Ottawa should follow a U.S. government program to have electric utilities carry out a so-called 100-day sprint to look at and improve the readiness of their industrial control systems to resist cyberattacks, according to an expert in cybersecurity for critical systems.
“It is absolutely something Canada should do,” Mark Fabro, president and chief security scientist at Lofty Perch, Inc., a Markham, Ont.-based consultancy, said in an interview.
But, he emphasized, it shouldn’t be seen as an admission that industrial control systems (ICS) on the operational technology (OT) side of the North American electrical system are in serious trouble.
“I really don’t want the creation of this program to be interpreted as an element of fear, uncertainty and doubt to suggest there is an irreparable problem out there.” Rather, he said, it’s a good idea for utilities and political leaders in both countries to know what the state of OT systems is.
His support was echoed by Robert Wong, former CIO of Toronto Hydro, who is now a cybersecurity advisor to the Ontario government.
“I think a concerted effort by all utilities to gain greater visibility into OT cybersecurity risks and potential vulnerabilities is a good thing,” he said in an email. “Having said that, I am skeptical that a 100-day sprint approach will actually yield significant improvements. Focusing more on detection and response, as opposed to just prevention, makes good sense, and I strongly support that. However, for any meaningful improvements, it will take much longer to upgrade or replace legacy OT software systems; implement specialized OT cybersecurity tools to monitor, analyze and protect OT systems; isolate OT networks from corporate networks; upgrade firewalls; etc.”
Wong pointed out that utilities manage widely distributed assets, many of which consist of legacy endpoint devices that run out-of-support software like Windows XP. Replacing these is very costly and time-consuming.
“Nevertheless, I do support a national approach to strengthening the cybersecurity posture of Canadian utilities’ OT systems. Ensuring the reliable delivery of electricity, water, gas, and telecom services is critical to national security,” he noted.
Earlier this week, the U.S. Department of Energy announced the so-called 100-day sprint to enhance the cybersecurity of electric utilities’ industrial control systems (ICS) and secure the energy sector supply chain. The action is a coordinated effort between the country’s energy department, the electricity industry, and the U.S. Cybersecurity and Infrastructure Security Agency.
“The United States faces a well-documented and increasing cyber threat from malicious actors seeking to disrupt the electricity Americans rely on to power our homes and businesses,” said Energy Secretary Jennifer Granholm. “It’s up to both government and industry to prevent possible harms—that’s why we’re working together to take these decisive measures so Americans can rely on a resilient, secure, and clean energy system.”
According to the energy department’s website, the program will:
- Encourage energy owners and operators to implement measures or technology that enhance their threat detection, mitigation, and forensic capabilities.
- Reinforce the cybersecurity posture of critical infrastructure information technology (IT) networks.
- Include a voluntary industry effort to deploy technologies to increase the visibility of threats in ICS and OT systems.
- Include “concrete milestones over the next 100 days for owners and operators to identify and deploy technologies and systems that enable near real time situational awareness and response capabilities in the critical industrial control system (ICS) and operational technology (OT) networks.”
However, those milestones have not been made public, and details remain scarce. That’s one reason why a U.S. news site says cybersecurity vendors in the U.S. are trying to make sense of the plan.
Fabro has testified before the U.S. Congress on cybersecurity for critical infrastructure and helped develop standards for several sectors.
Many cybersecurity experts have warned that cybersecurity for OT systems in any industry isn’t as advanced as protection for IT systems. This is for several reasons, including legacy equipment that isn’t designed to be patched.
The leading evidence experts point to when it comes to unsecured OT systems are the 2015 and 2016 cyberattacks on Ukraine’s power generators, which knocked out electricity for hours. The latest incident was the attempt in February to seize control of a Florida water treatment plant.
In November 2020, the government’s Canadian Centre for Cyber Security issued a threat bulletin summarizing risks to the country’s electricity sector that said it is unlikely state-sponsored threat actors will intentionally try to disrupt the power grid. But, it added, cybercriminals are “increasingly likely to attempt to access, map and exploit” ICS systems for extortion with customized ransomware.
It also warned highly sophisticated threat actors would target supply chains and managed service providers to learn about the ICS of a utility.
The idea of making U.S. electric providers look closely at their OT systems isn’t new, Fabro said, which is one reason why he wasn’t surprised by this week’s announcement.
“The fact that this is specific to electrical utilities but makes specific reference to improving operational technology with milestones, that’s great. Because now you’re actually talking about what’s being done at the level that is running the grids.”
“I don’t believe it is meant to imply there is a sweeping immaturity across the sector that demands this to be looked at,” he added.
In fact, he praised the work done by the North American Electrical Reliability Council (NERC), which implements and enforces the critical infrastructure protection (CIP) standards. Most of the standards are cybersecurity-related, he said. Canadian and American bulk power suppliers are obliged to adhere to those standards.
Bulk power suppliers are large utilities that create, transmit, and in some cases, distribute electricity. They are separate from local utilities largely responsible for local power distribution. They may not be obliged to follow NERC standards.
“Canada and the bulk electric system from the perspective of cybersecurity are exceptionally mature and forward-leaning insofar as understanding cybersecurity risk and threat mitigation for their mission-critical control systems,” Fabro said. “It would be a mistake to assume that in Canada, the significant utilities responsible for bulk power operations don’t have a level of maturity. They do. I think this (U.S.) program is an excellent idea that should be considered at the Canadian level because it should dovetail into current best practices as being performed by Canadian electric sector stakeholders.”
Washington is not telling U.S. utilities, “you have to do these things,” he emphasized. He believes the plan says there are now cybersecurity detection and visibility technologies for ICS that work, and utilities should take the next 100 days considering how to implement them.
“This has been proven to work. This is why we haven’t seen massive incidents,” he said. “We’ve got utilities that are doing this. Some of the large, more mature utilities are doing this.”