Guidehouse

Guidehouse is a leading global provider of consulting services to the public and commercial markets with broad capabilities in management, technology, and risk consulting.


Securing the Grid in the Fourth Industrial Revolution

Posted to Guidehouse

image credit: ID 110983750 © Visual Generation | Dreamstime.com


The Fourth Industrial Revolution is underway, and the technological advances it encompasses bring exciting new capabilities to the power industry. Ubiquitous connectivity will provide data and visibility to a degree that grid operators have never before enjoyed.

Increasingly, fiber networks are being extended within the distribution grid to substations and other critical assets or to interconnect burgeoning solar and wind installations. These high capacity broadband networks enable real-time monitoring of power flows and video monitoring, improving the physical security of critical installations.

New low power wide area (LPWA) networking technologies mean that utilities can affordably build pervasive sensing and measurement applications. They also can apply analytics for asset management, predictive maintenance, and power quality monitoring, among others. Grid edge computing and the cloud further strengthen the utility operator’s ability to apply the latest technology and computing power throughout the distribution network. Increasingly, industrial concerns will lead to the deployment of advanced private 4G wireless networks across utility territories, creating a virtually seamless evolution to 5G and the new capabilities it will enable. Robotics, automated vehicles, and augmented and virtual reality applications will become integral to operating the grid of the future.

Sounds great, right?

It will be—but utilities creating strategies for this hyper-connected, intelligent grid of the future must also understand, and plan for, the potential cybersecurity risks these new technologies will enable. The anticipated rise in interconnected, interdependent systems will inevitably broaden the surface area for potential cyber attack.

And while serious hacks to the grid have been few to date, there is no doubt that bad actors will increasingly target critical systems that are foundational to modern society. This is not hyperbole: the risks are great and growing.

That said, available solutions increase in sophistication by the day. Regulatory requirements and standards are becoming more stringent—as they should. Importantly, the industry must hire and support more and more cybersecurity specialists to keep up with the black hats and secure their operations. The challenges for utilities trying to modernize their grid while keeping the lights on are many.

Understanding the Issues

Grid managers need to understand the magnitude of the financial risk. Cybersecurity must not be viewed simply as a compliance issue, a mere cost center where the boxes should be checked as cheaply as possible. Companies must have a comprehensive cybersecurity program. This begins with an understanding of their current enterprise architecture, their external connections, and their cybersecurity capabilities. Full company security integration must be planned across existing IT and OT operational silos. Companies should understand their cyber gaps as well as their ability to operate their business if a bad actor exploits those weaknesses. The problems are not static. Cybersecurity needs to evolve rapidly—the security of the grid is not a one-and-done problem. Companies must identify a plan to prioritize and mitigate these weaknesses.

These are significant problems, and the availability of skilled cyber experts has historically been limited in the utility industry. While lessons may be learned from other industries that are further down the cybersecurity path, every sector is still struggling to protect its critical assets from cyber criminals. Some large corporations may be further along in this journey and have more mature cybersecurity programs; however, many of their business partners and interconnections are largely unprotected.

The Department of Defense spends billions of dollars every year to protect its network, systems, and data. Even with robust education campaigns, control of internet access points, major efforts to remove legacy software, asset discovery technology, and a huge drive to modern, automated technology, it still suffers from significant data theft. These thefts come not from their own networks but from the hundreds of thousands of industry partners who develop technology and provide them services—the “weak link.” Cyber bad actors will go to the easiest target of opportunity. 

Guidehouse supports many federal government agencies across nearly every aspect of their cybersecurity programs, including development of C-suite level programs and plans, engineering and architecture services, solution gap analysis, implementation of identity and access architectures and programs, certification and readiness assessments, and incident prevention and response services. These areas are critical to ensuring a robust cybersecurity program.

Prioritize for Risk Management

Every board and every CEO should be worried about their protections against cyber bad actors. At the minimum, they should:

  1. Develop a comprehensive cybersecurity plan. Cybersecurity threats go well beyond typical IT with all systems now interconnected and accessible.
  2. Understand cyber risks to their systems and the corresponding impact to their business. Will they be shut down, will they endure huge financial fines, will their technology be destroyed, will their data be manipulated, will their proprietary data be stolen?
  3. Identify active threats and prioritize. What is the specific threat to their sector? Could it be a simple malicious novice or a criminal/nation state threat?
  4. Develop a cybersecurity architecture/roadmap. Prioritize and determine how to address current and future risk from an enterprise perspective. Many companies buy multiple security products and do a horrible job of implementing, patching, and integrating them into a cohesive security architecture.
  5. Develop a resiliency plan. How can I ensure I can maintain my business under a cyber attack? Is my data backed up (beyond the cloud), do I have redundancy, am I closely monitoring in an automated way all of my critical systems?
  6. Implement the plan fund. Implement and track the plan, update as necessary.
  7. Monitor and develop active response. Implement automation to detect and respond.
  8. Be prepared for an intrusion. Know how you will react, and run table-top exercises so you are prepared for an actual intrusion.
  9. Ensure they develop and implement an employee cyber awareness program. Run a cyber awareness program, test your workforce, see how vulnerable you are from the board room to the mail room, and educate!

To learn more about this topic, join Guidehouse's experts for a lively discussion on the benefits and threats brought about by Fourth Industrial Revolution advances and how utilities can prepare for the best and protect against the worst.

Richelle Elberg's picture


Discussions

Bob Meinetz on May 11, 2020 6:47 pm GMT

Richelle, reading your article I'm reminded of a generally-accepted maxim in engineering: "Complexity in any system comes at a cost in reliability." The same holds true with complexity and security. For example, with

"...but utilities creating strategies for this hyper-connected, intelligent grid of the future must also understand, and plan for, the potential cybersecurity risks these new technologies will enable."

you raise the question: does hyper-connecting our grid with additive technologies, beyond what are absolutely necessary, not actually increase our vulnerability to potential cyberthreats?

Before monitoring and developing C-suite level programs and plans, or implementation of identity and access architectures and programs - maybe utilities and grid architects should make simplification a priority. It's not as profitable for third-party software vendors or consultants, but it's sure a lot safer for their customers. After all, C-suite level programmers can be bad actors, too - and how intelligent does a grid really need to be?

Matt Chester on May 12, 2020 1:16 pm GMT

"These thefts come not from their own networks but from the hundreds of thousands of industry partners who develop technology and provide them services—the “weak link.” Cyber bad actors will go to the easiest target of opportunity."

No doubt that the bad actors care not who the weak links are, they will simply find them and take advantage-- but it certainly creates challenges for those in the system who may feel like they did all they can with their cybersecurity only to be undercut by a third party on their network. When it comes to issues like this, how should organizations identify whose responsibility it is to find and secure those weak links, especially if they're taking place outside their enterprise? 

Linda Stevens on May 15, 2020 5:21 pm GMT

Excellent article. Every day you hear of a security breach related to personal data, and you have to assume there are many more incidents that don't make the news. Moving from a centralized network to distributed will definitely expose more weaknesses if utilities don't get in front of it from the start. It is, in my opinion, why IoT is so risky. 
