In recent years, the digital utility sphere has been moving at an undeniably breakneck speed. Technology and programs on the grid are getting smarter, and high-tech sensors are being connected throughout the utility sector. These technological tools and strategies enable greater data-backed decisions and customer-focused strategies, but they come with the associated need for increased cybersecurity. Grid cybersecurity professionals constantly need to stay multiple steps ahead of any potential bad actor, and that’s why this field has seen immense focus and prioritization.
This focus on cybersecurity in the energy industry extends to the National Lab system of the U.S. Department of Energy (DOE), including the National Renewable Energy Laboratory (NREL). Recently, Energy Central was lucky enough to have Danish Saleem, Senior Cybersecurity Systems Researcher at NREL join the community as the newest expert in the Digital Utility Community. Danish adds a great amount of experience and perspective to our ever-growing Network of Experts at Energy Central, and he was kind enough to agree to introduce himself further by taking part in an interview as a part of our Energy Central Power Perspective ‘Welcome New Expert Interview Series’:
Matt Chester: Danish—thanks so much for taking the time, not just for this interview but also in agreeing to be one of the official experts in the Energy Central Digital Utility Committee. To get our community members acquainted with the type of knowledge that you bring to the table as our newest expert, can you introduce yourself, how your career path took you towards the digital utility, and what you’re working on these days?
Danish Saleem: I am a Senior Cybersecurity Systems Researcher in the Energy Security & Resilience Center at the National Renewable Energy Laboratory (NREL). I did my master’s in electrical engineering, majoring in Power Systems, from Florida International University (FIU) in 2016 and was the recipient of FIU’s highest honor award, the “Worlds Ahead Graduate." I have been with NREL for almost four years now, and these days I am leading DOE-funded projects that address the cybersecurity of distributed energy resources (DER) at the levels of network, application, and overall systems.
MC: With your role in NREL, you’re working with both the public sector and the private sector towards cybersecurity and energy security. Can you talk about how the private sector and public sector differ in how they approach these issues and how they’re able to come together to strengthen each other?
DS: Usually, the private sector is a revenue-based business. Let us take a general example of an electric utility or a device manufacturer. Now, both players have one common objective within their strategic business interest, which is how to increase revenue generation. The utility does that by selling electricity, and the manufacturer does that by selling their products and services. On the other hand, players in the public sector may or may not make revenue generation their prime objective. Let us take the example of national labs or universities. Their job is to do energy research and find solutions for the challenges industry is facing right now or will face in future. But one common area in which both sectors come together is achieving the goal of maximum cybersecurity as this has become one of the main issues for critical infrastructures. Since 2010, we have seen a lot of organizations compromised from cyberattacks, whether it’s been the WannaCry Ransomware attack, which was directed mostly against financial, health, and state governments, or BlackEnergy malware, which was directed against power energy control centers. Attacks like these have affected both sectors equally, and hence cybersecurity is now a prime concern.
One example of private and public sectors coming together is through a project I am leading at NREL. In this DOE-funded project, our goal is to perform research and develop consensus-based cybersecurity standards for DERs. We have multiple public- and private-sector players involved, including device manufacturers, utilities, vendors, aggregators, certification labs, and so on. Together, we formed a cybersecurity working group and have regularly met every other week for the past two years to develop guidelines, best practices, and standards for DERs. These measures include device-level security requirements, communication and protocol security requirements, patching requirements, role-based access controls, data-in-flight requirements, network topology requirements, etc. Both the private and public sectors have contributed equally to the development of these different domains within the broad umbrella of cybersecurity for DERs.
MC: Cybersecurity on the grid is a moving target, because as the threats evolve and advance you have to evolve ahead of them in order to stay ahead. What’s the most challenging aspect about staying forward-looking with cybersecurity and ensuring you’re ahead of any potential threats?
DS: Cybersecurity is indeed a moving target and developing a moving-target defense is not easy. As an example, the challenge with standards development is that creating an industry standard takes at least five to six years; and if that standard addresses cybersecurity, by the time it gets approved and becomes publicly available, the industry already faces new threats and challenges that the developed standard does not address. To ensure that we stay focused and ahead of upcoming threats, the IEEE 1547.3 working group has decided on an aggressive deadline (about one and a half years) for developing the Guide for Cybersecurity of DERs Interconnected with Electric Power Systems, and I believe we are on track to meet this deadline. The purpose of this guide is to provide guidelines for cybersecurity for one or more DERs that are interconnected with the electric power system. DERs include systems in the areas of fuel cells, photovoltaics, wind turbines, microturbines, other distributed energy sources, and distributed energy storage systems interconnected to the grid at typical primary or secondary distribution voltage levels.
Public and private companies around the world have traditionally been reluctant to fund research in cybersecurity because it was a low priority. That paradigm has to change if we want to stay ahead of potential cybersecurity threats. Organizations need to develop the habit of funding need-based research. We need to invest in cybersecurity research right now, yet many private- and public-sector companies have very little to no budget for it. It’s important to realize that even though funding cybersecurity may not bring an immediate return on investment, this research is fundamental to keep us ahead of the curve and protect critical infrastructure from a major catastrophe caused by a cyberattack.
MC: For people who don’t work heavily in energy cybersecurity, how would you grade the preparedness of the U.S. grid system to potential attack. Would you say people would be surprised to hear we’re more secure than they might think, or perhaps the opposite?
DS:
In May 2019, a utility in the western United States reported to DOE that they had been compromised by a denial-of-service cyberattack that targeted the company’s firewall. This attack caused a temporary disruption in the utility’s SCADA systems, and they were unable to see any activity in affected areas of their network. Another example is the Ukraine power plant attack, in which the adversaries used a method called “spear phishing,” which means they sent emails containing BlackEnergy malware to employees of three Ukraine distribution companies well before the attack was initiated. Because the employees did not have much situational awareness or enough cybersecurity training, they clicked the links attached to those emails and unknowingly gave the cyber attackers access to the system. Using this access, the hackers switched off 30 substations and affected 220,000 people for almost 6 hours.
Two years ago, the U.S. government accused another country of remotely targeting the U.S. power grid by using a multistage effort to target specific government entities and critical infrastructure. According to the Department of Homeland Security (DHS), Russia accessed U.S. government networks by initially targeting them with malware from small commercial third-party networks that were less secure. Similarly, the National Cyber Awareness System, a joint effort between DHS and the Federal Bureau of Investigation, reported that a multistage intrusion campaign by cyber actors from a foreign government targeted the networks of small, commercial energy facilities, where they staged malware, conducted spear phishing, and gained remote access into energy sector networks. After obtaining access, the adversaries conducted network reconnaissance, moved laterally, and collected information pertaining to these facilities’ industrial control systems.
So, the question for the U.S. grid being affected from a cyberattack is not if, but when. The bottom line is that, no, we are not that secure. A lot of need-based research must happen before we can safely assume that the U.S. electric grid has adequate cybersecurity.
______________________________________
A sincere thanks to Danish Saleem for sharing his expertise on all topics related to grid-based cybersecurity and for continuing to do so as a Digital Utility Expert on Energy Central. When you see posts or comments by Danish, I encourage you to say hi, ask him a question, and just thank him for being a part of our community.
The other expert interviews that we’ve completed in this series can be read here, and if you are interested in becoming an expert then you can reach out to me or you can apply here.