The energy sector has become a focused topic in cybersecurity in recent years—and for good reason. Cyber attacks on the energy grid have grown in number and sophistication, and while they haven’t caused any outages in the U.S. yet, attackers have repeatedly shown that they have the capability. According to a 2019 report from the Government Accountability Office (GAO), there have been successful cyberattacks on power grids in other countries, including the notorious attack on the Ukrainian power grid in 2015.
So why do these security breaches keep happening if the cybersecurity community is on such high alert? The problem lies within the supply chain, and subsequently within the devices themselves. We’ve seen a rapid adoption of connected devices—ICS, OT, and IoT—within our critical infrastructure, including our utilities. But many security teams at utilities are not equipped to deal with the risks that come with these connected devices—not because they aren’t skilled, but because this is truly a complex issue with very little tooling available to empower teams to do their jobs quickly and effectively with confidence.
Meanwhile, there are an increasing number of regulations being passed in order to try to address these security issues. But these regulations can be vague or unclear and leave utilities scrambling to find solutions in order to stay compliant—and often, compliance does not quite lead to security.
Below we delve into both the technical and compliance challenges in the era of connected devices.
Hidden risks in the connected device supply chain
The challenges associated with securing connected devices stem from how they are built. A highly globalized economy and a robust open source software market have ensured that nearly every device manufacturer utilizes outside software and open source components. Typically, only 5 to 25% of code within firmware is proprietary, with the rest coming from open source or third-party suppliers. While utilizing code from vendors and other external sources, device manufacturers inadvertently inherit vulnerabilities that are either not disclosed or are otherwise not visible to them. This creates considerable risk to asset owners, including utilities, who do not know exactly what software is running inside their devices.
In the absence of product security solutions that focus on the true risk factors of connected devices and embedded systems, utilities have had to rely on third-party risk assessment services or penetration testing to ensure product security. Not only do these manual methods offer incomplete information, but they are inefficient, costly, and cannot scale with the rapid adoption and deployment of connected devices. This is especially true for smaller utilities that have limited security resources and personnel.
Increasing regulations with decreasing clarity
As a result of the increasing attacks on connected devices, the energy industry has had to contend with a growing number of regulations attempting to secure the Bulk Electric System. These regulations are often vague and difficult to comply with, both because of the lack of clarity around these issues and because of the scarcity of tooling available to solve the technical challenges described above.
For months now, utilities have been working to address NERC CIP-013. The regulation requires utilities to establish a plan to assess the security risk presented by vendors and products and to reduce risk factors in their overall procurement process. While having a plan in place is a good first step, it doesn’t necessarily bring utilities any closer to solving their security issues, especially given the limited efficacy of third-party assessments and other tools that merely check the box for compliance in this situation.
In May of 2020, the White House made the security of the U.S. bulk-power system a national priority when the president issued an Executive Order (EO). The EO bans the acquisition, importation, transfer, or installation of bulk-power system electricity equipment from companies under foreign adversary control. It covers equipment used in energy transmission and power generation needed to maintain transmission reliability (69 kV or more), including control centers and the software used to manage flows of electricity, voltage regulators, automatic circuit reclosers, transformers, and protective relays.
The challenge that utilities have been facing is that it is unclear what will ultimately be needed in order to comply with this Executive Order—and whether or not compliance, in this instance, will effectively minimize security risks. Finite State has commented on the effectiveness of EO 13920 in our response to a DOE request for information.
How utilities and device manufacturers can prioritize connected device security and ensure compliance
The key to truly ensuring that our connected devices (and thus our critical infrastructure) are secure is knowing what risks are hidden within each and every device on your network and within every security patch you download and deploy. You can do this quickly and at scale through Software Composition Analysis, which uses advanced firmware analysis to produce a Software Bill of Materials (SBOM) together with a comprehensive list of vulnerability and threat information (including hard-coded credentials, a list of CVEs for each firmware version, cryptographic materials, and more). Combining this ground-truth data with information on vendor supply chains, software provenance, and compliance is the only way to clearly see the whole product risk picture.
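The SBOM-plus-advisory matching this paragraph describes, as an added example that is not Finite State's code or platform: a CycloneDX-style SBOM fragment is checked against an advisory list with version ranges, and extracted firmware file contents are scanned for hard-coded credential patterns. All component names, versions, advisory ids and file contents below are constructed for illustration.

```python
import re

# Constructed CycloneDX-style SBOM fragment (component names and versions are made up).
SBOM = {"components": [
    {"name": "example-tcpip-stack", "version": "6.0.1.40"},
    {"name": "busybox", "version": "1.31.1"},
    {"name": "openssl", "version": "1.0.2u"},
]}

# Constructed advisories with placeholder ids; a component is affected when
# introduced <= version < fixed, and fixed=None means no fix has shipped yet.
ADVISORIES = [
    {"id": "ADV-CONSTRUCTED-001", "component": "example-tcpip-stack", "introduced": "0", "fixed": "6.0.1.67"},
    {"id": "ADV-CONSTRUCTED-002", "component": "openssl", "introduced": "1.0.2", "fixed": "1.0.2t"},
    {"id": "ADV-CONSTRUCTED-003", "component": "busybox", "introduced": "1.30.0", "fixed": None},
]

def parse_version(v):
    """Turn '1.0.2u' into a comparable tuple; numeric parts sort before letter suffixes."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[A-Za-z]+", v))

def advisories_for(component, advisories=ADVISORIES):
    """Return the ids of advisories whose version range covers this SBOM component."""
    ver = parse_version(component["version"])
    return [adv["id"] for adv in advisories
            if adv["component"] == component["name"]
            and ver >= parse_version(adv["introduced"])
            and (adv["fixed"] is None or ver < parse_version(adv["fixed"]))]

def scan_sbom(sbom, advisories=ADVISORIES):
    """Map each affected component name to its matching advisory ids."""
    report = {c["name"]: advisories_for(c, advisories) for c in sbom["components"]}
    return {name: ids for name, ids in report.items() if ids}

# Hard-coded credential patterns for extracted firmware files: shadow-style
# entries that carry a real password hash, and key=value secrets in config files.
CRED_PATTERNS = [
    re.compile(r"^\w+:\$[0-9a-z]+\$[^:]+:", re.M),
    re.compile(r"(?i)(password|passwd|secret)\s*=\s*\S+"),
]

def find_hardcoded_credentials(text):
    """Return every credential-looking fragment in the given file contents."""
    return [m.group(0) for pat in CRED_PATTERNS for m in pat.finditer(text)]

# Constructed contents of an extracted /etc/shadow plus a small config file.
SAMPLE_FILES = ("root:$1$abc$constructedhashvalue:18000:0:99999:7:::\n"
                "daemon:*:18000:0:99999:7:::\n"
                "admin_password = changeme123\n")
```

A real pipeline would read the SBOM from the firmware analysis output and pull advisories from a vulnerability feed; the version comparison here is deliberately simple and does not handle every vendor versioning scheme.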
Risk assessment and mitigation for utilities
Finite State has automated the process of firmware analysis and comprehensive product security reporting, giving utilities a robust tool to uncover and address security issues while saving your team time and resources. Security teams at utilities can upload a device’s firmware to the Finite State Platform and quickly see a complete risk analysis report. Once this information is available, the platform provides your team with remediation guidance so that you can take actionable steps to improve your security posture and meet the latest compliance standards and regulations.
Finally, the Finite State Platform serves as a single collaborative tool that unites all industry stakeholders (including device manufacturers and government regulators), allowing utilities to alert OEMs directly when vulnerabilities and other security issues are discovered, so that the OEMs’ teams can remediate the identified risks immediately.
If you want to empower your team with the proper security tooling and ensure that your organization is up to date with all the latest standards and regulations, sign up for a demo of the Finite State Platform or read more about our risk profiles.
Comprehensive product security tooling for device manufacturers
By utilizing the Finite State Platform as a part of the development process, connected device manufacturers can ensure the security of their products before they are shipped to customers. With Finite State, product security teams can not only verify the content of components sourced from sub-tier vendors, but also see which of their products are impacted by newly discovered vulnerabilities like Ripple20. The Finite State Platform allows product security teams to minimize supply chain risk factors, generate a robust SBOM, track the security posture of their products over time, and generate executive-level reports to share with other teams and partners.
If you want to adopt the most comprehensive product security platform for connected devices and instill confidence in your products, sign up for a demo of the Finite State Platform or learn more about vulnerability trends in connected device supply chains.