An Inflection Point for Utility OT Cyber Security

Posted to EPRI in the Digital Utility Group
Principal Technical Leader, Cyber Security Strategic Initiative, Electric Power Research Institute

Christine Hertzog is a Principal Technical Leader focused on OT Cyber Security research at EPRI.  She conducts research on new technologies suitable for OT environments and informs industry...

  • Mar 10, 2021

The electricity subsector is undergoing rapid changes with a proliferation of energy sources, intelligent systems and resiliency expectations. Two recent reports do an excellent job of documenting recommendations for the grid of the future (National Academies of Sciences, Engineering, and Medicine 2021: The Future of Electric Power in the United States) and the future of cyber security for critical infrastructure (Cyberspace Solarium Commission report, July 2020). Both reports are concerned with changing threat vectors for mission-critical infrastructure, particularly the volume, velocity, and variety of cyber attacks.

The current approach to cyber security is tactical and event-driven, too often changing its focus in reaction to external influences.  This is not a sustainable situation for mission-critical infrastructure, especially given important metatrends that are also impacting the electricity subsector.  These metatrends are decarbonization, digital transformation, valuation, and resiliency expectations.  These metatrends force a rethink of today’s approach to OT cyber security.  Fundamentally, the subsector must stop treating OT cyber security as an extrinsic afterthought and reformulate its perceptions of it as an intrinsic principle persistently and consistently applied in organizations, their technologies, their practices and policies, and their workforce skills.

The Electric Power Research Institute (EPRI) published a new whitepaper titled Preparing for the 2030 Energy System: Why We Need a New Cyber Security Vision that describes these metatrends, their impacts on OT cyber security, and our position on intrinsic cyber security.  What is intrinsic cyber security?  Some characteristics include embedding cyber security into the design and deployment of technologies, processes and policies and creating frictionless cyber security data interactions.  It is a widespread acknowledgment of the value of cyber security.  Consider it this way.  No utility would ever design a substation and then turn it over to a safety department and say, “make it safe.”  Unfortunately, “make it secure” after the fact is the reality that confronts OT cyber security resources.  OT cyber security must become the security paved road – the easiest path for deploying and managing secure systems.  It must become intrinsic to utility operations.     

Deploying intrinsic OT cyber security to enhance and improve grid resiliency is an ambitious vision, and a vitally important goal for critical infrastructure that helps maintain the safety and security of societies and economies.  Intrinsic security is a worthy vision for the electricity subsector to drive towards.  EPRI invites industry stakeholders to help create the roadmap and join us on the journey to achieve this vision.  The starting point is to download our whitepaper and contact us to get involved in the development of the roadmap.

Founded in 1972, EPRI is the world's preeminent independent, non-profit energy research and development organization, with offices around the world.
Matt Chester on Mar 10, 2021

"The current approach to cyber security is tactical and event-driven, too often changing its focus in reaction to external influences"

What's it going to take to get people out of this reactionary approach? Many in utilities, of course, recognize cybersecurity must be woven into all daily practices, but any gaps are still a risk across the grid. 

Dudley McFadden on Mar 17, 2021

Page 3 of the whitepaper (emphasis added): 

Modern societies depend on electricity to sustain life, health, safety, and economic livelihoods. Utilities have an indirect social contract with the people within their service territories. That social contract creates the expectation that utilities will protect their electrical grids from service disruptions caused by physical and cyber-attacks. This social contract goes beyond the explicit regulatory requirements that define compulsory risk management compliance.

I imagine many utility company managers assume their IT security manager or Chief Information Officer oversees Operations Technology cyber security.  Sure about that?  Maybe it takes a regulatory compliance workgroup to drive collaboration between OT, IT, and physical asset protection.
