CSO Perspectives (Pro) 5.3.21
Ep 45 | 5.3.21

Security in different verticals: Energy.


Rick Howard: I'm currently driving down the old Virginia Road 600 on my way to visit the Bath County Pumped Storage Station just this side of the border between West Virginia and Virginia. This place started generating electricity back in 1985 and is owned by Dominion Power and First Energy and generates enough electricity for over 750,000 homes in Virginia. It has more electrical producing capacity than the Hoover Dam that sits on the Colorado River. Who knew?

Rick Howard: All right. So I'm pulling into the facility, pulling into the parking lot. Let me get out of here. Find a place to park. Nobody's here.

Rick Howard: So, I made this trip on this beautiful spring Saturday, mostly because my wife wanted to go antiquing, but also because in this episode, we're talking about how to think strategically and tactically about securing the energy sector in cyberspace. And I wanted to see just why many security professionals think that the energy sector is so unique that it requires different strategies than all the other verticals.

Rick Howard: Walking over here. This is a beautiful place.

Rick Howard: All right. And according to the literature, this is the largest pumped storage facility in the world. But you wouldn't know it to look at it. The only thing that gives it away is a relatively small concrete building called the powerhouse and some giant transmission lines crossing one of the lakes. The lovely Allegheny mountains tower over everything.

Rick Howard: There's about 35 acres of beautiful trees that make up this facility. Two fishing creeks, Back Creek and Little Back Creek, and I see two fly fishermen over there. There's a recreation area, and a public beach is sitting over there on the side. Like I said, it doesn't look like the Hoover Dam. That's because all of the engineering work is underground. There is an upper and a lower reservoir of water and 12 miles of giant tunnels and spinning turbines under the mountains. Amazing. It certainly doesn't look like any data center that I have ever seen, and maybe that's why it needs a different strategy.

Rick Howard: My name is Rick Howard. You are listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis.

Rick Howard: In the first two episodes of Season 5, we talked to experts in the financial sector and the healthcare sector about how they wrap their heads around strategy and tactics in each of those verticals. Of the six people we talked to, they were all of like mind that the strategies the security community uses to defend ourselves in cyberspace are universal. In other words, they don't change because you serve a different industry.

Rick Howard: That said, all of our experts were in violent agreement that the tactics each vertical uses and the priorities they establish are completely different.

Rick Howard: I was talking to Steve Winterfeld about this. He is the Akamai Advisory CISO, a regular visitor at the Hash Table, and he just so happens to be my best friend. And as always, we were arguing about our crazy ideas. In this case, can cybersecurity leaders overload the military's definitions of strategy, operations, and tactics, and apply them in a non-military setting?

Steve Winterfeld: The problem is you're asking a question on the presumption that you can transition what is appropriate in a military context over to the commercial context.

Rick Howard: Not at all.

Steve Winterfeld: There might be a fallacy there.

Rick Howard: Not at all. I'm asking you the definition between strategy...

Steve Winterfeld: ...my question...

Rick Howard: ...and tactics.

Steve Winterfeld: ...question in a way that is most helpful to you, since you're a little slow.

Steve Winterfeld: And so.

Rick Howard: Okay.

Steve Winterfeld: I hope your sound guy doesn't have to listen to this.

Steve Winterfeld: Strategy, operations, and tactics. When you ask the two in a military context, without the third, you do the military a disservice. Strategy is ends and means. It is the larger picture. Operations is the capabilities which you will use to do that. And tactics is the way you deploy those capabilities.

Rick Howard: Marc Sachs is currently the Deputy Director of Auburn University's McCrary Institute for Cyber and Critical Infrastructure Security. This is his first time at the Hash Table. So be gentle. Marc and I go way back. In fact, Steve, Marc and I were all doing cybersecurity for the Army back in the day, you know, sometime in the early 2000s. But the reason I wanted him to come to the Hash Table was that he was the Chief Security Officer for the NERC for three years. That's the North American Electric Reliability Corporation. And at the same time, he had oversight of the E-ISAC, the Electricity Information Sharing and Analysis Center. I asked him to take a swing at defining strategy in the commercial space.

Marc Sachs: Strategic thinking, long-term, big muscle movements, bold, it tells you where you're going to go. It's like looking over the horizon. As a military guy, my strategy is to defeat the enemy; how I defeat the enemy is the tactical piece of it. On the ground. Do I move this unit to the left or to the right, and so forth. If you are thinking strategically, you're looking at a very, very big picture.

Rick Howard: Helen Patton is the Advisory CISO for Duo Security at Cisco. She is also the Cybersecurity Canon Committee Chairman and another regular at the Hash Table. I asked her the question that I asked the other vertical thought leaders. Is energy so much different that you need a completely different strategy to defend it?

Helen Patton: There's not anything in there that is to me, radically different than any other vertical. 

Helen Patton: If you look at the NERC CIP regulations, at least at a high level, the kinds of things they're asking of the security programs, they're not radically different from any other vertical. 

Helen Patton: When you get down into what does the architecture of the security stack look like? It will change based on industry segment. And it will also change based on the size of the organization, and the age of the organization, but the basic principles of mitigating the impact of a cyber event, those I think are universal principles.

Rick Howard: Whenever you discuss energy systems, you inevitably start hearing strange and unfamiliar terms that refer to the automation of those systems. Here's Steve. 

Steve Winterfeld: Typically, you're managing some physical aspects, gas lines, electric lines, something like that. The OT is the larger environment, the operational technology that manages everything. SCADA is the portion that is controlling the PLCs. Generally you'll see the OT be in the larger circle, with SCADA and ICS being sub-circles.

Rick Howard: According to Graham Williamson at the KuppingerCole Analysts blog, think of operational technology, or OT, as a giant set of IT and security activity that manages industrial operations as opposed to traditional administrative operations. Think oil and gas monitoring versus Windows endpoints. Industrial control systems, or ICS, fall within a subset of OT. And they specifically manage mission critical applications like mine site conveyor belts and power consumption on electricity grids, things that have to run, or the business stops producing. Organizations manage these mission critical industrial control systems with SCADA devices, or supervisory control and data acquisition, that either provide continuous process monitoring and management via programmable logic controllers, or PLCs, or discrete process control systems, or DPCs, that might use a PLC or some other batch process control device. Whew. Did you get all that? All right. Just one more time. Here's the alphabet soup again: OT, ICS, SCADA, PLC, and DPC. No wonder energy security executives think they are unique.

Rick Howard: I asked Helen if she could provide some context to all of that and to assess the actual security threat to these new kinds of environments. 

Helen Patton: You've got a higher propensity of operational technologies as opposed to informational technologies. Most security folks would agree with me that the legacy of OT, and I'm going to put a whole bunch of stuff into that heading: Internet of Things, sensors, ICS, SCADA. All of those kinds of technologies tend to be a little bit older, tend to be a little less secured, and we have tended to manage those by network segmentation, which in the hybrid cloud, where everything's internet-enabled or becoming internet-enabled, becomes less of a valid strategy.

Helen Patton: On the other hand, I think the kinds of technologies in the OT space are a little less ubiquitous in terms of hacking targets. People go after Windows because everybody's got Windows, and they're starting to go after Macs because more and more people have Macs.

Helen Patton: Not everybody's running around with some kind of SCADA controller from Siemens. It's certainly a vector, but it's just not as subject to the whim of random script kiddies and other sort of opportunistic threat actors.

Rick Howard: With those preliminaries out of the way, I began to wonder just what exactly is the energy sector? For help, I turned to the famous Verizon DBIR, or Data Breach Investigations Report. Verizon has been producing this annual report for well over a decade now, and it is a trusted source for breach intelligence on specific sectors like finance and healthcare. Interestingly, in the 2020 report from last year, Verizon decided to replace the energy sector category with a new category that combines mining, quarrying, and oil and gas extraction with the utilities industries. I asked Helen to explain what's going on here.

Helen Patton: It's changing a little bit. I would certainly be looking at things like big oil and gas coming out of Texas, or out of the Middle East. I'd be looking at electric companies, but there's a lot more that's going into this. When you're dealing with water, there are also big public-private partnership kinds of things that go into this. There are certainly a lot of little mom and pop suppliers and aftermarket suppliers in that ecosystem.

Helen Patton: It's not just the big companies and the big names that you've heard about. There are emerging energy sectors that we haven't seen a whole bunch of yet. Renewable energies, solar. Tesla's in this market if you've got your Tesla roof panels on your house. When you really sit and pay attention to it, it's pretty amazing how big the industry actually is.

Rick Howard: And if the energy sector isn't money enough, there is an entire compliance piece that is unique to those environments. Here's Steve.

Steve Winterfeld: When we talk about energy, and I say energy, but a lot of this would apply to really any of the broader industrial control systems, or supervisory control and data acquisition, SCADA systems. The Department of Energy has a Federal Energy Regulatory Commission, the FERC, which uses the NERC, which is the North American Electric Reliability Corporation. They have a standard called CIP, which is Critical Infrastructure Protection. It's a series, just like any of the others, that provides all the things you have to do. It is an industry that you can get fines in. It has special call-outs like the Nuclear Regulatory Commission. That even has its own security clearance, a Q Clearance, which is different than a top secret.

Rick Howard: The practical side to all of this regulation forces energy companies into a very specific kind of security posture.

Helen Patton: Our regulators would push us towards the defensive controls. If I use the NIST language, things that help us identify assets, protect assets, and so forth. That's where the regulations sit.

Helen Patton: If you're in a really heavily regulated industry, you're still focused right there. But I think that mature security functions and strategies and teams are actually focused on the detection and response side of the equation. And if you're a finance organization on Wall Street, where you've already invested in all your defensive controls, you can, even though you're regulated, pivot and look at detection and response and recovery kinds of elements within your strategy. But if you're a new company, you're an underfunded company, those kinds of things, you can't get away from the defensive controls, because that's where the regulators want you to be, enough to be able to spend your time in detection and response. And I think with the kinds of nation state attacks and those kinds of things, we have to be in the detect and respond side of things, but our regulators won't let us get there very easily.

Rick Howard: Because of all the specialized operational technology involved in managing these systems, Marc says that the attack surface is just bigger than your typical environments in other sectors.

Marc Sachs: For energy, the interdependency is not pure cyber. As you might know, the power grid, for example, the Eastern half of the United States, is a big, huge machine. It's all in sync with each other, all the spinning generators and power delivery. Same thing with the Western half of the United States; it is all synchronous with itself. The state of Texas has its own grid. But if you just take the East coast, for example, you've got a dozen or more independent organizations that all work together, and it's not a cyber thing. Now we're talking electro-mechanical, but a cyber attack against part of that grid could lead to grid failure across the grid, not because of cyber, but because of the electromechanical interdependencies.

Marc Sachs: It's a risk area that could be caused by cyber, but could cascade because of the way you're interdependent. And that same thing you might find in airline industries, you might find in banking and others, where you're really dependent on somebody else to have their cyber act together. If they don't, it could cause you to have a very bad day, even if you're doing your attack surface zero trust stuff perfectly.

Rick Howard: Even with all the complexities involved with the alphabet soup of OT environments, the mind numbing collection of compliance regulations, and the exponentially large attack surface compared to other verticals, all three of our Hash Table experts today agree and don't think that the energy sector needs a different set of strategies to secure these environments compared to the other verticals. Here's Helen, again, to sum it up.

Helen Patton: I agree that it is larger than other verticals. Where I disagree is that it requires different strategies. If you look at the NERC CIP regulations, at least at a high level, the kinds of things they're asking of the security programs, they're not radically different from any other vertical.

Rick Howard: We did have some disagreement around the Hash Table about the future of IT and security in the energy sector. The question is whether or not this vertical was going to follow the same path of every other vertical by moving more and more workloads to the cloud and moving away from buying and maintaining dedicated networking pipes in favor of using the super fast shared networking pipes provided by the likes of Google, Amazon, and Microsoft. 

Rick Howard: Both Steve and I, who admittedly have never worked in the energy sector, believe that it's inevitable that this vertical adopts the same path as everyone else. We think that senior leadership will not be able to resist the efficiencies gained by making such a move over the added security risk of remaining not connected. Here's Steve.

Steve Winterfeld: I'm not sure you won't see the IT and OT become more and more blended, just for operational efficiencies. There are aspects of this that may end up in the cloud. You're starting to see the IT network and the OT network collapse. The days of the OT or SCADA network being truly isolated are largely gone, in my opinion.

Rick Howard: Marc was adamant that this wasn't so. And again, he was the Chief Security Officer of the NERC for three years, the North American Electric Reliability Corporation. He's the recognized authority here. 

Marc Sachs: The computer controls that are running the grid and keeping it balanced and keeping it synchronous and so forth are in closed environments, not connected to the internet. And in fact, the regulatory measures in place, they can fine these organizations up to a million dollars a day if they're in violation. And one of the very clear standards is no path to the internet, no connection.

Marc Sachs: You really reduced your attack surface there by the fact that you're isolated, but the change that's coming up is as we get into what's called distributed energy. Think of solar panels and wind turbines and people's homes that are generating power that they can sell back into the bulk power market. And even further, that's large appliances like air conditioners and refrigerators and dryers and so forth that are internet connected and can possibly be attacked by an adversary who could manipulate the demand as an attack and then cause grid disruptions. So yes, that attack surface today is fairly closed, not available to an internet style attacker, but tomorrow it will absolutely be a problem.

Marc Sachs: Something the energy community is very aware of is these new distributed energy and this new control plane and highly connected IoT devices that are big grid users. Is that a new attack problem that the security community is going to have to worry about? And think about what I'm saying here: if I'm the CISO at a power company, I have no control over you as a customer, whether you're connecting your heavy duty appliance to the internet. If you have an IoT device that you're now plugging into my electrical network and you're plugging into your router, I can't control that. And there's certainly no regulation on the books that requires your device that's now interconnecting with a public utility to be secure.

Rick Howard: But when I pointed out that that was exactly what Steve and I were thinking, that this slow march to internet efficiency would drive this configuration and it would be inevitable that those OT systems would be connected to the internet, Marc was still determined that this should not be so.

Marc Sachs: I disagree. I disagree, Rick. There's a difference between being connected for email and for regular business purposes and interconnecting the control systems.

Marc Sachs: The same argument would be, okay, well, why don't we interconnect the flight control computer on every airplane out there to the internet? We don't do that.

Marc Sachs: Or same thing with banks, the banking transactions. Why don't we just run them over the internet? We don't; we have private networks for that. And you can go on and on with where there are private control networks that do not connect to the public internet.

Marc Sachs: I'm not agreeing with the argument that says that the power companies have to connect their control systems to the internet. It makes no sense.

Marc Sachs: Look at the rollout here in the U.S. of 4G and 5G, and then coming down the road, they're already talking 6G. If you have 5G connections through a solar panel, you don't have to use the internet to talk to that solar panel. It's very easy through that 5G network to have an IP-based infrastructure that talks to the solar panel and still is not connected to the internet, because the comm backbone is there.

Marc Sachs: The point I'm trying to make is the public internet, which has grown out of the original ARPANET of the late 60s, early 70s, has its place for humans to communicate, but it's not the place for machines to talk to each other.

Marc Sachs: You talk about strategic. Strategically, how do we build out networks where machines can talk to each other, can do it safely, and we can ensure a level of security that we can't do on the public internet, because it is a public place, a public commons? In the physical world, we have fences and gates and guards and borders and things to keep security contained. And then we have the public sidewalk and the public square and public roads.

Marc Sachs: We've got to think about that as well from a cyber perspective, that the public internet is no different than the public highways. And there are times when you need private infrastructure, because what you're trying to communicate with requires that level of security.

Marc Sachs: It's like the federal government has their private clouds as well. You can use cloud technologies for storing classified data. But it's not your Google cloud. It's not your public Google cloud or your public AWS or your public Microsoft Azure. These are all private corners of these commercial providers. They're not available to the general public.

Marc Sachs: It can be done, Rick. It absolutely can be done. The danger is just saying, I'm going to use the internet. The internet. The public internet is not the same as the communication infrastructure that you can connect to and move bits and bytes across.

Rick Howard: I get it. Marc is essentially talking about using our zero trust strategy to limit who and what has access to his industrial control systems. In other words, ensure that grandma's refrigerator can't talk to the Virginia Bath County Pumped Storage Station, and in doing so perhaps prevent a Sandworm-level attack on U.S. critical infrastructure.

Rick Howard: And that's a wrap. Since we brought up the subject of OT and IoT systems this episode, for next week's show, we are inviting experts to the Hash Table to discuss whether or not the responsibility of securing those environments has moved over to the CISO's list of balls in the air they can't drop. You won't want to miss that.

Rick Howard: And as always, if you agree or disagree with anything I've said, or anything our guests have said, hit me up on LinkedIn or Twitter and we can continue the conversation there.

Rick Howard: The CyberWire CSO Perspectives is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Peltzman, who also does the show's mixing, sound design, and original score. And I am Rick Howard. Thanks for listening.