Today’s automated distribution grids are under pressure to significantly improve network and operational efficiency while still securing critical infrastructure reliability. The transformation of existing utility assets through the convergence of IT and OT systems, the Internet of Things (IoT) and the decentralization of power systems leaves the door open to increased cyber vulnerability. Digitization, the pervasive deployment of connected sensors and communicating devices, and the shift towards open communication platforms such as Ethernet and IP introduce risks that threaten progress toward that goal. With the right skills, malicious actors can compromise utility enterprise systems and disrupt grid control, with serious power and economic consequences for everyone who relies on that energy. This is not a hypothetical threat; consider the cyber attack on the grid in Ukraine.
Those responsible for critical utility infrastructure are exploring different approaches to security, and they often look for guidance from the most mature cyber security practices developed by the IT industry. That is often not the best plan, because utilities have unique operational constraints and must account for the intersection at which IT and OT systems meet. A security approach that fits one side does not necessarily suit the other. Within the substation environment, proprietary devices once dedicated to specialized applications are now exposed. Sensitive information about how these devices work can be accessed online by anyone, including those with malicious intent.
For those reasons, it’s necessary to develop cross-functional teams capable of addressing the unique challenges of securing technology that spans both worlds. Protecting against today’s cyber threats requires cross-domain efforts where engineers, IT managers, and security managers share their expertise.
Another common approach to deploying cyber-secure grid systems is a focus on complying with standards and regulations, like the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) and the European Programme for Critical Infrastructure Protection (EPCIP).
Regulatory compliance and adherence to standards are good, but not good enough. As grid complexity grows with the stronger penetration of distributed energy resources and more sophisticated feeder automation, a new approach to grid cyber security is a must: one that is oriented toward risk management.
Cyber security risk minimization is a continuous process: assess, design, implement, and manage. It is not a matter of having ‘achieved’ a cyber secure state; that is impossible. Keeping pace with ever-evolving IT and OT technology, and countering the constant efforts of adversaries to find and exploit vulnerabilities, requires a circular, iterative risk mitigation process that is about more than just technology. It needs an organizational approach that deals with people, processes, and technologies.
We recommend that utilities start by taking a four-point approach:
- Conduct a risk assessment
- Design security policies and processes
- Execute projects that implement the risk mitigation plan
- Manage the security program