Cybersecurity Protections Across the Energy Industry: It's Not Just About OT

Co-Founder and Lead Software Engineer, Reliable Energy Analytics LLC

Dick Brooks is the inventor of patent 11,374,961: METHODS FOR VERIFICATION OF SOFTWARE OBJECT AUTHENTICITY AND INTEGRITY and the Software Assurance Guardian™ (SAG ™) Point Man™ (SAG-PM™) software...

Mar 8, 2023

The energy industry, and especially the manufacturers who supply products to it, has a near obsession with framing cybersecurity in the context of OT. This is understandable, as so much of the cybersecurity discussion revolves around the NERC CIP standards, which are aimed at the Bulk Power System (BPS) and OT assets. It seems a week doesn't go by without a vendor promoting the IEC 62443 standard to the industry as "the solution" for cybersecurity. Schneider Electric and Hitachi Energy seem to be the most vocal IEC 62443 supporters. OT cybersecurity is important, but IT cybersecurity is also important. This article focuses on the need for a holistic approach to cybersecurity covering IT, OT and inter-company cybersecurity practices and protections, which IEC 62443 does not address.

There are realities that cannot be ignored. Some successful attacks on IT systems have impacted OT system performance. The Colonial Pipeline incident started with a breach of an IT system (billing), which caused an outage on the systems used to deliver petroleum products across the East Coast. Drivers waited in long lines for gasoline, not because the OT systems were under attack, but because the company was unable to operate without its billing system. Lesson learned: cybersecurity protection is a "business issue" that is not confined to internal IT and OT systems; even an external cybersecurity event at a supplier company can cause business disruptions.

In my opinion, this intense focus on OT cybersecurity is directly related to the OT focus of NERC CIP, which protects BPS assets within an Electronic Security Perimeter (ESP). It's not surprising that vendors of products used in OT grid operations would focus on IEC 62443 as their preferred solution, given NERC's focus. But energy industry cybersecurity controls need to cover more than simply BPS OT systems. A settlement/billing system contains sensitive financial data, e.g., bank account details, and is one of the most attractive targets for hackers. HR systems contain personally identifiable information and are another high-value target. Neither of these high-value systems and applications is covered by NERC CIP or IEC 62443.

Energy industry stakeholders would be better served by following a broader cybersecurity framework and set of standards that cover the broad array of applications and systems found in a utility company. The NIST Cybersecurity Framework and the related NIST standards cover IT and OT applications and systems, providing a much broader set of guidelines to protect all of the applications and systems found in a utility company. NIST standards cover OT and IT applications and address external, third-party protections for the software supply chain. Some manufacturers are claiming that IEC 62443 covers the Software Bill of Materials (SBOM). This is not true; only NIST recommendations contain the specific guidance needed to acquire SBOMs from vendors, along with NIST Vulnerability Disclosure Reports.
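The paragraph above names two supply-chain artifacts a utility would acquire from a vendor, an SBOM and a vulnerability disclosure report. The Python below is an added example, not code from the post or from the author's products; it shows what a receiving utility actually does with those two documents: reconcile them, so that every component in the SBOM is checked for unresolved findings and any finding that refers to a component not in the SBOM is flagged as a mismatch between the two documents. The SBOM and VDR here are constructed samples in a simplified CycloneDX-like JSON shape with placeholder vulnerability IDs; the field names are an assumption for illustration, not a vendor's real output.

```python
import json

# Constructed sample SBOM in a simplified CycloneDX-like shape (illustrative, not a vendor document).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"bom-ref": "pkg:npm/lodash@4.17.20", "type": "library",
         "name": "lodash", "version": "4.17.20"},
        {"bom-ref": "pkg:pypi/requests@2.28.1", "type": "library",
         "name": "requests", "version": "2.28.1"},
        {"bom-ref": "pkg:generic/vendor-agent@3.1.0", "type": "application",
         "name": "vendor-agent", "version": "3.1.0"},
    ],
})

# Constructed sample VDR: each entry names a vulnerability (placeholder IDs,
# not real advisories), the components it affects, and the vendor's analysis state.
SAMPLE_VDR = json.dumps({
    "vulnerabilities": [
        {"id": "VULN-PLACEHOLDER-001",
         "affects": [{"ref": "pkg:npm/lodash@4.17.20"}],
         "analysis": {"state": "exploitable"}},
        {"id": "VULN-PLACEHOLDER-002",
         "affects": [{"ref": "pkg:pypi/requests@2.28.1"}],
         "analysis": {"state": "not_affected"}},
        {"id": "VULN-PLACEHOLDER-003",
         "affects": [{"ref": "pkg:generic/not-in-sbom@1.0"}],
         "analysis": {"state": "exploitable"}},
    ],
})

# Analysis states that still need action by the receiving utility.
# A vulnerability with no analysis block at all is treated as open (conservative choice).
OPEN_STATES = {"exploitable", "in_triage"}


def load_components(sbom_json):
    """Return {bom-ref: component} for every component listed in the SBOM."""
    sbom = json.loads(sbom_json)
    return {c["bom-ref"]: c for c in sbom.get("components", [])}


def reconcile(sbom_json, vdr_json):
    """Cross-check a VDR against an SBOM.

    Returns a dict with three sorted lists:
      open     - (bom-ref, vuln id) pairs for SBOM components with unresolved findings
      orphaned - vuln ids whose affected refs do not appear in the SBOM at all
                 (a sign the two documents do not describe the same product build)
      clean    - bom-refs of SBOM components with no open findings
    """
    components = load_components(sbom_json)
    vdr = json.loads(vdr_json)
    open_findings = []
    orphaned = []
    refs_with_open = set()

    for vuln in vdr.get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state")
        is_open = state is None or state in OPEN_STATES
        for target in vuln.get("affects", []):
            ref = target.get("ref")
            if ref not in components:
                orphaned.append(vuln["id"])
                continue
            if is_open:
                open_findings.append((ref, vuln["id"]))
                refs_with_open.add(ref)

    clean = [ref for ref in components if ref not in refs_with_open]
    return {
        "open": sorted(open_findings),
        "orphaned": sorted(set(orphaned)),
        "clean": sorted(clean),
    }


if __name__ == "__main__":
    result = reconcile(SAMPLE_SBOM, SAMPLE_VDR)
    for key in ("open", "orphaned", "clean"):
        print(f"{key}: {result[key]}")
```

The "orphaned" list is the check practitioners most often miss: a VDR that references components the SBOM does not contain (or vice versa) means the vendor's disclosure and the delivered build are out of step, and the utility should ask for matching documents before relying on either one.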

Utility companies operating in the US would be well served by following the NIST Cybersecurity Framework and the series of NIST standards, in order to take a more holistic approach to cybersecurity protections across all company functions and operations, including OT, IT and inter-company software supply chain risks, in line with the US National Cybersecurity Strategy and DOE's vision that follows from it. I'll refer to this wise advice from an IEC 62443 vendor, LDRA: "The ideal framework for a particular organization is likely to depend on the industry and its associated regulatory drivers. The NIST standards are usually obligatory for the US public sector

Parties looking for practical implementation guidance for the NIST cybersecurity standards may find value in this reference from the healthcare sector.

