The NIST Cybersecurity Framework Applies to You!

John Q. Todd

Sr. Business Consultant/Product Researcher, Total Resource Management (TRM), Inc.

Cybersecurity is certainly not a new concern for the energy and utility industries, but it continues to grow in importance. The consequences of security breaches are very public and can have a deep impact on an organization well beyond the first few days of chaos they cause.

While a Utility or Energy producer might not be a federal agency, the NIST (National Institute of Standards and Technology) Cybersecurity Framework may very well apply! It is crucial that the organization be aware of the cybersecurity rules, requirements, and regulations that they must follow. Audit results/findings and potential penalties can reach into the millions of dollars that would be better spent elsewhere.

It is incumbent upon the Utility or Energy producer to not only be aware of their specific organization’s requirements, but to also seek out software solutions that are certified to meet or exceed the specific security regulations in play. The good news is that for utilities and energy concerns, Total Resource Management (TRM) has the high-security cloud solutions needed to be proactive and compliant whether commercial, state, or federal.

But we are just using the CMMS/EAM to process work orders. Why is security so important?

Cybercriminals are very aware of the numerous entry points that the typical energy or utility organization has, simply due to the nature of its systems. Facilities are often in remote and unattended areas, and they are given access to "the network" as needed. Given the proliferation of remote monitoring, edge computing, and the use of equipment telemetry for analysis and decision-making, the opportunity for nefarious activity is greatly increased. What may appear to be a simple additional network access point may be exactly what is needed to cause a great deal of havoc.

Keep in mind that the CMMS/EAM system may be ingesting data from these far-flung sources of data, meaning that there is a network connection/path between the two. Proactive security procedures are necessary along the entire path, no matter what that path is made up of.

A good example of this is piloting the capture of equipment data for the purpose of analysis. The devices capturing the data may be hardwired with network cable, but they can also be wireless. In addition, the computing devices that are capturing, storing, and transmitting the data will be on a network of some kind. Just because the pilot may run for a limited period does not mean it is exempt from the organization's cybersecurity policies and procedures. In fact, it should be under greater scrutiny!

Beyond that, cybercriminals also know the economic value of not only the equipment, but also the product it produces. There is significant motivation to not only disrupt, but to also benefit financially from their keystrokes.

It is a fact, supported by real data as well as by our own gut feelings, that cyberattacks are on the increase and continue to be creative in their approaches. Just because the local network is "air-gapped" does not make that a 100% preventive solution!

Tucker Bailey from McKinsey & Company says this, “Electric-power and gas companies are especially vulnerable to cyberattacks, but a structured approach that applies communication, organizational, and process frameworks can significantly reduce cyber-related risks.”

As a bit of a side note, it is not unusual for a business unit to want to implement a software solution with "little to no involvement of the IT Department." This has increased a bit with the availability of cloud solutions. Allow us to state that ignoring the IT Department not only sets the organization up for potential disaster, but also puts the organization at an increased risk of a cyber-breach, especially if you are considering going to the cloud. (It is also possible to get fired!) Just because the software is running in the cloud and being looked after by a capable third party does not mean it meets the security requirements the organization must follow. Maurice Mugo provides an example of what is becoming a common implementation that could fall into this trap, drones: "While the convenience and efficiency of these drones are undeniable, the silent and substantial risk of data breaches cannot be neglected."

From Voluntary to Mandatory and Proactive

The days of voluntary compliance standards have been waning quickly. Now the expectation is not only mandatory adherence to a standard, but also adopting a proactive approach to your cybersecurity efforts. The reporting of incidents has been further defined and levels set as to what shall be reported or not. PwC provides an Outlook that might be helpful as well as an article on better breach reporting to be required by law.

Built into the acts and standards in the above links is a degree of protection (as detailed in their supporting documentation) for those organizations who do adhere and report accordingly, which offers a carrot that the previous voluntary approach lacked.

For organizations willing to take a more active detection approach rather than simply putting preventive controls in place, the goal should be to detect an intrusion or other unwanted activity while it is happening, rather than cleaning up the mess afterwards. There will always be some degree of recovery needed after an attack, but by taking a more proactive approach, the degree and cost of recovery is expected to be reduced. The North American Electric Reliability Corporation – Critical Infrastructure Protection (NERC CIP) says regarding the area of internal monitoring, "In the event of a successful attack, improved internal monitoring would increase the probability of early detection of malicious activities and would allow for quicker mitigation and recovery from an attack."

The Impact on Budgets

Of course, along with the need for these mandatory programs there will be an impact on the budgets to support them. It is no surprise that organizations are seeing increases in their cybersecurity budgets year over year. It is also not a surprise to see "cybersecurity-related activities" as line items in proposals.

For example, when establishing the budget for a Computerized Maintenance Management System/Enterprise Asset Management (CMMS/EAM) implementation, cybersecurity tasks, documentation, and testing should be line items unto themselves vs. simply blended in with other tasks. Further, there may be significant differences in the budget between an on-premises implementation and one occurring in the cloud.

State and Federal

As regulations from federal and state agencies have been put into place, industry groups have created tools and methods to assist in assessing the state of cybersecurity at a facility. While these tools may have industry-specific nuances, they clearly flow up to and support the NIST Cybersecurity Framework. One example is the American Water Works Association (AWWA) Cybersecurity Guidance and Assessment Tool. State utility commissions have been using state law to address cybersecurity across the energy sector and the infrastructure that it and their constituents rely upon.

As the energy infrastructure continues to be targeted by malicious actors, the federal government is working to help industry. This is critical because electrical distribution systems are typically under the jurisdiction of the state. Daniel Shea from the NCSL tells us that, “A number of states have already taken action to bolster cyber-protections for the grid assets outside of the bulk power system, in addition to other energy systems and critical infrastructure.”

Cybersecurity is not a one-time check

Back to the federal level, organizations like the Office of Cybersecurity, Energy Security, and Emergency Response (CESER) have the never-ending task to research, develop, and demonstrate cybersecurity solutions. The focus is on the energy infrastructure of our nation, given the increasing risks and attacks that do not seem to be diminishing. Cybersecurity regulations and requirements may be several years behind the actual risks present today, so it makes sense to be acutely aware of what is happening in this space. This points us back to the proactive approach to cybersecurity that is being mandated. It is no longer reasonable to wait for the regulatory process to form the approach.

One example of the best practices that come from agencies such as CESER is the definition of vulnerability zones across an organization. From field operations all the way into the corporate data center, different required levels of security can be defined. It is important to understand that the typical CMMS/EAM solution may cross multiple security zones, and its access must be structured accordingly.

Here are a few of the other organizations that work to provide not only coordination between industry and government, but to also provide assistance and expertise in preventing and recovering from incidents. There are many more and it is important to be familiar with those working within your industry:

Electricity Subsector Coordinating Council (ESCC)

Electricity Information Sharing and Analysis Center (E-ISAC), operated by NERC

How to proceed?

The first step is to recognize that cybersecurity is a serious subject and that preventing an attack, or the opening of a vulnerability, is largely up to the individual. It is not just the responsibility of the IT department to keep the company safe. No matter the software/hardware solutions being implemented, the security requirements in play must be understood by those inside the organization who can help navigate their implementation.

The next step, given this new knowledge, is to make the organization's cybersecurity requirements clear to all vendors, current and potential. This comes in the form of written requirements in requests for proposal, market inquiries, etc. Knowing ahead of time that a potential solution meets the cybersecurity requirements can be a huge time saver, not only for the organization but also for the vendors on the list.

The NIST Cybersecurity Framework, with a focus on 800-53, provides standards, processes, and procedures to ensure that the business and technology solutions are in step with the risks that are present.

TRM has been hosting software solutions in a variety of secure environments, including NIST-53 and FedRAMP, for many years. (TRM manages and operates the FedRAMP Authorized Maximo SaaS solution for IBM.) Our cloud customer base includes federal agencies and contractors, investor-owned and municipal utilities, and various commercial interests with heightened cybersecurity concerns.

We are also an ISO 27001 registered cloud host. (ISO 27001 is an international standard for managing information security.)

We are uniquely qualified to implement a software solution, such as our High-Security Cloud, that meets the most rigorous cybersecurity requirements.

Ready to elevate your asset management?

Connect with TRM to start your journey toward exceptional performance.
