When it comes to utility substation automation, how do you put basic cybersecurity concepts into practice? Concepts like availability, integrity, confidentiality (AIC), or authorization, authentication, and auditability (AAA) need the support of your organizational and operational processes. To achieve that, consider following a step-by-step approach like the one illustrated here.
Step 1: Define security policy
Your cybersecurity policy lays out formal security rules. It needs to clearly define the obligations of employees, contractors, and other authorized users when it comes to protecting your technology and information assets. It should list and classify hardware and software assets and equipment, identify threats and assess risk, define information protection rules, describe users’ responsibilities and access, describe what’s not allowed and the consequences of violating the policy, and detail incident response plans and teams.
Step 2: Define processes
System security baselines aren’t static. As they change in order to address emerging vulnerabilities, your organization needs to review and update its cybersecurity system processes. If you conduct a review once or twice a year, you can maintain an effective security baseline. It’s also important to maintain a strong patch management system. To deploy a patch management system that properly supports your secondary control systems, you’ll need to generate a system inventory baseline, conduct periodic risk analyses, monitor security sources for patches, test and deploy patches, and revise your asset inventory baseline.
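The patch management cycle described above (inventory baseline, risk analysis, advisory monitoring, test and deploy, revised baseline) can be made concrete with a small worked example. The code below is added here and is not from the original post or any vendor tool; the asset records, advisory identifiers (`ADV-EXAMPLE-*`), vendor names and lab-test outcomes are all constructed placeholders, and the risk score (asset criticality times advisory severity) is a deliberately simple stand-in for a real risk analysis.

```python
"""Worked patch-management cycle for substation secondary equipment.

Added example, not from the original post. Every asset record, advisory
and lab-test result below is constructed for illustration; the advisory
identifiers are placeholders, not real vendor bulletins."""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    asset_id: str
    role: str          # e.g. protection relay, RTU, HMI
    vendor: str
    firmware: str      # installed firmware, "major.minor.patch"
    criticality: int   # 1 (low) .. 5 (high), from the policy's asset classification


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    vendor: str
    affected_below: str  # every firmware older than this version is affected
    fixed_version: str   # version in which the vendor ships the fix
    severity: int        # 1 (low) .. 5 (high), as rated in the advisory


# --- constructed sample data (hypothetical vendors, versions and bulletins) ---
SAMPLE_ASSETS = [
    Asset("REL-01", "protection_relay", "VendorA", "3.1.0", 5),
    Asset("REL-02", "protection_relay", "VendorA", "3.2.1", 5),
    Asset("RTU-01", "rtu", "VendorB", "1.4.2", 4),
    Asset("HMI-01", "hmi", "VendorC", "2.0.0", 3),
]
SAMPLE_ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "VendorA", "3.2.0", "3.2.0", 4),
    Advisory("ADV-EXAMPLE-002", "VendorB", "1.5.0", "1.5.0", 3),
    Advisory("ADV-EXAMPLE-003", "VendorC", "2.1.0", "2.1.0", 2),
]
# Outcome of testing each patch on a lab/staging copy of the equipment (constructed)
SAMPLE_LAB_RESULTS = {
    "ADV-EXAMPLE-001": True,
    "ADV-EXAMPLE-002": True,
    "ADV-EXAMPLE-003": False,   # patch broke the HMI in the lab: do not deploy yet
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn "3.2.1" into (3, 2, 1) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def build_baseline(assets: List[Asset]) -> Dict[str, Asset]:
    """Step 1 of the cycle: the system inventory baseline, keyed by asset id."""
    return {a.asset_id: a for a in assets}


def find_affected(baseline: Dict[str, Asset], advisories: List[Advisory]) -> List[Tuple[Asset, Advisory]]:
    """Steps 2/3: match the monitored advisories against the inventory baseline."""
    hits = []
    for asset in baseline.values():
        for adv in advisories:
            if adv.vendor == asset.vendor and parse_version(asset.firmware) < parse_version(adv.affected_below):
                hits.append((asset, adv))
    return hits


def risk_score(asset: Asset, adv: Advisory) -> int:
    """Simplified risk analysis: asset criticality times advisory severity."""
    return asset.criticality * adv.severity


def prioritize(affected: List[Tuple[Asset, Advisory]]) -> List[Tuple[Asset, Advisory]]:
    """Highest risk first; ties broken by asset id for a stable order."""
    return sorted(affected, key=lambda pair: (-risk_score(*pair), pair[0].asset_id))


def run_patch_cycle(baseline, advisories, lab_results):
    """Steps 4/5: deploy only lab-tested patches, then revise the inventory baseline.

    Returns what was deployed, what was deferred (and why), and the new baseline;
    the input baseline is left untouched so the previous state stays auditable."""
    revised = dict(baseline)
    deployed, deferred = [], []
    for asset, adv in prioritize(find_affected(baseline, advisories)):
        if lab_results.get(adv.advisory_id, False):
            revised[asset.asset_id] = replace(asset, firmware=adv.fixed_version)
            deployed.append((asset.asset_id, adv.fixed_version))
        else:
            deferred.append((asset.asset_id, adv.advisory_id))
    return {"deployed": deployed, "deferred": deferred, "baseline": revised}


if __name__ == "__main__":
    report = run_patch_cycle(build_baseline(SAMPLE_ASSETS), SAMPLE_ADVISORIES, SAMPLE_LAB_RESULTS)
    for asset_id, version in report["deployed"]:
        print(f"deployed {asset_id} -> {version}")
    for asset_id, adv_id in report["deferred"]:
        print(f"deferred {asset_id}: {adv_id} failed lab test, track with compensating controls")
```

Running the cycle once patches the two highest-risk assets and leaves the HMI on its old firmware because the patch failed in the lab; re-running `find_affected` on the revised baseline then shows exactly that one outstanding item, which is the residual-risk list the next review should start from.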
Step 3: Choose and implement technology
When implementing security policy and risk mitigation actions, choose technology based on international standards like IEC 62351 and IEEE 1686. They offer secure-by-design approaches (as opposed to bolt-on security approaches) that help reduce risk when securing control system components. Determine which standards are best suited to implement your cybersecurity requirements in the operational technology environment relevant to your organization.
Step 4: Document everything
Your cybersecurity documentation should include detailed processes, network diagrams, security architectures, and technical documentation supplied by vendors. It’s also essential to possess as-built documentation of deployed systems, approved cybersecurity templates for periodic audits, security risk assessments, as well as engineering, servicing, commissioning, and patch management documentation.
Read my previous post on how utilities can protect themselves against cyber attacks, or the white paper “A Framework for Developing and Evaluating Utility Substation Cybersecurity”, and let us know what you think. What other measures can utilities take to protect themselves from the growing risk of substation cybersecurity threats?