Our client, a municipal utility company, cited cybersecurity as one of its foremost challenges. Public welfare and local, regional, and national economies are threatened by even minor disruptions or shutdowns of the services provided by entities that maintain our nation’s electrical and energy resources grid. Intone was engaged to assess several specific cyber risk areas and to develop a strategy of security processes to protect our client from the damage a successful cyberattack could inflict on its operations and on the communities and economies that rely on its ability to deliver uninterrupted utility services.
Intone was asked to assess our client’s cybersecurity defence-in-depth strategy as it related to antivirus software update procedures and their Supervisory Control and Data Acquisition (SCADA) system. SCADA systems were historically designed as proprietary products: robust, confined to a local area network (LAN), and easy both to operate and to maintain. The evolution toward wireless connectivity and the cloud has brought more efficient interoperability and computing benefits, but it brings the associated cyberattack risks as well.
Intone used the strategies set forth in the guidance of two cybersecurity authorities: first, NIST (National Institute of Standards and Technology) Special Publication 800-82 Revision 2, Guide to Industrial Control Systems (ICS) Security: Supervisory Control and Data Acquisition (SCADA) Systems, Distributed Control Systems (DCS), and Other Control System Configurations such as Programmable Logic Controllers (PLC); and second, the report Recommended Practice: Updating Antivirus in an Industrial Control System, from the U.S. Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) Industrial Control Systems, ICS-CERT (Industrial Control Systems – Cyber Emergency Response Team). Intone staffed the assessment team with experienced, dedicated cybersecurity professionals with deep industry-specific knowledge and a full understanding of current technologies and the cyber threat environment.
Our assessment found that our client was properly implementing the antivirus deployment and update best practices recommended by ICS-CERT. They had separated their ICS and corporate IT systems with an ICS demilitarized zone (DMZ), which correctly contained only the ICS servers that are accessible from the IT network. Their antivirus update procedures followed the secure network architecture recommended for ICS.
The client was also ahead of industry peers with a detailed change management, backup, and testing policy that was well managed and strictly followed. However, their approach to SCADA system security needed updating. Intone’s assessment found that their cybersecurity tactics had mostly involved securing perimeter access with firewalls, while little attention had been paid to threats already present within their internal network.
Our assessment revealed that insiders, not outside hackers, represent the highest cyber threat risk to our client’s IT and operational technology (OT) networks. We recommended that they remedy their lack of real-time cybersecurity intelligence by deploying anomaly detection tools and analytics. These tools and analytics turn anomalies discovered within their network environment into the actionable intelligence they need. Intone also recommended that our client develop their cybersecurity program around a unified security framework, a proven methodology for implementing a comprehensive program.
At the conclusion of the assessment project, Intone provided our client with a strategic roadmap for enhancing their cybersecurity program: understanding the enterprise security risks to their mission, directing resources to the highest-priority risks, deploying cybersecurity tactics within a programmatic framework, building on the framework’s capabilities through continuous monitoring and improvement, and documenting and reporting areas of tangible progress and performance.
Lastly, we advised our client to continue following the guidance of cybersecurity experts, to monitor all available publications, and to stay alert to technology disruptions, both good and bad. Our subject matter experts also developed post-project cybersecurity awareness training for all employee groups.