TMEPA Helping Members Stay Current on Cybersecurity
As a continuing service to our members, TMEPA offers training and informational sessions on the latest topics important to electric utilities, and to municipal electric systems in particular. Earlier this month TMEPA partnered with SecurIT360 to offer cybersecurity training that covered best practices for monitoring network security along with information for utilities working on compliance with NERC's CIP requirements.
Utilities generally are very good at the physical security of their assets, but cybersecurity is a continual fight to stay current on the latest attacker tactics and the ways to combat them. The average time an attacker spends inside a network before being caught is 220 days. With utilities being prime and frequent targets for hackers, proper cybersecurity involves more than a firewall and anti-virus software: a phishing email sent to a key employee passes straight through a firewall. Since there is no silver bullet for full protection, here are some of the best practices shared by David Forrestal from SecurIT360 at the training:
Monitoring. Firewalls and anti-virus are vital to any network because they prevent known bad things from happening, but they can't stop unknown bad things, such as a new piece of malware or an attacker using stolen credentials. For larger companies and utilities more is required, namely network monitoring that establishes what "normal" looks like and watches for departures from it. What is the expected network bandwidth for a given day? Is there a spike in log-ins? Who is physically plugging into the network? Are there longer-than-usual VPN sessions? Are sites in foreign countries being visited? Monitoring is needed for CIP compliance, for operations and for generally maintaining a good security posture, and it is the backbone of many other cybersecurity protections.
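The questions above are all baseline-and-deviation checks, and even a small utility can script them against an exported log. The following Python is an added example, not code from the TMEPA training or from SecurIT360; the log format (one completed VPN session per line: login time, user, source country, duration in minutes) and the sample lines are constructed for illustration. Each check is a separate function so the thresholds can be tuned independently.

```python
"""Baseline-and-deviation checks over a constructed VPN session log.

Added example, not part of the original article or the SecurIT360 training.
Assumptions: one completed session per line, fields
    <ISO-8601 login time> <user> <source country> <duration in minutes>
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log: three normal business days, then an odd 2 a.m. burst
# that includes one very long session from an unexpected country.
SAMPLE_LOG = """\
2016-03-01T07:58:00 jdoe US 480
2016-03-01T08:02:00 asmith US 455
2016-03-01T08:05:00 bwhite US 470
2016-03-02T07:55:00 jdoe US 490
2016-03-02T08:10:00 asmith US 460
2016-03-02T08:07:00 bwhite US 465
2016-03-03T07:59:00 jdoe US 475
2016-03-03T08:01:00 asmith US 450
2016-03-03T08:04:00 bwhite US 480
2016-03-04T02:13:00 jdoe RU 1380
2016-03-04T02:14:00 svc_backup US 15
2016-03-04T02:15:00 asmith US 30
2016-03-04T02:16:00 bwhite US 30
2016-03-04T02:17:00 svc_backup US 10
2016-03-04T02:18:00 svc_backup US 10
2016-03-04T02:19:00 mgreen US 5
"""

ALLOWED_COUNTRIES = {"US"}          # where this utility's staff are expected to be
LONG_SESSION_FACTOR = 2.0           # flag sessions over 2x the user's median length
SPIKE_FACTOR = 3.0                  # flag hours with more than 3x the typical hourly login count
MIN_SESSIONS_FOR_BASELINE = 3       # fewer than this and we have no baseline to compare against


def parse_log(text):
    """Turn the constructed log format into a list of session dicts."""
    sessions = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, country, minutes = line.split()
        sessions.append({"login": datetime.fromisoformat(ts), "user": user,
                         "country": country, "minutes": int(minutes)})
    return sessions


def long_sessions(sessions):
    """Sessions much longer than that user's own median; median, not mean,
    so one huge session does not drag the baseline up with it."""
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s["user"]].append(s)
    flagged = []
    for user, user_sessions in by_user.items():
        if len(user_sessions) < MIN_SESSIONS_FOR_BASELINE:
            continue  # not enough history to call anything "unusual"
        baseline = median([s["minutes"] for s in user_sessions])
        for s in user_sessions:
            if s["minutes"] > LONG_SESSION_FACTOR * baseline:
                flagged.append((user, s["login"].isoformat(), s["minutes"], baseline))
    return flagged


def login_spikes(sessions):
    """Clock hours whose login count is far above the typical hour."""
    per_hour = Counter(s["login"].strftime("%Y-%m-%d %H:00") for s in sessions)
    typical = median(per_hour.values())
    return sorted((hour, n) for hour, n in per_hour.items() if n > SPIKE_FACTOR * typical)


def foreign_logins(sessions):
    """Any session whose source country is not on the allowed list."""
    return [(s["user"], s["login"].isoformat(), s["country"])
            for s in sessions if s["country"] not in ALLOWED_COUNTRIES]


def review(text):
    """Run every check and return the findings keyed by check name."""
    sessions = parse_log(text)
    return {"long_sessions": long_sessions(sessions),
            "login_spikes": login_spikes(sessions),
            "foreign_logins": foreign_logins(sessions)}


if __name__ == "__main__":
    for check, findings in review(SAMPLE_LOG).items():
        print(check)
        for finding in findings:
            print("   ", finding)
```

On the sample data the script flags jdoe's 23-hour session (his baseline is about eight hours), the 2 a.m. burst of seven logins in one hour (the typical hour sees two), and the single login from outside the allowed countries. Real logs carry more fields and need a longer baseline than three days, but the shape of the checks does not change, and a report like this reviewed each morning is what turns log data into monitoring.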
Rebooting. Every night computers and equipment should be rebooted. When this occurs, a hacker whose foothold lives only in the running system's memory has to regain that foothold every day; an attacker who has installed persistence will survive the reboot, which is one more reason monitoring matters. Some systems even have a set time to shut down every night. This can conflict with installing updates overnight, which requires a security assessment of which is more important: ensuring updates are installed or shortening the time an attacker can stay resident.
Network inventory. On a regular basis an inventory of the devices on the network should be taken to see what, and who, is on the network. For large systems there is software that can filter through network logs to build the list, but for small networks an Excel spreadsheet can be used. Compared against the previous inventory, the list can spot devices on the network that shouldn't be there. A network inventory can be done weekly, or as often as practical, to see what is new on the network and what it is doing.
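The weekly comparison is simple enough to script even when the asset list really is a spreadsheet. The Python below is an added example, not from the TMEPA training or SecurIT360: it assumes the asset sheet has been exported to CSV with hostname, MAC, IP and owner columns, and that this week's sweep is a pasted list of "IP MAC" pairs such as an ARP table or DHCP lease list would give. Both inputs are constructed. It reports three things a reviewer wants each week: devices never seen before, known devices that have changed address, and inventoried devices that did not answer.

```python
"""Weekly network-inventory diff: this week's sweep against the asset spreadsheet.

Added example, not part of the original article or the SecurIT360 training.
Assumed formats: asset list as CSV (hostname,mac,ip,owner); sweep as "ip mac" lines.
"""
import csv
import io
import re

# Constructed asset spreadsheet, exported from Excel as CSV.
KNOWN_ASSETS_CSV = """\
hostname,mac,ip,owner
scada-hmi-1,00:1A:2B:3C:4D:01,10.10.1.11,operations
billing-ws-1,00:1A:2B:3C:4D:02,10.10.2.21,billing
printer-2f,00:1A:2B:3C:4D:03,10.10.2.50,facilities
fileserver,00:1A:2B:3C:4D:04,10.10.1.5,IT
vpn-gw,00:1A:2B:3C:4D:05,10.10.1.1,IT
"""

# Constructed output of this week's sweep (one "ip mac" pair per line). Note the
# different MAC notation: dashes and lowercase, as some tools print it.
THIS_WEEK_SCAN = """\
10.10.1.11 00-1a-2b-3c-4d-01
10.10.2.21 00-1a-2b-3c-4d-02
10.10.2.50 00-1a-2b-3c-4d-03
10.10.2.77 d8-3a-dd-12-34-56
10.10.1.9  00-1a-2b-3c-4d-04
"""


def normalize_mac(mac):
    """Reduce any common MAC notation (colons, dashes, dots, mixed case)
    to lowercase colon form so the spreadsheet and the sweep agree."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def load_known_assets(csv_text):
    """Asset sheet keyed by normalized MAC."""
    return {normalize_mac(row["mac"]): row
            for row in csv.DictReader(io.StringIO(csv_text))}


def parse_scan(text):
    """Sweep output as {normalized MAC: IP}."""
    seen = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac = line.split()
        seen[normalize_mac(mac)] = ip
    return seen


def compare_inventory(known, seen):
    """Three lists a reviewer acts on: unknown devices, moved devices, silent devices."""
    unknown = sorted((ip, mac) for mac, ip in seen.items() if mac not in known)
    moved = sorted((known[mac]["hostname"], known[mac]["ip"], ip)
                   for mac, ip in seen.items()
                   if mac in known and known[mac]["ip"] != ip)
    missing = sorted(row["hostname"] for mac, row in known.items() if mac not in seen)
    return {"unknown": unknown, "moved": moved, "missing": missing}


def weekly_review(csv_text=KNOWN_ASSETS_CSV, scan_text=THIS_WEEK_SCAN):
    return compare_inventory(load_known_assets(csv_text), parse_scan(scan_text))


if __name__ == "__main__":
    for category, items in weekly_review().items():
        print(f"{category}:")
        for item in items:
            print("   ", item)
```

Here the report shows one unknown device at 10.10.2.77, the file server answering from a new address, and the VPN gateway not answering at all; each is a question for someone to run down before next week's sweep. One caveat: a MAC address is a label, not an identity. This catches the contractor's laptop or the forgotten wireless access point; a deliberate intruder who clones a known MAC will not appear in the "unknown" list, which is why the inventory complements monitoring rather than replacing it.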
White-list. Fully functioning anti-virus and firewall combined with a robust white-listing program can greatly limit where employees go on the web. A white-list program is a strict measure that allows access only to sites that have been explicitly "white-listed." A blacklist program prohibits access to certain known-bad sites but otherwise allows wide access, so anything not yet on the list gets through.
Limit administrative and remote access. Administrator access should be given sparingly. The typical employee should not have administrator rights on their computer. Remote access can be a great tool for running a utility from home or on the go, but it creates another entry point for a hacker. Requiring another form of verification beyond a username and password (multi-factor authentication) helps make sure only proper utility employees can access the network from outside of it. In addition to multi-factor verification, remote access should be monitored and audited regularly to make sure a hacker has not used it to get into the network. Ideally, someone who does not themselves use remote access should do this monitoring and auditing. Those using remote access should log in with a standard account and, once they are in, elevate to system administrator privileges only when a task requires it.
Vigilance. Regularly require employees to change passwords and don't exclude anyone from the requirement. Run self-assessments and penetration tests against your own network. Conduct table-top exercises to game-plan an incident or breach. Use Homeland Security's cyber security evaluation tool. Don't get numb to the alerts that come into your inbox. And overall, don't allow tools and software to give you a false sense of security.
To contact David Burns with SecurIT360, he can be reached at 205-787-1250 and dburns@securit360.com.