The mission of this group is to bring together utility professionals in the power industry who are in the thick of the digital utility transformation. 

WARNING: SIGN-IN

You need to be a member of Energy Central to access some features and content. Please or register to continue.

Post

2020 OT Cyber Security Trends for Electric Utilities

image credit: © Michael Borgers | Dreamstime.com

This item is part of the Cybersecurity - Special Issue - 04/2020, click here for more

Introduction

If you are a cyber security professional, think back to 2010. Perhaps you had to explain what cyber security was to your executive management team or board members?  Without a doubt, you had to explain what it meant to your family and friends. Fast forward to 2020 and everyone knows something about cyber security. The Ukrainian utility hacks, revelations of sensitive data exfiltration from all types of businesses, and publicized municipal ransomware attacks served as potent examples of the impacts of cyber security failures. The importance of cyber security is now fundamentally understood. In 2020, there are two different ongoing challenges for utility cyber security executives educating their colleagues – helping them sort reality from hype and understanding and anticipating cyber security issues in order to future-proof strategic cyber security decisions. 

EPRI’s Cyber Security research team assembled their prognostications about cyber security trends for the next 5 years to help utility executives manage their operational technology (OT) cyber security strategies and communicate effectively within their organizations. Our assessments are divided into two sections. The first section addresses trends that will impact utility technologies, processes, and human resources. The second section discusses challenges and opportunities that focus on specific technologies or issues. Trends can impact one or more of the specific technologies or issues covered here.    

Why does EPRI put the emphasis on utility OT cyber security? These specialized environments include industrial control systems (ICS), Supervisory Control and Data Acquisition (SCADA) systems, and other systems that monitor and control operations in substations, generation plants, and the wires that transport high and low voltage electricity. There are many cyber security tools and services designed for IT environments, but these often don’t work well in OT environments. Mission-critical applications in OT environments rely on high availability and integrity. Breaches can result in loss of life, property damage, and economic repercussions for utilities as well as the populations they serve.  The almost 300 years of expertise and experience within our cyber security R&D teams is leveraged here to deliver guidance for effective OT cyber security strategies and tactics. 

Trends for the 2020s

Tool Sprawl will trigger “single pane of glass” solutions.  Growing numbers of OT cyber security tools and increasing complexity in features and functions create problems for utilities attempting to centrally manage the variety of tools and the data they deliver.  Integrated Security Operations Centers (ISOCs) are one answer, but for many utilities, continued growth in solutions and the training burdens to achieve tool competency will trigger demands for single pane of glass solutions that do not require significant system integrations at initial deployment and after any system upgrade. Cyber tool selection will move towards solutions that are either natively integrated or easily interconnected instead of a collection of unconnected “best of breed” solutions, with the focus being on tools that are capable of exchanging data.

What this means for utilities: This problem has not been as acute on the utility OT side as it has been for IT cyber security. However, as more IT-oriented cyber security tools are adapted for OT use and adopted by utilities, this will become a challenge for utility OT cyber security teams. Utilities and vendors may consider the following steps: 1) understand primary OT cyber security requirements, 2) identify technology and process gaps, and 3) conduct pilots or demonstrations to test performance and deployment processes.  The largest utilities, with resources available to maintain interconnections, may choose to maintain mature ISOCs that are comprised of best of breed tools, but smaller utilities may opt for fully integrated solution platforms for their ISOCs.  Vendors will value industry consensus on the information that is most meaningful for integrated platform solutions that help ISOC operations. 

Zero trust becomes the new utility cyber security model.  This conceptual model, which essentially means “never trust, always verify any access to any device connected to a network at any time” continues to gain acceptance and incorporation into utility OT cyber security strategies. Current models presume that trust is established once within a network, and successful attacks take advantage of that trust. Zero trust can answer security challenges introduced with edge computing deployments and exacerbated by the proliferation of grid-connected devices within utilities and at the grid edge, plus address insider threat concerns.  

What it means for utilities:  A little paranoia can be useful for utility cyber security postures.  A zero trust approach requires authentic credentials at every device, and that means utilities must change their cyber security strategies and practices, as well as make investments that distribute intelligence for access authentication across networks.  In the future, 5G-based cyber security functions may play a role here, but more research will be needed to ascertain the OT cyber security use cases, supporting technologies and processes, and costs for model conversions. Utilities are advised to develop zero trust migration plans that budget for the necessary revisions to existing security architectures and solutions.  

Cyber security automation and Automated Threat Mitigation (ATM) move from ideas to implementations. Utility OT environments are typically “followers” in technology innovations for several valid reasons.  Most importantly, OT environments in general do not refresh technology at velocities comparable to those in IT environments. That offers EPRI and its utility members the opportunity to evaluate the viability of IT-based solutions adapted for OT use. Solutions that help utilities centrally and securely manage asset deployments and upgrades will make their debut in the next 5 years.  Automated Threat Mitigation (ATM) will rely on data in the form of analytics and other data-intensive functions to substitute for and/or enhance human skills and experience. Automation may also address resource gaps as all business sectors scramble to find cyber security professionals to fill their ranks. 

What this means for utilities:  As the attack surface and threat vectors grow, so do the types and volumes of data that overwhelm human abilities to organize it to comprehend and take action. Artificial Intelligence (AI) and other machine learning capabilities can aid utilities in monitoring and managing cyber security tools and processes across their operations and these vast amounts of cyber security data. There is a hugely important caveat around data-intensive capabilities like AI.  The building blocks for any cyber security automation solutions are properly prepared data as defined by data governance policies and the skilled resources to fully realize the benefits of all data-intensive solutions. The way forward on ATM will require deliberate data preparation through data governance policies that include cyber security data requirements. For instance, next generation intrusion detection technology will use more sophisticated mathematical modeling to detect attacks. But there’s another point to consider. Attackers are also studying AI and other data-intensive technologies to exploit vulnerabilities in utility cyber security defenses. It’s another arms race between utilities and their attackers.    

Increasing attack variety, velocity, and volume drive new models and tools.  Utilities are confronting new types of attacks as more communications-enabled devices are grid-connected. Any grid-connected device could be the initial entry point for attackers intent on breaching utility cyber security defenses. Attack velocity and volumes will continue to increase for similar reasons. New solutions are required that help utilities “scale up” their responses to exponentially greater numbers of intrusion alarms across expanded attack surfaces. The threats are dynamic, the resulting cyber security strategies must be too.

What this means for utilities:  Security through obscurity is over.  Proactive defense based on a zero trust concept is the appropriate strategic direction to help reduce the risks incurred by increasing numbers of communicating devices (many that enhance grid operations) as these are deployed in utility operations. Deception technology products hold significant potential to help reduce alarm volumes and help cyber security resources manage the new normal in attacks and attackers. Deception technologies are a proactive defense deployed to detect, analyze, and defend against attacks in real-time. While common in some IT environments in some business sectors, these are almost non-existent in utility OT environments.  Hands-on experience in deception technology, gained through collaborative research and knowledge sharing, can help utilities understand how to reduce security risks and vulnerabilities in their OT environments and provide practical knowledge to guide the procure­ment and deployment decisions. Budget for investments in the technologies, services, and resources to manage the security of your assets. 

More mergers and acquisitions (M&A) impact utility assumptions about product lifecycles. Cyber security industry consolidation was active in 2019 and will continue as larger companies acquire smaller competitors to grow customer bases and smaller companies merge with adjacent tool vendors to establish and build natively integrated platform solutions. Startups will continue to be absorbed by larger companies who leverage their innovations into existing solutions. There’s an arms race between vendors just like there is an arms race between utilities and their adversaries.

What this means for utilities: Utilities and their stakeholders cannot expect cyber security solutions to last decades before replacement. Cyber security technology evolves at a velocity that is atypical for utility OT environments. It can happen through M&A activity, vendor innovation cycles, or technology responses to new threats.  Utility executive teams and stakeholders must understand that ongoing cyber security procurements and requests for investments will appear in utility budgets and faster asset replacement cycles must be accommodated in depreciation schedules. Procurement contracts should include strong guarantees and financial penalties for support and service levels to ensure continued product life until upgrade or replacement. Larger utilities with sufficiently skilled resources may consider using technology escrow accounts to ensure solution continuity. 

These are major cyber security trends that will impact utility cyber security strategies in the next 5 years and are reflected in EPRI’s R&D roadmaps. There are technology challenges and opportunities that will factor into the above-mentioned trends. Some of them are already in play in utilities such as supply chain security. Others are new to utility OT environments but may have significant influences on utility cyber security strategies, procurement plans, and practices. 

Technology Challenges and Opportunities

4G platform.  5G capabilities will rollout over a period of years. Therefore, for targeted utility communications use cases, EPRI expects to see 4G technologies remain in place this decade. Current Wi-Fi technologies offer some interesting possibilities to provision security, such as Device Provisioning Protocol (DPP) or Easy Connect™ that could play into grid edge security plans. 

What it means to utilities: 4G and 5G will coexist for a number of years. 4G, with improved security for devices, could factor into utility cyber security plans using Wi-Fi for the grid edge.  Continued research in 4G cyber security capabilities, particularly for authenticated IoT and grid-edge devices, may identify solutions that benefit utilities as their attack surfaces expand at a lower cost than migration to 5G. 

5G platform. This latest evolution of wireless communications technologies lives up to the term game-changer when it comes to cyber security.  5G is more than increased wireless transmission speeds and the potential to support mission-critical applications that cannot tolerate data communications errors or delays. Its native cloud capabilities leverage software-defined networking and virtualized network functions, which hold significant promise (and disruption) to cyber security activities.  

What it means to utilities:  5G will impact utility cyber security strategies. EPRI has identified the major OT cyber security implications for utilities, which are too numerous and extensive to recapitulate here. Virtualized security functions are capabilities that may disrupt existing OT cyber security architectures and strategies at utilities.  The potential benefits of 5G to enhance, improve, and expand utility OT cyber security are considerable and merit further investigation. 

Edge computing.  Distributed energy resources (DER), Internet of Things (IoT), and Industrial Internet of Things (IIoT) proliferation forces utilities to rethink centralized computing models for grid operations. These all have the potential to be “grid-connected devices” that impact grid operations. The devices and their networks must incorporate authentication and other security capabilities on a significantly bigger scale than in the past. Edge or distributed computing offers a scalability solution to support growing numbers of grid-connected devices, and that impacts utility cyber security architectures, intrusion detection deployments, and the networks transporting data to processing and storage destinations. 

What it means to utilities: Zero trust concepts are useful approaches to think about securing edge computing capabilities. Data availability and integrity, two predictable requirements in core grid operations, are just as prevalent in distributed grid operations where grid-connected devices are concerned. 5G will also play a role in enabling distributed computing through virtualized services.

Improved integrations.  Application Program Interfaces (APIs) are data exchange points between two different systems or applications that ensure that data is transmitted in expected formats and conforms to application rules. Building and maintaining APIs as system upgrades occur adds to total cost of ownership (TCO) in the form of systems integrators and more regression testing for each change. APIs are not perfect solutions and are security vulnerability points.  Better integration can be achieved with the Integrated Adaptive Cyber Defense (IACD) system that creates standards-based, open source software frameworks to encourage seamless integrations between various commercial, off the shelf (COTS) systems.

What it means for utilities: Demand for single pane of glass solutions, coupled with M&A activity will increase the need for secure, non-proprietary APIs that enable faster, more secure, and more cost-effective integration of different vendor solutions. Utilities are advised to ask their vendors about their support of IACD and include IACD support in their requests for proposals from OT cyber security vendors. COTS solutions also prominently factor into 5G platforms. Proprietary may become a 4 letter word. 

Supply chain security.  Complex supply chains comprise most hardware and software deployed by utilities. Open source software may have many developers.  COTS and proprietary hardware may have components built by hundreds of manufacturers.  The threat of built-in vulnerabilities is growing for utilities, which need tools and techniques to realistically assess and manage integrity risks in their supply chains.  One interesting question focuses on the possibilities for AI to verify component integrity and automate supply chain security processes.

What it means to utilities:  Tools like physically unclonable functions (PUF) or Secret Unknown Ciphers (SUC) generate digital fingerprints that are unique identifiers for components.  These tools are only part of the answer.  Utilities need supply chain security assurance built on common models that utilities and their vendors adopt. EPRI is conducting research on the Technology Assessment Methodology (TAM) to fill this need.  This model establishes a consistent understanding of supply chain roles and responsibilities for design, build, and run activities that help ensure integrity and security. 

Timing technology security.  Advanced grid operations require accurate time stamps on data to ensure data integrity across their systems.  As more communicating devices are connected to utility networks, this reliance on precision timing increases.  Utilities, labs, and academic institutions have confirmed some vulnerabilities in precision timing that pose risks to grid applications that rely upon highly accurate timing.  Applications that require accurate data timestamps range from mission-critical functions such as protective relaying to wide area protection systems and MPLS networks.

What it means to utilities: The complete risks associated with exploitation of these timing vulnerabilities are not well-known. Without a full understanding of risks to utility OT environments, cyber security teams lack the knowledge to identify, prioritize and effectively mitigate these risks to ensure operational integrity and security.  EPRI has ongoing research into timing vulnerability issues and mitigations and is convening an interest group on timing vulnerabilities to accelerate stakeholder awareness and support of a technology and research roadmap to resolve vulnerabilities. 

Conclusion

The trends and technology challenges and opportunities described above will have significant impacts on utility OT cyber security strategies and operations.  Many of the topics, including 5G, Grid 2 Edge cyber security, and supply chain security discussed here already appear in our roadmaps.  Others are in foundational R&D like our ISOC data research to prepare for introductions or demonstrations of these technologies in the next couple of years.

There are threat actors determined to cripple electric grids.   The trends, challenges, and opportunities outlined here need the active support and involvement in research by all utility sector stakeholders to engineer the greatest likelihood of success – the reduction of cyber security vulnerabilities and threats to electric grid critical infrastructure. 

Christine Hertzog's picture

Thank Christine for the Post!

Energy Central contributors share their experience and insights for the benefit of other Members (like you). Please show them your appreciation by leaving a comment, 'liking' this post, or following this Member.

Discussions

Matt Chester's picture
Matt Chester on Apr 28, 2020 4:20 pm GMT

Exciting to see all the technological solutions coming along to further protect the cybersecurity of the utility industry-- do you think the new technology implementations open up any vulnerabilities as they are introduced, though, from needing to be used and understood by the employees in the utility industry who aren't focused on cybersecurity? Is there a learning curve or human-based vulnerability that gets introduced?

Christine Hertzog's picture
Christine Hertzog on Apr 28, 2020 5:04 pm GMT

Any new technology has the potential to be deployed incorrectly, and that might impact cyber security or other functional aspects.  In the triad of people, process, and technology, too often the emphasis is on technology without consideration of changes to processes or skills.  Basic cyber security awareness and best practices by all industry stakeholders certainly can help reduce risks for the mission critical infrastructure in utilities. 

Matt Chester's picture
Matt Chester on Apr 28, 2020 9:09 pm GMT

Agreed, Christine-- in fact I think there's a unique danger in the technology solutions being deployed but without the processes and skills because the decision-makers will likely have a false sense of security that leaves them even more vulnerable

Get Published - Build a Following

The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.

If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.

                 Learn more about posting on Energy Central »