SecurityWeek’s ICS Cyber Security Conference is the conference where ICS users, ICS vendors, system security providers and government representatives meet to discuss the latest cyber-incidents, analyze their causes and cooperate on solutions.



By Edgard Capdevielle, CEO of Nozomi Networks

Power generation, substation and electric grid operators, along with many other critical infrastructure sectors, typically use equipment from a heterogeneous assortment of vendors. This equipment runs thousands of real-time processes that generate a huge volume of data. Increasing the interconnectedness and digitization of these systems is a pillar of improved operational efficiency; however, it isn’t risk free.

Analyzing and monitoring this data to detect anomalies that might be caused by a cyberattack is akin to searching for a needle in thousands or even millions of haystacks. While it might seem like mission impossible, ignoring the problem isn’t an option. Organizations need to find a way to detect anomalies in their ICS environment as a foundation for reliable and resilient power delivery.

Heightened Cyber Threats

Over the last few years, attacks on energy infrastructure have greatly increased. Far from benign, these cyberattacks have resulted in power outages in Ukraine in both 2015 and 2016.

Power system cyber threats are now recognized as core risks to safely functioning societies, economic stability and business continuity. They are also cited among the top issues keeping energy leaders around the world awake at night. Furthermore, governments are increasing their focus on critical infrastructure cybersecurity, an example of which is the 2017 U.S. Presidential Order on Cybersecurity.

To improve cyber resiliency, many utilities are evaluating options for augmenting the cybersecurity of their industrial control system (ICS) networks. That said, real-time visibility into the cybersecurity attacks, risks and incidents affecting these large, heterogeneous, high-availability industrial systems poses a unique challenge.

Technical Challenge

Many electric utilities have hundreds or even thousands of substations, and these are critical to realizing the efficiency and adaptability vision of the smart grid. With the smart grid, information about consumption and operations needs to be sent back to a central point for analysis by energy management systems and substation automation systems, which requires two-way communication of data.

To support this, the communications networks of substations are being retooled for connectivity with multiple systems. The preferred networking technologies are based on Ethernet and TCP/IP, and adhere to the IEC 61850 standards.

Modern substation systems need to support interoperability and deliver high reliability and availability. They also need to do this while addressing increasing concerns about cybersecurity.

Security with Zero Impact

Passive monitoring devices solve an important part of the SCADA (supervisory control and data acquisition) security problem by automatically identifying industrial assets and providing comprehensive, real-time cybersecurity and visibility of industrial control networks. They should provide optimal performance while monitoring thousands of substations and assets across low bandwidth networks.

However, delivering this functionality requires overcoming significant technical challenges. For starters, electric power generation systems and grids span large geographic areas, which means a correspondingly large amount of infrastructure. Tracking those assets, including their real-time status, produces large volumes of data that must be mined to identify anomalous incidents.

Advanced computer science techniques such as artificial intelligence (AI) and machine learning are proving invaluable in cybersecurity, but on their own they are only one half of the puzzle. Organizations need to marry this data with the insight and structure that ICS security experts bring to these techniques in order to make them effective.

While standard networking and cybersecurity tools rely heavily on direct programming, machine learning solves problems with algorithms that learn from data. With the input of experts who have a deep understanding of ICS cybersecurity, structures are created that allow the machine learning algorithm to view and interpret network and process data correctly. Once AI algorithms are enabled in this way, they can rapidly analyze the high volumes of ICS data that are impossible to evaluate any other way.

This data analysis is used to develop process and security profiles specific to each ICS. Once baselines are established, behavioral analytics are used to monitor them constantly. The result is the rapid identification and alerting of cyberattacks, cyber incidents and critical process anomalies. This information can be used to prevent, contain or mitigate cyber threats or process incidents before significant damage occurs. The data analysis is also invaluable in reducing troubleshooting and remediation effort.
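The baseline-then-deviation approach described above, reduced to its core on constructed substation flow records. This is an added illustration, not Nozomi Networks' code; the IP addresses, the "mms"/"read"/"control" labels and the flow tuples are all assumptions made for the example.

```python
# Passive baseline-and-deviation detection for substation network traffic.
# Added illustration, not Nozomi Networks' code; all addresses, protocol
# names and flow records below are constructed for this example.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # source IP of the flow as seen by the passive sensor
    dst: str    # destination IP
    proto: str  # application protocol, e.g. IEC 61850 MMS ("mms")
    op: str     # "read" for monitoring traffic, "control" for writes/commands


# Constructed learning-window traffic for one hypothetical substation: an HMI
# (.10) and an engineering workstation (.50) poll two IEDs (.21, .22) over MMS.
LEARNING_WINDOW = [
    Flow("10.10.1.10", "10.10.1.21", "mms", "read"),
    Flow("10.10.1.10", "10.10.1.22", "mms", "read"),
    Flow("10.10.1.10", "10.10.1.21", "mms", "read"),
    Flow("10.10.1.50", "10.10.1.21", "mms", "read"),
    Flow("10.10.1.50", "10.10.1.22", "mms", "read"),
]


def learn_baseline(flows):
    """Build the profile: the asset inventory and the set of known flow tuples."""
    assets = {ip for f in flows for ip in (f.src, f.dst)}
    return assets, Counter(flows)


def classify(assets, baseline, flow):
    """Label one live flow against the learned profile."""
    if flow.src not in assets or flow.dst not in assets:
        return "new-asset"          # an unknown device is talking on the LAN
    if flow in baseline:
        return "baseline"
    read_peer = Flow(flow.src, flow.dst, flow.proto, "read")
    if flow.op == "control" and read_peer in baseline:
        return "new-control"        # known pair, first command ever observed
    return "new-communication"      # known assets, unseen protocol or direction


def triage(assets, baseline, live_flows):
    """Return only the flows that deviate from baseline, with their label."""
    return [(f, lbl) for f in live_flows
            if (lbl := classify(assets, baseline, f)) != "baseline"]
```

In a real deployment the learning window must itself be reviewed by someone who knows the process, since any compromise present during learning is baked into the baseline.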

Increasing cyber threats, management fears and government policies are driving power generation, substation and electric grid operators to improve the resiliency of their systems with enhancements to their ICS cybersecurity programs. Five years ago, it was very difficult to have real-time visibility and cybersecurity of industrial control networks. That has changed.

The scale and complexity inherent in substation and power grid systems make identifying anomalous and harmful incidents difficult, but that doesn’t mean they can’t be found. Just as the right equipment will eventually find the needle in the haystack, it is now possible to have comprehensive ICS cybersecurity that addresses the advancing threat environment in a manner that reduces cyber risk while improving operational excellence and reliability.

About the Author

Edgard Capdevielle is CEO of Nozomi Networks and possesses an extensive background in successfully managing and expanding markets for both start-ups and established technology companies. Previously, Edgard was Vice President of Product Management and Marketing for Imperva, where he led teams that made the company’s web and data security products leaders in their space. Prior to that, he was a key executive at storage companies Data Domain and EMC. Edgard has an MBA from the University of California at Berkeley and a Bachelor’s degree in Computer Science and Electrical Engineering from Vanderbilt University.