Cybersecurity for U.S. Dams, Power Grids, Infrastructure: More Answers Emerge
With nation-state cyber attackers eyeing critical infrastructure targets, you can safely expect more room will be made for managed security service providers (MSSPs) at the solutions table.
Utilities providers and systems operators, prime examples of potentially vulnerable sectors, are about to get a security boost, as Reno, Nevada-based BlackRidge Technology and Agile Fractal Grid (AFG) will showcase their new, jointly developed security-as-a-service (SECaaS) platform to some 400 electric utility co-ops and municipal utilities attending Milsoft’s 2018 User Conference this week in Florida.
The three-part harmony came about when Milsoft, an Abilene, Texas-based electric utilities software developer, engaged with AFG to provide managed SECaaS to its 920 utilities customers. AFG, a Medway, Massachusetts MSSP, sells a platform for industrial internet of things (IIoT) systems to accurately control electric power and communications grids. BlackRidge’s flagship Adaptive Trust Solution provides the end-to-end, identity-based cyber defense technology underpinning the companies’ SECaaS offering.
“We are very excited to add BlackRidge to our team of teams approach to cyber security as a managed service offering for small- to medium-size businesses that are resource constrained and lack the expertise to manage, detect, and recover with decisive action,” said Charles Speicher, AFG chairman.
To run the show, BlackRidge named Michael Murray, a former general manager at Analog Devices, as head of its new IIoT and critical infrastructure wing. Murray, who will oversee the SECaaS offering, said the “rapidly growing cyber threat to our critical industrial, consumer and community infrastructure needs a new approach to cyber defense.”
From Power Grids to Dams: Cybersecurity Contracts Emerge
It’s not only the nation’s power grids that are vulnerable to cyber attacks — 600 dams in 17 western U.S. states are at risk as well, according to the U.S. Department of the Interior (DoI), which has awarded federal contractor Booz Allen Hamilton (a Top 100 MSSP) and Spry Methods, a McLean, Virginia-based cybersecurity provider, spots on a $45 million, five-year contract to protect those structures from cyber attackers.
While the $45 million sounds like a good number, if the contract’s outlay spans all 600 sites it amounts to roughly $75,000 for each dam spread out over five years, or $15,000 a year per dam.
The DoI’s Bureau of Reclamation awarded winners on its contract for IT risk management services on June 5, Nextgov reported. The contract covers technical and professional threat monitoring and mitigation services, compliance with the Federal Information Security Management Act, securing dam industrial control systems (ICS), and collaborating with the Bureau’s information system security officer, the report said. With the award, the Bureau is now set to issue task orders to Booz Allen Hamilton or Spry to provide those services.
“Over the last two years, Spry has been deeply involved in the security assessment and evaluations of numerous Reclamation systems,” Lori James, Spry’s chief cybersecurity officer, told Nextgov. “Spry is looking forward to our continued support of DoI and Reclamation specifically, where we can help streamline security requirements and produce efficient and useful methodologies that will become commonplace at DoI.”
Will History Repeat Itself?
An incident two years ago in which hackers gained control over a gate controlling water at an out-of-service dam in New York, perhaps mistaking it for a similarly named, far larger structure in Oregon, may have added some urgency to the contract.
“Hydroelectric facilities such as the ones operated by [Reclamation] can have a significant number of ICS/[operational technology] systems,” Marty Edwards, managing director at Automation Federation and former director of Homeland Security’s ICS-CERT, told Nextgov. It can be challenging to update security on those legacy systems, he said.
“That is certainly a good start but ultimately cybersecurity is about hiring people,” Edwards reportedly said. “I would like to see either permanent civil servants or a standing program put in place to use contractors every year. Most likely the best approach is a combination of the two.”