Cybersecurity and Physical Security

Working together to improve utility cyber defenses

The deluge of high profile ransomware attacks affecting airlines, banks, utilities, and other critical systems are an urgent warning for the necessity of robust compliance and cybersecurity strategies that protect and monitor back-end servers and mobility devices. It is a warning that the leadership of public power utilities need to heed by ramping up cybersecurity defenses.

A single breach can devastate an organization’s reputation and harm customer confidence. While large corporations can mount large-scale defensive cyber resources, municipal and public utility districts are often challenged by a lack of in-house cybersecurity experts and lean budgets.

This challenge is why utilities and other critical infrastructure systems make it a priority to participate in cybersecurity information sharing. Sharing information on threats, recommended patches, and effective responses helps these institutions have a unified front against cyber attacks – and helps entities leverage and share cybersecurity expertise.

State, local, tribal and territorial governments (SLTTs) use the Multi-State Information Sharing and Analysis Center® (MS-ISAC®), a partnership between the Center for Internet Security® (CIS®) and the Office of Cybersecurity and Communications within the U.S. Department of Homeland Security (DHS), for cyber information sharing. The MS-ISAC has more than 2,000 members, including public power utilities.

Cybersecurity analysts and incident response team members monitor for the misuse of any member-provided domains or IP addresses by constantly analyzing cyber threat information from multiple sources, and then share any identified threats with members. The MS-ISAC Security Operations Center operates 24 hours a day, 365 days a year.

Timothy Pospisil, director of corporate security and CSO at Nebraska Public Power District, shared how the public power utility receives a daily threat briefing, weekly list of bad IP addresses, and monthly perimeter scanning from MS-ISAC. 

Pospisil noted how this information, particularly the perimeter scanning, gives a utility “visibility” it otherwise does not have.

As a specific example, Pospisil recalled that in the second month NPPD got a perimeter scan report, which uncovered a system that had not gotten properly patched. Pospisil said that, thankfully, there was not an incident due to the flaw, but that the process pointed out a “weakness that we didn’t even see.”

Pospisil shared a common concern among cybersecurity professionals that there is never enough manpower to do everything that they want to do. He advises utilities to look for every opportunity to use tools and automation to help with cybersecurity efforts, and mentioned how the reports and alerts from MS-ISAC are among a number of sources NPPD relies on to help mitigate threats.

Pospisil reflected on how NPPD created a dedicated cybersecurity department back in 2003, and how the environment for utility cybersecurity has become much more complex since then.

Importantly, Pospisil stressed that the MS-ISAC tools and reports quickly digest information in a way that allows staff to easily ingest and respond to threats without needing to have a highly technical background. Pospisil said that NPPD has not needed to add any new technology or staff resources to take advantage of the reports and services.

Utilities might benefit from reviewing the cybersecurity best practices that CIS outlines, such as the CIS Benchmarks™ and the CIS Controls™, which form the foundation of basic cyber hygiene to protect an organization’s networks, operating systems, and software.

Speaking about the CIS Controls, Pospisil noted that, “It is yet another set of analytics that you can use to assess yourself,” said Pospisil. “It also confirms that you are doing some of the right things.”

Membership in the MS-ISAC is free and open to all U.S. SLTT government entities. To learn more about membership for your public power utility, visit https://www.cisecurity.org/ms-isac/.  

Note: The American Public Power Association encourages public power utilities to also sign up for the free Electricity Information Sharing and Analysis Center portal run by the North American Electric Reliability Corporation. The E-ISAC portal monitors threats specific to the nation’s electric grid and sends alerts to all subscribed utilities. Sign up at www.eisac.com.

Tags