Addressing The Human Elements of Cybersecurity for Asset Intensive Industries

Author: Matt Yourek, Director of Product Cyber Security & Compliance, Grid Software, GE Vernova

Matt Yourek is the Director of Product Cyber Security and Compliance for Grid Software, GE Vernova, a position he has held for the past four years of his 15-year GE career. Matt's role includes product management for the cyber security functionality of the Digital Energy solution, Open Source DevOps, and secure product delivery; supporting marketing, sales, contracts, and commercial operations on all things related to customer-facing cyber security aspects of our business; product vulnerability and incident response; ISO27001 governance; customer supply-chain risk assessments of our business; and collaborating with industry.

Aug 19, 2024 | 3.5 Minute Read

Part 3 in our Cyber Security for Utilities blog series.

The list of assets in the power and utilities industry is practically endless. Every power station and pipeline, substation and switchgear, battery and busbar must be kept reliable, resilient and secure. It’s challenging, and that’s before adding in the human element. Regrettably, human assets are often the weakest link in an organization’s cybersecurity posture.

Asset-intensive industries already face many workforce challenges. Experienced industry veterans are retiring. There is a shortage of qualified employees available to meet an ever-increasing demand. Plus, new hires often need specific technological skill sets in order to play their role in the utility’s digital transformation.

Meanwhile, the utility is dealing with growing customer expectations, increased regulatory pressure (e.g., NERC CIP, EU NIS Directive, GDPR), and ever-evolving external cyber threats. Today’s utility needs to stay abreast of seemingly never-ending security patches and upgrade technology reaching end of life.
More devices are getting connected, which means more potential endpoints at risk. And there’s more data (e.g., logs, configuration baselines, network traffic) than ever to monitor and secure.

On top of all those technical aspects, the utility must also protect against insider threat and human error. A disgruntled or malicious human could wreak havoc on systems intentionally. But an otherwise reliable employee might accidentally send confidential data via a mobile device and then lose that device, putting company data at risk, or use inappropriate IT resources on the network. Even the utility employee with the best of intentions could cause downtime by typing one wrong command or clicking unwittingly on a phishing email.

Verizon found that email was “the delivery mechanism in 94% of malware attacks in 2019” and noted, “managers need to stress the importance of employee vigilance.”

Add to that the number of external personnel (e.g., at third-party vendors, service providers, auditors) who may connect to the utility’s systems and the problem only compounds further.

Diligent Management of Cybersecurity

Managing insider threat is critical to a robust cybersecurity posture. A key part of that is having the tools to know what your people are doing. Let’s talk about the benefits of user access management, access control, session management, and encryption in terms of mitigating the human element’s impact.

Multi-factor authentication is a cybersecurity best practice for user access management (especially now with remote and hybrid work environments). You don’t want to create too much friction for your users, yet appropriately authenticating and re-authenticating both users and their devices can cut risks. The bad actor might buy usernames and passwords on the dark web, or gain them via social engineering, but they can’t get in as easily without access to the compromised individual’s devices too or a multi-factor bypass vulnerability.

With access control, configuring role-based authorization supports the security principle of least privileged access. A least privilege access approach puts rules in place which limit the users’ access to only those applications, data, and assets necessary to getting their job done. This can help mitigate the damage done if that user’s account is compromised, since impact would be better contained.

Next, session management balances usability and security. With the right tools, administrators can:

- Quickly expire administrator sessions regardless of client
- See all sessions currently logged in and their origin
- Forcibly disconnect unrecognizable connections or those associated with malicious activity

Encryption is yet another solution that can be leveraged to reduce human threats. Having end-to-end encryption throughout the system stack (e.g., hardware, operating system, files and data, networking) reduces the threat of:

- Data accessed from stolen hard drives
- Theft of online data files containing confidential information
- Sensitive data being exfiltrated through the network

It is therefore best, of course, to encrypt data at rest and in transit.

(Image caption: Managing insider threat is critical to a robust cybersecurity posture. A key part of that is having the tools to understand the human element of cyber security. Image credit: GE Vernova)

Then, There’s the Third-Party Risk

My previous blog looked in detail at the supply chain cybersecurity risk asset-intensive industries face today. That article outlined six strategies to manage cyber security risks, such as the more recent Kaseya attack. It called for utilities to proactively investigate their supply chain’s cyber practices.

Ultimately, your business needs to know what its third-party users are doing too. In this interconnected, digital age, individuals who provide project execution or support often need access to at least some portion of your organization’s own infrastructure.
This can be worrisome as it’s another access point (or several) to secure.

When customers partner with GE Vernova, they get peace of mind with access to our Personnel Risk Assessment Portal. Customers can see which GE Vernova employees have access to their data and systems. Plus, they are able to view GE Vernova’s own background checks of many of those employees (with the employee’s PII redacted to accommodate Privacy Laws) as well as GE Vernova’s NERC CIP Training material and employees’ attendance records.

Preparing for the Worst Made Easier

You can limit access, segment networks, encrypt data and use all kinds of cybersecurity best practices. Training your employees and reviewing supply chain partner security posture is necessary too. Yet, the business will never be impervious to attack. That’s why it is important to have your people trained and ready to implement recovery plans in order to expedite your incident response.

GE Vernova’s software products’ support for virtualization makes backup, recovery, and process validation easier. Our product guides can provide customers with the location of key data that needs to be backed up, suggested frequency, and any special steps required to successfully back up the real-time systems. Plus, our solutions integrate with the standard IT backup and recovery tools likely to already be in use within your enterprise.

GE Vernova has been working with utilities for more than 70 years. We understand these critical industries, understand where they’re vulnerable, and can partner with our customers to identify how they can be better secured. Learn more today!

Interested in cyber security?
Read the other blogs in this series:

- Supply Chain Network Under Attack: Securing Your Cyber
- The Delicate Balancing Act in Meeting Cyber Security Challenges
- Keep an Open Mind about Open Source in the Utility Environment