Posted to Energy Central in the Digital Utility Group
Matt Chester
Energy Analyst, Chester Energy and Policy

Official Energy Central Community Manager of Generation and Energy Management Networks. Matt is an energy analyst in Orlando FL (by way of Washington DC) working as an independent energy...

  • Oct 25, 2022

This month is Cybersecurity Awareness Month, as recognized by CISA, and because cybersecurity has become such a critical part of utility operations we wanted to pay homage with a series of Q&As on the topic during the course of October for our resident experts to chime in on. Feel free to answer this and other questions you see come in, and we also invite you to submit your own question as well.

Sometimes the lessons we learn come from mistakes that have been made or challenges that have been overcome in the past. But even better might be learning those lessons that others have had to tackle before you face the challenge yourself. So, with that in mind, what are some of the best or most important lessons you've learned about elevating cybersecurity in the utility sector that you think should be shared more widely? Let's share notes in the comments below. 



I don’t heavily work with utilities, but the following challenges and lessons learned are what I gathered from my discussions with utility representatives. Hope this helps!


  • Maintaining security for legacy devices
  • Maintaining ownership: the rapid increase in the quantity and diversity of connected devices operating autonomously is resulting in a loss of exclusive ownership of utility OT and IT systems
  • Lack of visibility into operating assets: the vast majority of new grid assets will be customer owned, which could leave utilities without the visibility to monitor, maintain, and secure those assets directly
  • PUCs have started asking utilities to establish a Functional Integration Program for their DER fleets that includes cybersecurity requirements. However, utilities don’t have enough guidance on where to start or what to use as their starting point.
  • Lack of nationally or industry-adopted cybersecurity requirements: utilities need to start thinking proactively to identify the risks that will be associated with customer- or aggregator-owned DER/IBR assets. They also need to kickstart incentive-based programs to motivate customers, aggregators, and manufacturers to incorporate security in the device and/or system.
  • Accessibility of threat and risk information: take a more holistic perspective of the energy producer and utility relationship.


Lessons Learned

  1. Isolate internal and external communication from each other.
  2. Use signature and context-based firewalls, gateways, and secured ports to separate the security domains.
  3. Disable unused ports and services.
  4. Use authentication to ensure correct identities of personnel, customers, and vendors.
  5. Use TLS 1.2 or higher to ensure encryption, authentication, and data integrity.
  6. Use IDS/IPS to monitor communication network traffic.
  7. Establish a validation mechanism for all application software patches and software data updates (trust but verify).
  8. Use role-based access control for all communications, human-machine interfaces, and other places as appropriate.
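A worked illustration of lesson 7 ("trust but verify"), added here as an example rather than code from the post or from any utility: a small patch validation gate that refuses to hand a software update to the deployment step unless the update's manifest is authenticated and the payload matches the recorded size and SHA-256 digest. It uses only the Python standard library and assumes, for illustration, a key shared with a hypothetical patch distribution server (HMAC); a production gate would normally verify the vendor's code-signing signature instead, but the control flow is the same.

```python
"""Patch validation gate for lesson 7: verify a software update before it is applied.

Added example, not the post's own code. Assumptions (constructed for illustration):
- the patch server ships a JSON manifest plus an HMAC-SHA256 tag over it, keyed with
  MANIFEST_KEY (a real deployment would prefer vendor code-signing certificates);
- every payload must match the manifest's size and SHA-256 digest and carry an approval.
"""
import hashlib
import hmac
import json

# Constructed sample key shared with the hypothetical patch distribution server.
MANIFEST_KEY = b"example-shared-key-rotate-me"
APPROVERS = {"change-board", "ot-security"}  # roles allowed to approve a patch


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(manifest: dict, key: bytes = MANIFEST_KEY) -> str:
    # Canonical JSON so the server and the gate MAC exactly the same bytes.
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def validate_patch(manifest: dict, manifest_mac: str, payload: bytes,
                   key: bytes = MANIFEST_KEY) -> tuple[bool, str]:
    """Return (ok, reason); the patch is applied only when every check passes."""
    # 1. Is the manifest itself from a trusted source? (constant-time compare)
    if not hmac.compare_digest(sign_manifest(manifest, key), manifest_mac):
        return False, "manifest MAC mismatch: manifest not from a trusted source"
    # 2. Cheap size check before hashing large firmware images.
    if len(payload) != manifest["size"]:
        return False, f"size mismatch: expected {manifest['size']}, got {len(payload)}"
    # 3. Does the payload match the digest the trusted manifest recorded?
    if not hmac.compare_digest(sha256_hex(payload), manifest["sha256"]):
        return False, "payload digest mismatch: file altered or wrong file"
    # 4. Was the change approved through the expected process?
    if manifest.get("approved_by") not in APPROVERS:
        return False, "patch has no recorded approval"
    return True, "ok"


# Constructed sample payload and manifest, stand-ins for a real firmware/patch file.
GOOD_PATCH = b"RTU firmware 4.2.1 (constructed sample bytes)"
GOOD_MANIFEST = {"name": "rtu-fw-4.2.1.bin", "size": len(GOOD_PATCH),
                 "sha256": sha256_hex(GOOD_PATCH), "approved_by": "change-board"}
GOOD_MAC = sign_manifest(GOOD_MANIFEST)

if __name__ == "__main__":
    print(validate_patch(GOOD_MANIFEST, GOOD_MAC, GOOD_PATCH))            # (True, 'ok')
    print(validate_patch(GOOD_MANIFEST, GOOD_MAC, GOOD_PATCH[:-1] + b"X"))  # digest mismatch
```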

I can say with 100% confidence that human behavior is the most likely reason a cyber attack is successful: social engineering works, people click links in phishing emails, people misconfigure firewalls and other applications (e.g. Active Directory), humans fail to patch vulnerable software, and all of this human activity enables successful cyber attacks. The takeaway lesson is: educate your people to be "cyber street smart" to avoid becoming a victim of cyber-crime.