Roadmap to Secure Control Systems in the Energy Sector
Full Title of Reference
Roadmap to Secure Control Systems in the Energy Sector
Energetics Inc., Roadmap to Secure Control Systems in the Energy Sector (2006). Web
- Resource by Type: Independent Reports
- Threats and Actors: Electricity, Oil and Natural Gas; Private Critical Infrastructure
- Issues: Public-Private Cooperation
Control systems form the central nervous system of the North American energy infrastructure. They encompass vast networks of interconnected electronic devices that are essential in monitoring and controlling the production and distribution of energy in the electric grid and the oil and gas infrastructure. The ability of these cyber systems to provide automated control over a large, dispersed network of assets and components has helped to create the highly reliable and flexible energy infrastructure we have today. However, this span of control requires control systems to communicate with thousands of nodes and numerous information systems—thus exposing energy systems and other dependent infrastructures to potential harm from malevolent cyber attack or accidents.
An Urgent Need
Energy control systems are subject to targeted cyber attacks. Potential adversaries have pursued progressively devious means to exploit flaws in system components, telecommunication methods, and common operating systems found in modern energy systems with the intent to infiltrate and sabotage vulnerable control systems. Sophisticated cyber attack tools require little technical knowledge to use and can be found on the Internet, as can manufacturers’ technical specifications for popular control system equipment. Commercial software used in conventional IT systems, which offers operators good value and performance but poor security, is beginning to replace custom-designed control system software.
Efforts by the energy sector to uncover system vulnerabilities and develop effective countermeasures have so far prevented serious damage. However, attacks on energy control systems have been successful. The need to safeguard our energy networks is readily apparent: energy systems are integral to daily commerce and the safe and reliable operation of our critical infrastructures. Any prolonged or widespread distruption of energy supplies could produce devastating human and economic consequences.
The urgent need to protect our energy control systems from cyber attack has prompted industry and government leaders to step forward and develop an organized strategy for providing that protection. Their efforts have produced this Roadmap to Secure Control Systems in the Energy Sector, which presents a vision and supporting framework of goals and milestones for protecting control systems over the next ten years. This strategic framework enables industry and government to align their programs and investments to improve cyber security in an expedient and efficient manner. The Roadmap integrates the insights and ideas of a broad cross-section of asset owners and operators, control system experts, and government leaders who met for a two-day workshop in July 2005 and contributed to subsequent reviews. Their purpose was simple: create an effective plan and execute it.
Asset owners and operators believe that within ten years control systems throughout the U.S. energy sector will be able to survive an intentional cyber assault with no loss of critical function in critical applications. This is a bold vision that confronts the formidable technical, business, and institutional challenges that lie ahead in protecting critical systems against increasingly sophisticated cyber attacks.
Utilities and energy companies have long recognized that it is neither practical nor feasible to fully protect all energy assets from natural, accidental, or intentional damage. However, the sector’s track record of excellent reliability reflects an effective protective approach that balances preventive measures with rapid response and recovery in a competitive business environment. Accordingly, the industry’s vision for securing energy control systems focuses on critical functions of the most critical applications. These are the functions that, if lost, could result in loss of life, public endangerment, environmental damage, loss of public confidence, or severe economic damage. This risk-based approach builds on the established risk-management principles now in use throughout the energy sector.
A Strategic Framework
To achieve this vision, the Roadmap outlines a strategic framework featuring four main goals that represent the essential pillars of an effective protective strategy:
Measure and Assess Security Posture. Companies should thoroughly understand their current security posture to determine system vulnerabilities and the actions required to address them.
Within 10 years, the sector will help ensure that energy asset owners have the ability and commitment to perform fully automated security state monitoring of their control system networks with real-time remediation capability.
Develop and Integrate Protective Measures. As security risks are identified, protective measures should be developed and applied to reduce system risks.
Security solutions will be developed for legacy systems, but options will be constrained by the limitations of existing equipment and configurations. Within 10 years, next-generation control system components and architectures that offer built-in, end-to-end security will replace many older legacy systems.
Detect Intrusion and Implement Response Strategies. Because few systems can be made totally impervious to cyber attacks all the time, companies should possess sophisticated intrusion detection systems and a sound response strategy.
Within 10 years, the energy sector will operate control system networks that automatically provide contingency and remedial actions in response to attempted intrusions into the control systems.
Sustain Security Improvements. Maintaining aggressive and proactive control system security over the long term will require a strong and enduring commitment of resources, clear incentives, and close collaboration among stakeholders.
Over the next 10 years, energy asset owners and operators are committed to working collaboratively with government and sector stakeholders to accelerate security advances.
To achieve these four goals, the Roadmap contains key milestones tied to distinct time frames. This structure introduces a coherent framework for mapping efforts currently underway in the public and private sectors and helping to launch new projects that advance the security of control systems.
The Challenges Ahead
Achieving these milestones will be challenging. Many energy companies today have limited ability to measure and assess their cyber security posture. They lack consistent metrics or reliable tools for measuring their risks and vulnerabilities. Threats, when known, are often difficult to demonstrate and quantify in terms that are meaningful for decision makers. Control systems are becoming increasingly interconnected and often operate on open software platforms with known vulnerabilities and risks. Poorly designed connections between control systems and enterprise networks introduce further risks. Security upgrades for legacy systems may degrade performance due to the inherent limitations of existing equipment and architectures. New architectures with built-in, end-to-end security will take years to develop and even longer to deploy throughout the energy sector.
Cyber intrusion tools are becoming increasingly sophisticated. When attacks occur, information about the attack, consequences, and lessons learned are often not shared beyond the company. Outside the control system community, there is poor understanding of cyber security problems, their implications, and need for solutions. Coordination and information sharing between industry and government is also inadequate, primarily due to uncertainties in how information will be used, disseminated, and protected. Finally, even when risks, costs, and potential consequences are understood, it is difficult to make a strong business case for cyber security investment because attacks on control systems so far have not caused significant damage.
A Call to Action
Implementing this Roadmap will require the collective commitment of key stakeholders throughout the control systems value chain. Asset owners and operators bear the chief responsibility for ensuring that systems are secure, making the appropriate investments, and implementing protective measures. They are supported by the software and hardware vendors, contractors, IT and telecommunications service providers, and technology designers who develop and deliver system products and services. Researchers at government laboratories and universities also play a key role in exploring long-term solutions and developing tools to assist industry. Industry organizations and government agencies can provide the needed coordination, leadership, and investments to address important barriers and gaps. Each of these stakeholder groups brings distinct skills and capabilities for improving control system security.
Roadmap implementation will entail three main steps.
1. Ongoing industry and government efforts to enhance control system security should be aligned with Roadmap goals, and current activities mapped to the milestones. This will help to highlight any gaps that are not being addressed and identify areas of overlap that would benefit from better coordination.
2. New projects should be initiated that address the critical needs identified in the Roadmap. Leaders in the energy sector and government must step forward to organize, plan, resource, and lead projects that provide solutions to known security flaws. Additional new projects may also be launched as gaps in existing activities are identified.
3. A mechanism should be developed to provide ongoing oversight and coordination for pursuing the Roadmap. Existing sector coordinating councils and control system forums are strong candidates for fulfilling this important function.
Additional Notes and Highlights
Expertise Required: None
This work was sponsored by the Dept. of Homeland Security and the Dept. of Energy.