The mission of this group is to bring together utility professionals in the power industry who are in the thick of the digital utility transformation. 


You need to be a member of Energy Central to access some features and content. Please or register to continue.


Cybersecurity: A Systems Approach through STAMP

image credit: Credit: MIT Study

In 2015, Russian hackers gained access to Ukranian utility networks and manually switched off power to electrical substations. Hackers were back in 2016, when malware took down a fifth of the country’s national capital’s grid. 

As grids become increasingly automated, both attacks brought home the importance of putting robust cybersecurity practices to protect control systems. They also emphasized the rapidly evolving nature of such attacks. Earlier, cyberattacks were targeted at IT infrastructure. With the rapid advance of algorithms through utility infrastructure, however, operational technology has also become fair game. For example, the 2016 malware disabled a Siemens digital relay, preventing access to circuit breakers. 

But the view from the grid trenches is not particularly encouraging. A Siemens survey of utilities at the end of last year found that utility checklists and processes for cyber hygiene are aimed at satisfying regulatory mandates for cybersecurity instead of being based off a comprehensive assessment of their internal operations and systems. Cybersecurity investments also  tend to prioritize protection of high-value assets, meaning their focus is on ensuring that the most expensive equipment is not damaged or taken offline during an attack. Given the constraints on spending for utilities, that focus makes sense from a financial perspective. But it leaves other assets and infrastructure vulnerable to attacks. 

Overarching these problems is an approach based on prevention of cyberattacks rather than containing their impact. That approach is a carryover of traditional information security (IS) practices in which redundancy is introduced into systems to make them immune to attacks. But grid systems are a heterogeneous combination of operational and information technology. In fact, data center servers are below transformers in the equipment hierarchy for utilities. What’s more, control elements within the grid system are both automated and manual. 

How then should one design a cybersecurity strategy for such systems?      

A Systems Approach to Cybersecurity Planning

An MIT study released earlier this year proposes an answer to that question by defining an approach known as Systemic - Theoretic Accident Model and Processes (STAMP). That might sound like a mouthful but it is actually not very different from current approaches in its application. The STAMP process distinguishes itself from other cybersecurity practices by treating control systems in a utility’s operations as a single entity and mapping interdependencies between components to find linkages between different pieces. In turn, this helps identify critical components and pieces essential to functioning in case of an attack. 

The STAMP process begins with defining critical functions necessary for the functioning of a control system. These functions are defined as those losses or hazards that are most critical to the success of the mission or goal of a target system. Thereafter, control loops are refined to simulate various error scenarios. 

As an example, consider the diagram above that identifies and evaluates various reasons that might lead to an unsafe AVR command. The erroneous inputs could be generated as a result of human or machine error and cascade down the loop and contribute to a system hazard at the grid level. A subsequent causal analysis reveals contributing factors to the system breakdown. Again, these factors can be a combination of human and machine-generated errors and a post-damage analysis determines the best course of action, whether it is in terms of communication channels or introducing redundancies or checks into the system. 

The authors claim that the STAMP approach can result in considerable cost-savings. For example, the introduction of a $6,000 relay helped prevent damage to $11 million worth of transformer equipment based on the results of their study.

Evaluating the STAMP approach 

To be sure, the STAMP approach is not novel thinking. Variants of this approach have been used in different industries and are found in disaster recovery literature and planning strategies. But the paper’s authors claim that this is the first such instance of its application to the utility industry. 

The case study’s example is an interesting one. This is primarily because, along with policy and process changes, the approach suggests introduction of redundancy into the system to mitigate the impact of a cyber attack. That redundancy takes the form of the relay mentioned earlier. There are two implications to this. 

The first one is on costs. While it may save on expensive breakdown costs, the STAMP process also itself inflates operational costs for utilities. For large utilities, which have expensive asset and infrastructure management budgets, those costs could be considerable. 

The second one is on operations. The study does not consider the impact of regulation on the STAMP approach. Various federal and regulatory agencies have started policing cybersecurity practices at utilities. The STAMP approach  does not obviate the need for traditional information security practices. It complements and adds to them for effective cyber security practices. But the flip side might be an increase in regulatory overhead. 

Does the introduction of new processes and equipment have any effect on compliance measures related to cybersecurity? For example, how might the STAMP approach work with NERC’s Critical Infrastructure Protection (CIP) standards? These questions become important when you consider the prospect of a complex, interconnected renewable energy-powered grid in which the number of interconnections between regions multiply. 

For all its drawbacks, however, the research takes conversations about cybersecurity in a holistic direction. As utilities increase their spending on cybersecurity practices, they are also looking for efficiencies. Those efficiencies mainly take the form of automation. But Robotic Process Automation (RPA) involves tradeoffs. Even as it reduces costs, RPA increases reliance on machines for control systems. Through its holistic approach, STAMP can help instigate a vital balance between humans and machines during moments of crisis.

Rakesh  Sharma's picture

Thank Rakesh for the Post!

Energy Central contributors share their experience and insights for the benefit of other Members (like you). Please show them your appreciation by leaving a comment, 'liking' this post, or following this Member.


Mark Silverstone's picture
Mark Silverstone on Apr 15, 2020 1:07 pm GMT

Thanks for bringing this study to our attention.   I had some contact Dr. Leveson and STAMP  some years ago.  While much of it goes over my head, I know it to be highly applicable to many risk management issues and extremely thorough in its approach.  I think the biggest problem with many cyber security and other safey systems is the false sense of security, i.e. the complacency, displayed by many with respect to high impact risks in crucial operations in many areas including aviation, shipping operations, oil and gas operations,  financial controls and, surely, utilities.

Particularly worrying are the antiquated data systems still in use.  You have to be a bit worried when, as recently occurred, an institution recently advertised for experienced COBOL programmers, software that came in and went out of use 40+ years ago, or so I thought.  Indeed, your question with regard to NERC´s CIP is very appropriate.


Rakesh  Sharma's picture
Rakesh Sharma on Apr 24, 2020 8:05 pm GMT

Thanks, Mark, for your comment. From the little I understand (and I understand *very* little since I have not worked in IT in the utility industry), STAMP sort of combines business continuity planning and disaster recovery programs in IT departments. Process mapping and analysis is complemented with a study of IT systems to mitigate the impact of a disaster (as opposed to preventing it by putting cybersecurity software in place). The antiquated data systems problem is one that was prevalent in the financial services industry up until some years ago. The Y2K bug at the turn of last century was due to the use of outdated COBOL systems. 

Mark Silverstone's picture
Mark Silverstone on Apr 28, 2020 1:22 pm GMT

Hi Rakesh. I think SABRE, the software that airlines use for booking tickets is similarly antiquated. There have been spectacular crashes of the system in recent years, shutting down entire large airlines for a day or more.  I do not know, but I would like to, if there are any safety implications with SABRE´s vulnerabilities.

Get Published - Build a Following

The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.

If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.

                 Learn more about posting on Energy Central »