
Knowing Your Risks and Vulnerabilities and How to Prioritize Budget to Close Gaps
Shawn Wallace and Glenn Engel Share Insightful Strategies on How to Best Evaluate Risk, Prioritize Assets and Align Your Spend and Future Budget Needs to Building a Truly Effective Security Posture
In a moment of serendipity, as I was planning out content for this issue, I took a moment to scroll through LinkedIn when I saw a post by Shawn Wallace that said he and Glenn Engel would be presenting an educational session at GSX. The session topic Wallace posted about has the title “Threats to Critical Infrastructure Sites: How to Evaluate Risk and Prioritize Spend to Close Vulnerabilities.” I immediately thought of how the topics in this session would also be great for this column, especially since this is our GSX-focused issue—and more so because these topics really hit at the heart of the security strategy and the economic realities that demand utility security professionals spend security dollars accurately and efficiently.
Luckily, prior to GSX, we got a chance to sit down with Wallace, the Director of Critical Infrastructure for Unlimited Technology, and Engel, the Global Business Resilience and Security Manager for the AES Corporation, to get their insightful perspectives on how to navigate a path toward effectively closing vulnerabilities.
UTILITY SECURITY MAGAZINE:
Welcome Shawn and Glenn! Let’s first talk about your presentation. What inspired you to create an education session that focuses on critical infrastructure risk evaluation and spending strategies?
Wallace:
In our industry, so much focus is put on use and advancement of technology it’s easy to skip over the reasons why we have it. At the same time, deploying a lot of technology might lead one to feel like they’ve closed off risk when critical gaps could remain. In talking with each other, it’s this aspect of it that motivated us to put this talk together. As we brought this idea to others in the industry, we found that often the up-front risk analysis wasn’t being done. Companies were securing every building and asset the same using familiar designs. We know we need a fence, cameras, access control, VMS, etc. so they get put into use without much thought for who we are trying to detect or prevent or how they would compromise the asset.
While the cost of technology continues to increase, this can be an expensive proposition, especially if corporate budgets are tight. Companies may find themselves spending the same amount on non-business critical assets as they do for the business-critical ones. This is the wrong approach; spend and effort should be directed to what’s most important. But, to do this, you need to first define what assets are most important to your business. In critical infrastructure this can be value in the asset itself but also the impact the asset can have. A substation’s value is not in the equipment but in the impact it would have on the electric grid if it was taken off‑line and caused a sustained blackout for a large population.
UTILITY SECURITY MAGAZINE:
So let’s look at the threat landscape. What are some trends that you are seeing that our readers should be thinking about?
Engel:
While somewhat industry dependent, all businesses, and especially critical infrastructure, face security threats at every turn. There are the usual ones like theft of valuable items for resale, criminal mischief, and crimes of opportunity like an unlocked gate or door. Increasingly we are seeing nation states or ideological threat actors looking to disrupt services and supply chains hoping to gain notoriety for their cause or to disrupt societal norms in the hopes of sowing anarchy. And while not something you can easily install protective measures around, we are experiencing an increase in large natural disasters and we’ve even seen more organized threats like gangs and organizations looking to kidnap, blackmail, extort, or provide protection for financial gain.
UTILITY SECURITY MAGAZINE:
What are some strategies that utility security leaders should consider when going through the process of determining which of their assets are their “crown jewels”?
Wallace:
There are really two avenues that need to be walked down in the utility sector when it comes to asset prioritization. The first is through the NERC Critical Infrastructure Protection (CIP) standards. Those working in the utility space are already familiar with how the standards prioritize assets based on their impact to the Bulk Electric System and what procedures, plans and controls need to be put in place.
However, it is recognized that “compliance doesn’t equal security” so an additional approach is required. Utilities might conduct a more pointed risk assessment to improve security at a facility beyond what is required by NERC CIP.
The second approach then is to view assets in terms of their potential impact to the business. Many assets in the utility sector don’t fall under the NERC CIP standards but are still considered enough of a priority for the business to be treated as a high priority. Business impact considerations include financial and reputational.
We have been seeing this trend where companies are upgrading substations (for example) based on their own risk assessment conducted beyond what the NERC CIP standards require. The utility determines that the potential business impact warrants additional security controls and attention.
Many utilities and energy companies are engaged in technology development projects to create new equipment and/or intellectual property. Both fall well outside the traditional utility asset prioritization process but need to be included, nonetheless.
UTILITY SECURITY MAGAZINE:
So, after a utility identifies their most important assets, what are some considerations for prioritizing those assets?
Engel:
There are multiple ways an organization may consider prioritization of assets. In the utilities industry for instance, we may look beyond the cost of replacement to items like parts replacement availability, the potential impact to a certain number of customers, as well as potential reputational and regulatory impacts.
Starting with customer impact, one can start to look at assets in terms of the number of customers blacked out for a certain amount of time. Within a distribution level substation (for example), if the components can be easily replaced the risk is lower than a substation with long lead transformers. A utility may have a non-NERC CIP substation that services a business campus performing critical functions to a community like a hospital or it may supply power to a large datacenter complex. Ranking the assets based on net customer impact in an outage is one approach.
Drilling into each facility, one can look at replacement costs and lead times for equipment. While much focus is put on long lead transformers, they also need to take a close look at the control house and how their communications system is architected. It may be that if a single facility is compromised it can impact other facilities which would increase their priority, communication towers for example.
The same can be said for generation facilities especially if they are unmanned remote start like some simple cycle combustion turbines or large renewables. What is the business impact if the facilities are taken out of service?
There are a lot of factors to consider, and they depend on the nature of the utility itself, whether it’s a large publicly traded generation and transmission company or a co-operative servicing several rural communities.
UTILITY SECURITY MAGAZINE:
Why is the adversary sequence diagram process so important to a utility security strategy?
Wallace:
Adversary Sequence Diagrams (ASDs) identify the paths an adversary would take to penetrate the security systems at a facility to accomplish their objectives. It helps you understand the likelihood the adversary is detected, the time to detection, the time it takes to respond and when the adversary will be confronted.
ASDs help you to determine what security controls need to be put in place to deter, detect and delay the adversary enough for a response to take place. A lot of time, effort and money is spent on controls, but many companies have never run the analysis to see if they would stop the attack.
There are scenarios where you will find your response time will never be quick enough to intercept an adversary. The ASD can help to daylight this risk by allowing the business to make the right decisions to adjust accordingly.
When asked if a facility is secure, you might get a list of all the controls and technology in place. But you may not hear that the team ran the right scenarios to see if those controls accomplish the right objectives. That is what the ASD does.
UTILITY SECURITY MAGAZINE:
What are some key strategies you recommend when it comes to determining how to best align spending in ways that most effectively impact security?
Wallace:
Security and risk or impact go hand in hand. Your spend should be directed where you have the greatest risks or potential impacts to your customers or business. It’s OK to have facilities where your plan is purely to recover after an attack.
Once you have identified your most important assets, walking through the ASD process at a single facility is a great start. You can then build your security layers based on the actual adversary paths, thus getting the right controls in place while avoiding spending on additional controls or technology that don’t increase prevention, detection or deterrence.
Finally, make sure you have an opportunity to test any new technology or get a real reference from an industry peer. If a piece of technology has a high false positive or false negative rate—or requires a lot of training by a human operator—you should consider that in the total cost of deployment. It may be that the net spend is out of proportion with the incremental gain in detection capability that the technology provides.
UTILITY SECURITY MAGAZINE:
For some of our readers, the budget might not align with the needs. What recommendations would you give readers who may have a lack of funding?
Engel:
This is one of the strengths of using adversary sequence diagramming. You can look at a location more holistically, without a consultant or salesperson advising you, to see where vulnerabilities may or may not exist with the potential to redeploy existing equipment or to spend limited budget on the most vulnerable attack vectors. It isn’t a panacea, but it might help with deploying budgets more effectively.
Typically, funding comes in annual cycles, and you may need to create a multi-year plan to get the controls in place that you need. This is just a fact of business. You should be fully aware and document your gaps while making sure the right stakeholders in the business are aware of them. Unfortunately, it becomes an acceptable risk that the business takes on until it can be mitigated once funding is available.
UTILITY SECURITY MAGAZINE:
One solution for a lack of budget might be to ask for more funding. What sort of strategies do you recommend when strategizing that ask?
Wallace:
Demonstrating analysis and prioritization of each ask is essential. You need to use data to show that the funding will cover off the risk and this is where the process we described previously will help. The onus is on the business to determine where funding should be allocated between the different profit or cost centers. Typically, an executive or team makes the decision to direct funding to different areas based on perceived need. Your license to ask for more funding comes from an analysis that shows either a compliance issue or an outsized risk to the business that needs to be mitigated with urgency and that this should be prioritized over other needs.
UTILITY SECURITY MAGAZINE:
Speaking directly to C-suite and other leaders at utilities, what are some key perspectives you think they need to better understand as it relates to the challenges of physically securing utilities?
Engel:
Nobody in our industry ever says that they want less security. The issue always comes down to how much risk reduction an organization can get for the funding that’s available. This is the challenge faced by our security teams: how to prioritize where to spend limited funding given that gaps will remain. It is incumbent on the business then to accept the risks posed by the gaps and to be constantly moving the bar forward by closing them whenever possible.
About Shawn Wallace
Mr. Wallace is the Director of Critical Infrastructure for Unlimited Technology and has over 20 years working in the electric and oil and gas sectors. He is a member of the Security Industry Association Utilities Advisory Board and prior to joining Unlimited Technology, he led the critical infrastructure efforts with two startup companies in cybersecurity. He was the Director of Transmission and Distribution for AECOM comprising over 350 personnel throughout North America and Canada. Mr. Wallace holds Bachelor of Science degrees in Chemistry and Chemical Engineering from Purdue University and an MBA in Finance from the University of Denver.
About Glenn Engel
Glenn Engel is the Global Business Resilience and Security Manager for AES Corporation, one of the world’s leading energy companies generating and distributing conventional and clean energy solutions and innovation. He is responsible for the development and implementation of AES global Security and Business Resiliency programs encompassing the frameworks, methodologies, and standards for global operations. He has over 20 years in industry having presented papers, being published, and speaking at several events including for: Disaster Recovery Journal (DRJ) International, Society of Photo-Optical Instrumentation Engineers (SPIE), Midwest Contingency Planners Organization and Strohl Systems.