I don’t heavily work with utilities, but the following challenges and lessons learned are what I gathered from my discussion with utility representatives. Hope this helps!
Challenges
- Maintaining security for legacy devices
- Maintaining ownership: Rapid increase in quantity and diversity of connected devices operating autonomously resulting in loss of exclusive ownership of utility OT and IT systems
- Lack of visibility into operating assets: Vast majority of new grid assets will be customer owned and this could result in the lack of visibility for utilities to monitor, maintain, and secure assets directly
- PUCs started asking utilities to establish a Functional Integration Program for their DER fleet that includes cybersecurity requirements. However, utilities don’t have enough guidance on where to start and what to use as their starting point.
- Lack of national or industry adopted cybersecurity requirements: Utilities need to start thinking proactively to identify risks that will be associated with customer or aggregator owned DER/IBR assets. They also need to kickstart incentives-based programs to motivate customers, aggregators, and manufacturers to incorporate security in the device and/or system.
- Accessibility to threat and risk information: Take a more holistic perspective of the energy producer and utility relationship.
Lessons Learned
- Isolate internal and external communication from each other.
- Use signature and context-based firewalls, gateways, and secured ports to separate the security domains.
- Disable unused ports and services.
- Use authentication to ensure correct identities of personnel, customers, and vendors.
- Use TLS 1.2 or higher to ensure encryption, authentication, and data integrity.
- Use IDS/IPS to monitor communication network traffic.
- Establish a validation mechanism for all application software patches and software data updates (trust but verify).
- Use role-based access control for all communications, human-machine interface, and other places as appropriate.
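An added example, not part of the original post: a small baseline audit that checks device inventory records against several of the lessons above (unused ports, authentication, TLS 1.2 or higher, update validation, role-based access control). The record fields, the port allowlist, and the sample inventory are all assumptions constructed for illustration.

```python
import re

# Hypothetical allowlist of listening TCP ports per device role (assumption).
ALLOWED_PORTS = {"der_gateway": {443, 8443}, "hmi": {443}}
MIN_TLS = (1, 2)

def tls_version(label):
    """Parse 'TLSv1.2' or 'TLS 1.3' into (1, 2); SSLv3, None, junk -> None."""
    m = re.fullmatch(r"TLS\s*v?(\d)\.(\d)", label or "", re.IGNORECASE)
    return (int(m.group(1)), int(m.group(2))) if m else None

def audit(device):
    """Return the list of baseline findings for one inventory record."""
    findings = []
    # Unknown roles get an empty allowlist, so every open port is reported.
    allowed = ALLOWED_PORTS.get(device.get("role"), set())
    extra = set(device.get("open_ports", [])) - allowed
    if extra:
        findings.append(f"unused/unapproved ports open: {sorted(extra)}")
    ver = tls_version(device.get("tls"))
    if ver is None or ver < MIN_TLS:
        findings.append(f"TLS below 1.2 or not in use: {device.get('tls')!r}")
    if not device.get("auth_required", False):
        findings.append("authentication not enforced")
    if not device.get("rbac_roles"):
        findings.append("no role-based access control configured")
    if not device.get("verify_updates", False):
        findings.append("patches/updates applied without validation")
    return findings

# Constructed sample inventory: one compliant gateway, one legacy device.
INVENTORY = [
    {"id": "gw-01", "role": "der_gateway", "open_ports": [443],
     "tls": "TLSv1.3", "auth_required": True,
     "rbac_roles": ["operator", "viewer"], "verify_updates": True},
    {"id": "legacy-inv-07", "role": "der_gateway",
     "open_ports": [23, 443, 502], "tls": "TLSv1.0",
     "auth_required": False, "rbac_roles": [], "verify_updates": False},
]

def audit_all(inventory):
    """Map device id -> findings; an empty list means the baseline is met."""
    return {d["id"]: audit(d) for d in inventory}

if __name__ == "__main__":
    for dev_id, findings in audit_all(INVENTORY).items():
        print(dev_id, "OK" if not findings else findings)
```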