Biden executive order on power system cybersecurity leaves critical operations vulnerable, experts say | #microsoft | #hacking | #cybersecurity

This audio is auto-generated. Please let us know if you have feedback.

A Ukraine war-provoked Russian cyberattack on the U.S. power system has not happened, but experts agree the threat is real because of a key shortcoming in cybersecurity preparations.

The 2021 Colonial Pipeline shutdown that disrupted Eastern U.S. gasoline deliveries hinted at the danger of cyberattacks on the energy sector. A May 12, 2021, Biden executive order, requiring major power system cybersecurity actions, implicitly acknowledged that Russia’s 2015 attack on Ukraine’s power system can happen here. But current and planned responses to the Biden order may not be enough to protect electricity delivery, cyber specialists said.

Russia may have so far withheld cyber warfare against the U.S. and its allies because of “a balance of power issue,” OPSWAT operations technology and industrial cybersecurity expert Oren Dvoskin said. “If a cyberattack is stopped, whoever stopped it knows the adversary, which is why nation-states are careful about if and when to deploy cyber weapons,” he said.

But the cyber threat to the energy sector goes beyond attacks to communications networks like the recent headlined ransomware attacks, analysts said. Using the growing internet access of power system operations that allow companies to monitor and control engineering processes online, attackers could disrupt critical infrastructure to create environmental devastation, losses of life, and severe economic impacts, they said. 

Power system “security and safety” depends on “the reliability and accuracy of sensor data that informs operations,” Applied Control Solutions Managing Partner and Cybersecurity Analyst Joe Weiss told Utility Dive. And “Russia, China, and Iran are aware of the lack of cybersecurity in process sensors and have access to them” in critical electric system operations, he said.  

The recent discovery of cryptocurrency’s vulnerability is a reminder that cybersecurity requires constant attention. But threats can be minimized by first recognizing protections to internet technology networks are inadequate to protect operational technology hardware, and then putting the best people, processes and technologies in place to protect electricity delivery, cyber analysts said.

Recognizing threats

The Biden executive order recognized “persistent and increasingly sophisticated malicious cyber campaigns” and the need “to identify, deter, protect against, detect, and respond” to them. And protections must include systems “that run the vital machinery that ensures our safety (operational technology (OT)),” along with “systems that process data (information technology (IT)),” it said.

Threats to energy sector networks were apparent before the executive order. But vulnerability expanded with the “convergence of IT and OT systems” and the use of “common software and security systems” in monitoring and control, a November 2021 Congressional Research Service report said.

Shields Up, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, or CISA, was launched in February by the Biden administration as a response to the Ukraine war’s increased cyber threat.

The May 2021 executive order required federal agencies, including CISA, to develop “Zero Trust Architecture.” A zero trust system design assumes that “anomalous or malicious activity” is “inevitable or has likely already occurred.” It eliminates “implicit trust in any one element” and allows online access only with “real-time” and “multiple sources” verifications, the order said.

But that leaves a shortcoming in cybersecurity, analysts said.

Permission granted by DNV


The shortcoming

The federal approaches assume IT attacks are the concern, control systems engineer and cyberanalyst Weiss said. They overlook OT-focused cyberattacks, which “are not always easily identifiable or recognized at all,” and “can be mistaken for accidents or malfunctions,” he warned.

Original Source link

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Leave a Reply

Your email address will not be published.

− 3 = six