Cyber security risk ratings cannot accurately assess cyber risk across industrial ecosystems

On July 2, 2019, Bitsight published its report “Analyzing Utilities Sector Cybersecurity Performance”. The Bitsight report is similar to other rating summaries and surveys about industrial organizations. According to the Bitsight report, “electric grid operability and reliability are the biggest challenges as cyberattacks on organizations and their third parties continue to increase.” Also according to the report, “security ratings allow the electric utilities industry - one that is essential to critical national infrastructure - to accurately assess risk across their business ecosystem.” The report is fine as far as it goes, but its perspective is limited. That is, the report is valid only if it is confined to the IT systems that do not affect grid operability and reliability. The control system issues that directly affect the reliability, safety, and security of the grid are not addressed. In fact, this report is a representation of the culture and governance issues that continue to underlie the inadequate response to control system cyber security.

All organizations have front offices that are responsible for human resources, billing, order entry, customer databases, etc. Cyber threats to front office networks include data manipulation, data compromise, and stolen data. The electric industry is a major part of the financial sector through its electricity markets. Most organizations, including the electric industry, are also part of the real estate sector because they own buildings and data centers. Comparing the cyber risk of utility billing systems or customer information to the IT systems in other organizations is valid. According to the report, the electric industry has a median security rating that is in line with the Retail and Tourism/Hospitality sector organizations but falls below the strongest sector performers, including Finance, Legal, and Insurance. These results may be true for IT but have no relevance for control systems. As an example of just how misleading the ratings are for control systems, Bitsight’s diligence performance metrics show 51% of utility organizations with no vulnerable services and 45% with no out-of-date systems. These metrics are obviously meaningless for utility control systems. Utility (and other industrial) control systems are often very out-of-date when it comes to cyber security, with multiple vulnerable services that can't be bypassed. Yet it is the control systems that are the existential risk for electric utilities and their customers.

The report compared utilities to other sectors, many of which do not use control systems (other than for building controls or merchandise distribution, which I expect weren’t addressed). The closest the report came to even mentioning control systems was the statement that "a 2018 breach on a smart regulator valve nearly destroyed a Saudi Arabian chemical plant”. Unfortunately, that statement was not correct, but it at least acknowledged that compromising control systems can cause catastrophic physical failures, which compromising IT systems cannot.

“Keeping the lights on”, not maintaining the IT infrastructure, is what makes the electric industry critical to the national economy and defense. Compromising physical processes can damage expensive facility equipment, cause environmental damage, injure or kill people, and affect the national economy and defense.

Control system cyber threats are real – there have already been more than 1,500 actual control system cyber incidents. Currently, there is minimal cyber security, authentication, control system cyber security training, or control system metrics for control system field devices such as process sensors, actuators, and drives (where things go “boom in the night”). Moreover, cyber-related physics issues such as the Aurora vulnerability, which can lead to very long (as much as 9-18 MONTH) outages that could affect the long-term viability of any utility, are not being adequately addressed.

Addressing control system cyber security issues requires engineering input, which hasn’t always been welcomed by the network security organizations – a major culture and governance gap. Very often the engineering organizations have no input on cyber security surveys even though it is their equipment that is in question.

Control system cyber issues can, and have, led to catastrophic safety and reliability failures that matter to rating agencies and insurance companies. Consequently, one of the focus areas in Moody’s Investor Services January 2019 ESG Focus newsletter was PG&E, because of its bankruptcy, but the discussion also applies to all other utilities: “Beyond environmental considerations, we believe PG&E also faces a higher level of cyber-security risk. As a sector, we view all utilities as prized targets for attackers. For PG&E, which serves the greater Silicon Valley region, the wildfire events may give rise to an increase in hacktivism. With the distractions around bankruptcy, more sophisticated nation state actors may seek to exploit potential cybersecurity vulnerabilities (or through vendors, as a recent Wall Street Journal article noted). According to the World Economic Forum’s 2018 top 10 risks, PG&E and other utilities are at the nexus of cyber and environmental risk.” I think it is reasonable to assume that Moody’s is not comfortable that utilities are cyber secure regardless of the assurances from certain industry and government organizations. I also believe it doesn't take sophisticated nation state actors to exploit some of these cyber vulnerabilities to cause catastrophic damage.

The electric industry’s North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cyber security standards and supply chain requirements are a compliance exercise rather than actual security. This is particularly true given the loopholes, including the exclusions of process sensors, serial sensor networks, etc. This brings up two problems with comparing security ratings. First, as mentioned earlier, comparing the risks of an industrial organization with critical control systems to those of a retail or financial organization with no critical control systems is meaningless. Second, the electric industry, with its compliance approach to security, differs from other industries that have a security mindset.

Cyber security ratings currently can’t address control system cyber security, yet control systems are existential for any industrial organization. Until there is a better understanding of control system cyber risks, security ratings for industrial organizations are meaningless.

Joe Weiss