Enhancing Cybersecurity Preparedness in the Energy Sector: A Case Study of GRIDCo

Cybersecurity Incident Response Plan Development
Incidence Response through Supply Chain Preparedness: The GRIDCo Case Study

Table of Contents
1. Intro & Background – GRIDCo
2. Considerations for OT Security
3. GRIDCo’s OT Incident Management
4. SCADA Upgrade Case Study
5. Q&A
 
 
Introduction: The Power System
32 Bulk Customers
10 Generating Companies (incl. IPPs)
5,231 MW installed generation capacity (3 Hydro, 13 Thermal & 2 Solar Plants)
6,472.23 Circuit-km of transmission lines (69 kV, 161 kV, 225 kV & 330 kV), with about 70% fiber-optically equipped
Peak Demand 3,618 MW in December 2023
Introduction: Background Information
GRIDCo operates both IT and OT infrastructure
GRIDCo is interconnected with Cote D’Ivoire, Burkina Faso, Togo and Benin
Potential Impact of Outages
Financial loss of millions of USD daily
Negative impact on GDP, as ~80% of national production depends on electricity
Sub-regional security stability
 
Considerations for OT Security and Incident Management [to establish basis for IRP]
Threat actors can introduce compromised components into a system, unintentionally or by design, at any point in the system's lifecycle.
Attackers set sights on Industrial Control Systems (ICS) and third parties
Need to understand the supplier's maturity and security processes and products for connected products and services
 
Considerations for OT Security and Incident Management [OT/ICS cannot be handled the same way as IT]

OT Focus Area
Direct control of devices and processes
Reliability and continuity of operations
System response times are critical

OT Devices
Customised OS devices running OEM apps, proprietary embedded devices, custom production systems
Refresh cycle sometimes over 20 years
Usually many legacy units

IT Focus Area
Information management and security
Digital technologies
Internet and connectivity

IT Devices
Commonly connected Windows servers, PCs, mobile devices running OS and apps
Refresh cycle is 3-5 years
 
Considerations for OT Security and Incident Management [OT/ICS cannot be handled the same way as IT]

OT Threat Identification
Challenges in identifying domain-specific threats
Higher exposure to zero-day vulnerabilities, especially in embedded devices

OT Remediation
Complex threat remediation
High operational risk; incorrect actions can halt production for extended periods

IT Threat Identification
Extensive public databases for vulnerability identification
Lower zero-day vulnerability exposure

IT Remediation
Simple and more readily available threat remediation with minimal impact
Lower operational risk
 
GRIDCo’s OT Incident Management Plan (IMP) – Based on NIST Guide to OT Security (800-82 Rev. 3)
GRIDCo has adopted and follows the NIST Guide to OT Security (800-82 Rev. 3) for incident management.
NIST 800-82r3 builds on the NIST Framework (Identify, Protect, Detect, Respond, Recover).
Its IMP includes four main stages:
preparation and prevention;
detection and analysis;
containment, eradication, and recovery;
post-incident activity.
 
GRIDCo’s OT Incident Management
Step 1: Preparation and Prevention.
Preparation is key to an effective response.
Calculate business impacts
Use existing risk analysis
Identify supporting systems/assets
Triage the assets [meet 80/48 KPI] – know and prioritise the systems that are critical – control 80% of our operations
95% certainty of the priority of these assets
 
GRIDCo’s OT Incident Management:
Calculate business impact, using existing risk analysis
 
Risk Assessment – critical part of our
USAID-sponsored BIP Program.
 
Engage Relevant Teams (Finance, Procurement,
Engineering) to determine estimated value of
potential operational losses and restoration costs.
Assess all probabilities and apply them to calculate
Business impact, raw impact, and raw Risk Rating
Assess Treatment Cost (and status) and Calculate
Target Risk and compare with current risk rating for
decision making
 
GRIDCo’s OT Incident Management
Step 2: Detection and Analysis.
Take steps to put security safeguards in place.
Ensure relevant systems are deployed
Vendors must meet GRIDCo’s criteria to qualify as a vendor [where we are unsure, the vendor makes a written commitment]
Implemented Security by Design – cybersecurity assessment done with vendors and Factory Acceptance Testing (FAT) before implementation
Site Acceptance Testing (SAT) is not limited to system functionality, but also covers CS compliance
CS awareness programs and simulations
 
GRIDCo’s OT Incident Management
Step 3: Containment, Eradication, and Recovery.
Incident Response process is triggered immediately when an issue / suspected issue is picked up.
Incident Reporting process is triggered with the least positive information obtained.
Communicate to Management first. Then industry stakeholders must be informed on a need-to-know basis.
 
GRIDCo’s OT Incident Management
Step 4: Post-incident Activity.
Test your plan.
Documented simulations driven by Business Continuity and Compliance teams
Simulations in OT carried out. Results recorded and compared with expected outcomes.
Lessons Learnt log is kept.
Plan is reviewed annually.
 
GRIDCo’s OT Incident Management Process Improvement
We used the Lean Six Sigma approach we learnt through the USAID-sponsored Business Innovation Project to improve our incident management processes.
The process has been incorporated into our IRP.
Know your Suppliers and Third Parties:
Have a categorized database of all suppliers, vendors, and contractors, and engage them through that database.
Undertake periodic assessment of their cybersecurity compliance status
Vendors legally accept responsibility for their undeclared vulnerabilities
Pre-tender cybersecurity assessment – for specific activities
 
A Case Study: SCADA Upgrade Project
Scope: Upgrade of the SCADA System including deployment of a DR Site Control Centre.
Ensured Security-by-design during scoping and requirements gathering.
Pre-qualification (cybersecurity) of tenderers
Tenderer accepts responsibility for undeclared vulnerabilities
FAT at Vendor’s factory: OILs are documented for resolution
Site Acceptance Testing – before project sign-off, includes CS reviews and regression testing: firewall config & setup, HW and OS hardening, AD systems security and redundancy, firewall config reviews.
Actual Red-Team attack attempts, both internally and remotely – staged breach.
 
Conclusion
The energy sector OT cybersecurity threat landscape is rapidly evolving and expanding.
Attacks are now many and more frequent: the power sector is one of the most targeted.
Actors are increasingly acquiring, and using, sophisticated malware tools.
Interruptions / disruptions have dire consequences (financial, security, social, political...)
Supply chain has become one of the most challenging vulnerabilities to address.
Unfortunately, cyber-supply chain accountability is usually not well-defined, and CISOs have little or no control over their supply chain.
No matter how challenging, companies can start by identifying and mapping critical assets using a maturity framework (like NIST) to assess their maturity level, and take steps to treat critical gaps.
Incident management / response is as important as incident prevention.
 
 
Tony Assan
Chief Information Security Officer
Exploring the development of a Cybersecurity Incident Response Plan through the lens of supply chain preparedness using the GRIDCo case study in the energy sector. The article delves into considerations for OT security, incident management, potential impacts of outages, and the unique IT-OT infrastructure of GRIDCo, emphasizing the critical need for heightened security measures to mitigate risks in the interconnected energy landscape.


Uploaded on May 12, 2024