Part of Grid Network »

The Grid Professionals Group covers electric current from its transmission step down to each customer's home. 


Can someone elaborate on the cybersecurity aspect in the grid during current COVID19 situation?


This question was submitted by a community member who wanted to stay anonymous

  • Jun 29, 2020

Producer's Note: This question was posed during a recent webcast hosted by Energy Central: 'ScottMadden's Energy Industry Update – "Take It to the Limit." We thought we would bring the question to the community to see if you could help provide some further insights. 

About the webcast: ScottMadden's energy experts shared their views and field questions related to the future of the gas utility, 100% clean energy goals, and how they may be impacted by COVID-19, and regulatory strategy during a pandemic. Hundreds attended.  If you missed and would like to hear the recording, you can view the replay here!

Your access to Member Features is limited.

Whether it was intentional or happenstance with the timing, the Chinese are actively cyber attacking the US electric grid which resulted in Presidential Executive Order 13290.  You might find my Purdue CERIAS webinar on cyber security of control systems of interest: - Wednesday July 15, 2020 I gave a 1 hour presentation on control system cyber security for the Purdue University Summer Seminar Series - the recording is on the Purdue Cerias website - There were 183 pre-registrations of which 119 attended. The registrations were from 16 countries – Australia, Austria, Brazil, China, Germany, India, Israel, Kuwait, Lithuania, Mexico, Netherlands, New Zealand, Saudi Arabia, Singapore, UK, US. Actual attendees were from India, Israel, Kuwait, Lithuania, Mexico, Netherlands, Saudi Arabia, Singapore, UK, US. There were 10 questions raised that I did not have a chance to answer on the webinar. I thought the questions and answers would be of general interest.

Many of the salient issues related the grid management have been elaborated earlier.  However, the proposed digital conversion comes with a serious warning on security issues considering the complexity that goes into digitalising different sections of the grid operation and maintenance.

Since this happens to be a new experience, there are many lessons that we need to learn as we flow through the changes that have been suggested.  Protection, automation and control, abbreviated as PAC has complicated inter-connections and a simple fault at one end may trigger the change in the entire system.  One has to therefore restrict such limitations to a smaller section in order to set right the fault in the quickest time possible.  Power grid is quite a notorious one to be handled properly and more sensibly.

The quick revival seems to be the key for some organisations while others see a screen of uncertainty fog and unclear of their position once the crisis is over.  None of us can forecast what the future will be like as everyone is as unclear as the other.

Generally, cyber security refers to data breaching which varies in size and structure depending upon the type of organization we wish to consider.  As I said earlier, digital technology provides extremely useful data and any breach would be pretty serious especially when privacy is of utmost importance to any utility more so for energy sector.  One would realise the impact of loss of electricity or for that matter even water.

There are equally competitive cyber security advisors, companies helping utilities to safeguard their data.  Despite this, you cannot escape breach.  There have been examples in the form of malicious worm that targeted SCADA sometime back which disturbed the watershed.  It is indeed a paradoxical situation as we find cyber attackers seem to be smarter as the saying goes, “A thief is smarter than the police”.

Digital jungles of power grids are the targets as sensors, smart meters and integrated cloud services are an integrated network of both hardware and software.  Because of its proximity to society, energy industry has a massive responsibility and could face a degree of negative impact – Ukraine cyber-attacks of 2015-2016 serves as a good example on the kind of disruption of life.  In simpler terms, Energy sector is sandwiched between cyber security and public safety. Summing up, energy sector cannot escape cyber-attacks but, could try hard to minimise and engage more experts to look at plugging vulnerable points to the extent possible.

We will therefore need new security technologies to detect threats before they occur or escalate into a crisis.

I agree with Richard and would only add a couple of points.

  1. The basic challenge of reducing cybersecurity risk remains the same with or without the pandemic.  That said, the "attack surface" is larger since people are using the internet for business more.  To help reduce this risk, I wrote an Energy Central post recommending refresher training to try to avoid getting hooked by a phishing attack:  
  2. As always, keeping up to date with software patches remains another key.  The #1 avenue for hackers to succeed is a phishing success that installs malware that exploits an existing, unpatched software vulnerability.

It's a difficult time; however, the power industry is once again meeting the challenge!


Richard Brooks's picture
Richard Brooks on Jul 3, 2020

Thanks, Mike. I hope you will consider filing comments on FERC's 6/18/2020 white paper proposing voluntary investments in cybersecurity controls for the grid with financial incentives. I welcome your insights on my own FERC filing comments to the FERC white paper.

Keep up the good work at WPI: you guys did a great job on the Maters program you created for ISO New England. My son-in-law is a proud graduate of your Masters program with ISO-NE.

Mike Ahern's picture
Mike Ahern on Jul 8, 2020

Hello Richard,

I just reviewed the FERC White Paper and your comments.

In my view, the FERC is to be commended for an initiative to apply incentives to inverstments to reduce cybersecurity risks to the power grid.  That said, the perscriptive nature of the guidance may produce less risk reduction per dollar invested than could be achieved.  For example, much of the guidance is concerned with low risk bulk electric system assets yet the Distribution System may be a much greater vulnerability.  Instead, perhaps FERC could just invite proposals to reduce risk and adjudicate the incentive awards.

I do appreciate your filed comments about assessing software as a valid risk reduction investment.  Here again, these could reduce risk for all classes of assets and also be applied to Distribtion systems.  In this way, risk reduction investments could be more efficient.



Richard Brooks's picture
Richard Brooks on Jul 11, 2020

Thanks for your insights, Mike. Energy Central is hosting a PowerSession on 8/12 covering software supply chain risk assessments for the electric grid, which is what I wrote about in my FERC filing. I hope you can join us and share your own thoughts/experiences with other attendees on 8/12. Thanks for the response.

Mike Ahern's picture
Mike Ahern on Jul 8, 2020

Hello Richard,

Thank you!  

I'm glad your son-in-law liked our WPI graduate program.  We developed the cyberecurity certificate at the request of ISO-New England and PJM Interconnection.  Since then, the program has also attracted Financial Services professionals (e.g. bankers).

I'll review the FERC white paper and your filing.



I'm not sure what you're looking for but here is what I know.

Many of my colleagues are working remotely. Everything seems to be going smoothly thanks to Webex, Zoom, Gotomeeting, etc. VPN access it the only allowed way to connect to the office network, based on what I've been told.

Some grid operators have quaranteed their control system operators in onsite housing (campers) to keep them from being infected.

Energy loads are down from 6-11% across the country. Wholesale energy prices are tanking. Revenues are way down.

Plans for returning to work are very cumbersome; worse than any of the BCP practices I remember, where a tornado event simulated the destruction of the master control center. In that scenario the building was rebuilt and everyone came back to work in a newer building. Recovery from COVID-19 is very different from the BCP practices with staged/phased return of personnel, meeting room changes, masks and all the other changes that go along with this.

Tap Into The Experience of the Network

One of the great things about our industry is our willingness to share knowledge and experience.

The Energy Central Q&A platform allows you to easily tap into the experience of thousands of your colleagues in utilities.

When you need advice, have a tough problem or just need other viewpoints, post a question. Your question will go out to our network of industry professionals and experts. If it is sensitive, you can post anonymously.