Utilities are waking up to the need for a centralised security monitoring centre to better co-ordinate responses to cyber and physical threats, says Galen Rasche, technical executive at US-based Electric Power Research Institute.
Mr Rasche said: “Over the past year or two, we have seen tremendous interest from utilities in the US in developing and implementing an Integrated Security Operations Centre (ISOC).
“There have been more high-profile cyber-security incidents but there are also security and business drivers behind bringing together separate siloed departments.”
Rasche is part of a team that has produced the report ‘Guidelines for Planning an Integrated Security Operations Centre’.
The team identified that a utility will have multiple groups and operators independently gathering and analysing information from the different domains, i.e. datacentres, workstation networks, physical security, supervisory control and data acquisition systems, energy management systems and field equipment.
If a smart meter is sending back unusual data, a new device is detected being plugged in at a sub-station, and there is also an attack on field equipment, the utility will take much longer to connect the dots and recognise that this is an attack.
The report said: “Correlating this data to find suspicious activity can be extremely challenging and often only occurs long after an incident happens.
“An ISOC is designed to collect, integrate, and analyse alarms and logs from these traditionally siloed organisations, providing much greater situational awareness to the utility’s security team.
“Additionally, an ISOC allows utilities to transition to an intelligence-driven approach to incident management, which is much more effective for handling advanced threats.”
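The correlation the report describes, as an added illustration that is not part of the EPRI report: alarms from separately monitored domains (metering, substation network, SCADA, physical security) are tagged with a site identifier and flagged when several domains raise alarms at the same site within a short window. The event records, site names and domain labels are constructed for this example.

```python
# Added example, not EPRI's code: a minimal cross-domain correlation rule
# of the kind an ISOC runs over alarms that siloed teams would each see alone.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alarms from four siloed sources, each tagged with a site.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T02:10:00", "domain": "ami", "site": "SUB-17",
     "msg": "smart meter reporting out-of-range register values"},
    {"ts": "2024-03-01T02:14:00", "domain": "ot_network", "site": "SUB-17",
     "msg": "new device seen on substation LAN"},
    {"ts": "2024-03-01T02:21:00", "domain": "scada", "site": "SUB-17",
     "msg": "unexpected control write to field RTU"},
    {"ts": "2024-03-01T09:05:00", "domain": "ami", "site": "SUB-03",
     "msg": "smart meter reporting out-of-range register values"},
    {"ts": "2024-03-01T15:40:00", "domain": "physical", "site": "SUB-03",
     "msg": "badge reader: door held open"},
]


def correlate(events, window=timedelta(minutes=30), min_domains=2):
    """Group alarms by site and report sites where alarms from at least
    min_domains distinct domains fall inside one sliding time window.
    Seen in isolation, each alarm above is low priority; together at one
    site they are the pattern an ISOC exists to surface."""
    by_site = defaultdict(list)
    for e in events:
        by_site[e["site"]].append((datetime.fromisoformat(e["ts"]), e))
    findings = []
    for site, items in by_site.items():
        items.sort(key=lambda x: x[0])
        for i, (t0, _) in enumerate(items):
            # all alarms at this site starting from the i-th, within the window
            cluster = [e for t, e in items[i:] if t - t0 <= window]
            domains = {e["domain"] for e in cluster}
            if len(domains) >= min_domains:
                findings.append({"site": site, "start": t0.isoformat(),
                                 "domains": sorted(domains),
                                 "alarms": [e["msg"] for e in cluster]})
                break  # one finding per site is enough here
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['site']} from {f['start']}: {', '.join(f['domains'])}")
        for msg in f["alarms"]:
            print("  -", msg)
```

SUB-03 produces no finding because its two alarms are hours apart; SUB-17 is flagged on three domains within eleven minutes.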
Building internal trust
While EPRI highlights the benefits of adopting an ISOC, the non-profit organisation is also realistic about the organisational hurdles to overcome.
Mr Rasche said: “Building an ISOC requires significant technical resources, staff and time, but one of the biggest challenges will be overcoming a lack of trust between corporate IT and operations technology IT groups.
“There also isn’t a one-size-fits-all solution. The process of implementing an ISOC will depend on the size of the utility and the company resources.”
The study is the first stage in what EPRI sees as a multi-phase process.
Mr Rasche said: “Once a utility has executive support for an ISOC, they can spread out the integration over a few years. EPRI will spend a lot of time fine-tuning each part of the system. We will work through each domain of a utility, starting with control centres followed by sub-stations, before moving on to the next phase.”