The term “cybersecurity” has been thrown around a lot in recent years, and there have been various instances where the infrastructure of utilities has been threatened in the U.S. and abroad. Is there any particular event associated with Red Clay’s decision to create SecureGrid?
Red Clay has long been known as the leader in Meter Data Management (MDM) solutions for utilities. We have advised our clients on best practices and have stayed ahead of the curve when it came to the early adoption of MDM applications. We recognize that, as utilization of smart meters increases alongside investment in infrastructure modernization, utilities are looking to us to continue providing guidance about security.
There is no single cyber event that led to our decision to create SecureGrid (Electric), SecureH2O (Water), or SecureGas (Gas) offerings. The security threats to the IoT haven’t changed in 22 years; data collection, backdoor keys, and user education are as problematic today as they were in 1996. Red Clay has a range of customers, from small municipal utilities to large, investor-owned energy providers, each of whom has problems common to their size and location. Municipal utilities historically have not had job roles dedicated to infrastructure security.
Utilities in smaller cities struggle with job retention of security experts and therefore often lack established policies around their AMI network. Larger energy providers, who may have a dedicated security team, look for guidance and auditing to ensure that policies are up to date. Policies such as North American Electric Reliability Corporation – Critical Infrastructure Protection (“NERC-CIP”) and the American Water Works Association (“AWWA”) G430 do not extend to Advanced Metering Infrastructure (“AMI”) networks, which has led these systems to be sorely lacking in established procedures for security.
Our goal is to help our clients with maturing their AMI security policies, to grow utility participation in the Cybersecurity Risk Information Sharing Program (CRISP), and to continue to be the trusted advisor that our customers expect from us. Red Clay wants to promote a culture of security amongst utilities and ensure that we are providing our clients the value and services that will benefit the safety and reliability of these projects, overall.
What are the threats associated with a cyber-attack? Specifically, how hazardous would a security breach be to the CIS and AMI systems of a utility company?
The core job of all utilities is the safe, reliable, and cost-effective transmission of their resource, regardless of commodity. Therefore, the threats of a cyber-attack are severe. The last ten years of the Customer Information System and Advanced Metering Infrastructure programs have been focused on seamless integration of all core utility applications. This integration, while providing streamlined business processes and improved customer service to residents, also means that a weakness in any one system can impact all integrated systems.
A CIS system can contain Personal Identifying Information (PII) such as social security numbers used to secure credit for customers during enrollment, while financial information, such as bank accounts and credit card information, may be stored in some older systems. A breach directly into the CIS can therefore yield enough information to sell online on the dark web and can cause personal damage to customers. A CIS can also be a conduit into the related AMI system.
AMI systems, along with SCADA systems, have more severe consequences to a utility and related customers. Breaches into water systems can lead to inadequate water treatment which can impact an entire population of residents. In early 2000, a disgruntled ex-employee of a vendor for the Maroochy Shire Council in Australia decided to use his knowledge as a former insider to hack into the Maroochy Water Services SCADA system and disrupt various sewage pump stations, releasing more than one million liters of sewage into local waterways and parks. His actions caused significant environmental damage and created the potential for mass disease and illness.
The Flint, MI, case, while not related to a cyber breach, can show the dire consequences that occur when water sources are no longer safe for residents. For energy providers, a security breach could lead to an entire service territory without power. While the concept of living ‘Off the Grid’ is appealing in some circles, the reality of a population without electricity is catastrophic. Illness, disease transmission, and food source damage would be commonplace without the essentials of electricity. As Ted Koppel described in ‘Lights Off: A Cyberattack, A Nation Unprepared, Surviving the Aftermath’, the United States is simply ill-prepared to withstand an energy cyberattack.
As a service provider in the utility industry, Red Clay feels that it is our responsibility to contribute to the safety and security of both our clients and their customers.
How do the security offerings differ from other cybersecurity tools currently on the market?
Our security solutions (SecureGrid, SecureH2O, and SecureGas) are not one particular tool or software, but a methodology. Utilizing a comprehensive set of technical applications, advisement, and planning services, we assist utilities in developing an overall maintainable strategy for Cybersecurity protection on their AMI network. The methodology incorporates the five main pillars of cybersecurity as defined by the US Department of Homeland Security:
- Risk identification
- Threat reduction
- Reducing vulnerabilities
- Mitigating consequences
- Enabling cyber outcomes
Red Clay’s proprietary AMI SECURITY CONTROLS MATURITY ASSESSMENT is based on CIS Critical Security Controls and the Cybersecurity Capability Maturity Model frameworks. This assessment maps compliance mandates to technical standards, risks, and security controls.
What makes us unique is that, unlike large security firms who focus on selling a particular software application irrespective of industry, or utility consulting firms who know the business but do not have any security competencies, Red Clay brings specialized industry knowledge with our security experts, led by our Chief Security Officer, Michael Pearson. Michael Pearson brings both an established 25 years of experience in security engineering and ownership of a patent on the first intrusion prevention service.
Our set of security solutions means that Red Clay continues to distinguish itself by being ahead of the market in terms of meeting our clients’ needs and helping them to self-maintain.
What do you believe the most important tool in attack prevention currently is and how might this change in the next 5-10 years?
Simply said: knowledge and investment. So long as there is innovation within utilities and new technologies being introduced, there will always be the potential for attack. It is critical for utilities to be vigilant and knowledgeable in the protection of all networks, from internal networks to AMI, SCADA, and more. This knowledge comes with an investment in a wide range of tools including:
- Staff dedicated to security
- Policies and procedures that are up to date with the industry standard and that are subject to audit on a regular basis
- Applications focused on identifying intrusion threats
- Education across the organization from Day 1 in security practices with regular updates
- Working with experts in the industry, such as Red Clay, to supplement internal tools with best practices.
Given that technology moves quickly, it is futile to predict what the best software would be on the market to prevent attacks, as it may not be developed yet. Knowledge and investment are like the Rolling Stones – as relevant and impactful now as they were 20 years ago.