Cybersecurity has been on the list of utility challenges for some time. With the connected nature of geographically distributed assets and the dependence on IT and control systems to keep the lights on, utilities are typically right up there with financial markets as one of the most critical and cyber-vulnerable industries. A 2019 industry survey of 1,700 utility OT staffers responsible for cybersecurity from Daily Energy Insider reports that 56 percent said they experienced at least one shutdown or operation data loss in the last 12 months due to some form of cyber hack.
The utility industry has been grappling with cybersecurity for decades, but more formally since the NERC CIP (“North American Electric Reliability Corporation Critical Infrastructure Protection”) program was introduced in 2006 and approved by FERC (“Federal Energy reliability Commission”) in 2008 with the intent of regulating, enforcing, and managing security of the electric system. While having a formal, auditable standard like NERC CIP was a leap forward for the electric utility industry, it did raise the question of whether NERC CIP compliance was equal to optimal security (cyber and physical). Looking at this in today’s environment with China, Russia, and other bad actors clearly postured to threaten or even attack the US electric grid, this is no longer simply a compliance exercise. It has now become quite literally a matter of life and death.
The urgency of electric utility cybersecurity is illustrated by the U.S. Department of Homeland Security's Cybersecurity & Infrastructure Security Agency’s “Shields Up” alert issued on February 12th of this year, which states that “every organization in the United States is at risk from cyber threats that can disrupt essential services and potentially result in impacts to public safety.” S & P Global, reporting on this alert, noted that “The alert said organizations should be ready to detect unusual network behavior as well as make sure all software is up to date and that all remote access requests are validated with multifactor authentication.”
Just a couple of weeks later, NERC released a statement that the “suite of Critical Infrastructure Protection Reliability Standards is ready to address those additional security challenges.” Further, as also noted by S & P Global, Scott Aaronson, senior vice president for security and preparedness at the Edison Electric Institute, wrote that “member companies (electric utilities) are closely monitoring the situation and are coordinating across the industry and with our government partners.”
Having noted that standards are being enforced and that utilities are committing resources to ensure higher levels of cybersecurity, one development in grid operations where the dynamics of cybersecurity are both challenging and promising is with the rapid growth of DERs (“Distributed Energy Resources”). DERs present an interesting posture for the grid in that on the one hand all of these assets are typically not owned or operated by a utility (rooftop solar, electric vehicles, in-home energy storage systems among the most prominent examples). This creates an environment where concepts like enforcement and control run head-on into the flexibility and autonomy of DERs.
On the other hand, DERs provide the opportunity for customers to keep the lights on when a cyber attack might prevent the local utility from delivering electrons to some or all of its customers. DERs that are part of a microgrid also provide “islanding” capabilities whereby the microgrid functions independently from the grid, creating a potentially safer power source for individual residents, a neighborhood, or large commercial and industrial (“C & I”) facilities.
Conversely, all of those connected DERs and a myriad of other connected devices create a potential cyber-nightmare for utility cybersecurity professionals. As noted above, these are typically not owned or operated by the utility. This creates a scenario not entirely unlike thumb drives being moved around and plugged into various PCs and devices: where a cyber attack hits and what it ultimately impacts is virtually impossible to identify, let alone control.
This shifts and expands the cyber risk from managing a control system where all of the points are known and managed to one where there is little-to-no control for the majority of the assets and devices that touch the network, in this case the electric grid. As pointed out in a recent document from NREL (the US “National Resilient Energy Laboratory”), titled, Resilient Energy Platform: “Both the control network and the devices become potential points of compromise.”
This same NREL paper calls for a Resilient Energy Platform that “helps countries and localities address power system vulnerabilities by providing strategic resources and directing country support to enable planning and deployment of resilient energy solutions. This includes curated reference material, training materials, data, tools, and direct technical assistance in planning resilient, sustainable, and secure power systems.” Not a “platform” in the truest, traditional sense of the word, but surely a framework for utility leaders to apply in helping prevent catastrophic cyber attacks. Additional info is available at https://resilient-energy.org/.
As the utility industry takes on the “Shields Up” posture, vigilance is the call of the day, but also important are resources needed to meet these challenges and creative approaches to developing cybersecurity protocols and processes that reach beyond the traditional boundaries of internal information and control systems.