Cybersecurity: How Much Is Enough?

By Andrew Ginter, Vice President of Industrial Security, Waterfall Security Solutions | February 2014, Vol. 241 No. 2

Cybersecurity concerns with our critical infrastructures are well-known. In recent years, the Department of Homeland Security (DHS) and other authorities have encouraged critical infrastructure owners and operators to take steps to ensure cybersecurity for both their business and critical control system assets.

The American Petroleum Institute (API) was ahead of the game when, in October 2004, it issued API 1164, a voluntary industry standard specific to supervisory control and data acquisition (SCADA) systems designed to improve security within the oil and gas pipeline industry.

Most pipeline utilities have a security program implemented already, but in the changing landscape of attack threats and methodologies, the key question remains: Are current efforts enough? Cybersecurity risks to control systems range from pervasive malware designed by organized crime syndicates, to insider threats and sophisticated, targeted attacks.

Information technology (IT) security teams are focused on preventing information theft: credit card numbers, contract details and intellectual property, for example.

Control system security teams have a much different focus, however. Most often the cyber-compromise of a pipeline control system triggers a safety shutdown of the pipeline. If malware impairs the operation of any part of a control system, and the operator is no longer confident in overseeing and operating the pipeline, and no working and uncompromised backup system is available, the operator is required to shut down the affected parts of the pipeline.

A more sophisticated attack could have more serious consequences. If an attacker overrides safety protocols, he could open valves to cause spills, damage equipment through faulty operation, or even trigger shock waves, especially in liquids pipelines. This could damage the pipeline, valves and equipment, posing a safety risk to the general public.

The reality is that utilities will never be fully protected; we are never perfectly safe, and we are never perfectly secure. Because there is always more we can do and more we can buy, communicating our security posture to senior management is difficult. Telling management teams that “the next thing we should do or buy is this” does not help, as all they hear is, “I need more money.”

The way executives and board members resolve constant requests for additional funding is through a cost-benefit analysis for investments intended to increase profits or reduce costs, and a risk-management analysis for investments intended to address security and safety risks.

Management teams tend to use what they regard as mature risk management methodologies to evaluate risks and make investment decisions. Many management teams, for example, use some variation of the National Institute of Standards and Technology (NIST) methodology to evaluate security risks.

The methodology has a number of definitions of risk, the most succinct being NIST 800-37’s definition: “Risk is a measure of the extent to which an entity is threatened by a potential circumstance or event, and a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.”