Part 3 in our Cyber Security for Utilities blog series.
The list of assets in the power and utilities industry is practically endless. Every power station and pipeline, substation and switchgear, battery and busbar must be kept reliable, resilient and secure. It’s challenging, and that’s before adding in the human element. Regrettably, human assets are often the weakest link in an organization’s cybersecurity posture.
Asset-intensive industries already face many workforce challenges. Experienced industry veterans are retiring. There is a shortage of qualified employees available to meet an ever-increasing demand. Plus, new hires often need specific technological skill sets in order to play their role in the utility’s digital transformation.
Meanwhile, the utility is dealing with growing customer expectations, increased regulatory pressure (e.g., NERC CIP, EU NIS Directive, GDPR), and ever-evolving external cyber threats. Today’s utility needs to stay abreast of seemingly never-ending security patches and upgrade technology that is reaching end of life. More devices are getting connected, which means more potential endpoints at risk. And there’s more data (e.g., logs, configuration baselines, network traffic) than ever to monitor and secure.
On top of all those technical aspects, the utility must also protect against insider threat and human error. A disgruntled or malicious human could wreak havoc on systems intentionally. But an otherwise reliable employee might accidentally send confidential data via a mobile device and then lose that device, putting company data at risk, or use inappropriate IT resources on the network.
Even the utility employee with the best of intentions could cause downtime by typing one wrong command or clicking unwittingly on a phishing email. Verizon found that email was “the delivery mechanism in 94% of malware attacks in 2019” and noted, “managers need to stress the importance of employee vigilance.”
Add to that the number of external personnel (e.g., at third-party vendors, service providers, auditors) who may connect to the utility’s systems, and the problem only compounds further.
Managing insider threat is critical to a robust cybersecurity posture. A key part of that is having the tools to know what your people are doing. Let’s talk about the benefits of user access management, access control, session management, and encryption in terms of mitigating the human element’s impact.
Multi-factor authentication is a cybersecurity best practice for user access management (especially now with remote and hybrid work environments). You don’t want to create too much friction for your users, yet appropriately authenticating and re-authenticating both users and their devices can cut risks. A bad actor might buy usernames and passwords on the dark web, or gain them via social engineering, but they can’t get in as easily without also having access to the compromised individual’s devices or a multi-factor bypass vulnerability.
With access control, configuring role-based authorization supports the security principle of least privilege. A least privilege approach puts rules in place that limit each user’s access to only those applications, data, and assets necessary to get their job done. This can help mitigate the damage done if that user’s account is compromised, since the impact would be better contained.
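The containment argument above, as an added example that is not from the original article or from GE: a deny-by-default role check, plus helpers that show what a compromised account could reach and which grants were never used. All role names, users, assets and log entries are constructed for illustration.

```python
# Added example: roles, assets and log entries are constructed, not real systems.
ROLE_GRANTS = {  # role -> (asset, action) pairs it is authorized for
    "scada_operator": {("substation_hmi", "read"), ("substation_hmi", "operate")},
    "vendor_support": {("historian", "read"), ("substation_hmi", "read"),
                       ("substation_hmi", "operate"), ("billing_db", "read")},
    "auditor": {("historian", "read"), ("config_baseline", "read")},
}
USER_ROLES = {"alice": ["scada_operator"], "vend01": ["vendor_support"],
              "bob": ["auditor"]}
ACCESS_LOG = [  # constructed (user, asset, action) events
    ("alice", "substation_hmi", "read"),
    ("alice", "substation_hmi", "operate"),
    ("vend01", "historian", "read"),
    ("vend01", "substation_hmi", "read"),
    ("bob", "historian", "read"),
    ("bob", "substation_hmi", "operate"),
]

def effective_permissions(user):
    """Union of grants from every role the user holds; unknown users get nothing."""
    perms = set()
    for role in USER_ROLES.get(user, []):
        perms |= ROLE_GRANTS.get(role, set())
    return perms

def is_authorized(user, asset, action):
    """Deny by default: only an explicit grant allows the request."""
    return (asset, action) in effective_permissions(user)

def blast_radius(user):
    """Assets an attacker could touch with this account's credentials."""
    return sorted({asset for asset, _ in effective_permissions(user)})

def unused_grants(user, log):
    """Grants never exercised in the log: candidates for removal at review."""
    used = {(asset, action) for u, asset, action in log if u == user}
    return sorted(effective_permissions(user) - used)

def denied_attempts(log):
    """Logged requests that fall outside the requester's grants."""
    return [event for event in log if not is_authorized(*event)]

if __name__ == "__main__":
    print("vend01 can reach:", blast_radius("vend01"))
    print("vend01 unused grants:", unused_grants("vend01", ACCESS_LOG))
    print("denied:", denied_attempts(ACCESS_LOG))
```

In this constructed data the vendor account reaches three assets but only exercises two read grants, so removing the unused grants shrinks what a stolen vendor credential exposes.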
Next, session management balances usability and security. With the right tools, administrators can:
Encryption is yet another solution that can be leveraged to reduce human threats. Having end-to-end encryption throughout the system stack (e.g., hardware, operating system, files and data, networking) reduces the threat of:
It is therefore best, of course, to encrypt data at rest and in transit.
My previous blog looked in detail at the supply chain cybersecurity risk asset-intensive industries face today. That article outlined six strategies to manage cyber security risks such as those seen in the more recent Kaseya attack. It called for utilities to proactively investigate their supply chain’s cyber practices.
Ultimately, your business needs to know what its third-party users are doing too. In this interconnected, digital age, individuals who provide project execution or support often need access to at least some portion of your organization’s own infrastructure. This can be worrisome as it’s another access point (or several) to secure.
When customers partner with GE Digital, they get peace of mind with access to our Personnel Risk Assessment Portal. Customers can see which GE employees have access to their data and systems. Plus, they are able to view GE’s own background checks of many of those employees (with the employee’s PII redacted to accommodate privacy laws) as well as GE’s NERC CIP training material and employees’ attendance records.
You can limit access, segment networks, encrypt data and use all kinds of cybersecurity best practices. Training your employees and reviewing supply chain partner security posture is necessary too. Yet, the business will never be impervious to attack.
That’s why it is important to have your people trained and ready to implement recovery plans in order to expedite your incident response. GE Digital Grid’s software products’ support for virtualization makes backup, recovery, and process validation easier. Our product guides can provide customers with the location of key data that needs to be backed up, suggested frequency, and any special steps required to successfully back up the real-time systems. Plus, our solutions integrate with the standard IT backup and recovery tools likely to already be in use within your enterprise.
GE has been working with utilities for more than 70 years. We understand these critical industries, understand where they’re vulnerable, and can partner with our customers to identify how they can be better secured. Learn more today!
Interested in cyber security? Read the other blogs in this series:
Supply Chain Network Under Attack: Securing Your Cyber
The Delicate Balancing Act in Meeting Cyber Security Challenges
Keep an Open Mind about Open Source in the Utility Environment
GE has been working in telecom environments for over 25 years and with utilities for more than 70 years. We understand these critical industries, understand where they’re vulnerable, and can identify how they can be secured.
Benefit from real-time cyber security solutions custom built for your environment.