Operational risks continue to change as new technologies are employed and as existing relationships with suppliers and consumers change. Smart Grid enhances the traditional electrical grid with communications capabilities that converge utility operations with IT. There are many benefits to this convergence, including increased data for real-time situational awareness, historical analysis and improved customer service. But as noted by Vermesan et al. (2013), in gaining the benefits that come with automated meter reading, demand response management and interactive home networks, utilities also open themselves up to new security risks, shown in Figure 9.2.

These risks can be understood in terms of changes in attackers, attack methods, and exploitable vulnerabilities.

The Smart Grid industry will need to have much greater understanding of and visibility into these risks. A utility will need to participate in security communities that share information about attackers and attacker strategies in order to benefit from the experiences and research of industry, government and academia. The benefit of this insight into attackers has been demonstrated by information sharing models for the financial services industry, for example, in which each institution can share experiences with new phishing attacks with other financial institutions to share insight into new attackers and new attack methods. The VERIS Community Database Project (VCDB), a community data initiative to catalog security incidents in the public domain using the VERIS framework, provides another such information-sharing community. (http://www.vcdb.org/) Threat reports from government, industry and academic sources also provide important insights into changes in the attacker community, as well as into existing and emerging attack methods.

Transmission systems for Smart Grid provide much more extensive accurate, timely and extensive information than earlier systems that relied on analog devices for monitoring and control. This includes the ability to detect and record transient disturbances, to isolate the location of disturbances and to provide more precise measurement of disturbances. Phase measurement units (PMUs) and dynamic line rating units are particularly important in terms of providing this monitoring not only for operational purposes, but also as part of the security monitoring and response. For example, physical attacks on critical power lines could result in a cascade of impacts that disrupt service across a broad geographic area. Research on fault isolation, such as the paper by Zhang et al. (2009) has shown the effective use of multivariate analysis of PMU information in order to identify faulty components and faulty sections, then using that information to, accomplish fault isolation. Such faults can be the result not only of mechanical failure or weather conditions, but also of both physical and cyber-attacks. For example, cyber manipulation of the distribution system could result in surges that damage transformers as effectively as natural events such as lightning strikes. Visibility into these faults and into conditions that might trigger such faults is as vital in the identification and remediation of cyber attacks on the transmission system as in the identification and remediation of such faults from other causes.

As noted above, visibility into substations is also critical to an effective Smart Grid operational model. Substation sensors enable the monitoring of power flow conditions and equipment performance. They enable monitoring across the substation component, such as transformers, transformer cooling, circuit breakers, switches, relays, batteries, surveillance equipment and meters. They also enable the monitoring of environmental conditions, including temperatures in the substation and meteorological situations that might impact the substation. These monitoring capabilities can identify individual situations that could indicate a cyber attack, such as fluctuations in transformer cooling, unusual behavior in circuit breakers and disabled sensor or control mechanisms. In combinations, the capabilities provide a rich set of data to which analytics can be applied both to detect potential cyber physical attacks and to investigate those potential attacks to disregard false indicators of compromise and to understand actual attacks more fully.

Distribution monitoring has already been impacted significantly by the deployment of smart meters, providing a much more extensive and varied set of information than was available through manual reading of mechanical meters. For example, distribution applications can use field data to establish baseline patterns of real-time power flow conditions. Variations in actual power flow can then be identified quickly and analyzed to determine whether manual or automated changes should be made to line regulators, capacitor banks and other distribution components to address operational requirements. These same variations, however, can also be indications of cyber or physical attacks. Information regarding the variations can be combined other sources to identify potential attacks and appropriate response.

Automated Meter Infrastructure (AMI) information, particularly in combination with other sets of information such as home area network configuration and household information, is already being used to identify potential fraudulent use of electric power (Tweed, 2012). In this case, normal patterns of usage abstracted for the aggregate information from the AMI can be compared against the usage of a particular household, industrial user or other consumer. Anomalies between the abstracted pattern and power consumption by a particular consumer can indicate not only faults in the meter but also meter tampering for purposes of power theft.

Home Area Network (HAN) and Energy Management Control (EMC) Systems have developed in response to consumer interest in optimal control of discretionary power usage and utility interest in optimal control of load conditions. Monitoring information from the HAN can be valuable to the consumer in quickly identifying ways to optimize their power consumption. But here too, patterns of usage can be derived that provide opportunities to detect such issues as attacker compromise of an EMC that could result in significant damage within the consumer environment, such as in the case of an industrial consumer.

Work management systems are increasingly mobile, subject to attacks both in the reception of service instructions and in the transmission of service and operational data. Widespread disruption of a work management system could be part of an attack strategy focused on disruption of service by delaying response to emergency conditions. Monitoring to ensure the health of the work management system is valuable in rapidly identifying and responding to such disruptions.

With Smart Grid, customer information systems contain substantially more data than previously. This can contain customer financial information that, if not well-protected, could be of interest to cyber attackers looking for financial gain or doing reconnaissance in preparation for fraudulent activity. The recent cyber attacks against retail enterprises for the purposes of stealing credit card information and user financial account information indicate that such attacks could increasingly be targeted at Smart Grid customer information systems as well as the data in those environments become more extensive.

Generation resources typically already have extensive monitoring capabilities for operational purposes such as automated fault detection and capacity management. Resilience against cyber attacks require enhancements to these capabilities, such as protocol inspection to detect spurious or malformed control commands that could result in disruption of service or damage to the generation resources. The cascading effect of unexpected control outages in the 2006 power disruption in Europe, as analyzed in the UCTE 2006 report (2006, p. 20) resulted in “a significant amount of generation units tripped due to the frequency drop in the Western area of the UCTE system.” This situation can be caused by a cyber-physical attack, rather than by a change such as the switching-off that initiated the cascade of failures. The report also noted that “most of the TSOs do not have access to the real-time data of the power units connected to the distribution grids. This did not allow them to perform a better evaluation of the system conditions” (UCTE, 2006, p. 20). Visibility into the relationship of power generation to generator capacity will be critical in identification of and automated response to prevent cascading failure triggered by a cyber event.

Enabling distributed energy resources, a major goal of Smart Grid, creates significant challenges with regard to managing grid capacity and resilience due to the complexity of bi-directional energy flows and communications. Disruption of or error in the communication flow as the result of a cyber attack could result in the propagation of inappropriate load commands that could result in disruption of service or damage to components. Fraudulent claims regarding energy production by distributed energy resources could also be introduced into the system if there is inadequate visibility of generation, distribution and consumption data.

Enterprise Information Management (EIM) systems, including the Geographical Information Systems (GIS) discussed earlier in this chapter, are an important source of visibility within Smart Grid. Financial management of the utility may be disrupted by attacks on the EIM. Emergency response may be disrupted by attacks on the GIS.

Finally, Data management and analytics systems provide the opportunity for integration of data across all of the sources of visibility discussed in this section. This integration has great benefits for operational control, customer satisfaction and realization of business opportunity. But there also needs to be visibility into these analytics systems themselves in order to detect and respond to cyber attacks against these systems. The rise of targeted attacks, particularly those that have been characterized as Advanced Persistent Threats employing extensive reconnaissance, multiple attack vectors and detection-evading tactics (SBIC, 2011), have made security analytics increasingly important in cyber defense, as much for data management and analytics systems as for the other systems discussed above.

As discussed by Popovic et al. (2013), visibility across all these systems has created the opportunity for better observability of power systems, redundancy in measurements and improvement decision-making process wen operating the system. Equally importantly, this visibility into infrastructure creates the opportunity for the application of security analytics to detect and investigate cyber physical attacks, particular in combination with the visibility into risk already discussed and the visibility into identity, information and applications that we discuss in the remaining sections of this chapter.

Visibility into identities starts with collecting identity information and entitlements both from structured and unstructured data resources, including cloud and mobile apps. This information should relate to the full spectrum of both internal and external users (employees, partners, customers) across the full range of devices (laptops, tablets, mobile devices) and applications that they use. It should include as comprehensive as possible understanding of the attributes of each user; who they are, what they do and the policies that apply to them. These information sources for identity are shown in Figure 9.3.

This visibility must be balanced against requirements for privacy that come both from the external regulatory environment and internal policies. Both consumers and government agencies are concerned that personal information may be visible within the Smart Grid enterprise in situations where the information is not needed and to individuals who should not have access to it. For example, supply chain relationships may encourage the utility to share customer information with third parties and across national boundaries. It is very important for Smart Grid enterprises, therefore, to be circumspect in what identity information they collect, where and how they store it, and when and with whom they share it.

As noted by IDC, the enterprise needs to develop a data and information strategy that ensures that information is available as needed for both current and future requirements. (Feblowitz et al., 2013) At the same time, the strategy must also ensure the confidentiality, integrity and availability of that information in conformance with both external regulation and internal policy and strategy. This requires identifying sensitive information across the enterprise: where it is stored, how is it used and who has access to it. This needs to be a dynamic process that reflects the constantly evolving nature of both the information in the Smart Grid enterprise and in the attackers who may want to gain access to that information to steal, corrupt or destroy it.

Also as discussed in the IDC report, this visibility into information is essential not only in order to understand its sensitivity, use, and lifecycle, but also to leverage it for collaborative aspects of the operational model as a whole and security operations in particular. Information plays a critical role in the driving decisions both in on-going operations and in longer-term projects, in meeting compliance requirements, in evaluating risk and many other aspects of the business. Visibility into the availability and quality of this information empowers the organization to address these requirements. In order to achieve this visibility, the Smart Grid enterprise should have capabilities such as the following:

Knowledge management. This capability ensures that information is captured across all appropriate sources, managed effectively across its lifecycle and disseminated as appropriate to all participants who should have access to that information.

Collaboration support. This capability enables the secure exchange of information across all appropriate participants, including external partners.

Information integration. This capability employs analysis, taxonomies, ontological frameworks and other processes and technologies to enhance the value of managed information and to incorporate it into the business processes.

Many Smart Grid enterprise have seen an increase in collaboration between operations and information technology, particularly for sets of data such as automated meter data that is valuable for outage management and for security analytics. There are still major opportunities in this area and in integration, particularly in areas such as transmission data such as synchro-phasor measurements that are already employed in operations but only rarely for purposes of security analytics.

Visibility into applications is essential to assessing risks comprehensively and to making informed enterprise-level decisions.

The transformation taking place with advanced metering is a good example. In conventional metering systems, meters were read once a month, totaling 12 reads a year per customer. With advanced metering infrastructure (AMI) meters will be read every 15 minutes, increasing the number of reads per customer by 3,000 times per year. We have touched on the importance of visibility into AMI as an infrastructure and on the importance of visibility into this information from AMI. But equally important is visibility into the AMI applications from both operational and security perspectives. Is the application for receiving and processing information from smart meters encountering connectivity issues that result in lost information? Is it participating in a patch management strategy to ensure it is fully operational and secure? This visibility into the application is critical in ensuring their effective operation and security.

Similarly, capabilities such as network packet-capture are important in establishing normal behavior in the IT infrastructure. Full network packet-capture means recording, parsing, normalizing, analyzing, and reassembling all data traffic at every layer of the network stack. As network traffic is captured, it’s analyzed and tagged to facilitate subsequent threat analysis and investigation. Capturing and tagging network data enables security analysts to reconstruct users’ sessions and activities to understand not just basic details such as what time or to which IP address specific data packets were transmitted, but exactly what information was sent in and out and the resulting damage. These techniques help organizations learn what is “typical” within an IT environment so that future deviations from normal—which often indicate problems—can be identified and investigated as they arise.

Analysis systems capture and analyze massive amounts of rapidly changing data from multiple sources, pivoting on terabytes of data in real time, organized into various levels to enable different types of detection. For example, data can be captured and analyzed for potential security issues as it traverses the network. This capture time analysis identifies suspicious activities by looking for the tools, services, communications and techniques often used by attackers without depending on logs, events, or signatures from other security systems. Examples of this capture time analysis includes the detection of non-browser software programs running HTTP, protocols over non-traditional ports, and executables embedded in PDF files. Additionally, these sophisticated tools can detect subtle signs of attack by correlating events that seem innocuous in isolation but that are problematic when strung together. Analytical techniques fuse internal inputs from various sources using metadata. These advanced detection mechanisms also act as trip-wires that can provide early warning of potential infiltration. Processing of these information flows happens as they occur, meaning suspicious activities are spotted while there’s still time for security teams to stop attacks in progress.

This is comparable to the real-time operational response that is a fundamental capability in Smart Grid systems. Papers such as the California ISO Smart Grid Roadmap and Architecture (30) describe the application of synchro-phasor technology in real-time fault isolation and remediation: “Phasor units measure voltage and electric current physical characteristics. This data can be used to assess and maintain system stability following a destabilizing event within and outside the ISO footprint, which includes alerting system operators to take action within seconds of a system event. This capability reduces the likelihood of an event causing widespread grid instability.” Such “capture time analysis” is shown in Figure 9.4 of the Popovic paper (2013), illustrating the extraction of phase current features to determine if a fault has occurred.

This kind of capture analysis and response is important in terms of real-time faults caused by cyber attacks rather than natural disasters or equipment failure. The Aurora attack, in this case referring to the demonstration by Department of Homeland Security conducted at the Idaho National Laboratory (INL) in 2007, showed the creation of an out-of-phase condition that could damage alternating current (AC) equipment (Swearingen, 2013). The attack forced the repeated opening and closing a circuit breaker or breakers to rapidly disconnect and reconnect a generator to the grid, but out of phase. Many circuits of utilities carry varying load profiles, from resistive to inductive loads. These circuits may include rotating equipment. This load profile allows for the real-time failure demonstrated in AURORA to occur. Analytics that detect the anomalous behavior in circuit breakers can enable automated responses that prevent equipment damage or worse.

Analysis systems can also perform batch analysis on large volumes of historical security data. In the case of security analytics, such data are needed not only to fulfill most companies’ data retention and audit requirements but they are also invaluable in uncovering adversarial tactics that may have taken many months to execute and may even be ongoing. For instance, batch analysis of security data archives can help uncover previously overlooked cyber-attacks in which illicit data was transmitted only sporadically in small, stealthy streams over weeks or months. These types of “low and slow” attack techniques are hard to spot when they are occurring, because they are designed to seem innocuous by taking cover under existing processes and communication streams. These techniques usually become suspicious only when executed in a particular pattern over a specific window of time. Detailed, automated analyses of security data archives can discover attackers in the midst of establishing a foothold, as well as reveal information losses those organizations may not even realize they sustained.

In summary, batch analyses of can uncover attacker techniques and indicators of compromise that security teams can use in the future to detect similar attacks. More generally, batch analysis enables organizations to detect operational and security anomalies and reconstruct incidents with certainty and detail so they can investigate their losses and remediate problems faster and more effectively.

This technique is especially dangerous in attacks against administrative environments that may have been compromised as a first step in subversion or destruction of operational systems. Advanced attacks often use social engineering approaches to steal user credentials, trick the user into opening an attachment containing malware or to open URLs that would exploit the user’s web browser, leading to potential malware infection. Having established a foothold in the administrator environment through such a technique, the attacker can then leverage any of a number of legitimate system capabilities in order to move laterally across the organization, increasing both the scope and kinds of infection of the Smart Grid environment. This lateral movement can be accomplished by manipulating task scheduling, by creating or modifying services, and by remote reconnaissance or image execution. After the system infection phase, the next steps are 1) to make the attacker presence persistent on the user machine and 2) to start privilege escalation, using a range of techniques that are well-documented in the literature.

In the Windows environment, for example, one of the primary methods by which APT actors utilize existing architecture is by using Windows interconnectivity to increase their foothold into the network. Most commonly, allowed interaction between systems allows attackers to conduct lateral movement. This allows attackers to navigate from the initial compromised hosts to the more high-value targets in the environment.

Before starting with lateral movement, the attacker needs to identify the Windows environment, for example, if it is running in an Active Directory domain or not. In the Active Directory case, the attacker can use different techniques to get an administrator account credential, for example, getting a credential from the NTLM (Windows Challenge/Response authentication protocol) that is stored in the machine memory inside MSV1_0.dll or if the administrator login to the machine was remote, the attacker could find the credential in Kerberos.dll, wdigest.dll or tspkg.dll.

It is important to highlight that the attacker does not need to brute force the credential because they can use the “Pass the hash” technique. This enables the attacker to authenticate in a target server/service using directly the dumped password hash string. This is possible due to a Windows vulnerability which incorrectly uses a salt value in the authentication implementation. Mimikatz.exe, an open source tool, is often used to accomplish this type of attack.

There are a number of Windows administration tools that are frequently used by attackers in order to move laterally within an organization, infecting more and different kinds of systems. We’ll look at four such tools. The first of these is the “at” command (at.exe).

The at command was implemented in Windows 2000 as a method of manually scheduling tasks from the command. It was designed to allow administrators to schedule tasks on host or remote systems. However, the command still exists, and is operable, up to Windows 7 and Server 2008 systems. Attackers can use this command to create immediate or longer-term tasks that allow them to execute commands on remote systems. The at command works by:

Once the remote system receives the request, it creates a .job file in the Tasks folder under:WINDOWSSystem32 with a file name of At < job number >.job.

Analyzing the JobAdd request enables the security environment to detect malicious use of the at comment. Since the at command will submit a known UUID in the bind request to port TCP/445, this value can be detected, and parsed through the stream to the JobAdd. In order to detect malicious use of the at comment, a security analytics environment that has captured the command can parse the command location and length fields and job file name to detect discrepancies from normal use of this command, notifying security personnel of the anomaly.

The second tool frequently used by attackers in the administrative environment is the schtasks command. The schtasks command was introduced with Windows XP/Server 2003 as a replacement method for the at command to allow administrators to schedule jobs from the command line. Adversaries can utilize this functionality to exploit the same attack vector as with the at command. While the at command uses a well-known endpoint in the form of the named pipe “atsvc”, the schtasks command uses dynamic RPC endpoint mapping to determine its communication port. As such, it submits the ITaskSchedulerService UUID to the RPC endpoint mapping port (TCP/135) and receives a port assignment with which to begin communication. As the UUID for this service is known, a security analytics tool can detect when this UUID is seen passed with the appropriate protocol payload. Once the job is scheduled with the Task Scheduler, security analytics can recognize it as the command being executed by the job, identify it as an anomalous use of schtasks and notify security personnel of the potential attack, including displaying the binary that is scheduled to be run.

A third tool frequently used by attackers in the administrative environment is the sc command, or service control. The sc command was introduced with Windows NT 3.51 and included on endpoints as of Windows XP. The sc command uses the Service Control Manager Remote Protocol to interact with the Service Control Manger on the local, or remote, system. This command was designed to allow administrator to create, control, or remove services from the command line. It is commonly used by attackers to create new malicious services, disable services that may prove problematic, or remove services as necessary. While there are other command line binaries that allow for control of services remotely (namely netsvc and instsvc), these do not allow for the creation of new services remotely and as such, the sc command is more commonly preferred by attackers. Microsoft has allocated both an RPC interface UUID to present to the RPC endpoint mapping port, as well as a named pipe named “svcctl”. As the UUID for this service is known, a security analytics tool can identify when this UUID is seen passed with the appropriate protocol payload. As the purpose of this command is to interact with the database of installed services, the security analytics tool can then scan this database to allow the review of host artifacts resultant from the command’s execution. The security analytics tool can then notify security personnel of the potential attack, including displaying the artifacts related to the sc command.

A fourth tool frequently used by attackers in the administrative environment is the windows management interface. Windows Management Instrumentation (WMI) is described by Microsoft as “the infrastructure for management data and operations on Windows-based operating systems.” (Microsoft, n.d.) It is the latest method provided by Microsoft to conduct administrative tasks on host and remote systems via C + +, Visual Basic, or the wmic command-line utility. In order to connect to remote systems, one of two primary methods is used. The first is to specify the connection information in an SWbemServices object using a moniker string. This allows the script to communicate with a remote system using the user’s current credentials. However, this approach is limited as alternate credentials cannot be supplied and this method is unable to connect to systems across domains. The second method is more flexible, as it allows for specification of target computer, domain, username, and password. As the first method doesn’t allow for on-the-fly use of stolen credentials, this second method is more attractive to adversaries. This method involves using the ConnectServer method from SWbemLocator (IWbemLocator for C + + applications) to specify and conduct connection operations.

Both of these methods use the IWbemLevel1Login interface to connect to the management services interface within the requested namespace. This is useful in detecting this traffic as the interface must use the pre-designated UUID from Microsoft. As the UUID for this service is known, a security analytics tool can identify the UUID being passed with the appropriate protocol payload. In addition to passing the UUID to the RPC endpoint mapper, the UUID is also sent in remote requests along with parameters containing queries and commands to be executed on the remote system. In the case that pktPrivacy is not set, these parameters are sent to the remote system in the clear with a leading value of “__PARAMETERS”. This value is resultant from the use of the “_PARAMETERS” class to set input parameters for the aforementioned WMI methods. By detecting the “__PARAMETERS” values and removing the “abstract” values (“__PARAMETERS” is an abstract class), the security analytics tool is able to retrieve and register the parameters given to the WMI remote command, including queries and commands to be executed on the remote system. The security analytics tool can once again notify security personnel of the potential attack, including displaying the detected artifacts.

This is just a brief overview of the most popular tools used to accomplish lateral movement. Other tools like psexec.exe, wevtutil.exe, winrs.exe and net.exe are also used by attackers to expand their network foothold.

In all four of these examples of attacks within a Windows environment, the difficulty with combatting attackers using these methods is that all four of the capabilities have legitimate use cases within the administrator environment. This serves to increase the utility of these methods to attackers, since the valid use of these capabilities is not detected by most security tools that look for static indicators of compromise, rather than doing dynamic analysis of the use of these kinds of capabilities. Given this exploitation of legitimate communication between systems, it is extremely important for the success of analytical approaches to security that the normal use of these capabilities is well understood and incorporated into the analysis being done, in order to minimize false positives in the detection process. It is even more important to understand the environment in which this activity is seen if response personnel are to combat these threats. Understanding the known methods within the protocols used by these capabilities and determining their typical use and legitimate use cases within the organization’s actual environment is essential to applying security analytics in the detection of possible malicious use of these capabilities.

For example, files determined to be malicious may warrant a lower prioritization score if they’re determined to be malware that causes more of a nuisance than a true threat. Conversely, files that bear no outward signs of tampering may contain a custom-compiled executable designed to run only when it reaches certain systems or when a covert command is given. To uncover this type of dangerous, customized malware, advanced threat detection systems use a series of analytical techniques to rate the risk levels of suspicious files.

For example, an organization may set a rule requiring the security system to analyze every new executable coming into its networks. The malware detection system would then “sandbox” new executables, running them in a quarantined environment, recording everything they do, and elevating their risk score if suspicious behaviors are observed, such as changing registry settings or replacing operating system DLLs. Of course, legitimate software could also perform these actions: to integrate functions with existing software or to install a patch, for instance. But if the new executable demonstrates one of these behaviors along with initiating unusual network connections, then its overall risk score skyrockets. In that case, the analytics system should send an alert to an incident management system that could notify the security team of the issue, automatically prevent further introduction of the suspicious file and quarantine it in any systems where it’s found. Such an Incident Alert Rule is shown in Figure 9.5.

Similarly, anomalies that indicate operational issues (not necessarily security issues) can be assessed and prioritized in terms of risk. As discussed in the California ISO paper (Cal ISO, 2010) such analysis enables responses that can have a substantial effect on stability of the Smart Grid: “Phasor data is also useful in calibrating the models of generation resources, energy storage resources and system loads for use in transmission planning programs and operations analysis, such as dynamic stability and voltage stability assessment. The technology may have a role in determining dynamic system ratings and allow for more reliable deliveries of energy, especially from remote renewable generation locations to load centers.” (p. 8)

The incident response system should, as much as possible, prioritize the incidents in terms of known or potential impact on the business. The “Security Engineering Report on Smart Grids” by Hwang et al. (2012) explores this impact from two perspectives. The first is technical impact factors:

The second is business impact factors:

A full understanding of the impact may not be reachable until after the investigation is complete, or even for some length of time after that. But the incident response system should provide what prioritization it can, while ensuring that information related to the periodization decision is available to the response team so that they can ensure that the most important incidents are addressed as quickly as possible.

Incident response systems should also ingest information from external sources to enrich the organization’s internal data sources for purposes of incident investigation and response. For example, the security analytics platform and management dashboard should aggregate and operationalize the best and most relevant intelligence and context from inside and outside the organization to accelerate the analysts’ decision making and workflows.

Remediation after malware infection is a complicated task. If the compromised machine is vital for the system availability, it is usually not always possible to use previously saved safe machine images. The incident response team should check all the machine environments to remove all potential access points that attackers could utilize. Cyber criminals tend to use different entrench techniques in a victims’ network. The term entrenchment is used to describe a technique used by the attackers that allows them to maintain unauthorized access into an enterprise network despite attempted remediation efforts by the victim. The victims’ machine can be compromised in a variety of ways; for example the attackers could install web shells, they can add malicious or modified DLL to running web servers, they can utilize RDP backdoors, hide malware that will commence malicious activity after a fixed period of time, etc…

It is always good practice before starting to clean infected machines, to monitor network traffic and search for similar traffic patterns or similar IP connections as well as checking for all the possible lateral movements analyzing forensically the victim’s machine. The aim is to perform this in a stealth way so the attacker is unaware they are under surveillance thereby avoiding the possibility that the attacker will lunch countermeasures to cover their evidence or start to deploy other entrenchment techniques to remain in the network. Forensics analysts should search not only for malicious software but also for legitimate software that could be installed on the machine for malicious purposes as well for misconfigurations created by the attackers.

An effective incident response team should be composed of malware experts, IT forensics analysts and network experts thereby giving the organization a wide competency and skills blend to enable successful detection, protection and investigation. Operations teams may be confronted with potential evidence of an infiltration or breach, but find themselves exploring potential causes without success for weeks or even months. When that happens, it helps to bring in people with specialized expertise and tools in incident response (IR). IR specialists can deploy technologies that capture activity on networks and endpoints in key segments of the IT environment. Based on the scans, analyses and supplemental information these technologies generate, experienced IR professionals can usually pinpoint where and how security breaches are occurring and shut down ongoing cyber attacks much faster than organizations can do on their own.

The incident management system should support the determination of such vulnerabilities and assist in the remediation of those vulnerabilities, such as through the remediation planning shown in the Figure 9.6.

On a more comprehensive level, an incident may indicate a more fundamental issue in the operational model, such as in terms of missing or improperly instrumented controls. For example, the 2009 paper by the US Department of Energy calls out the vulnerabilities inherent in the older control systems that are currently deployed throughout the United States and that may have to be replaced: “The electric power industry relies heavily on control systems to manage and control the generation, transmission, and distribution of electric power. Many of the control systems in service today were designed for operability and reliability during a time when security was a low priority. Smart Grid implementation is going to require the installation of numerous advanced control system technologies along with greatly enhanced communication networks.” (p. 4) This book has disused many of these advanced technologies that may need to be considered as part not only in the initial development of the operational model but also in addressing incidents that occur.

For example, a well-prepared security teams will know what the organization’s valuable information assets are and which systems, applications and users have access to them. Awareness of these parameters help security analysts narrow their field of investigation during a breach so they can address problems faster and with greater confidence. But a given incident may indicate that the security operations teams should conduct a breach readiness assessment or institute

Practice drills to improve the speed and efficacy of their reactions to cyber attacks. They may need to revise their inventory of high-value assets that must be protected based on their new knowledge of what is attractive to an attacker. They may need to review their security policies again business priorities and regulatory requirements.

The Figure 9.7, expanding on a similar diagram in the Popovik paper (2013), provides an example of a process for mitigating risk in response to incidents such as detected intrusions.

Such a process can take advantage of operational incidents, regardless of whether they result from a security incident, equipment failure, natural disaster or any other cause, to enable organizations to take new actions to progressively improve their processes, optimize staffing and skills, modify their technology platforms, change their supplier relationships or take any other of the multiple of actions that could help them better address the risk of such an incident.

These improvements can be assisted by the technology advancements in big data and security analytics systems that deliver “imagine if” capabilities. The bounds of what’s imaginable are now being explored by operations professionals and business leaders together. For organizations concerned about an effective operational model, these “imagine if” scenarios often focus on injecting better intelligence and context into both operational and security practices. For example, if we apply new analytic approaches to historical data, what could we learn? What do the cyber attacks we’ve encountered tell us about our business and operational risks? If we add new log sources or external intelligence feeds to our data warehouse, what patterns could we look for that we couldn’t even imagine seeing before? What types of intelligence might help us hunt down threats or respond to operational incidents more quickly, including through automated capabilities that do not require human intervention?

An effective operational model for Smart Grid should ensure that this connection between incident response and the risk management process is established and effective.

If this harmonization is achieved, the result is that operations administrators, security analysts and other staff will spend far less time tracking down information for an investigation or researching the status of an incident. Instead, they can focus their time on enriching intelligence sources, uncovering subtle irregularities in their IT environments that point to serious problems, or hunting down covert threats faster.

Process integration is an important aspect of improving the impact and contributions of the employee community. It eliminates many routine steps, such as copying-and-pasting incident information, that go along with manually joining disparate security operations workflows. Integration also reduces opportunities for error, because activities for complex processes such as incident response can be programmed to follow a deterministic sequence of actions based on best practices. Finally, process integration can facilitate cooperation among different parts of the business—among audit, information security and compliance, for example—and help organizations create a unified view of conditions and risks throughout the organization.

This collaboration across the enterprise is essential in creating a culture of engagement that enables effective operations. Such a culture can have a dramatic impact on security as well, by making encouraging a personal commitment to security by every employee. While social engineering attacks continue to remain a significant threat, the awareness of individual responsibility for security can be a powerful force in helping each employee recognize and avoid responding to such phishing, pharming and vishing attacks.

Approaches to engaging the user community have been explored in detail in “A 15-Minute Guide to Smart Grid Correspondence with Utility Customers” (EMC, 2010). The paper recommends an integrated communications strategy that includes the following five components in order to engage the customer in a positive attitude toward Smart Grid.

Engaging the user community has significant benefits in terms of their confidence in the value and effectiveness of Smart Grid. As with the employee community, it also has significant benefits in terms of their confidence and participation in Smart Grid security, as essential for the user as it is for the utility.