How to Create Information Security Policy for Electric Grids

New Information Security Policy

Why Security Policy is Important

Due to the cyberattacks on the Democratic National Committee and on state and local government offices, and the propaganda campaigns on social media in 2016, some cybersecurity experts assert that the technologies used to store and secure voters’ information represent a theoretical 17th critical infrastructure (CI) in the United States and potentially in other territories. Even though voter registration databases and electronic ballot machines are not currently documented as components of American critical infrastructure, their need for security highlights the necessity for entities to develop cybersecurity policies that identify prospective vulnerabilities, given the country’s dependency on networks to secure information. Effective cybersecurity policies make Americans and their ways of life more secure by implementing specific procedures that ensure access to resources that affect citizens’ health and productivity: the electric grid, water systems, transportation, financial and healthcare information, and the other CIs. Over the last several decades, one significant innovation has affected all current CIs: supervisory control and data acquisition (SCADA) systems and programmable logic controllers (PLCs) have been placed on networks in order to increase functionality and reliability, and to give cybersecurity professionals the ability to adjust CIs efficiently. While most cybersecurity experts would agree that networking these controls brings many benefits to the operation and maintenance of CIs, many would also agree that it creates a vulnerability, since networked controls are a natural point of emphasis for hackers seeking unauthorized access. Some CIs, particularly the electric grid, were managed before their controls were networked and can be operated independently of the network should cybersecurity staff and upper management determine that this is necessary. Deciding when to remove a CI’s controls from the network can therefore be a significant component of a new cybersecurity policy.

Denial-of-Service

State-sponsored cyberterrorism has potentially prevented government and utility services from providing Americans with reliable access to energy in 2019. An energy service provider within the United States submitted a report to the Department of Homeland Security (DHS) and the Department of Energy last March, describing a cyberattack that affected the electric grid. The denial-of-service attack took place on March 5th and allowed hackers to bypass firewall settings on networks at the energy provider’s operations in California, Utah and Wyoming. The cyberattack caused no blackouts or physical damage, but it made adjustments to SCADA controls that made it more difficult for cybersecurity professionals to examine what changes had been made and whether they required mitigation. Company representatives endorsed a “manual mode” option for operating energy utilities as a method of protecting CIs when hackers gain access to SCADA and PLCs. The first known cyberattack on the energy sector that caused blackouts and physical damage for hours was carried out by Russian-sponsored hackers against energy facilities in Ukraine in 2015.

How to Create Security Policy

Based on open-source intelligence regarding the cyberattack on the US electric grid, a prospective security policy (tentatively entitled “Energy Sector: Information Security Policy 2019” and developed by the author of this document) outlines security measures that use human and technological resources to assist government and private utility companies in providing confidentiality, integrity and availability of energy to American consumers. The following information security policy provides a solution to the strategic objective of securing energy sector critical infrastructure in the presence of active cyber threats on networks, SCADA controls, and PLCs. The backward planning model has been applied so that the organization’s end goal is addressed by the first components of the policy, with the remaining solutions recommended in descending order so that cybersecurity staff can apply them efficiently.
1. Integrate physical controls, isolation, intrusion prevention systems, firewalls and vulnerability assessments.
2. Implement incident response, staff notification and monitor traffic.
3. Identify forensic information and indicate a point of entry.
4. Remove all threat agents and submit report to upper management.

Section 1

Cybersecurity professionals should examine the functionality of physical controls in case a security threat gains unauthorized access to SCADA and PLCs. Staff should understand how to remove SCADA and PLCs from the network and transfer operations to the physical, manual controls available at utility companies, in order to provide energy with minimal disruption. Any affected computer on which the threat agent is located should subsequently be removed from the network in order to isolate the threat agent and prevent the malware from spreading to other locations. Information on the March 5th cyberattack does not indicate whether an intrusion detection and prevention system (IDPS) was installed on the company network. Since the malicious code bypassed firewall settings, an IDPS can work in tandem with the existing firewall settings to assist the organization in monitoring traffic and points of entry for threat agents. The malware bypassed the network’s firewall, a Cisco Adaptive Security Appliance model; cybersecurity staff can examine the settings in place at the time of the cyberattack, change or update those settings, or decide to replace the existing firewall with one that is closer to the industry standard or has a higher rate of success according to open-source intelligence. Cybersecurity professionals can also determine which staff are responsible for conducting vulnerability assessments and how frequently; these examinations identify areas of potential risk and give cybersecurity professionals the opportunity to prevent cyberattacks on control systems.

Section 2

The following steps should only be implemented once the cybersecurity staff have succeeded in isolating the threat agent, which gives them the opportunity to gather further intelligence on the malware and select the most efficient methods of removing it. At this point, cybersecurity staff should have enough information to develop an incident response document covering the initial facts of the cyberattack: where is the threat agent isolated; did it cause any physical or digital damage to networks and control systems; and is there any other preliminary information that is pertinent to the specific threat agent and its actions? Answering these questions and sending a final copy to upper management informs them of the threat agent’s scope of operations. This process should be followed by staff notifications regarding the potential loss of data due to the cyberattack; if any employees’ credentials have been compromised, it is best cybersecurity practice to notify them and upper management, which gives them the opportunity to update their credentials and prevents hackers from returning to their terminals. While the threat agent is still isolated, it is helpful to monitor network traffic for an extended period of time in order to make sure that malicious code is not present elsewhere on company networks.

Section 3

Cybersecurity professionals should conduct a forensic analysis in order to gain as much intelligence regarding the threat agent as possible. This process should involve examining internet browser history and downloaded files (including their timestamps). The forensic examination should also include analyzing log files in order to discover the threat agent’s point of entry. The examination gives the cybersecurity professional answers to many questions regarding the cyberattack: what kind of threat agent attacked the network; when and how did it do so; and what can the organization do to prevent these attacks from happening again? The collected information represents the most current intelligence gathered on the specific threat, and it can help other entities in the future if it is shared as open-source intelligence.

Section 4

Now that all the information regarding the cyberattack has been collected by the cybersecurity professional, it is appropriate to identify a method of removing the threat agent from infected devices. This may require running existing anti-virus software or collaborating with the technical staff responsible for developing patches that can delete malware and other forms of threats. After the threat agent has been eliminated and all devices have been reconnected to the network with normal network traffic, the cybersecurity professional should submit all collected intelligence and procedures as a report to upper management.
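As an added illustration of the log analysis called for in Section 3 (and of the isolation decision in Section 1), the following Python triage script is not part of the policy above; it runs over constructed, syslog-style firewall and SCADA audit lines, links each SCADA setpoint change back to the earliest inbound session the firewall allowed to that host, and reports the suspected point of entry plus the internal hosts to isolate. The log format, addresses and tag names are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample log lines (not from the page or any real incident).
# Firewall records: "<ts> <device> ALLOW|DENY <proto> <src>:<port> -> <dst>:<port>"
# SCADA records:    "<ts> <device> SETPOINT_CHANGE tag=<tag> from=<internal host>"
SAMPLE_LOGS = """\
2019-03-05T02:11:04 fw1 ALLOW tcp 198.51.100.23:51522 -> 10.20.1.15:443
2019-03-05T02:11:09 fw1 DENY tcp 198.51.100.23:51523 -> 10.20.1.16:22
2019-03-05T02:16:02 scada-srv SETPOINT_CHANGE tag=FEEDER_07_BRK from=10.20.1.15
2019-03-05T02:40:11 fw1 ALLOW tcp 203.0.113.7:40001 -> 10.20.1.22:443
2019-03-05T03:05:55 scada-srv SETPOINT_CHANGE tag=FEEDER_12_BRK from=10.20.1.22
2019-03-05T03:20:00 fw1 ALLOW tcp 192.0.2.9:4444 -> 10.20.1.30:8080
"""

FW_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) \S+ (\S+):\d+ -> (\S+):\d+$")
SCADA_RE = re.compile(r"^(\S+) (\S+) SETPOINT_CHANGE tag=(\S+) from=(\S+)$")

def parse(log_text):
    """Split raw lines into firewall and SCADA-change events, sorted by time."""
    fw, scada = [], []
    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, _, action, src, dst = m.groups()
            fw.append((datetime.fromisoformat(ts), action, src, dst))
            continue
        m = SCADA_RE.match(line)
        if m:
            ts, _, tag, host = m.groups()
            scada.append((datetime.fromisoformat(ts), tag, host))
    return sorted(fw), sorted(scada)

def triage(log_text):
    """Return (point_of_entry, hosts_to_isolate).

    point_of_entry is the earliest ALLOWed inbound session whose destination
    host later issued a SCADA setpoint change, as (time, external_src, host, tag);
    hosts_to_isolate is every internal host tied to such a change."""
    fw, scada = parse(log_text)
    suspects = []
    for ts_s, tag, host in scada:
        for ts_f, action, src, dst in fw:
            if action == "ALLOW" and dst == host and ts_f <= ts_s:
                suspects.append((ts_f, src, host, tag))
                break  # fw is time-sorted, so the first match is the earliest
    if not suspects:
        return None, set()
    suspects.sort()
    return suspects[0], {s[2] for s in suspects}
```

Hosts that the firewall admitted but that never touched SCADA (10.20.1.30 above) are deliberately left out of the isolation set, so the analyst can review them separately rather than pull them offline on suspicion alone.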

New Policy

Energy Sector: Information Security Policy 2019 is a mandatory information security policy for government and private energy utility service providers, as it reduces the prospect of organizations experiencing disruptions when providing energy to consumers. It provides a backup strategy for circumstances in which state and non-state actors may gain unauthorized access to networks, terminals, SCADA and PLCs. The policy will help bolster organizations’ strategic objective of making energy available at all times, and it responsibly transitions networked control systems to manual ones (on a temporary basis) during a cyberattack. This policy also provides an effective plan should the unthinkable occur and utility providers find themselves affected by instances of cyberwar.
