Moody’s concerns with cyber security of utilities – an open letter to utility Boards of Directors

Utilities, industrial, and manufacturing processes have been around for more than a hundred years. Until about 20 years ago, control systems operated without Internet Protocol (IP) networks and Commercial-off-the-Shelf operating system HMIs. These control systems can continue to work, albeit not in an optimally efficient manner, without the IP networks. However, none of these operations can operate without their control systems.

The reason for establishing control system cyber security programs is to keep lights on, water flowing, etc. Protecting Operational Technology (OT) networks does not assure the lights stay on, water flows, etc. However, protecting OT networks and demonstrating compliance has been the focus of most control system cyber security programs and conferences as well as the North American Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards for the North American electric utilities. For organizations such as rating agencies and insurance companies that have “skin in the game”, what is critical is the prevention of cyber-induced catastrophic damage, which occurs when control systems are compromised. Currently, there is a gap between the OT network monitoring/security systems for assuring network integrity and the control system monitoring/safety systems that prevent process impacts (e.g., damaging a turbine or a transformer). This gap occurs because control system network monitoring does not correlate network anomalies to process impacts. Monitoring/preventing process impacts requires monitoring the process sensors (e.g., pressure, level, flow, temperature, voltage, current, etc.) in real time – an engineering, not a network, solution.

Moody’s has recognized the importance of cyber security in its ratings assessments, as cyber attacks can affect the solvency of organizations. For financial and retail organizations, compromise of IT systems could result in catastrophic data breaches that could affect organizational solvency. Compliance approaches such as the NERC CIP standards cannot adequately reduce the potential cyber threats to utility operations, nor can a focus on OT networks. However, control systems can directly impact organizational solvency, as seen with the Olympic Pipeline Company, which went bankrupt after the 1999 cyber-related gasoline pipeline rupture.

Control system devices (e.g., process sensors, actuators, and drives) have no cyber security and no capability to be cyber secured. Moreover, cyber-related physics issues such as the Aurora vulnerability, which can lead to very long outages and other direct damage, are not being adequately addressed. Addressing these issues requires engineering input, which hasn’t always been welcomed by the network security organizations – a major culture gap (this was obvious at the S4X19 Conference - my LinkedIn observations have had more than 3,500 views since I posted the blog last week). Control system cyber issues can lead, and have led, to catastrophic safety and reliability failures which can impact rating agencies and insurance companies. Consequently, one of the focus areas in Moody’s Investor Services January 2019 ESG Focus newsletter was PG&E because of their imminent bankruptcy, but it also includes all other utilities: “Beyond environmental considerations, we believe PG&E also faces a higher level of cyber-security risk. As a sector, we view all utilities as prized targets for attackers. For PG&E, which serves the greater Silicon Valley region, the wildfire events may give rise to an increase in hacktivism. With the distractions around bankruptcy, more sophisticated nation state actors may seek to exploit potential cybersecurity vulnerabilities (or through vendors, as a recent Wall Street Journal article noted). According to the World Economic Forum’s 2018 top 10 risks, PG&E and other utilities are at the nexus of cyber and environmental risk.” I think it is reasonable to assume that Moody’s is not comfortable that utilities are cyber secure regardless of the reassurances from certain industry and government organizations. I also believe it doesn't take sophisticated nation state actors to exploit some of these cyber vulnerabilities to cause catastrophic damage.

As mentioned, nation states such as Russia, China, Iran, and North Korea are aware of control system cyber deficiencies and may look to exploit potential cyber security vulnerabilities. Making matters worse is the continuing culture gap between the network security organizations and the engineering/operations organizations, which has inhibited the necessary defense of these critical systems. Hopefully, organizations like Moody’s can influence the Boards to meet their fiduciary responsibilities by prioritizing control system cyber security for safety and reliability, not just compliance. I believe the prioritization of control system cyber security by the Boards is the only way to overcome the culture gap that has existed since at least 2000. Without the change in culture, it will not be possible (no maybe) to secure control systems.

Joe Weiss