Meeting the Cybersecurity Challenge
By Scott Self, CIO, Tennessee Valley Authority
In an unassuming room anywhere in the world, a shadowy figure faces a computer screen. He isn’t armed with a gun or a bomb, because he doesn’t need one; he is a criminal who does his work with a keyboard and mouse. And if he is able, he can use his skills to hack into a power company’s entire system, not just computers but electric power infrastructure, and create harm.
Although this sounds like something out of a movie, this keeps security personnel in the utility industry awake at night. Connectivity has enabled smart grids, distributed generation, rapid load shift management and the ability to spot issues that were unimaginable 20 years ago.
However, this interconnectivity also creates vulnerabilities. As technology becomes increasingly interconnected, so do the risks. “Cyber security is a top concern for our nation’s utilities,” said Scott Self, CIO, Tennessee Valley Authority. “Utility IT professionals understand that, and they must be on the cyber security front lines in order to protect the nation’s power grid.”
The media has written a lot recently about concerns over utility cyber security, raising fears. But what the public may not realize is that cyber security for the utility industry is highly regulated and compliance is not an option. For example, all utilities in the United States must comply with the standards set forth by the North American Electric Reliability Corporation, the Critical Infrastructure Protection Standards, among others.
Utilities recognize that today the cyber security game has changed. According to the ICS-CERT Monitor Newsletter, a publication of the U.S. Department of Homeland Security, 32 percent of the 245 reported cyber incidents that happened in 2014 occurred in the energy sector. In the past, cybercriminals looked to exploit information for financial gain or to attack a company’s reputation. In addition to protecting customer and employee personal information, utilities must be concerned about cyber espionage and protecting critical systems and infrastructure.
Why are utilities considered cyber targets?
Unlike other industries, utilities are one of the few businesses where the cyber and physical worlds intersect. For example, a utility’s network supports many important physical assets within energy delivery systems: generating facilities, substations, switch yards, power lines and oil or gas pipelines. Protecting these systems keeps utility IT professionals laser-focused on security every day. Therefore, the “new normal” in the utility industry is to use advanced technology to secure both physical and cyber assets equally.
As the largest public power utility in the United States, Tennessee Valley Authority serves nine million people across seven states with a 99.999 percent reliability rating. Any interruption in power could result in serious health and safety risks and threaten hardship across the entire Tennessee Valley.
TVA fully understands the environment and takes cybersecurity extremely seriously. “We recognize that there is no single solution to cybersecurity. Protecting the TVA network from multiple threat vectors takes extensive planning, flawless execution and constant diligence,” said Philip Propes, TVA’s Chief Information Security Officer, adding that TVA’s goal is to blend cyber-security and physical-security for predictive modeling and analysis.
Managing cyber threats requires TVA to go beyond the compliance standard through robust, layered security protocols. A strong cybersecurity strategy and culture is key along with tactics such as:
• Risk-based multi-tiered threat analysis
• Highly skilled cybersecurity professionals
• 24/7 enterprise-wide monitoring control center
• Strong network security and authentication
• Predictive analytics and analysis
• Resilient systems
“TVA believes in a defense-in-depth security approach that has proper segmentation, monitoring and redundancies that will allow us to address a wide range of cyber-scenarios,” said Self. While there are many facets to the TVA security program, the company is sharing some of its best practices.
Clear Organizational Security Structure
“While each utility may manage their cybersecurity differently, we found that a mix of centralized and decentralized security functions works best for our business,” said Self. Monitoring, incident response, forensics and intelligence are more efficient when they are centralized. On the other hand, functions such as server maintenance, patching and antivirus updates work better as decentralized functions. The key takeaway is that utilities must understand and implement security processes that work best for their organization.
Information Security Training
Another best practice TVA follows is maintaining an aware and well-trained workforce. TVA’s cybersecurity team works directly with their HR department to help develop a strong information security culture. This security culture is supported by clear information security policies as well as training developed by the cybersecurity team.
“Information security is not a spectator sport. Everyone at all levels of TVA is engaged and understands that they are part of the security solution,” said Self. Each year TVA employees and contractors receive mandatory annual training on recognizing and reporting perceived cyber threats. Additional training may be required for some employees’ roles within the organization.
This training is especially important now, because while the number of emails containing spam has fallen recently, the amount of malware discovered has spiked, almost doubling from 29.2 million in April 2015 to 57.9 million in June 2015.
“Our goal at TVA is to educate our workforce to prevent them from falling victim to phishing attacks and clicking on malicious links that download malware or spyware,” Self explained. Employees are encouraged to report cybersecurity issues through TVA’s “See Something, Say Something” philosophy. In addition, TVA’s information security policy addresses the use of hardware, such as prohibiting employees from plugging unapproved USB devices into company computers.
Preparation and Drilling
Constant drilling is another lesson learned at TVA. According to a 2015 survey released by Lieberman Software, 63 percent of companies run cybersecurity drills. Drills keep recovery plans updated and build relationships within organizations. “The first time you meet your business partners should not be on the day you tell them that there is a problem,” said Self.
In addition to coordinating national drills like GRIDEX, the utility industry’s crisis response to simulated coordinated cybersecurity and physical security threats, TVA conducts internal “red-team exercises” in which TVA teams probe computer systems to test reactions and the remediation processes. These exercises provide a safe environment that allows TVA’s cybersecurity specialists to be prepared to aggressively respond in the event an attacker gets through countermeasures. Lessons learned are incorporated back into TVA’s processes, creating a cycle of continuous improvement.
Outreach, Educate, Share
TVA works with the cybersecurity teams from a variety of local, state and federal government agencies to share information. As a government agency, TVA is in a unique position to collect and share information with others in the utility industry. TVA regularly meets with governmental peers and local power company customers to stay informed about emerging issues and to support organizations that need assistance solving problems.
While TVA cannot reveal details of its security program, there are many actions TVA is taking to protect its power grid and the people who depend on it.
Scott Self explained, “Growing our knowledge in cybersecurity is vital to our industry. As an industry, we need to work together to reduce vulnerabilities and put safeguards in place to ensure the security of our generating and transmission systems.”
“As technology changes, so must cybersecurity. We will stay ahead of the curve and maintain our focus to move beyond security compliance to proactively address emerging issues.”