Addressing Cybersecurity Policy at Your Plant

If cybersecurity policy at your power plants is not a major concern, it should be. On December 23, 2015, hackers took control of parts of the Ukraine grid network, taking about 30 substations offline and plunging over 230,000 customers into darkness. They also disabled backup power supplies to two of three distribution centers. Plant managers must take steps to ensure security as attacks become more sophisticated and potentially dangerous. Reported incidents have helped identify areas of risk, including insider action, unintended consequences, commercial hacking, and government hacking.

Recent Threats

In October 2016, there was a Denial of Service (DoS) attack against Dyn, in which a host was targeted with a flood of requests intended to overload the system and prevent legitimate users accessing the system and disrupting services. Dyn controls much of the domain name system (DNS) infrastructure, and, during the attack, many sites in the US and Europe were brought down, including CNN, Netflix, Reddit, and Twitter.

In 2014, hackers stole data from the commercial network of Korea Hydro and Nuclear Power, demanding money not to release the data. The hackers gained access by sending phishing emails to employees, some of whom clicked on the links and downloaded the malware.

There's concern about a growing new threat, called a hybrid threat, in which a low-level cyberattack enables another form of attack. For example, a cyber attack can be used to access employee information, which is then used to enable unauthorized access to the site, possibly to install malware. Hybrid threats are harder to protect against than a simple, direct attack, as they can take many forms.

Prevention: Air Gapping and Passwords

Operational managers must ensure a strong cybersecurity policy is carried out to protect their facilities against these potentially harmful cyber threats. The first line of defense is identifying malicious content before it reaches the servers. And, the key to defense against a potential infection is to maintain air-gap protection, isolating a system from the public internet. Air-gapping alone is not sufficient and can provide a false sense of security, so additional steps must also be taken. Air gaps can be breached by contractor connections, operator overrides (accidental or intentional), and wireless transmissions. USBs and flash drives can also circumvent air-gap protection, so access points must be controlled and unauthorized flash drive use must be eliminated. Strong passwords and logging in systems also improve security. If password setting and logging in is made too cumbersome, operators might try to find short cuts, defeating the original objective.

As devices interact with each other more, an increasing concern is incompatible software updates. In 2008, a contractor update to a power plant's business network was installed, intended to synchronize it with the industrial control system network. However, the update resets the control system's data to zero briefly, which put the plant into automatic shutdown. The best protection against this kind of attack is a stepwise introduction. Software updates should be trialed before they reach a facility, but this doesn't always reveal everything. Installing piecewise can take a bit longer, but it can also avoid catastrophic failure. Operators must never download phishing attachments to emails and plants must maintain solid firewalls.

Treatment: Virus Protection Communication and Response Plan

A cyber attack can happen quickly, and, as such, there isn't time to consider responses once an attack has started. All plants should have a cyber incident response team in place, whose main responsibility is to create a response plan. The plan must identify potential scenarios, prepare strategies to prevent intrusions from spreading through the network, and set out appropriate responses, such as isolating infected areas, eliminating threats, checking for corrupted data, and restoring the system. Once the threat has been dealt with, it should be investigated thoroughly in order to upgrade the protection plan and identify the source of the intrusion.

Deliberate cyber threats are designed to propagate, conceal themselves, and avoid anti-virus protection once they have infected a system. Viruses are also constantly upgraded. Plants must have robust, up-to-date anti-virus systems in place ready to filter out malicious content that's found its way in. You can't solely rely on virus protections to provide security, however. Communication between facilities about detected threats and effective response plans can help provide increased security. This communication can take place through conferences on the subject, reports to official bodies, and collaboration between plants or informal contacts.

The right balance between security and convenience may vary from facility to facility. Achieving the best protection against cyber threats means having a strong cybersecurity policy in place and maintaining constant vigilance against inappropriate access.