FONES Minimum Standard - State of cyber security in the energy sector and sector-specific standards

by Mark Zeman
on August 05, 2021
time to read: 8 minutes

Keypoints

This is the FONES Minimum Standard in the Energy Sector

  • Implementation of the minimum standard remains minimal
  • Explicit strategies help, but even the best results remain below target
  • Overall, not even the first maturity level has been reached
  • Sector manuals differ a lot in length and detail
  • Some are very brief and straightforward, others long and convoluted

Two years ago, we last wrote about the ICT minimum standard from the Federal Office of National Economic Supply. Recently, this was picked up by the media as the energy companies, according to a survey conducted by the government, have failed to prepare and did not implement the recommendations from the minimum standard properly.

In particular, the energy sector set itself the goal of reaching an average maturity grade of 2.6 and achieved one of barely under 1. We will take this as an opportunity to look at the standard again, in particular at the sector-specific manuals and how they differ, as well as at what this target number means.

Maturity Grades

The ICT minimum standard defined the following scale:

Grade Description
0 Not implemented
1 Partially implemented, not fully defined and adopted
2 Partially implemented, fully defined and adopted
3 Implemented, fully or largely implemented, static
4 Adaptive, implemented, continuously reviewed, improved

The target of the electricity industry, to achieve between 2 and 3 on this scale, is therefore at first sight a realistic target, which brings clear improvement. This would give us clearly defined and tested measures that have at least been partially implemented – a “good start”, so to speak. We could then build on this in the coming years and achieve further improvements.

The score was only just 1 (0.898 on average across all functions), which means that it has not even been fully defined what is to be implemented. It is not surprising that the federal government now wants to switch from voluntary to mandatory requirements and establish an auditing office.

The function Protect scores the highest, with a result of 1.08, while Respond scores the worst with 0.66. Since the survey is a self-assessment without evidence, these results should probably be read as optimistic, i.e. most likely higher than they ought to be. It is also important to be aware that some areas were excluded here, in particular nuclear power plants, which are already separately regulated in terms of cybersecurity.

Switch to “Assume Breach”

Now, it is easier to say that improvements are needed in all areas than to implement them. As the federal government also states in its strategy for protection against cyber risks, it is becoming increasingly apparent that a successful attack is merely a matter of time. Under this paradigm, also called Assume Breach – assume you have been hacked – the functions Detect, Respond and Recover are particularly important. From the point of view of this critical infrastructure, this makes even more sense, as a short-term power outage is much less severe than months of restricted operations, as currently experienced by the Irish Health Service Executive.

Currently, the highest maturity is in the Protect function, which is still based on the older paradigm that you can completely prevent successful attacks by taking sufficient preventive measures. Now, it is certainly important not to disregard this function, but the strategy of first and foremost improving the response to an attack is certainly not inappropriate. However, both the ICT minimum standard and the industry manuals still have to be adapted to this.

Sector-specific Manuals?

As addressed in the original article, specific variants of the minimum standard have been developed, which are meant to be tailored to individual industries. These differ, in some cases significantly, in their approaches to how the industry achieves higher resilience. The industry standard for wastewater utilities, for example, is at 36 pages shorter than the ICT minimum standard itself and provides only a brief motivation, then moves directly into a checklist that can be used to improve resilience. This is certainly not the most detailed approach, and despite the clear warning that security is not a state but a process, it risks that the checklist will be worked through exactly once. Still, even this checklist is fundamentally thoughtful, and those who can answer yes to all of its questions are better off than they were before.

The standards for public transport, the gas sector and food supply are also rather concise. In contrast to the generic standard, the standards for public transport and the gas sector additionally explain what the critical processes in the sectors are that need to be protected, while the standard for the food supply sector primarily explains how a defense-in-depth strategy can be implemented.

The situation is different for the water supply and electricity sectors, which present documents of around 150 pages. The water industry nominally divides its industry manual into a main document and 4 appendices. The main document briefly explains the context and critical systems, while the appendices provide the details. The explanations of the Cyber Security Framework and Defense-In-Depth are similar to those for the other industries. In addition, there are separate recommendations for small water utilities serving fewer than 5,000 residents, which are not saddled with the full standard but only provided with tips that would almost be more appropriate for a private user. It is certainly commendable to formulate more appropriate recommendations for smaller companies, but these seem so generic and set such a low bar that they will likely add little value. At least the industry can now be measured against this document. Lastly, there are three implementation examples, although these do seem somewhat idiosyncratic. In the first example, the minimum target is rated as achieved (i.e., a value >= 2.6), but the entire Detect function has been excluded on the grounds that the sample company is taking a risk-based approach. Overall, the examples seem very kindly scored. Nevertheless, they are certainly valuable as a template for how this issue can be approached and audited.

The electricity industry, on the other hand, focuses on describing a security strategy in detail and devotes a little more than half of its document to this topic. The goal is to allow industry leaders to formulate their own strategies. However, as has now been shown in practice, this does not seem to have worked: while the companies that have formulated such a strategy are further along than those that have not, even these companies are not as far along as they should be. The industry standard also includes 21 Steps to Increase Cyber Security, which seem to be taken relatively directly from the U.S. Department of Energy. These are somewhat more concrete, but are still high-level and in some places extremely complex in their formulation. There is little talk of gradual improvements. A checklist like the one in the industry standard of the wastewater companies should achieve better results here, since it is much clearer and simpler.

Closing Thoughts

The relatively short and clear idea of the ICT minimum standard was thus developed into several industry manuals, some of which attempt to be just as short and directly applicable and some of which attempt to formulate lengthy strategies. For the electricity industry, the attempt to rely on a complex and detailed strategy now seems to have failed, at least in its current form. It would now be interesting to conduct more such surveys or studies and thus see how the situation has developed in other industries, i.e. whether the significantly shorter manual for the transport companies spurred on more improvements, or whether the lower requirements for small water suppliers are better implemented and do bring added value after all.

In the long run, however, it is probably inevitable that for such critical infrastructure, binding requirements will be formulated and enforced by the federal government. As we have clearly seen several times in the recent past, one cannot rely exclusively on individual responsibility, but must proceed collectively. Analogously, it might also be worthwhile here to subsidize projects to improve cybersecurity and to actively follow their implementation in order to accelerate the improvement.

About the Author

Mark Zeman

Mark Zeman has a Master of Science in Engineering with a focus on Information and Communication Technologies from the FHNW. He has been able to turn his passion for information security into his professional focus since 2017. During his bachelor studies he worked for an email security company. (ORCID 0000-0003-0085-2097)
