By Allen Kent, NERC CIP Specialist, NAES Corporation
Fear is a strong motivator for most people – which is why it gets used a lot in security presentations. “The sky is falling!” cried Chicken Little. Sometimes the sky really is falling, and sometimes there is just a preface to, or potential for, an attack. Here are a few cyber security myths that are commonly found in the power sector – exposed once and for all!
“We don’t have anything that an attacker would want” or “Nobody would want to attack us.”
In cyber security, any device with a connection to a network – the Internet, for example – can be used to attack others. For this reason and many others, it’s important to secure your systems. Imagine leaving your loaded firearm lying around. Are you responsible if someone picks it up and accidentally or intentionally uses it to hurt others? Likely yes! But under today’s interpretation of cyber security, you are often not held accountable for improperly securing your system, even if that allows an attacker to use it against others. However, security negligence will likely not be tolerated for long as the legal and/or regulatory landscape continues to evolve. Businesses are already being held accountable when they lose the confidentiality of their hosted customer or asset data. Consider the recent NERC Notice of Penalty (accompanied by a $2.7 million fine) that was served to a Western entity that hadn’t taken sufficient measures to protect its data from being mishandled by a third-party vendor.
“If I’m compliant with the standards, then I’m doing enough to ensure security.”
Businesses need to be profitable if they intend to stay in business. The return on investment for additional security controls may be difficult to measure, but the cost of failing to properly secure cyber systems is growing. Management should analyze the risk of potential exploitation and determine the tolerance that their businesses can accept, but this analysis will continue to change as the threats evolve. In the power sector, we are outmatched by our adversaries. Other nations are targeting our sector – as a form of warfare – to find weaknesses that can be exploited. These are professional attackers who are being paid to find ways into your networks. While the CIP Standards serve as good baseline protections, merely checking the box on these security regulations is not enough to combat the threats; more is needed. What we call ‘eggshell security’ – strong on the perimeter (i.e., CIP-003 low impact controls) but soft on the inside – is not effective security.
“Our firewall protects us.”
A firewall is generally required if you are connecting a computer to the Internet, but it certainly does not stop all cyber-attacks. Typically, certain communication is allowed in (e.g., to your email or web servers) and some communication is allowed out (e.g., web access from your desktops). However, each of these allowances creates a hole in the firewall’s protection that a cyber attacker can exploit to gain access, as does any software vulnerability in the firewall itself.
Most organizations therefore need to consider more protections. What can you do to prepare? At a minimum, meet all applicable current and upcoming NERC CIP compliance requirements, especially the review of your firewalls. In addition, work with your management to add an annual budget item for incremental increases in cyber security that go beyond these minimum requirements. Your best first addition would be a Security Information and Event Management (SIEM) solution, which can help detect when someone has gained, or is attempting to gain, unauthorized access to your systems. All in all, understanding the reality behind these common cyber security myths will help you better prepare for the day when the sky actually is falling.