

Next-Gen Grid Operations Bring New OT Security Concerns

Senior Director of OT Solutions, Tenable, Inc.

Michael is the Senior Director of OT Solutions who comes to Tenable by way of the Indegy acquisition. He focuses on the OT product line. Michael is an advisory board member at Rutgers University...

Aug 3, 2020

Power grids are evolving. The rise of the smart grid, the introduction of renewable resources and the evolution of a variety of storage options require grids to be more flexible than ever before. Balancing supply and demand while incorporating new sources of intermittent energy, such as wind and solar power, means the grid must respond and adapt in real time. That is not an easy task.

To face these challenges, grids are becoming more intelligent, interconnected and digitized. As a result, OT network visibility, security and control must be achieved from the grid level all the way down to the bay level and the individual intelligent electronic device (IED). Improving smart grid interconnectivity, leveraging modern Ethernet and TCP/IP based standards such as IEC 61850 and IEC 60870-5-104, and employing new techniques of data acquisition are becoming the de facto industry standard. (Note that IEC 61850 GOOSE and Sampled Values messages run directly over Ethernet rather than over IP, so monitoring that only looks at IP flows will miss them.) An interconnected network, while creating great efficiencies, also yields a much wider attack surface, and one on which an intruder can move laterally, potentially from one operator's network into the next. As a result, grid-based industrial cyber threats have become core risks to safety, reliability and business continuity. Below are just a few major examples of attacks that directly affected electrical and grid operations.

In order to secure electrical and grid operations, it is important to understand the changing attack surface and attack vectors which continue to be fluid and ever evolving.

Flying Blind And Without Context

In grid environments, “last mile” activity involves sending legitimate protocol commands to controllers, relays and IEDs. These commands can be carried in documented protocols such as IEC 61850, IEC 60870-5 and DNP3 or in proprietary vendor protocols, and an attacker who has reached this stage needs no exploit: a well-formed trip or setpoint command is enough. Disruption at this point can have dire consequences for safety and grid stability, so monitoring must decode these commands in full, the proprietary ones included.

Attacks, however, should be identified long before the last mile. Traffic should be monitored everywhere including at the substation bus itself. Events should be clearly understood and should incorporate enough context to discern if the events are malicious in nature or part of regular operation. The solution should be adaptable to the specific needs of each power grid to minimize false-positives and keep network managers focused on regular operations.

To identify OT security events that impact grid and power operations, multiple detection engines are essential.

  1. DPI engines for both documented and proprietary protocols to identify “last mile” and reconnaissance events.
  2. General traffic mapping and visualization should identify and alert on communication attempts from external sources.
  3. An anomaly detection mechanism should be used to pinpoint traffic patterns that are outside of the regular network operation.
  4. Signature based detection should be leveraged to identify known threats which are used by attackers for establishing beachheads or propagating through the network.
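As an added example (not code from the article or from Tenable's products), here is a small Python monitor that combines the first three engines above for one protocol: it decodes the IEC 60870-5-104 APCI/ASDU header (deep packet inspection), flags IEC-104 traffic from hosts outside the defined OT address space, alerts on control-direction commands from hosts not on an allowlist, and compares each (source, destination, type id, cause of transmission) tuple against a baseline learned during normal operation (anomaly detection). The OT subnet, host addresses, allowlist and sample frames are constructed for the demo; a real deployment would feed it frames from a span port or tap.

```python
"""Inspect IEC 60870-5-104 traffic for "last mile" commands and anomalies.

Added example, not the article's or Tenable's code. Frame layout follows the
IEC 60870-5-104 APCI/ASDU structure; addresses, allowlists and sample frames
are constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

START_BYTE = 0x68
# Control-direction type identifications: these change the state of the process.
COMMAND_TYPES = {45: "C_SC_NA_1", 46: "C_DC_NA_1", 47: "C_RC_NA_1", 48: "C_SE_NA_1",
                 49: "C_SE_NB_1", 50: "C_SE_NC_1", 100: "C_IC_NA_1"}


@dataclass
class Apdu:
    fmt: str                      # "I" (data), "S" (ack) or "U" (link control)
    type_id: Optional[int] = None
    cot: Optional[int] = None     # cause of transmission (low 6 bits)
    common_addr: Optional[int] = None
    ioa: Optional[int] = None     # first information object address


def parse_apdu(raw: bytes) -> Apdu:
    """Decode one APDU; a ValueError means a malformed frame, itself worth an alert."""
    if len(raw) < 6 or raw[0] != START_BYTE:
        raise ValueError("missing 0x68 start byte")
    if raw[1] + 2 != len(raw):
        raise ValueError("length field does not match frame size")
    ctrl1 = raw[2]
    fmt = "I" if ctrl1 & 0x01 == 0 else ("S" if ctrl1 & 0x03 == 0x01 else "U")
    if fmt != "I":
        return Apdu(fmt)
    asdu = raw[6:]
    if len(asdu) < 9:             # type id, VSQ, COT(2), common address(2), IOA(3)
        raise ValueError("ASDU header truncated")
    return Apdu("I", type_id=asdu[0], cot=asdu[2] & 0x3F,
                common_addr=asdu[4] | (asdu[5] << 8),
                ioa=asdu[6] | (asdu[7] << 8) | (asdu[8] << 16))


class GridMonitor:
    """Per frame: external source? unauthorised command? flow outside the baseline?"""

    def __init__(self, ot_networks: List[str], command_sources: List[str]) -> None:
        self.ot_networks = [ipaddress.ip_network(n) for n in ot_networks]
        self.command_sources = set(command_sources)  # hosts allowed to send commands
        self.baseline: Set[Tuple[str, str, int, int]] = set()

    def _internal(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ot_networks)

    def learn(self, src: str, dst: str, raw: bytes) -> None:
        """Learning phase: record (src, dst, type id, COT) tuples seen in normal operation."""
        apdu = parse_apdu(raw)
        if apdu.fmt == "I":
            self.baseline.add((src, dst, apdu.type_id, apdu.cot))

    def inspect(self, src: str, dst: str, raw: bytes) -> List[str]:
        alerts = []
        if not self._internal(src):
            alerts.append(f"IEC-104 from external source {src} to {dst}")
        try:
            apdu = parse_apdu(raw)
        except ValueError as err:
            return alerts + [f"malformed APDU from {src}: {err}"]
        if apdu.fmt != "I":
            return alerts
        if apdu.type_id in COMMAND_TYPES and src not in self.command_sources:
            alerts.append(f"{COMMAND_TYPES[apdu.type_id]} to CA {apdu.common_addr} IOA {apdu.ioa} "
                          f"from unauthorised host {src}")
        if (src, dst, apdu.type_id, apdu.cot) not in self.baseline:
            alerts.append(f"unbaselined flow {src}->{dst} type {apdu.type_id} COT {apdu.cot}")
        return alerts


# Constructed frames: start byte, length, 4 control octets, then the ASDU for I-frames.
INTERROGATION = bytes.fromhex("680e00000000" "6401" "0600" "0100" "000000" "14")  # C_IC_NA_1, COT 6
SINGLE_COMMAND = bytes.fromhex("680e00000000" "2d01" "0600" "0100" "010000" "01")  # C_SC_NA_1, IOA 1 on
SPONTANEOUS_SP = bytes.fromhex("680e02000000" "0101" "0300" "0100" "050000" "01")  # M_SP_NA_1, COT 3
STARTDT_ACT = bytes.fromhex("680407000000")                                        # U-frame


def demo() -> dict:
    master, rtu = "10.20.1.10", "10.20.5.7"   # constructed SCADA master and substation RTU
    mon = GridMonitor(ot_networks=["10.20.0.0/16"], command_sources=[master])
    for src, dst, frame in [(master, rtu, STARTDT_ACT), (master, rtu, INTERROGATION),
                            (rtu, master, SPONTANEOUS_SP)]:
        mon.learn(src, dst, frame)
    return {"legit": mon.inspect(master, rtu, INTERROGATION),
            "rogue_command": mon.inspect("10.20.9.99", rtu, SINGLE_COMMAND),  # inside OT, not a master
            "external": mon.inspect("192.0.2.50", rtu, INTERROGATION)}         # outside OT entirely
```

Running `demo()` returns no alerts for the master's own interrogation, two alerts for the single command from an unknown host inside the OT range (unauthorised command plus unbaselined flow) and three for the interrogation from outside it. Signature matching for known malware, the fourth engine, is deliberately left to a dedicated IDS; the value of this layer is that it understands what the protocol is being asked to do.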

Unidentified Assets

Power networks tend to have large infrastructures. Many different devices are spread across a vast area and sometimes across several networks. These networks generally contain many generations of devices in addition to a variety of makes and models. Actively querying every device in its native protocol, for both documented and undocumented protocols, achieves maximum situational awareness and covers all devices in the distributed power grid network. The approach should scale to large networks with many heterogeneous devices, and it should account for dormant devices that do not communicate regularly over the network and therefore never show up in passive monitoring. Because some older IEDs and controllers handle unexpected traffic poorly, active queries should use the read-only requests the vendor supports, be rate-limited and be scheduled with the operations team rather than run as an unrestricted scan.

Combining passive network monitoring with active device querying protects both the devices in the OT environment, which are the targets of an attack, and the network, which is the path along which an attack propagates. Together they provide visibility of all the device types found in power networks, such as IEDs, EMS servers, GPS time servers and protection devices, and deep situational information on each asset, including model number, firmware version, patch level, the module layout in the backplane and the logic loaded on the controller.

Changes Without A Paper Trail

Where traditional IT networks rely on routers, switches and servers, PLCs, RTUs and DCS controllers are the brains of OT operations. Changes to controller logic and setpoints are routine and necessary to distribute loads and run the greater grid infrastructure. But while such changes are expected, a change can also be the result of a programming error or a malware event, and on the wire a legitimate download and a malicious one look alike.

Snapshotting the controller configuration on every change provides a paper trail: a before-and-after delta showing exactly what changed, when and from where. When a change has negatively impacted the environment, the ability to see the delta quickly and to roll back to a “last known good state” protects the environment against accidents, careless behaviour and attacks that can bring down operations. The last known good state should be marked only after the configuration has been verified in operation; otherwise a rollback can restore the very change that caused the problem.
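The paper trail described here can be built from nothing more than hashed snapshots. The Python below is an added example, not code from the article or from Tenable's products: it fingerprints each item of a controller's configuration, keeps an append-only ledger of snapshots with the source that pushed each one, reports the before/after delta, lists changes that did not come from an approved workstation, and returns the last known good state for rollback. The controller state (firmware, backplane layout, two logic routines) and the addresses are constructed; collecting real state is vendor- and protocol-specific.

```python
"""Snapshot, diff and roll back controller configuration.

Added example, not the article's or Tenable's code. The device state is a
constructed dict standing in for what an active query returns (firmware
version, backplane layout, named logic routines); real collection is vendor-specific.
"""
import hashlib
import json
from typing import Any, Dict, Iterable, List, Optional


def fingerprint(state: Dict[str, Any]) -> Dict[str, str]:
    """SHA-256 of each item's canonical JSON, so any edit to a routine changes its hash."""
    return {key: hashlib.sha256(json.dumps(val, sort_keys=True).encode()).hexdigest()
            for key, val in state.items()}


def delta(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Before/after comparison of two fingerprints."""
    return {"added": sorted(k for k in new if k not in old),
            "removed": sorted(k for k in old if k not in new),
            "changed": sorted(k for k in new if k in old and old[k] != new[k])}


class ChangeLedger:
    """Append-only history of snapshots plus a 'last known good' pointer."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []
        self.known_good: Optional[int] = None

    def record(self, source: str, state: Dict[str, Any]) -> Dict[str, List[str]]:
        """Store a snapshot and return what changed relative to the previous one."""
        fp = fingerprint(state)
        prev = self.entries[-1]["fingerprint"] if self.entries else {}
        change = delta(prev, fp)
        self.entries.append({"source": source, "state": json.loads(json.dumps(state)),
                             "fingerprint": fp, "delta": change})
        return change

    def mark_known_good(self) -> None:
        """Call only after the current state has been verified in operation."""
        self.known_good = len(self.entries) - 1

    def unattributed_changes(self, trusted_sources: Iterable[str]) -> List[Dict[str, Any]]:
        """Entries that modified something but did not come from an approved workflow."""
        trusted = set(trusted_sources)
        return [e for e in self.entries
                if e["source"] not in trusted and any(e["delta"].values())]

    def rollback_state(self) -> Optional[Dict[str, Any]]:
        """Configuration to push back to the device, or None if nothing was ever verified."""
        return None if self.known_good is None else self.entries[self.known_good]["state"]


def demo() -> Dict[str, Any]:
    ledger = ChangeLedger()
    baseline = {                                   # constructed controller state
        "firmware": "4.2.1",
        "backplane": ["CPU", "DI16", "DO16", "AI8"],
        "routine:load_shed": "IF freq < 59.5 THEN OPEN feeder_3",
        "routine:breaker_ctl": "IF cmd = TRIP THEN OPEN cb_12",
    }
    ledger.record("engineering-workstation", baseline)
    ledger.mark_known_good()
    tampered = dict(baseline, **{"routine:breaker_ctl": "IF cmd = TRIP THEN NOP",
                                 "routine:hidden": "EVERY 1h OPEN cb_12"})
    change = ledger.record("10.20.9.99", tampered)  # constructed: not an approved workstation
    return {"delta": change,
            "suspicious": [e["source"] for e in ledger.unattributed_changes({"engineering-workstation"})],
            "rollback": ledger.rollback_state()}
```

`demo()` reports one changed routine and one added routine, attributes both to the untrusted source, and hands back the verified baseline for rollback. Hashing the canonical JSON of each item rather than the whole image is what makes the delta readable: the operator sees which routine moved, not just that something did.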

Vulnerability Overload

Power networks tend to contain a mix of older devices which, at times, are upgraded or replaced. With various patch levels across each device type, maintaining an up-to-date patch management program can be difficult. If this is performed manually, there is room for misses and mistakes, not to mention the massive amount of time and effort involved. Even so, deep awareness of the state and characteristics of every device is necessary. This includes accurate matching between the specific condition of each device (model and exact firmware build, not just product family) and the available knowledge base on vulnerabilities. Because of the dynamic nature of grid environments, this body of knowledge should be updated regularly and kept in sync with newly discovered vulnerabilities.

After building an accurate asset inventory and extracting device details (model, firmware, patch level, installed software, serial number), you can identify exactly which patches each device needs and triage them by a single prioritized risk score that combines the severity of the vulnerability, the criticality of the asset and whether the vulnerability is being actively exploited.
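As an added example of that triage (not the article's or Tenable's scoring model), the Python below matches a constructed inventory against constructed advisories using introduced/fixed firmware version ranges, and ranks the findings by an assumed score of CVSS times asset criticality, doubled when the weakness is actively exploited. The models, firmware builds, advisory ids, CVSS values and weights are all invented for the demo; the point is the ordering, in which an exploited 6.5 on a critical bay controller outranks an unexploited 9.8 on the same device.

```python
"""Match an asset inventory against a vulnerability knowledge base and rank the patches.

Added example, not the article's or Tenable's code. Device models, firmware
builds, advisories and the scoring weights are constructed assumptions; no
real vendor or CVE is referenced.
"""
from typing import Any, Dict, List, Tuple


def version_key(version: str) -> Tuple[int, ...]:
    """'2.10.1' -> (2, 10, 1), so comparisons are numeric rather than lexical."""
    return tuple(int(part) for part in version.split("."))


def is_affected(firmware: str, affected_from: str, fixed_in: str) -> bool:
    """affected_from <= firmware < fixed_in, the usual 'introduced/fixed' range."""
    return version_key(affected_from) <= version_key(firmware) < version_key(fixed_in)


def risk_score(cvss: float, criticality: int, actively_exploited: bool) -> float:
    """Assumed weighting: CVSS base (0-10) x asset criticality (1-5), doubled when
    the weakness is known to be exploited in the wild."""
    return round(cvss * criticality * (2.0 if actively_exploited else 1.0), 2)


def rank_patches(inventory: List[Dict[str, Any]],
                 advisories: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Join inventory to advisories on model + firmware range, highest risk first."""
    findings = []
    for asset in inventory:
        for adv in advisories:
            if adv["model"] != asset["model"]:
                continue
            if not is_affected(asset["firmware"], adv["affected_from"], adv["fixed_in"]):
                continue
            findings.append({
                "asset": asset["id"], "advisory": adv["id"], "fixed_in": adv["fixed_in"],
                "score": risk_score(adv["cvss"], asset["criticality"], adv["exploited"]),
            })
    # Highest score first; ties broken by asset id so the order is stable.
    return sorted(findings, key=lambda f: (-f["score"], f["asset"]))


# Constructed inventory (as an asset discovery pass might return it) and advisories.
INVENTORY = [
    {"id": "bay-ctl-07", "model": "RTU-X", "firmware": "2.1.0", "criticality": 5},
    {"id": "bay-ctl-12", "model": "RTU-X", "firmware": "2.3.0", "criticality": 3},
    {"id": "gps-clock-1", "model": "TIME-GPS", "firmware": "1.0.4", "criticality": 4},
]
ADVISORIES = [
    {"id": "ADV-A", "model": "RTU-X", "affected_from": "2.0.0", "fixed_in": "2.2.0",
     "cvss": 9.8, "exploited": False},
    {"id": "ADV-B", "model": "RTU-X", "affected_from": "1.0.0", "fixed_in": "2.4.0",
     "cvss": 6.5, "exploited": True},
    {"id": "ADV-C", "model": "TIME-GPS", "affected_from": "1.0.0", "fixed_in": "1.0.5",
     "cvss": 7.5, "exploited": False},
]


def demo() -> List[Dict[str, Any]]:
    return rank_patches(INVENTORY, ADVISORIES)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['score']:6.1f}  {f['asset']:12} {f['advisory']}  upgrade to {f['fixed_in']}")
```

Note that bay-ctl-12 on firmware 2.3.0 is not matched to ADV-A because 2.3.0 is past the fixed-in build; a matcher that only keys on product family would have produced a false finding there, which is the "accurate matching" the text calls for.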


Cybersecurity is now widely recognized as a core requirement for power networks. To mitigate new and emerging risks, it is essential to maintain full visibility into all operational assets, including IEDs, RTUs, PLCs, breakers, meters, drives and other devices.

From a security perspective, it is essential to leverage both passive detection and active querying technology to detect threats to grid environments. Bringing control to a grid environment requires controlling the configurations and changes made to controllers, and identifying and prioritizing the vulnerabilities that must be dealt with now versus the ones that can wait until later.

The security landscape for grid providers will continue to change with new threats, new technologies and new demands placed on the grid. Having the right level of visibility, security and control will help secure these critical infrastructure environments against the threats that are apparent today, while remaining forward compatible to address the threats of the future.
