Security from the outside looking in

This past April, security professionals in the utility sector were up-in-arms about a very public and documented red-team video documentary that highlighted how “easy” it was to “fully compromise” a power company. Simply put, a boutique cybersecurity and network penetration firm, that specializes in “ethical hacking”, entered corporate buildings, unmanned distribution substations, and the company’s IT server room under the cover of darkness rather quickly and with little challenge.

As you can imagine, this event is not only embarrassing for the utility, but it’s also a gut punch for those who have worked tirelessly to improve security and promote the positive steps industry is making to secure the grid.

[ ALSO ON CSO: Ever been in these social engineering situations? ]

While this video does not paint the utility company in the best light, the benefits of red teaming can help security professionals and utility executives determine weaknesses and where to ultimately spend next year’s budget dollars to reduce security risk. The usefulness of such an exercise far outweighs the risk and will certainly bring to light protection concerns.

For a successful example, we simply need to look at the defense industry and what our military forces use to examine their vulnerabilities to perimeter security, access control, and the detection of unauthorized individuals. While I’m not suggesting that utilities hire a US Marine Corps team of covert experts to circumvent their security measures, I will advocate that there is value in “thinking like the enemy”. Having an outside firm, with no affiliation to your company, infrastructure, or systems, conduct an assessment on how they would infiltrate, gain access, or sabotage equipment may be very eye-opening and provide an impartial assessment.

Red teaming is the practice of analyzing a security mechanism from the standpoint of an external attacker or adversary. A red team is a group of third-party penetration testers that detects vulnerabilities in your physical security systems or cyber networks while mimicking the attacks of an intruder. The ultimate purpose of red teaming is to harden your security against real-world attacks after taking the lessons learned from the test. Presumably, after digesting the gaps and the perceived weaknesses in your system, infrastructure owners will improve their security programs by updating their mitigation measures and adding additional focus to gaps in awareness, detection, and defense.

[ MORE: What security pros can learn from the networking team ]

Obviously, I am a major advocate for exercises and examining how to make infrastructure “harder” targets. That said, utilities should be educated and fully understand the inputs and information that a red team exercise will provide. Below, I have listed a number of concerns and considerations that utilities should be mindful of prior to any such evolution.

But first, a word of caution. As recent events have shown us, utilities must protect themselves from this information and the security “results” from getting into the wrong hands. Built into any contract with a third party must be provisions for nondisclosure and extreme confidentially. Utility executives will be mindful of this and the ever-present reality that information in the incorrect hands can result in unwanted hits to reputational risk.

If your company sees the value in having an unaffiliated third party conduct a red team exercise against your corporate campus, IT systems, or physical infrastructure, here are a few thoughts to consider:

• Have your company leadership be fully aware and have complete “buy-in” as to the process and methods used to obtain the exercise results.
• Once the results are in and gaps have been discovered, what will this information be used for? Is company leadership prepared to immediately respond and mitigate any discovered vulnerabilities?
• Nobody likes to have their baby called ugly! Be prepared to hear an outsider’s perspective — that means the good, the bad, and the ugly.
• Provide limited situation awareness to those who absolutely “need to know”. If you are completely prepared and anticipate the “outsider threat”, what real value are you getting from the exercise? It is better to judge reactions, assess mitigation measures, and evaluate response from a simulated crisis while responders are in the moment.
• Get others involved. An exercise is always a good excuse to reach out to other internal departments, intelligence agencies, and law enforcement.

At the end of the day, be open to new ways of addressing an old problem. After all, this is a critical review and analysis of already-existing plans. You presumably will do this because you are interested in improvement. So go do it, and improve!