Energy Sector Security
Energy fuels the economies of the world. Without a stable supply of energy, a national economy cannot function. People may hope for the day when energy reliance can shift to renewable sources. But in practical terms, the world is absolutely dependent upon electricity, petroleum, and natural gas. In the U.S., energy is identified as "critical infrastructure" — and is a prime target for terrorist attacks and a variety of natural and manmade hazards that could produce catastrophic results in the event of a system failure. Accordingly, the energy sector requires active engagement in protecting its assets and managing risk, including the mitigation of vulnerabilities that can be exploited via a cyber attack.
This sector includes production, refinement, storage, and distribution of oil, gas and electric power. Operators in these segments use sophisticated energy management systems. They manage control equipment in a single operating plant or local area with a Distributed Control System (DCS). The DCS collects sensor measurements and operational data from control equipment, processes and displays the information, and relays commands to local and remote equipment. These actions open and close valves or switches, regulate the flow of oil, gas, and electricity, and execute other operational functions. Large, geographically dispersed distribution operations manage multiple DCS with a Supervisory Control and Data Acquisition (SCADA) system.
How Energy Control Systems are Vulnerable
Control systems used to rely on closed, private networks for communication between devices, the DCS, and the SCADA system. New control systems often rely on open, public networks for communication. As with any use of the Internet, attackers may exploit vulnerabilities in network protocols and equipment, operating systems, and application software. Attacks against business targets typically aim to steal sensitive business or customer data for financial gain. Objectives are different for an energy target.
For example, a control system may be disrupted by attackers who delay or block the flow of its information. Control system equipment may be damaged by excessive tolerances, premature shutdown of processes or disablement. Actions could include unauthorized changes to programmed instructions in a programmable logic controller (PLC), remote terminal unit (RTU), or a distributed control system. Attackers could also change alarm thresholds or issue unauthorized commands to control equipment. Any of these actions could send false information to system operators, who in turn might take inappropriate actions in reaction to unpredictable operations of critical infrastructure. All of the above can interfere with the operation of safety systems — hence the need for strong control system security.
How Qualys Solutions Help Secure Energy Control Systems
Qualys' on-demand solutions for network vulnerability management provide a fully automated way to non-disruptively scan new SCADA networks, inventory assets, identify vulnerabilities, track remediation, reduce network security risks, and reporting necessary to meet IT policy compliance requirements. These solutions include QualysGuard, a web-based service for comprehensive network vulnerability management. QualysGuard Policy Compliance includes built-in auditing and reporting for NERC compliance.
By continuously and proactively monitoring all network access points, QualysGuard dramatically reduces security managers' time researching, scanning and fixing network exposures and enables energy companies to eliminate network vulnerabilities before they can be exploited. Driven by the most comprehensive vulnerability KnowledgeBase in the industry, QualysGuard identifies software and configuration security gaps and provides the immediate insight needed to keep energy management systems secure.
And because QualysGuard's Vulnerability Management, Policy Compliance, and Web Application Scanning solutions are delivered as an on-demand web service, it achieves this at a fraction of the cost associated with traditional software.
Insightful, easy-to-grasp reports for both business and technical managers means the entire organization knows the security and compliance status at any given time. While, pre-built and fully customizable reporting capabilities provides a straightforward substantiation of security and compliance levels to internal auditing teams and external regulators — including NERC.