Cyberattacks have skyrocketed in recent years, leaving individuals, families and businesses severely compromised. Jeff Beavers, NECA’s executive director of network integration and services; Bill Ryan, regional director for Cybersecurity and Infrastructure Security Agency (CISA) Region 3; and Max Wandera, director of Beachwood, Ohio-based Eaton’s Cybersecurity Center of Excellence, answered questions about how electrical contractors can keep customers secure from cyberattacks due to growing connectivity and the transition to renewable sources of energy.
What are some major points of vulnerability for homeowners, businesses, public buildings, multifamily residential spaces and schools?
Beavers: With the proliferation of connected devices and the internet of things, the risks are exponential.
Take the residential environment. We have “smart homes,” not necessarily by design, but by virtue of the consumer products we purchase. From the typical wired and wireless “data network” and streaming content to televisions, smart phones and tablets, we now have connected appliances, door cams, garage door openers and Wi-Fi pet feeders. A typical house could have 20–30 devices on the home network.
While this presents homeowners with needed amenities and cool gadgets that are easy to connect, the risks are increased with the number of back doors into the system. Too often the front door is left open as basic encryption of devices is not applied.
This is the difference between a smart building and an intelligent building. A building has several smart systems that work independently of each other. An intelligent building has intelligent control and integration of these systems and a cybersecurity framework that guides the initial deployment and operations over the life of the system.
Ryan: Spearphishing is one of the most common techniques used for initial access as personnel and their potential gaps in cyber awareness are often a point of vulnerability. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware on a targeted user’s computer.
Other potential weaknesses include exposing services to the internet, such as access applications; unsupported or outdated operating systems and software increasing the risk of compromise; control system devices with vulnerable firmware versions; and the absence of an organizational culture that fosters cyber-readiness.
Wandera: In short, any device that connects to the internet is a potential gateway for bad actors to compromise a home or businesses’ critical data. In the home, this can include smart TVs or appliances, smart home security systems or even medical devices. In commercial buildings, it can include typical IT assets such as PCs or laptops, but it can also include facility and operational systems such as HVAC or power management.
What responsibilities do electrical contractors have in terms of keeping their customers cyber-safe while being connected and well-managed through automated controls?
Beavers: I think the customers will look to the (integration) contractor as the subject matter expert—beyond physical deployment of equipment—and helping them make informed decisions about a cybersecurity program.
Ryan: One way to think of it is in terms of three risk categories: Information Technology (IT), Operational Technology (OT), and IT/OT convergence. Properly segmenting IT/OT systems to ensure that no part of OT systems can directly connect to the internet can greatly reduce the possibility of a successful attack. There is an increase of the cyber-physical nexus, where hacking IT leads to a breach of OT, and this has created new avenues that adversaries use to exploit vulnerabilities that can have cascading consequences in systems, networks and beyond. Properly segmenting IT/OT systems to ensure that no part of OT systems can directly connect to the internet can greatly reduce the possibility of a successful attack.
Wandera: There are several key responsibilities contractors should be aware of and measures they can take:
- Only buy from reputable sources. Source secure products through an established supply-chain-management process. Look for products that have been tested and validated by third parties.
- Know the assets involved and work with the end-user to ensure they are patched regularly.
- Configure and secure devices by changing default passwords and using secure communication and supplier hardening guidelines to improve device resilience. Always follow the vendor’s recommendations to ensure alignment with best practices.
- Monitor devices and investigate anomalies that may exist. This means checking device logs regularly, monitoring devices for anomalous behavior, reading network logs and investigating suspicious activities for any abnormal behaviors that may result in cybersecurity breaches.
- Securely dispose of devices when removing them from service. This means performing the necessary factory-reset for products and following the manufacturer’s recommendation for secure disposal. If devices contain sensitive information, it is prudent to physically destroy them before disposing of them.
What about teaching new generations of electricians? What is critical for them to know?
Beavers: For the systems integrator, it presents new opportunities for client engagement and services. There is training and certification for both the practice—risk assessment—and physical implementation.
We are experiencing the fourth industrial revolution—mechanical, electrical, the internet and now digital. The digital revolution is estimated to have 10 times the impact of the internet.
Ryan: Mitigating risk needs a whole-of-government approach—and to be successful, we need whole-of-nation action to build resiliency. One of our main goals right now is to strengthen the government’s collaboration with the private sector—industry, academia, researchers, hackers. This collaboration DNA is what CISA is built on.
Wandera: It’s important that the new generation of electricians achieve levels of competency in cybersecurity to ensure we are building and deploying secure solutions. This means having a deep understanding of cybersecurity best practices and how they apply to various industry standards. This requires a combination of taking classes and receiving on-the-job training. Eaton continues to invest in industry education and training programs to help our customers advance more cybersecure futures.
What are key takeaways for the electrical contracting industry regarding cybersecurity?
Beavers: For the integrator, it is the progression of technology, and an opportunity for new services. To provide new services, it will require an investment in hiring/staff development (training, certifications) and/or new teaming opportunities.
Ryan: The key takeaways are the basics. These apply to all industries, and the electrical contracting industry is no exception. Make cybersecurity a priority, not an afterthought, and build a culture of cyber-readiness. And always use multifactor authentication, which is a layered approach to securing physical and logical access where a system requires a user to present a combination of two or more different authenticators to verify a user’s identity for login. Multifactor authentication increases security, because even if one authenticator becomes compromised, unauthorized users will be unable to meet the second authentication requirement and will not be able to access the targeted physical space or computer system.
Wandera: The most important thing contractors can do to ensure cybersecurity for their customers is consult with manufacturers that embed security throughout the entire product development process—i.e., Eaton’s “secure by design” process. This approach to product development places cybersecurity front and center from inception to deployment and into maintenance. A secure development life cycle can help manufacturers stay ahead of cyber-criminals by managing cybersecurity risks throughout the entire life cycle of a product or solution.
What responsibilities do ECs have when working with other entities such as HVAC installers, engineers and building management companies?
Ryan: CISA offers Cyber Essentials, a guide for small businesses to develop an actionable understanding of cybersecurity practices. It is available to download from the CISA website and provides the basics for building a culture of cyber readiness. Contractors can also check out the Cyber Essentials Toolkits, which break it down into bite-sized actions.
Wandera: Cybersecurity is everyone’s responsibility, and contractors should educate themselves on where vulnerabilities may exist while communicating with any key stakeholders, including the end-customer. Responsible measures include ensuring software updates are signed prior to installation; changing the default setting and password for products that could be seen as targets for attack; using industry standard cybersecurity protocols; testing the overall system once it is fully deployed for vulnerabilities; and ensuring there is a manual override for any critical operations—a smart door, for example.
Do you see overlapping roles?
Wandera: Each entity plays a role in building the smart ecosystem for the end-user, and, for this reason, there may be some overlap. This is why it’s critical that contractors be aligned with stakeholders in projects, so everyone is aware of potential cybersecurity risks and their role in mitigating them.
With the transition to renewables and the growing need to conserve power, what makes cybersecurity so important? Does use of renewables require us to be more connected?
Wandera: With more energy consumers seeking to reduce their carbon footprints and become smarter about their consumption, connected devices have an essential role to play in helping manage and monitor energy use in both commercial and residential buildings.
These can include everything from smart thermostats and appliances to smart circuit breakers, which can provide energy use data at the breaker level. These devices are essential to enabling what we call our “everything as a grid” approach to the energy transition, paving the way for a future in which both commercial and residential buildings can become energy “prosumers” rather than just consumers. This means buildings not only use energy but actually provide it back to the grid. This aids grid stabilization, thus lowering energy costs and reducing the building’s reliance on grid power.
More smart devices mean more connectivity points, however, and for cyber-attackers, that means more opportunities to penetrate a system’s defenses. This is why, as smart devices become more ubiquitous, it’s essential that they be designed with cybersecurity in mind.
How much of cybersecurity is about practice, and how much of it relates to installing specific up-to-date equipment and protection devices?
Beavers: Cybersecurity is both practice and the physical implantation—the integration piece. All DoD projects, for example, require a cybersecurity professional, ideally engaged from the start for conceptual planning. This piece—the practice—defines the risk management framework to reduce/minimize risk. The risk assessment looks at HVAC systems, building lighting, mass notification, life safety, SCADA, uninterruptible power supplies, backup generation, EV charging and solar generation, not to mention the telecommunication system.
The integration piece would follow the framework established from the conceptual phase and carried through from construction specifications, through the submittal phase, to procurement, to deployment, to network configuration and over the life of the system.
Ryan: Maintaining up-to-date operating systems, software and equipment is important, as well as installing patches. But remember, cybersecurity is a shared responsibility. We each have to do our part to keep the internet safe. When we all take simple steps to be safer online, it makes using the internet a more secure experience for everyone.
Wandera: Digitalization has introduced new technologies into traditional operational environments. For this reason, people familiar with operational technology in these environments must be positioned to adapt. Special consideration is required when securing legacy systems, as some of these systems do not support updates due to long or 20-plus year life cycles. Standard IT tools and technologies may not work. These systems require leveraging other technology solutions that include multiple layered defenses and controls; white-listing, which allows users only to take actions on systems that an administrator has approved in advance; and other measures.
New systems being developed are more intelligent and have the resources to accommodate more stringent cybersecurity requirements and technologies.
How long do you think it will take for the world to transition to managing energy use better and operating securely?
Beavers: The world—I can’t say. There are many parts of the world with more cellphones than reliable power. For the United States, I think the transition is happening— perhaps too quickly—to define the road map or standards-adoption and deploy systems that not only meet our appetite for ubiquitous connectivity, but do so in a secure manner. Cyber is the new battlefield.
Wandera: As companies collaborate on technologies and processes to advance the energy transition, cybersecurity must be regarded as essential and placed at the center of any conversation. This means establishing global standards that are consistent across all regions and that can be easily understood and adopted. It’s a collective effort, and Eaton is actively working to make it happen. We’re pursuing a multipronged approach through partnerships with standards organizations, across industries, and through investments in education. We’re part of the International Society of Automation Global Cybersecurity Alliance (ISAGCA) involving other industry partners to drive the adoption of IEC 62443 series of standards in our industry.
Continue reading to learn more on what Eaton is doing in the area of cybersecurity. Additional information from CISA that could not be included in print is incorporated into the story above.
Regarding Eaton’s secure by design approach, what do you consider to be key elements of design that keep energy users safe?
Wandera: We must take a holistic approach to cybersecurity that incorporates people, processes and technology. This means having people with the right skill sets to execute cybersecurity best practices, having comprehensive processes to detect, respond to and recover from a cyber attack, and ensuring that we are leveraging the best technology to secure customers’ networks.
It is also critical that organizations across the electrical industry establish a robust cybersecurity program that includes periodic assessments of their IT/OT networks to ensure they stay on top of vulnerabilities. If they do not have this expertise in-house, they can leverage third-party cybersecurity service offerings from trusted suppliers, including:
An initial audit and assessment focused on people, processes and technology to help customers take corrective action that advances system uptime
Workforce education focused on deploying and maintaining products that keep infrastructure up to date and resistant to evolving cybersecurity threats
What has Eaton achieved in the realm of cybersecurity through its collaboration with Underwriters Laboratories?
Wandera: Collaborating with Underwriters Laboratories means we have an independent, third-party agency that can assess the competency of our organization and the process and technology we use to drive our “secure by design” principles. This provides customers with a level of trust, knowing that the products we provide have been created with the utmost regard for cybersecurity. As a result of the collaboration, Eaton is the first to have our process, competencies and technology assessed to comply with both the International Electrotechnical Commission (IEC) 62443 and UL 2900 standards.
Eaton is also the first company to be accepted into the UL Data Acceptance Program for manufacturers, which means our global laboratories in Pittsburgh and Pune, India, have the capability to test products to key aspects of its UL 2900 standard. By purchasing products tested in these specialized labs, customers can rest easier knowing their devices are compliant with the industry’s highest cybersecurity requirements before they’re installed in critical systems.
How is Eaton educating people on cybersecurity? How should electrical contractors regard this training in terms of adding value for their customers?
Wandera: Eaton has partnered with higher education institutions to strengthen cybersecurity education and train the next generation of engineers. Through these partnerships, we provide students the opportunity to gain hands-on experience in leveraging our secure by design principles through internships, co-op programs and the Eaton Cybersecurity SAFE Lab at the Rochester Institute of Technology.
We also continue to develop and promote resources for our customers and partners that help them become more knowledgeable about potential vulnerabilities and how power management technology is evolving to meet these challenges. Those resources include the “Smart Consumer’s Guide to Home Cybersecurity,” a white paper outlining key cybersecurity design principles, the Cybersecurity Perspectives global forum, an on-demand virtual learning platform offering training and education across multiple cybersecurity elements and a broadcast, part of Eaton’s “Current Thinking” series, about the critical importance of a holistic approach to cybersecurity.