“Shields Up” is the New Standard for Electric Utilities… But What About DERs?

Michael Smith
Principal KLN Group

If you have been active in the North American utility IT/automation markets over the last 30+ years, chances are that you have subscribed to a publication, read a research report, or attended an...

  • Apr 27, 2022

This item is part of the Special Issue - 2022-04 - Cybersecurity 2022.

Cybersecurity has been on the list of utility challenges for some time. With the connected nature of geographically distributed assets and the dependence on IT and control systems to keep the lights on, utilities are typically right up there with financial markets as one of the most critical and cyber-vulnerable industries. A 2019 industry survey from Daily Energy Insider of 1,700 utility OT staffers responsible for cybersecurity reports that 56 percent said they experienced at least one shutdown or operation data loss in the last 12 months due to some form of cyber hack.

The utility industry has been grappling with cybersecurity for decades, but more formally since the NERC CIP (“North American Electric Reliability Corporation Critical Infrastructure Protection”) program was introduced in 2006 and approved by FERC (“Federal Energy Regulatory Commission”) in 2008 with the intent of regulating, enforcing, and managing security of the electric system. While having a formal, auditable standard like NERC CIP was a leap forward for the electric utility industry, it did raise the question of whether NERC CIP compliance was equal to optimal security (cyber and physical). Looking at this in today’s environment, with China, Russia, and other bad actors clearly postured to threaten or even attack the US electric grid, this is no longer simply a compliance exercise. It has now become quite literally a matter of life and death.


The urgency of electric utility cybersecurity is illustrated by the “Shields Up” alert from the U.S. Department of Homeland Security's Cybersecurity & Infrastructure Security Agency, issued on February 12th of this year, which states that "every organization in the United States is at risk from cyber threats that can disrupt essential services and potentially result in impacts to public safety." S & P Global, reporting on this alert, noted that “The alert said organizations should be ready to detect unusual network behavior as well as make sure all software is up to date and that all remote access requests are validated with multifactor authentication.”

Just a couple of weeks later, NERC released a statement that the "suite of Critical Infrastructure Protection Reliability Standards is ready to address those additional security challenges.” Further, as also noted by S & P Global, Scott Aaronson, senior vice president for security and preparedness at the Edison Electric Institute, wrote that "member companies (electric utilities) are closely monitoring the situation and are coordinating across the industry and with our government partners."

Standards are being enforced and utilities are committing resources to ensure higher levels of cybersecurity. Even so, one development in grid operations where the dynamics of cybersecurity are both challenging and promising is the rapid growth of DERs (“Distributed Energy Resources”). DERs present an interesting posture for the grid in that, on the one hand, these assets are typically not owned or operated by a utility (rooftop solar, electric vehicles, and in-home energy storage systems are among the most prominent examples). This creates an environment where concepts like enforcement and control run head-on into the flexibility and autonomy of DERs.

On the other hand, DERs provide the opportunity for customers to keep the lights on when a cyber attack might prevent the local utility from delivering electrons to some or all of its customers. DERs that are part of a microgrid also provide “islanding” capabilities whereby the microgrid functions independently from the grid, creating a potentially safer power source for individual residents, a neighborhood, or large commercial and industrial (“C & I”) facilities.

Conversely, all of those connected DERs and a myriad of other connected devices create a potential cyber-nightmare for utility cybersecurity professionals. As noted above, these are typically not owned or operated by the utility. This creates a scenario not entirely unlike thumb drives being moved around and plugged into various PCs and devices: where a cyber attack hits and what it ultimately impacts is virtually impossible to identify, let alone control.

This shifts and expands the cyber risk from managing a control system where all of the points are known and managed to one where there is little-to-no control over the majority of the assets and devices that touch the network, in this case the electric grid. As pointed out in a recent document from NREL (the US “National Renewable Energy Laboratory”) titled Resilient Energy Platform: “Both the control network and the devices become potential points of compromise.”

This same NREL paper calls for a Resilient Energy Platform that “helps countries and localities address power system vulnerabilities by providing strategic resources and directing country support to enable planning and deployment of resilient energy solutions. This includes curated reference material, training materials, data, tools, and direct technical assistance in planning resilient, sustainable, and secure power systems.” Not a “platform” in the truest, traditional sense of the word, but surely a framework for utility leaders to apply in helping prevent catastrophic cyber attacks. Additional info is available at https://resilient-energy.org/.

As the utility industry takes on the “Shields Up” posture, vigilance is the call of the day, but also important are resources needed to meet these challenges and creative approaches to developing cybersecurity protocols and processes that reach beyond the traditional boundaries of internal information and control systems.

Discussions
Matt Chester on Apr 27, 2022

Conversely, all of those connected DERs and a myriad of other connected devices create a potential cyber-nightmare for utility cybersecurity professionals. As noted above, these are typically not owned or operated by the utility. 

Well if we want a positive spin on it, then I'll say anyone working in the cybersecurity / energy intersection never really has to worry about job security-- we're going to need a LOT of expertise in the years to come :)

Barry Jones on May 2, 2022

Playing devil's advocate, I'm not certain of the value in "Shields Up." Why? Well, I would ask why did you let your shield down? If we want to focus on security, it's the day-to-day processes and people ensuring that they take the extra time to "dot the I and cross the T." Speaking of which, there is little in our industry about staffing levels and risk. The largest risk to the IoT and ICS/OT environments from my perspective is lack of resources followed by lack of bench strength in key areas where one needs them. After all, separation of duties and roles is a tenet of good cyber security practices.

Richard Brooks on May 3, 2022

This article raises some good points about the cybersecurity challenges with DER. Cybersecurity controls are also exacerbated by the fact that many DER resources are connected to the Distribution grid, which is the domain for State utility commissions, which have differing cybersecurity requirements across the US. The hope is that CISA, in its expanded role, will be able to provide consistent cybersecurity best practices to cover the entire electric grid across States, not just the BES.

John Benson on May 9, 2022

Good post and a good resource, Michael. 

I clicked through the above link and found that: "This platform is developed, in part, by the National Renewable Energy Laboratory, operated by Alliance for Sustainable Energy, LLC, for the U.S. Department of Energy (DOE). Funding provided by the United States Agency for International Development (USAID)."

-John
