Utility companies – and the services they provide – play a crucial role in our day-to-day lives. However, these organizations are frequently the targets of sophisticated cybersecurity threats. Attacks can cripple a utility company in a moment and leave customers without power, heat, or running water.
The best way utilities can counter cybersecurity attacks is with a centralized, well-equipped security operations center. In this blog, we’ll take a closer look at why utility companies need SOCs, along with the key role these command centers play in both blue and dark sky events.
Why Does Cybersecurity for Utility Companies Matter?
Many utility companies have expanded their physical and cybersecurity monitoring and response over the past few years, but it can still be difficult to keep up with ever-evolving threats. Utilities are particularly vulnerable to cybersecurity breaches due to three main factors:
- The interconnected physical and cyber infrastructure of utility companies makes them more susceptible to fraud.
- An increasing number of cybercriminals and “hacktivists” target utilities to demonstrate opposition and protest. Many state-sponsored attacks (primarily from Russia and China) are designed to cripple U.S. infrastructure, and utilities are considered “soft” targets due to their growing digitalization.
- The geographic and organizational size and complexity of utilities creates more attack surfaces for cybercriminals.
North American Electric Reliability Corporation-Critical Infrastructure Protection (NERC CIP)
NERC CIP is the “presiding set of standards that govern [the] Bulk Electric System (BES) in the United States and protect all those who use it from cyber threats.” NERC CIP is heavily influenced by the National Institute of Standards & Technology Cybersecurity Framework and “its risk management capabilities to measure reliable functioning operation using cybersecurity best practices.”
NERC has been certified by the Federal Energy Regulatory Commission (FERC) as the United States’ Electric Reliability Organization. FERC enforces critical infrastructure protection standards as part of mandatory compliance for bulk electric systems that must be followed to stay in reliable operation.
Ultimately, NERC CIP is designed to mitigate the potential cybersecurity risks of operating in the United States BES. As critical cybersecurity incidents become increasingly common, compliance standards protect consumers and utilities alike from the potentially disastrous effects of misuse.
How to Ensure Compliance with NERC CIP Standards
While NERC CIP currently contains 17 standards, only 11 of these rules are actively enforced. If you’re unsure whether your utility is in compliance, consult the list below:
- Bulk electric system cybersystem categorization helps you identify your most important cybersystems and critical assets, along with the potential risks of system misuse.
- Cybersecurity management control identifies who has access to security management controls in order to hold personnel responsible in the event of misoperation.
- Cybersecurity personnel and training protects the BES from the effects of misuse and inoperation through employee risk assessment, training, and security awareness.
- Cybersecurity electronic security perimeters measure the scope and actions required to protect against the potential vulnerabilities associated with remote access.
- Physical security of bulk electric system cybersystems requires a comprehensive plan that ensures the integrity of your utility operation’s physical security.
- Cybersecurity system security management involves the creation, implementation, and explanation of your utility’s security procedures for both critical and non-critical assets.
- Cybersecurity incident reporting and response planning includes personnel roles, individual actions, and the handling and reporting of incidents to governing bodies.
- Recovery plans for bulk electric system cybersystems ensure your utility’s critical cyber assets contain recovery procedures that are compliant with disaster recovery best practices.
- Cybersecurity configuration change management and vulnerability assessments prove that your entity has a system in place to identify unauthorized changes within the BES.
- Cybersecurity information protection demonstrates that your confidential BES cyber information is protected against unauthorized access that could create instability.
- Physical security is required to identify and protect transmission stations, substations, and their primary control centers against instability, uncontrolled separation, and cascading.
What is a Security Operations Center?
A security operations center is exactly what it sounds like: a central command post that prevents, detects, analyzes, and responds to cybersecurity threats. These 24/7 rooms gather information from across your utility company, including your networks, devices, and servers. Ultimately, SOC personnel are tasked with identifying threats and determining how they can be managed and mitigated.
Common Cybersecurity Operations Center Personnel
SOCs are staffed with a highly trained group of professionals who are solely focused on security. You can learn a bit more about each of these roles below:
- Incident responders react to security breaches on the ground.
- Analysts collect and analyze data during or after a breach to take corrective action.
- Investigators work closely with responders post-breach to determine the root cause(s).
- Auditors stay on top of legislation and other mandates to ensure compliance.
- The SOC manager oversees overall security operations, but can fill any role if necessary.
- The chief information security officer (CISO) is responsible for both risk and compliance and typically reports directly to the chief information officer or chief executive officer.
What Are Security Operations Centers Responsible For?
Cybersecurity operations centers are responsible for a variety of essential functions within your utility company. They’re an integral part of your daily operations and are engineered to help minimize your vulnerability to cyberattacks. In this section, we’ll review the most important responsibilities of SOCs to give you a better understanding of why they matter.
1. Account for Available Resources
The primary goal of any security operations center is to generate a comprehensive view of your threat landscape, including software, endpoints, and services both on- and off-premises. This starts with securing the devices, applications, and processes that facilitate your operations. However, your SOC should also be armed with the defensive tools necessary to anticipate and respond to threats.
2. Proactive Monitoring
Because they monitor your network around the clock, your SOC can immediately detect and begin mitigating potential threats. Their toolbox includes SIEM (security information and event management) software and endpoint detection and response (EDR), both of which we’ll discuss below. These applications are designed to minimize the manual analysis that must be performed by your operators, making them a valuable addition to any SOC.
3. Preventative Maintenance
It’s essential that your SOC personnel are aware of the newest cybercrime trends and threats. Even more importantly, they should apply that knowledge to preventative maintenance like firewall updates, whitelisting and blacklisting applications, and patching weaknesses.
4. Alert Management
Your security operations center personnel must closely analyze every alert to determine whether a threat needs to be addressed. A well-outfitted SOC gives them the ability to rank threats by urgency and handle them in order of importance.
5. Threat Response
Once a threat has been triaged and confirmed, your SOC is the first line of defense against damage. This typically involves shutting down (or isolating) endpoints, deleting files, and terminating or preventing harmful processes.
6. Log Management
Your SOC is also responsible for gathering, maintaining, and reviewing logs of all your communications and network activity. This creates an activity baseline that can uncover threats, and the same records support remediation in the event of a breach.
7. Remediation & Recovery
Utility SOCs are also responsible for restoring systems and recovering data that was lost or compromised. This includes restarting, wiping, or reconfiguring endpoints or backing up systems to outmaneuver ransomware. Ultimately, your SOC should return your network to its pre-breach state.
8. Root Cause Investigation
In the wake of a security incident, your SOC’s most important job is determining exactly what happened, along with how and why it took place. This involves using log data to uncover the source of the problem, which can help you prevent similar threats from materializing in the future.
9. Security Improvements
Cybercriminals never stop developing and refining their techniques, so it’s crucial that your SOC remains vigilant. Security improvements go hand-in-hand with preventative maintenance and can include red, blue, and purple teaming, along with hands-on training.
10. Managing Compliance
While many SOC processes are informed by best practices, some may be governed by various compliance requirements. Along with helping you protect your data, compliance management can protect you from any legal challenges or reputational damage caused by a security breach.
Optimizing Security Operations Centers at Your Utility
While cybersecurity for utility companies may seem overwhelming at first, there are a number of steps you can take to safeguard your organization. Here are just a few ways to maximize the effectiveness of your SOC and overcome common issues faced by security operations:
- Choose a security framework that allows you to blend threat intelligence and security solutions into a single process.
- Incorporate actionable dashboards that help you easily stay on top of evolving threats and security activities.
- Evaluate your processes by studying your strengths and weaknesses, along with your risk profile and how you use collected data.
- Create an adaptive architecture that helps you strategize and incorporate optimized security protocols that enhance your organization.
- Embrace automation, integration, and orchestration that allows you to reduce the amount of manual hours your team expends.
- Ensure your threat management plan includes discovery, triage, analysis, and scoping of any potential security issues.
It’s also essential to ensure your compliance with the NERC CIP standards we mentioned earlier. Your personnel should have a comprehensive understanding of all 11 standards, and they should be implemented into your SOC optimization procedures. Along with protecting your utility from dangerous cyberthreats, CIP rules benefit end users by ensuring continuous service.
What is SIEM (Security Information & Event Management)?
Security information and event management software blends security information management (SIM) and security event management (SEM) to improve an IT environment’s overall security awareness. By gathering and analyzing real-time and historical data from many sources, SIEM systems improve threat detection, management, and compliance.
Most SIEM software follows a hub-and-spoke model by collecting and correlating data from multiple security inputs. These sources may include:
- Vulnerability assessment applications
- Governance, risk, and compliance (GRC) systems
- Database and application scanners
- User and entity behavior analytics (UEBA)
- Intrusion prevention systems
- Threat intelligence platforms (TIPs)
- Endpoint detection and response (EDR)
Once incidents or threats are identified, your SIEM software will notify the appropriate personnel. These systems also allow you to analyze an internal event log, which can help improve your security and user activity monitoring. Additionally, SIEM software provides auditors with insight into your utility’s compliance status through ongoing monitoring and reporting.
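To make the hub-and-spoke correlation described here, and the urgency ranking from the alert management section above, concrete, the following is an added illustration (not the post's own code or any vendor's product): a toy correlator that ingests constructed lines from three inputs (IPS, EDR, UEBA), clusters them per host within a time window, promotes clusters corroborated by more than one source to incidents, and returns them ranked by urgency. Hostnames, event types, and the line format are all assumed for the example.

```python
import re
from datetime import datetime, timedelta
# Constructed sample collector lines (hypothetical hosts); field 2 is the input (ips/edr/ueba).
SAMPLE_LOGS = """
2024-03-01T10:00:00 ips host=hmi-01 type=port_scan sev=2
2024-03-01T10:03:00 edr host=hmi-01 type=new_service_installed sev=4
2024-03-01T10:05:00 ueba host=hmi-01 type=off_hours_login sev=3
2024-03-01T10:10:00 edr host=eng-ws-07 type=av_quarantine sev=2
2024-03-01T10:12:00 ips host=eng-ws-07 type=outbound_blocked sev=3
garbled line from a collector restart
2024-03-01T11:30:00 ips host=hmi-01 type=port_scan sev=2
2024-03-01T11:40:00 ueba host=ops-laptop-3 type=off_hours_login sev=3
"""
LINE_RE = re.compile(r"^(\S+) (\S+) host=(\S+) type=(\S+) sev=(\d)$")

def parse_events(text):
    """Parse collector lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, source, host, etype, sev = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "source": source,
                           "host": host, "type": etype, "sev": int(sev)})
    return events

def correlate(events, window=timedelta(minutes=10), min_sources=2):
    """Cluster each host's events by time window; a cluster seen by min_sources
    or more independent inputs becomes an incident. Urgency = highest severity
    in the cluster plus one per extra corroborating source; highest first."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)
    incidents = []
    for host, evs in by_host.items():
        i = 0
        while i < len(evs):
            j = i
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                j += 1
            cluster = evs[i:j]
            sources = sorted({e["source"] for e in cluster})
            if len(sources) >= min_sources:
                urgency = max(e["sev"] for e in cluster) + len(sources) - 1
                incidents.append({"host": host, "start": evs[i]["ts"],
                                  "sources": sources, "urgency": urgency})
                i = j  # these events now belong to the incident
            else:
                i += 1  # a lone source stays noise until corroborated
    return sorted(incidents, key=lambda inc: inc["urgency"], reverse=True)
```

On the sample data the HMI host, flagged by all three inputs within five minutes, ranks above the engineering workstation, while the lone off-hours login on the laptop never becomes an incident.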
What is Endpoint Detection & Response (EDR)?
Also known as endpoint threat detection and response (ETDR), endpoint detection and response combines real-time endpoint data monitoring with automated response and analysis. Cybercriminals often view endpoints as the easiest way to infiltrate a network, and there are more network endpoints than ever before. All of this makes EDR security of the utmost importance, especially for utilities.
Endpoint detection and response systems are responsible for a variety of tasks, including:
- Monitoring and collecting data from threatened endpoints
- Analyzing data to identify potential threat patterns
- Automatically responding to threats by removing them
- Containing threats and notifying SOC personnel
- Researching identified threats and monitoring suspicious activity
While there are a wide range of potential endpoints, some of the most common include servers, desktops, laptops, tablets, smartphones, IoT devices, and digital assistants.