An Inflection Point for Utility OT Cyber Security

The electricity subsector is undergoing rapid changes with a proliferation of energy sources, intelligent systems and resiliency expectations.  Two recent reports do an excellent job of documenting recommendations for the grid of the future (National Academies of Science, Engineering, and Medicine 2021:  The Future of Electric Power in the United States and the future of cyber security for critical infrastructure (Cyberspace Solarium Commission report July 2020).  Both reports are concerned with changing threat vectors for mission-critical infrastructure, particularly the  volume, velocity, and variety of cyber attacks. 

The current approach to cyber security is tactical and event-driven, too often changing its focus in reaction to external influences.  This is not a sustainable situation for mission-critical infrastructure, especially given important metatrends that are also impacting the electricity subsector.  These metatrends are decarbonization, digital transformation, valuation, and resiliency expectations.  These metatrends force a rethink of today’s approach to OT cyber security.  Fundamentally, the subsector must stop treating OT cyber security as an extrinsic afterthought and reformulate its perceptions of it as an intrinsic principle persistently and consistently applied in organizations, their technologies, their practices and policies, and their workforce skills.

The Electric Power Research Institute (EPRI) published a new whitepaper titled Preparing for the 2030 Energy System: Why We Need a New Cyber Security Vision that describes these metatrends, their impacts on OT cyber security, and our position on intrinsic cyber security.  What is intrinsic cyber security?  Some characteristics include embedding cyber security into the design and deployment of technologies, processes and policies and creating frictionless cyber security data interactions.  It is a widespread acknowledgment of the value of cyber security.  Consider it this way.  No utility would ever design a substation and then turn it over to a safety department and say, “make it safe.”  Unfortunately, “make it secure” after the fact is the reality that confronts OT cyber security resources.  OT cyber security must become the security paved road – the easiest path for deploying and managing secure systems.  It must become intrinsic to utility operations.     

Deploying intrinsic OT cyber security to enhance and improve grid resiliency is an ambitious vision, and a vitally important goal for critical infrastructure that helps maintain the safety and security of societies and economies.  Intrinsic security is a worthy vision for the electricity subsector to drive towards.  EPRI invites industry stakeholders to help create the roadmap and join us on the journey to achieve this vision.  The starting point is to download our whitepaper and contact us to get involved in the development of the roadmap.