Simulating a Cyberattack on the Energy Industry

Energy Industry Cybersecurity: A Playbook for Incident Response

By: Leo Simonovich, Global Head of Industrial Cybersecurity, Siemens Energy, Inc.

Today’s cybersecurity environment brings attacks to the utility sector with increased frequency and sophistication, and many people in the energy industry are struggling to adapt to the new normal. The simple fact is that we can no longer treat cybersecurity as though attacks are rare, one-off events.


A 2019 Ponemon Institute study found that utility operational technology (OT) infrastructure is significantly more vulnerable to a cyberattack than utility information technology (IT) networks; breaches also have a more destructive impact on operations. Instead of seeking to extract information like credit card numbers or business practices, attackers aim to disrupt service or damage critical infrastructure. In other words, OT, everything outside the enterprise network, is the new frontier for cyberthreats against critical infrastructure. Utilities must now plan for resilience against a backdrop of constant siege.


The best way to approach this new threat environment is to develop an incident response (IR) plan to better detect, contain, and eliminate cyberattacks with minimal impact on operations. That is why I recently participated in an interactive tabletop exercise in London held jointly by the UK Energy Emergency Executive (E3CC) and the UK Department for Business, Energy and Industrial Strategy (BEIS). During the exercise I presented a Siemens playbook for an IR scenario where a cyberattack on a utility caused a city-wide blackout. The playbook, “Simulating a Cyberattack on the Energy Industry: A Playbook for Incident Response,” uses specific examples drawn from the exercise, but its lessons are broadly applicable for regulators, utilities, and OT or IT security experts anywhere in the world.


In the same way the physical safety of a plant depends on many people understanding their roles and responsibilities to ensure the availability and safety of operations, cybersecurity is a collective undertaking. Teams that have built and practiced an IR playbook in advance of a breach will perform better than teams forced to improvise every time.


Detecting and responding to a breach requires cybersecurity, IT, and OT experts to work together in a crisis. Leaders will need to choose between competing interests during cyber incidents and make decisions with partial information in high-stress situations. Continuing plant operations may preclude investigation of anomalies or make it more difficult to preserve evidence. Someone in the organization will need to decide when and how to engage with partners, vendors, regulators, and the public. All these issues require thoughtful consideration before a crisis.


Whether an organization is creating its first IR plan or building on existing capabilities, a clear OT response framework will help build a culture of continuous improvement and constant vigilance. Strong cybersecurity IR begins before an incident occurs and continues long after normal operations have been restored. The following steps are distinct and crucial aspects of IR decision-making and are intended to form a feedback cycle:

  • Preparation—practicing a methodical response to a wide variety of threats: To prepare, IR teams should build and maintain an industrial forensic toolkit. An organization should also identify which staff will centrally manage a crisis, define roles, and educate plant personnel. This team will be responsible for rebooting equipment, restoring operations, and eliminating vulnerabilities during an incident.
  • Identification—identifying that a cyberattack is underway: An initial signal might come in the form of an operational abnormality or more directly as ransomware. Field personnel are especially important in helping distinguish between security and process control system abnormalities. An investigative playbook can help diagnose, triage, and activate responders in assessing the impact and determining appropriate next steps.
  • Containment—ensuring the incident causes no further damage: The overarching priority is to isolate infections, maintain production, and, above all, ensure actions do not further jeopardize plant safety or operations. In an OT context, containment can be difficult; utilities must isolate the source of an attack and determine when to apply a built-for-purpose passive forensic tool to remove malware from production networks or limit unnecessary data transfers.
  • Eradication—removing the threat: The forensics team must ensure that essential operations are backed up should challenges arise with restoration. Possible methods could range from system patching or rebuilds to full architecture redesign. The team should preserve evidence, which may range from mapping of employee change control to full-system image capture.
  • Recovery—enacting a phased recovery plan to restore full strength operations: This requires focusing on restoring critical systems first—or operating in analog mode—until there is confidence in system-level performance. An environmental and safety check should be done in parallel to control for unintended performance impacts of restoration.
  • Lessons learned—documenting lessons learned from the incident: The lessons-learned process is an ongoing activity that must not only capture the immediate impacts of an incident, but also the long-term improvements to plant security. These could range from a better-designed process-control system and the stand-up of a physical command response center to enhancing an organization’s monitoring capabilities. This response system should include utility peers, vendors, authorities, and the security community.

Everything learned from those six steps goes into the feedback loop. An IR plan can and should always get smarter and faster after every cyber incident. Adapting to the new normal won’t be an easy process, but creating and communicating a structured IR plan is the first step toward protecting OT.