Mitigating risk and anticipating attack vulnerabilities on utility grids and systems is not just about installing technology, writes Didier Giarratano
There's an evolution taking place in the utilities industry to build a modern distribution automation grid.
As the demand for digitized, connected and integrated operations increases across all industries, the challenge for utilities is to provide reliable energy delivery with a focus on efficiency and sustainable sources.
The pressing need to improve the uptime of critical power distribution infrastructure is forcing change. However, as power networks merge and become 'smarter', the benefits of improved connectivity also bring greater cybersecurity risks, threatening to impact progress.
Electrical distribution systems across Europe were originally built for centralized generation and passive loads – not for handling evolving levels of energy consumption or complexity. Yet, we are entering a new world of energy. One with more decentralized generation, intermittent renewable sources like solar and wind, a two-way flow of decarbonized energy, as well as an increasing engagement from demand-side consumers.
The grid is now moving to a more decentralized model, disrupting traditional power delivery and creating more opportunities for consumers and businesses to contribute back into the grid with renewables and other energy sources. As a result, the coming decades will see a new kind of energy consumer – who manages energy production and usage to drive cost, reliability, and sustainability tailored to their specific needs.
The rise of distributed energy is increasing grid complexity. It is evolving the industry from a traditional value chain to a more collaborative environment, where customers dynamically interface with the distribution grid, energy suppliers and the energy market. Technology and business models will need to evolve for the power industry to survive and thrive.
The new grid will be considerably more digitized, more flexible and dynamic. It will be increasingly connected, with greater requirements for performance in a world where electricity makes up a higher share of the overall energy mix. There will be new actors involved in the power ecosystem such as transmission system operators (TSOs), distribution system operators (DSOs), distributed generation operators, aggregators and prosumers.
|Credit: Schneider Electric|
Regulation and compliancy
Cybersecurity deployment focuses on meeting standards and regulation compliancy. This approach benefits the industry by increasing awareness of the risks and challenges associated with a cyberattack. As the electrical grid evolves in complexity, with the additions of distributed energy resource integration and feeder automation, a new approach is required – one that is oriented towards risk management.
Currently, utility stakeholders are applying cybersecurity processes learned from their IT peers, which is putting them at risk. Within the substation environment, proprietary devices once dedicated to specialized applications are now vulnerable. Sensitive information available online that describes how these devices work can be accessed by anyone, including those with malicious intent.
With the right skills, malicious actors can hack a utility and damage systems that control the grid. In doing so, they also risk the economy and security of a country or region served by that grid.
Regulators have anticipated the need for a structured cybersecurity approach. In the US, the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) requirements set out what is needed to secure North America's electric system. The European Programme for Critical Infrastructure Protection (EPCIP) does much the same in Europe. We face new and complex attacks every day, some of which are organized by state actors, which is leading to a reconsideration of these and the overall security approach for the industry.
|Credit: Schneider Electric|
Due to the shift towards open communication platforms, such as Ethernet and IP, systems that manage critical infrastructure have become increasingly vulnerable. As operators of critical utility infrastructure investigate how to secure their systems, they often look to more mature cybersecurity practices. However, the IT approach to cybersecurity is not always appropriate with the operational constraints utilities are facing.
These differences in approach mean that cybersecurity solutions and expertise geared toward the IT world are often inappropriate for operational technology (OT) applications. Sophisticated attacks today are able to leverage co-operating services, like IT and telecommunications. As utilities experience the convergence of IT and OT, it becomes necessary to develop cross-functional teams to address the unique challenges of securing technology that spans both worlds.
Protecting against cyber threats now requires greater cross-domain activity where engineers, IT managers and security managers are required to share their expertise to identify the potential issues and attacks affecting their systems.
A four-point approach
Cybersecurity experts agree that standards by themselves will not bring the appropriate security level. It's not a matter of having 'achieved' a cyber-secure state. Adequate protection from cyber threats requires a comprehensive set of measures, processes and technical means, and an adapted organization.
It is important for utilities to think about how organizational cybersecurity strategies will evolve over time. This is about staying current with known threats in a planned and iterative manner. Ensuring a strong defence against cyberattacks is a continuous process and requires an ongoing effort and a recurring annual investment. Cybersecurity is about people, processes and technology. Utilities need to deploy a complete programme consisting of proper organization, processes and procedures to take full advantage of cybersecurity protection technologies.
To establish and maintain cyber-secure systems, utilities can follow a four-point approach:
1. Conduct a risk assessment
The first step involves conducting a comprehensive risk assessment based on internal and external threats. By doing so, OT specialists and other utility stakeholders can understand where the largest vulnerabilities lie, as well as document the creation of security policy and risk migration;
2. Design a security policy and processes
A utility's cybersecurity policy provides a formal set of rules to be followed. These should be led by the International Organization for Standardization (ISO) and International Electrotechnical Commision (IEC)'s family of standards (ISO27k) providing best-practice recommendations on information security management. The purpose of a utility's policy is to inform employees, contractors, and other authorized users of their obligations regarding protection of technology and information assets. It describes the list of assets that must be protected, identifies threats to those assets, describes authorized users' responsibilities and associated access privileges, and describes unauthorized actions and resulting accountability for violation of the security policy. Well-designed security processes are also important. As system security baselines change to address emerging vulnerabilities, cybersecurity system processes must be reviewed and updated regularly. One key to maintaining an effective security baseline is to conduct a review once or twice a year;
3. Implement the risk mitigation plan
Select cybersecurity technology that is based on international standards, to ensure appropriate security policy and proposed risk mitigation actions can be followed. A 'secure by design' approach that is based on international standards like IEC 62351 and IEEE 1686 can help further reduce risk when securing system components;
4. Manage the security programme
Effectively managing cybersecurity programmes requires not only taking into account the previous three points, but also the management of information and communication asset lifecycles. To do that, it's important to maintain accurate and living documentation about asset firmware, operating systems and configurations. It also requires a comprehensive understanding of technology upgrade and obsolescence schedules, in conjunction with full awareness of known vulnerabilities and existing patches. Cybersecurity management also requires that certain events trigger assessments, such as certain points in asset life cycles or detected threats.
For utilities, security is everyone's business. Politicians and the public are more and more aware that national security depends on local utilities being robust too.
Mitigating risk and anticipating attack vulnerabilities on utility grids and systems is not just about installing technology. Utilities must also implement organizational processes to meet the challenges of a decentralized grid. This means regular assessment and continuous improvement of their cybersecurity and physical security process to safeguard our new world of energy.
Didier Giarratano is head of Marketing Cyber Security at Energy Digital Solutions/Energy, Schneider Electric.