures that have been designed to detect known malware. Isolate and examine suspect code without the use of sandboxing, dynamic analysis or traditional heuristic analysis. Determine the presence of malware and whether or not it has already executed on infected machines. Monitor and analyze the behavior of mobile devices that are used by employees. Automate the malware triage process and quickly identify, isolate and remediate cyberattacks, malware incursions, data leaks and other threats more quickly than is possible with manual processes. Measure your security team s efficiency with key performance indicators embedded within the platform, such as Mean Time to Validate (MTV) and Mean Time to Respond (MTR). Automate the process of malware triage. Identify, isolate and remediate cyberattacks, malware incursions and other threats more efficiently than contemporary manual processes with the ResolutionOne Platform. References PWC, Power & Utilities Key findings from The Global State of Information Security Survey

10 Learn more about how AccessData can help accelerate information security initiatives at AccessData Group makes the world s most advanced and intuitive incident resolution solutions. AccessData technology delivers real-time insight, analysis, response and resolution of data incidents, including cyber threats, insider threats, mobile and BYOD risk, GRC (Governance Risk and Compliance) and ediscovery events. Over 130,000 users in law enforcement, government agencies, corporations and law firms around the world rely on AccessData software to protect them against the risks present in today s environment of continuous compromise. AccessData is a registered trademark of AccessData Group. ResolutionOne is a trademark of AccessData Group AccessData Group. All Rights Reserved. GLOBAL HEADQUARTERS Alma Street Menlo Park, CA USA NORTH AMERICAN SALES Fax: sales@accessdata.com INTERNATIONAL SALES