Powering up: How the world's power plants fend off cybersecurity threats
Last month’s widely publicized WannaCry ransomware attack was notable in its broad reach, impacting 100,000 organizations, including critical infrastructure companies. The WannaCry ransomware crippled utilities as well, including West Bengal Power Utility in Kolkata, India, which in turn affected over 800,000 households.
As a vital component of a nation’s infrastructure network, power plants often operate with the highest and most technologically-advanced security levels. But according to digital technology multinational firm ABB, much of the risks and vulnerabilities faced by power plants are a result of the very same technological advances that allow them to operate in the first place.
The cost of automation
Some of the technological advances achieved in the power industry have been gained through connecting previously isolated control systems. Increasingly interconnected utility networks have provided utility customers with lower emissions, improved reliability and lower power cost. In contrast to 20 years ago, most plants have open industrial standards as well as ethernet and TCP-IP-based communication protocols.
“These allow connectivity to external networks such as the office intranet and the internet. No doubt these changes in technology bring huge advantages from an operational perspective. However, they also introduce cyber security concerns, making industrial systems vulnerable to the same threats faced by IT sector” said Arup Sen, ABB’s Vice President for Marketing and Sales, Asia Pacific HUB, Power Generation and Water business.
According to a study by the privacy, data protection, and information security policy research group Ponemon Institute, the cross-industry average cost of a data breach in 2016 was $4 million, with 48% caused by malicious or criminal attack, 27% due to system glitch, and 25% human error.
With cyber threats mounting and executive leadership gaining awareness of associated enterprise risks, power industry executives have mandated measures to systems and operations, applying traditional IT security measures to enhance resiliency against cyber threats. However, traditional IT security measures may not be enough, and unfortunately, can even prove counter-productive in the “Operational Technology” space. “Traditional IT approaches present challenges when applied in industrial environments. For instance, when a user is locked out of a work PC, they can simply call a HelpDesk. But imagine a plant operator, on nightshift, punching in an incorrect password and getting locked out of the control system that is critical to operating the plant. A significant time delay is not acceptable in real-time process plant environment,” Sen said.
So how exactly can power plants effectively deter cyberattacks and prevent widespread damage and chaos? “Having a well-defined cybersecurity strategy can mitigate your risk of employee mistakes, system errors and targeted cyberattacks,” Sen noted, adding that this includes implementing a pro-active stance when it comes to creating a resilient security posture.
“Security cannot be achieved with an insall-and-forget approach. It is an ongoing operational effort which includes a defined focus on securing people, process and technology,” Sen said. Further, end-users must be more discriminating and demand strict security features, while vendors, on the other hand, must be ready to provide them in their respective product offerings.
“Security starts with vendors adopting a secure development method for industrial automation solutions, which include critical security controls out of the box. End users must insist on security requirements in their procurement. End user demand is an important signal to the market that they expect industrial automation products and services to be secure by design,” Sen added.
The ABB Cyber Security Workplace
ABB, a pioneer in industrial cybersecurity, was one of the earliest adopters of secure development lifecycle in its portfolio, Sen explained. “ABB takes cybersecurity very seriously and fully understands the responsibility to advance the security of control systems used in the power sector. Thus, ABB had embedded its cybersecurity solutions in each product portfolio lifecycle, which starts from the very beginning in the design stage, to development and maintenance stages. Within ABB Ability™ DCS Symphony Plus, we developed effective non-invasive tools (the Cyber Security Benchmark, The Cyber Security Fingerprint and the Cyber Security Monitoring Service) that diagnose potential cyber risks, reduce them, give alarms and provide the support to safeguard control systems investment.” Sen said.
In addition to addressing secure development lifecycle in its industrial products, ABB has developed tailored industrial cyber security offerings to work in critical infrastructure environments without being disruptive to core processes. For example, ABB Cyber Security Workplace is an integrated suite of security applications and tools for accessing and strengthening cyber protection. These include fingerprinting to gauge a control system’s security posture patch delivery to evaluate and apply software updates, and application whitelisting to ensure only approved software and processes are allowed to run. A combination of assessment and remediation services can be scheduled on a periodic or continuous basis, which include system hardening, patch and antivirus deployment and backup restoration.
“Delivered as a scalable solution, Cyber Security Workplace, a part of ABB Power Generation Care enterprise level maintenance solution, can be phased in to meet your plant or fleet-wide security and compliance needs today while providing the platform from which to grow and expand as requirements evolve and change,” Sen says. Cyber Security Workplace’s security controls, in conjunction with a strong focus on people and process, help customers build a comprehensive security strategy, which substantively can enhance a power plant’s resiliency to cyber threats.