Things are evolving fast in the utilities industry to build a modern distribution automation grid.
As the demand for digitized, connected and integrated operations increases across all industries, the challenge for utilities is to provide reliable energy delivery with a focus on efficiency and sustainable sources.
The pressing need to improve the uptime of critical power distribution infrastructure is forcing change. However, as power networks merge and become ‘smarter’, the benefits of improved connectivity also bring greater cyber security risks, threatening to affect progress adversely.
Electrical distribution systems across Europe were originally built for centralized generation and passive loads – not for handling evolving levels of energy consumption or complexity. Now we are entering a new world of energy, with more decentralized generation, intermittent renewable sources like solar and wind, a two-way flow of decarbonized energy and an increasing engagement from demand-side consumers.
The grid is moving to a more decentralized model, disrupting traditional power delivery and creating more opportunities for consumers and businesses to contribute back into the grid with renewables and other energy sources. As a result, the coming decades will see a new kind of energy consumer – one who manages energy production and usage to drive cost, reliability and sustainability tailored to their specific needs.
The rise of distributed energy is increasing grid complexity. It is evolving the industry from a traditional value chain to a more collaborative environment in which customers interface dynamically with the distribution grid, energy suppliers and the energy market. Technology and business models will need to evolve for the power industry to survive and thrive.
The new grid will be considerably more digitized, flexible and dynamic. It will be increasingly connected, with greater requirements for performance in a world where electricity makes up a higher share of the overall energy mix. There will be new actors involved in the power ecosystem such as transmission system operators (TSOs), distribution system operators (DSOs), distributed generation operators, aggregators and prosumers.
Regulation and compliancy
Cybersecurity deployment focuses on meeting standards and complying with regulations. This approach benefits the industry by increasing awareness of the risks and challenges associated with a cyber attack. As the electrical grid evolves in complexity, with the addition of distributed energy resource integration and feeder automation, a new approach is required – one that is oriented towards risk management.
Currently, utility stakeholders are applying cyber security processes learned from their information technology (IT) peers, which is putting them at risk. Within the substation environment, proprietary devices once dedicated to specialized applications are now vulnerable. Sensitive information available online that describes how these devices work can be accessed by anyone, including those with malicious intent.
With the right skills, malicious actors can hack a utility and damage systems that control the grid. In doing so, they also risk the economy and security of a country or region served by that grid.
Regulators have anticipated the need for a structured cyber security approach. In the US, the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) requirements set out what is needed to secure North America’s electrical system. The European Programme for Critical Infrastructure Protection (EPCIP) does much the same in Europe. We face new and complex attacks every day, some of which are organized by state actors and this is leading to a re-evaluation of these and the overall security approach for the industry.
Due to the shift towards open communication platforms such as Ethernet and internet protocol (IP), systems that manage critical infrastructure have become increasingly vulnerable. As operators of critical utility infrastructure investigate how to secure their systems, they often look to more mature cyber security practices. However, the IT approach to cyber security is not always appropriate, given the operational constraints utilities are facing.
These differences in approach mean that cyber security solutions and expertise geared toward the IT world are often inappropriate for operational technology (OT) applications. Sophisticated attacks today are able to leverage co-operating services like IT and telecommunications. As utilities experience the convergence of IT and OT, it becomes necessary to develop cross-functional teams to address the unique challenges of securing technology that spans both worlds.
Protecting against cyber threats now requires greater cross-domain activity where engineers, IT managers and security managers are required to share their expertise to identify the potential issues and attacks that may affect their systems.
A four-point approach
Cybersecurity experts agree that standards by themselves will not bring the appropriate level of security. It’s not a matter of having ‘achieved’ a cyber-secure state. Adequate protection from cyber threats requires a comprehensive set of measures, processes and technical means and an adapted organization.
It is important for utilities to think about how organizational cyber security strategies will evolve over time. This is about staying current with known threats in a planned and iterative manner. Ensuring a strong defence against cyber attacks is a continuous process and requires ongoing effort and a recurring annual investment. Cybersecurity is about people, processes and technology. Utilities need to deploy a complete programme consisting of proper organization, processes and procedures to take full advantage of cyber security protection technologies.
To establish and maintain cyber-secure systems, utilities can follow a four-point approach.
The IEC Advisory Committee on Information security and data privacy (ACSEC), is working on the same issues, which will be incorporated into the forthcoming IEC Guide 120, Security aspects – Guidelines for their inclusion in publications, under development by ACSEC.
1. Conduct a risk assessment
The first step involves conducting a comprehensive risk assessment based on internal and external threats. By doing so, OT specialists and other utility stakeholders can understand where the greatest vulnerabilities lie, as well as being able to document the creation of security policy and risk mitigation.
2. Design a security policy and processes
A utility’s cyber security policy provides a formal set of rules to be followed. These should be led by the ISO/IEC 27000 series of International Standards on IT Security Techniques, which provides best-practice recommendations on information security management. This series of Standards is developed by ISO/IEC JTC 1/SC 27: IT security techniques, a Subcommittee (SC) of ISO/IEC JTC 1, the Joint Technical Committee set up by the International Organization for Standardization (ISO) and IEC. The purpose of a utility’s policy is to inform employees, contractors and other authorized users of their obligations regarding the protection of technology and information assets. It describes the list of assets that must be protected, identifies threats to those assets and describes authorized users’ responsibilities and associated access privileges as well as unauthorized actions and the resultant accountability for violation of the security policy. Well-designed security processes are also important. As system security baselines change to address emerging vulnerabilities, cyber security system processes must be reviewed and updated regularly. One key to maintaining an effective security baseline is to conduct a review once or twice a year.
3. Implement the risk mitigation plan
Select cyber security technology that is based on international standards, to ensure appropriate security policy and proposed risk mitigation actions can be followed. A ‘secure by design’ approach that is based on international standards. These can help further reduce risk when securing system components.
They include, among others, the IEC 62443 series of publications on Security for industrial communication networks and for industrial automation and control systems (IACS), the IEC 62351 series of International Standards on Power systems management and associated information exchange and the IEEE 1686 Standard for Intelligent Electronic Devices Cyber Security Capabilities, developed by the Institute of Electrical and Electronics Engineers (IEEE).
4. Manage the security programme
Managing cyber security programmes effectively requires not only taking into account the previous three points, but also the management of information and communication asset lifecycles. To do that, it’s important to maintain accurate and living documentation about asset firmware, operating systems and configurations. It also requires a comprehensive understanding of technology upgrade and obsolescence schedules, in conjunction with full awareness of known vulnerabilities and existing patches. Cybersecurity management also requires that certain events trigger assessments, such as particular points in asset life cycles or detected threats.
For utilities, security is everyone’s business. Politicians and the public are increasingly aware that national security depends on local utilities being robust too.
Mitigating risk and anticipating attack vulnerabilities on utility grids and systems is not just about installing technology. Utilities must also implement organizational processes to meet the challenges of a decentralized grid. This means regular assessment and continuous improvement of their cyber security and physical security process to safeguard our new world of energy.
* This is the edited version of an article first published in Power Engineering International.
Didier Giarratano is Head of Marketing Cyber Security at Energy Digital Solutions/Energy, Schneider Electric. He is a member of Working Group (WG) 3 of the IEC Systems Committee on Smart Energy (SyC Smart Energy/WG 3: Smart Energy Roadmap), and of IEC Conformity Assessment Board (CAB)/WG 17: Cyber security.