Timely implementation of security in power plant industrial control systems at the construction stage is vital, writes Jonni Talsi

Recently there have been several high-profile stories reporting attempts to hack power stations in the US, the UK and Ireland.

These have highlighted the need for robust cybersecurity systems.

While cybersecurity is creeping into our lives more and more, it is still not an integral part of many new power projects. This should be rectified. Protecting industrial assets is getting harder and owners of plants must deal with these realities.

Many such cyberattacks have been conducted through plants’ Industrial Control Systems (ICS), placing them on the front line of cybersecurity. Given that ICS’ are an essential part of industrial plants’ operations and supervision systems, these breaches can become very serious and expensive. Previously automation systems had very little connectivity and so were isolated from other systems.

Today, a wave of new IoT/IIoT compatible devices integrated into plants’ systems will provide much desired interconnectivity between plants’ integrated automation systems and corporate enterprise solutions, but inevitably they are increasingly vulnerable to cyber-incidences.

As a rule, cybersecurity should be incorporated as early as possible. However, there are often barriers to implementation at different project phases. This article introduces some of these issues and explores how establishing a clear plan from inception can ensure clear lines of responsibility, and an integrated cybersecurity system.

Establishing cyber foundations

In an ideal world, company boards would demand that their plant management and project management to incorporate cybersecurity into plant designs.

The most successful cybersecurity goes beyond technology; it integrates technology into the physical infrastructure of a plant. However, many organisations still do not prioritise it until after they experience a breach.

Often this is because organisations with a low-level of cybersecurity expertise are put off by the time, complexity and costs associated with improving their systems. In reality it is mostly the larger, more financially robust organisations that can afford to establish and maintain a specific cybersecurity department.

However, recent hacks prove that neglecting cybersecurity has serious consequences. To ensure that ICS security is an integral part of a project, security requirements should be prescribed in the project’s contractual specifications. The skill is to find a suitable combination of sections (for example the technical specifications, minimum functionality specification, interface documentation or other related IT/ICT and substation automation documentation) and identifying where and how to weave cybersecurity specifications in. In the project execution phase you only get what is written into the contract – if it is not written down, it does not exist.

The Front End Engineering Design (FEED) phase may not be the most obvious point at which to implement ICS cybersecurity, but there are two reasons it is a good idea.

Firstly, it is during these early phases that the main project and different parts of industrial plant are budgeted. Secondly, if the costs of cybersecurity are excluded from budget estimates at this stage, it will be very difficult to find money for it later on in the project.

The art of procurement

Traditionally procurement activity is done alongside the project. While your procurement specialists might have worked on IT-related issues before, they are not subject matter specialists. In this new era of ICS cybersecurity, this is not sufficient.

Procurement specialists need to be introduced to ICS security and encouraged to learn about existing certifications and standards. This should be taken into account when procuring plant ICS and related security solutions.

Without a skilful procurement officer you are at further risk of failing to implement ICS cybersecurity features successfully.

As the project proceeds from the planning to the execution phase, pressure usually begins to mount on the engineering, procurement and construction contractor.

Naturally, investors and the plant’s senior management expect the project to be completed along the specified timeline, so the facility can start generating energy and a financial return.

As the EPC contractor faces growing time pressures, issues that are not considered ‘core’ – like extra layers of cybersecurity – are often postponed in favour of the overall timeline. This means that the facility’s cybersecurity is ultimately downgraded in favour of the overall timeline, which while financially sensible in the short term, could create greater financial problems later.

Another potential challenge to overcome is where responsibility lies. Plant owners and EPC contractors might agree on the need for cybersecurity. However, if this is passed down to vendors and manufacturers, who then pass them to subcontractors, you end up with multiple, fragmented cybersecurity systems that only work in isolation rather than across the whole system. Consequently the plant does not have an integrated cybersecurity system and several conduits remain vulnerable to exploitation.

Jonni Talsi: if cybersecurity is overlooked,
Jonni Talsi: if cybersecurity is overlooked, there may be unexpected long term costs

To avoid this, teams should ensure that there are robust testing processes for ISC cybersecurity systems.

One such check point is the Factory Acceptance Test (FAT). This is performed at the end of the software development phase by the vendor of the Distributed Control System (DCS) or Supervisory Control and Data Acquisition System (SCADA) at their factory facility.

There may be a reluctance to do this because of project timescales, but it is essential. Having a clear and robust ICS security implementation plan means this can be enforced in order for the construction phase to be compliant.

It is generally recognised that cybersecurity for ICS is a critical part of plant security. However, bridging the gap between recognition and successful implementation is proving difficult.

Only by having a clear, integrated ICS cybersecurity implementation strategy and program can organisations avoid the difficulties outlined above. A third party understanding of plants’ processes, functional safety aspects and state-of-the-art technology can provide much needed confidence for implementation and help plant management to set up cybersecurity measures in place.

Plants that are being built today need systems that can face bigger and tougher challenges in the decades to come. If cybersecurity is overlooked for short term reasons, there may be unexpected long term costs on the horizon. Therefore, it makes sense to invest the time and resources required to manage both physical and cybersecurity related risks adequately.

This benefits plant employees, the environment and reduces risks to the business continuity.

Jonni Talsi is Chief Engineer for Cybersecurity, Thermal Power and Renewable Energy at Pöyry Management Consulting