by Bob Shively, Enerdynamics President and Lead Instructor

It seems you can’t turn on the news lately without hearing the latest report about hacking and cyberspies.  And sadly, digging beyond the news makes it appear that the issue isn’t just media hype.  For instance, Christian Science Monitor recently reported that cyberspies “targeted nearly two dozen U.S. natural gas pipeline operators over a recent six-month period, stealing information that could be used to sabotage U.S. gas pipelines, according to a restricted U.S. government report and a source familiar with the government investigation”[1].

And similar concerning events have occurred on the electric grid[2].  Clearly gas and electric infrastructure companies are scrambling to respond by beefing up security.  This is made more difficult by multiple factors including:

• much of the IT systems used were designed before security was a high concern;
• the push for smart grid has resulted in more and more portions of the grid being interconnected and thus potentially vulnerable;
• and employees are using more and more interconnected devices at work and at home.

So how do companies address cyber security?  The SANS Institute [3], a cooperative research and education organization that works with key government agencies and private organizations, has developed a framework that identifies 20 key steps:

1. Inventory of authorized and unauthorized devices on the network
2. Inventory of authorized and unauthorized software on the network
3. Set secure configurations for all hardware and software
4. Perform continuous vulnerability assessment and remediation
5. Install malware defenses
6. Only buy new software that is designed for security and replace or rewrite existing software that isn’t
7. Perform rigorous wireless device control
8. Build and maintain data recovery capability
9. Perform security skills assessment for all your workforce and require appropriate training to fill gaps
10. Require and verify secure configurations for network devices such as firewalls, routers, and switches
11. Continuously limit and control network ports, protocols, and services
12. Control use of administration privileges
13. Maintain boundary defenses between internal and external devices
14. Continuously maintain, monitor, and analyze security audit logs
15. Control access based on need to know
16. Monitor and control employee accounts
17. Identify, monitor, and protect critical databases
18. Develop incident response capability
19. Design for secure network engineering
20. Perform penetration tests and attack drills

If this sounds like a lot of work, it is.  But the alternative is to risk making the headlines as being the first energy provider brought down by a cyber attack.

Related articles

• Chinese Cyberspies Attacked Natural Gas Pipeline Operators For Six Months Straight (businessinsider.com)
• Cyberattack leaves natural gas pipelines vulnerable to sabotage (rawstory.com)
• ‘Catastrophic’ cyberattack could hit utilities like PG&E (mercurynews.com)