Best Practices for a Strong Cybersecurity Foundation

This blog is part of a series on cloud technologies and security – to be sure not to miss out on future publications, subscribe to our newsletter.

In our most recent cloud blog, we discussed the cybersecurity risks utilities and energy organizations specifically face. We also discussed the data concerns that result from the widespread adoption of cloud technologies. If you missed it, check it out here. In this blog, we will cover best practices for building a solid cybersecurity foundation so you can adopt cloud technologies and implement a successful digital transformation safely and securely.  

“Investing in digitalization without shoring up cybersecurity practices is as misguided as building a house without a foundation. But when the groundwork is laid, trailblazers are free to innovate and take their organizations to new heights.”

Jesper Zerlang, CEO of LogPoint and Forbes Technology Council Member 

As the energy industry collects and relies on more data than ever before, cybersecurity concerns increase.  In the evolving energy landscape, implementing the best cybersecurity practices is critical to success. Here are some best-in-class cybersecurity practices that organizations can implement to ensure they have a solid foundation on which to build their digital transformation and cloud adoption strategies.  

• Zero-Trust Network Access & Verification – Operate under the assumption that no user or device is trusted, and all must be verified before access is granted. Implement verification methods such as multi-factor authentication.  
• User and Employee Education – Ensure users and employees are educated on cybersecurity risks and best practices. 
• Identity and Access Management – Adopt a least privilege stance, granting users the minimum access required. Additionally, implement identity and access management so that digital identities for all users can be leveraged to monitor activity and restrict access during data interactions when necessary. 
• Data Loss Prevention & Disaster Recovery Plans – Data loss prevention (DLP) are a set of tools and services for ensuring the security of cloud data. DLP should be used to prevent data loss.  Data should be backed up and there should be a backup plan that has been implemented in case of data loss. If an organization does experience data loss or a breach, a contingency plan for data recovery should be in place to expedite the recovery of lost data and the resumption of normal business operations.  
• Third-Party Management – Organizations need to verify and confirm the security processes and procedures of third-party cloud solution providers, ensuring their processes meet industry standards and the organizations own cybersecurity policies.  

Because cybersecurity is a growing, critical concern - the National Association of Regulatory Utility Commissioners (NARUC) recently released a set of Cybersecurity Baselines in partnership with the U.S. Department of Energy (DOE), which align with the above, but are even more comprehensive.  We have outlined and summarized the specific guidelines, which are quite extensive, below.  Our next blog in this series will cover the best cloud cybersecurity practices, as well as the specifications of the security we have built into our PLEXOS Cloud solution. Subscribe to our blog to make sure you don’t miss it.

NARUC Cybersecurity Baselines - Phase 1

• Asset Inventory – Using a risk-based criteria to classify the criticality of all assets, maintain an inventory of critical IT and digital OT assets that are essential to the delivery of energy.  
• Organizational, OT, IT Cybersecurity Relationships & Leadership – A senior-level employee should be designated to have explicit ownership over IT and OT cybersecurity activities, including governance, planning, resourcing, managing and executing cybersecurity activities, while also promoting a cybersecurity culture within the organization.  
• Mitigating Known Vulnerabilities – Create and implement a plan to address known vulnerabilities, prioritizing the assets identified in the asset management phase.  
• Third-Party Validation of Cybersecurity Control – Develop and implement a periodic independent validation of the organization’s cybersecurity controls and address findings in a timely, risk-informed manner.  
• Supply Chain Incident Reporting & Vulnerability Disclosure – As the organization procures new critical devices and services, efforts should be made to negotiate procurement documents and contracts stipulating vendors or service providers notify the organization of any security incidents or known security vulnerabilities within a risk-informed time frame determined by the organization.   
• Vendor/ Supplier Cybersecurity Requirements – Cybersecurity requirements and questions should be included in the procurement process, and responses evaluated in vendor selection where appropriate.  
• Changing Default Passwords – Create and maintain a process to change default passwords prior to installation. If exceptions are required, document and implement alternative, but equally effective, methods and compensating controls.  
• Password Management – Enforce a policy requiring a password length of 15 or more characters for IT and OT assets not otherwise protected behind multi-factor authentication (MFA). Where 15-character passwords are not possible, utilize the maximum password length and document alternative measures and compensating controls. Additionally, establish a strict policy prohibiting password re-use, unless an organization-defined risk exception is required, and documented.  
• Unique Credentials – Users should have unique credentials for accessing services and assets on IT and OT networks. For shared accounts, a process should be established and implemented for managing and approving access.  
• Revoke Credentials of Departing Employees – An administrative process should be implemented and enforced to revoke physical access and disable logical access to critical organizational resources within 24 hours of an employee's departure.  
• Separate User and Privileged Accounts – Create a policy which restricts administrator rights on user accounts, requiring separate user accounts for actions and activities not associated with the administrator role and re-evaluate privileges on a recurring basis to ensure continued need for a specific set of permissions.  
• Network Segmentation – Separate IT and OT networks and identify OT networks of different trust levels. Enforce a deny-by-default policy on communication between networks, allowing only explicit connections for specific system functionality using an appropriate network security device. Allowed connections and the business justifications behind them should be documented.  
• Monitor Unsuccessful Login Attempts – Develop a process which detects, alerts, and monitors unsuccessful logins and informs appropriate personnel.  
• Leverage Phishing-Resistant Multifactor Authentication (MFA) - When granting remote access to assets, leverage the strongest available method of MFA.  
• Basic Cybersecurity Training – Ensure all employees and contractors participate in basic cybersecurity training covering concepts like phishing, business email compromise, operational security, password security etc. at least once a year – fostering a culture of security and cyber awareness.  
• OT Cybersecurity Training – Conduct OT-specific cybersecurity training at least once a year for personnel who access or secure OT as part of their role.  
• Strong and Agile Encryption – Develop a policy which protects critical data in transit, including methods for updating outdated or deprecated encryption technologies. 
• Secure Sensitive Data – Create a process by which to identify and securely store sensitive data, by way of strong access control methods for authenticated and authorized users and system applications.  
• Email Security – Develop and maintain a process to reduce the risk from email threats.  
• Disable Macros by Default – Establish software restriction policies preventing the execution of unauthorized code, disabling macros or similar embedded code by default. 
• Document Device Configurations – For critical IT and OT assets, document, backup and maintain baseline and configuration details for more effective vulnerability management and response and recovery activities.  
• Document & Maintain Network Topology – For critical IT and OT networks, document, backup and maintain physical and logical network topology.  
• Hardware and Software Approval Process – Ensure approval is required prior to the installation or deployment of new hardware, firmware, software, or software versions for critical IT and OT assets, in addition to approval before decommissioning or removal.  
• System Backups – Document and maintain a system restoration plan, including processes to backup critical systems.  
• Incident Response Plans – Establish, maintain and regularly validate IT and OT cybersecurity incident response plans for general and organization specific threat scenarios. Leverage cybersecurity exercises to build in risk-informed timeframes and incorporate learned lessons.  
• Log Collection & Secure Log Storage – Securely store and protect time synchronized access and security focused logs to use for both detection and incident response. Particularly, create a process to protect critical IT and OT asset logs from unauthorized access. 
• Prohibit Connection of Unauthorized Devices – Develop processes and policies that reduce the likelihood of unauthorized media or hardware connecting to IT and OT assets through methods like limiting use of USB devices, disabling AutoRun, defining acceptable types of media and hardware, establishing scanning requirements, creating validation and authorization steps, and removing, disabling, or securing physical ports.  
• Limit Exploitable Services on the Internet – Minimize the number of ports and services exposed to the internet.  
• Limit OT Connections to Public Internet - Ensure OT assets are not on public internets, unless necessary. If necessary, document the exception and compensating controls.  
• Detect Relevant Threats and TTPs - Maintain an organizational awareness of the cybersecurity threats and tactics, techniques, and procedures (TTPs) of bad actors, specific to your organization and industry and maintain the ability to detect these key threats. 
• Incident Reporting – Implement policies and procedures detailing when, how, and to whom confirmed cybersecurity incidents must be reported to.  
• Vulnerability Disclosure/ Reporting – Develop a method for security researchers to easily notify the organization of vulnerable, misconfigured or exploitable assets and respond to submissions in a timely manner, in addition to mitigating validated risks.  
• Deploy Security .TXT Files – Make sure that public facing web domains have a .txt file. 
• Incident Planning and Preparedness – Ensure there is a plan in place to recover and restore business or mission-critical assets and systems that could be impacted by a cybersecurity incident. Plans should be updated and maintained regularly.  

Above we have summarized all the Cybersecurity Baselines released by NARUC and the DOE. To learn more about the creation of these Baselines, check out our recent blog, or view the full NARUC document here.