March 29, 2024

Sharing can help utilities fight cyber threats

by Ramesh Reddi

As a utility IT systems engineer and long-time cybersecurity consultant, I have many times walked into a utility control room, glanced at system dashboards and seen evidence of hacker attacks. I have seen intruders access utility systems, potentially revealing proprietary and critical information on utility assets and automation systems. And, I know it could help all utilities if such information could be shared quickly enough to thwart cyber criminals before they move on to the next utility target.

Utilities in the United States could certainly use the help. Here, a cyber-attack on a utility occurs on average every four days. That’s the figure Congressman Randy Weber, R-Texas, gave to a House Subcommittee on Research and Technology last year.

Until recently, utilities were reluctant to report such attacks, out of concern on two fronts. First, shared information was not used in a timely fashion, because real-time cyber-threat sharing technologies were lacking. Second, utilities had no legal protection against the liabilities that might result from sharing cybersecurity information.

However, now that the Cybersecurity Information Sharing Act (CISA) of 2015 has been signed into law, legal protections are in place to lower the risk of sharing such sensitive data. More important, the U.S. Department of Energy’s Cybersecurity Risk Information Sharing Program (CRISP) offers a timely and automated way for utilities to share their experiences and receive actionable information in return. With CRISP, it’s an all-new cybersecurity game for U.S. utilities. Here is how you can play to win.

Timely insight
CRISP is designed to give utility security professionals the timely information they need to identify, prioritize and coordinate the protection of their critical infrastructure and key resources. To be timely in the world of cybersecurity, information on threats must come in near real time and, through CRISP, it does.

Several government entities support CRISP. They include the:

  • Department of Energy’s Office of Electricity Delivery and Energy Reliability (DOE/OE)
  • North American Electric Reliability Corporation (NERC)’s Electricity Sector Information Sharing and Analysis Center (ES-ISAC)
  • Pacific Northwest National Laboratory (PNNL)
  • Argonne National Laboratory (ANL)

Among these players, PNNL runs the CRISP Analysis Center. Utilities that participate in CRISP install an Information Sharing Device (ISD) on their network border, just outside the corporate firewall; the ISD collects traffic data and sends it in encrypted form to PNNL. The CRISP Analysis Center evaluates the data it receives from participating companies and, combining it with government-furnished information, sends alerts and mitigation measures about potential malicious activity back to the participants.

The PNNL reports contain a combination of useful information, such as hostile IP addresses, DNS domains and other specifics, that makes them a very powerful addition to a utility’s cybersecurity toolset. Better yet, this tactical and highly actionable data arrives via machine-to-machine exchange every five to 15 minutes, depending on the level of activity. These alerts can be pulled directly into the participating utilities’ intrusion detection or intrusion prevention systems to help block malicious activity.

The language of vigilance
CRISP is an early adopter of three new threat-sharing standards developed by the U.S. Department of Homeland Security. Structured Threat Information Expression (STIX), Trusted Automated Exchange of Indicator Information (TAXII) and Cyber Observable Expression (CybOX) are free specifications that help organizations automate the exchange of cyber-threat records.

Structured Threat Information Expression (STIX) is an XML-based language for describing cyber threat information in a standardized and structured manner. STIX characterizes an extensive set of cyber threat data, including indicators of adversarial activity as well as contextual information about the threat, such as the adversary’s motivations, capabilities and specific activities.

Trusted Automated Exchange of Indicator Information (TAXII) standardizes the way information is exchanged by defining a set of services and message interactions that enable sharing of actionable cyber threat information across organizational and product/service boundaries. Again, the purpose of the standard is to facilitate the detection, prevention and mitigation of cyber threats.

TAXII does not define trust agreements, governance or non-technical aspects of cyber threat information sharing. Instead, TAXII empowers organizations to achieve improved situational awareness about emerging threats, and it enables organizations to easily share the information they choose with the partners they choose using existing relationships and systems.

DHS initiated TAXII to simplify and speed up the secure exchange of cyber threat information. The standard eliminates the need for a custom sharing solution with each sharing partner, and it makes widespread, automated exchange of cyber threat information possible.

Cyber Observable Expression (CybOX) is a structured language for the specification, capture, characterization, and communication of events or state properties that are observable in an operational domain. A wide variety of high-level cybersecurity use cases rely on such information, including event management and logging, malware characterization, intrusion detection, incident response, attack pattern characterization and indicator sharing. CybOX provides a common structure for relaying these observable circumstances, thereby improving consistent reporting.
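To make the STIX/CybOX description above concrete, here is an added example (my own illustration, not code from CRISP, PNNL or the article) that parses a small STIX 1.x package carrying two CybOX observables, a hostile IPv4 address and a DNS domain, and matches those indicators against firewall and DNS log lines, which is the kind of machine-to-machine feed an IDS would consume. The STIX package, the log lines and the namespace URIs are constructed here to follow STIX 1.x/CybOX 2.x conventions; none of them are taken from the article.

```python
import re
import xml.etree.ElementTree as ET

# Namespace URIs follow STIX 1.x / CybOX 2.x conventions (assumption; not quoted from the article).
NS = {"stix": "http://stix.mitre.org/stix-1",
      "indicator": "http://stix.mitre.org/Indicator-2",
      "cybox": "http://cybox.mitre.org/cybox-2",
      "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
      "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1"}

# Constructed sample package: one hostile IPv4 address and one DNS domain indicator.
SAMPLE_STIX = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
  xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
  xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1">
 <stix:Indicators>
  <stix:Indicator><indicator:Title>Constructed hostile C2 address</indicator:Title>
   <indicator:Observable><cybox:Object><cybox:Properties category="ipv4-addr">
    <AddressObj:Address_Value>203.0.113.45</AddressObj:Address_Value>
   </cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
  <stix:Indicator><indicator:Title>Constructed phishing domain</indicator:Title>
   <indicator:Observable><cybox:Object><cybox:Properties>
    <DomainNameObj:Value>malicious.example.net</DomainNameObj:Value>
   </cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
 </stix:Indicators></stix:STIX_Package>"""

# Constructed firewall / DNS log lines (documentation address ranges only).
SAMPLE_LOGS = [
    "2024-03-29T10:01:02Z allow src=10.0.5.17 dst=198.51.100.8 dport=443",
    "2024-03-29T10:01:09Z allow src=10.0.5.17 dst=203.0.113.45 dport=8443",
    "2024-03-29T10:02:44Z dns query=malicious.example.net src=10.0.7.3",
]

def extract_indicators(stix_xml: str) -> dict:
    """Return {'ipv4': set, 'domain': set} pulled from the CybOX observables in the package."""
    root = ET.fromstring(stix_xml)
    ips = {e.text.strip() for e in root.iterfind(".//AddressObj:Address_Value", NS)}
    domains = {e.text.strip().lower() for e in root.iterfind(".//DomainNameObj:Value", NS)}
    return {"ipv4": ips, "domain": domains}

def match_logs(indicators: dict, log_lines: list) -> list:
    """Return (log line, indicator) pairs; whole tokens are compared, so 203.0.113.4 never matches 203.0.113.45."""
    bad = indicators["ipv4"] | indicators["domain"]
    hits = []
    for line in log_lines:
        tokens = set(re.findall(r"[\w.-]+", line.lower()))
        hits.extend((line, ioc) for ioc in sorted(bad & tokens))
    return hits

if __name__ == "__main__":
    for line, ioc in match_logs(extract_indicators(SAMPLE_STIX), SAMPLE_LOGS):
        print(f"ALERT {ioc}: {line}")
```

In production the indicator set would be refreshed from the feed every few minutes and the matching done inside the IDS or SIEM rather than in a script.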

With these new standards – plus the reduced liability utilities enjoy now that the Cybersecurity Information Sharing Act of 2015 has gone into effect – there are more opportunities than ever for utility professionals to bulk up their cyber muscle through data-sharing programs. What’s more, CRISP isn’t the only new cybersecurity game in town. To learn more, download the latest white paper from the Smart Grid Interoperability Panel, titled ‘Cybersecurity Information Sharing in Electric Utilities’, from the SGIP website.

About the Author

Ramesh Reddi is currently working as Cybersecurity Consulting Manager at SGIP. Ramesh works with SGIP utility members in activities related to NIST cybersecurity frameworks, the DOE Cybersecurity Capability Maturity Model, OpenFMB™ and the Smart Grid Cybersecurity Committee. He was a key contributor to SGIP and NIST Smart Grid cybersecurity standards through his contributions to NISTIR 7628. He worked on key smart grid cybersecurity projects at PG&E, Exelon and FP&L. The projects focused on cybersecurity of transmission, distribution, AMI, enterprise, industrial control systems and critical infrastructure protection, using the NIST Cybersecurity Framework, NERC CIP and NIST industrial cybersecurity controls. In addition to his direct experience with utilities, he has many years of experience with vendors such as IBM and HP. His current interests include cybersecurity information sharing, IoT and the Industrial Internet Consortium Security Framework.