Utilities have done a great job of inculcating a safety culture in their organizations to help reduce incidents that result in injuries and loss of life. Although still in the top 10 of most dangerous jobs, utilities have worked diligently to improve safety awareness and their reward has been a drop in the rankings. That record of success serves as a great model for utilities to create a similarly strong cybersecurity culture.
Why? Utilities are critical infrastructure that keep economies running and societies protected. The North American Electric Reliability Corporation (NERC) recently noted reliability and security are intertwined when considering protections for critical infrastructure. Utilities deploy a wide range of technologies and services as part of their cybersecurity strategies, but it has been observed culture eats strategy for breakfast. The Electric Power Research Institute (EPRI) understands culture and strategy are intertwined when it comes to utility cybersecurity.
How is a cybersecurity culture created? It takes an organizational focus applied in training; individual, department and corporate-wide performance objectives; and adoption of technologies and practices that reduce cyber risks. Just as a utility uses tools and practices that help linemen to conduct their tasks safely, utilities must similarly deploy tools and practices that let cybersecurity teams identify and protect all assets in grid operations. Cybersecurity culture creation requires commitment from all management levels, but most especially right at the top. A well-executed strategy to build a cybersecurity culture in utilities will permeate all levels of the organization.
Where to Start
Many utilities start building their cybersecurity culture with education. One example is training employees to spot email phishing attempts. This is an important first step because email is a common entry point for attackers to inveigle access methodically to systems that contain sensitive data and to critical operations. However, utility cybersecurity is not an information technology (IT) or enterprise activity alone. Strong, defense-in-depth security measures must be deployed in both utility operations technology (OT) systems and IT systems. This is a significant change from the security-through-obscurity approach that was successful in a bygone era. Grid OT assets ranging from components in high-voltage substations to smart inverters on residential rooftops are fitted with communications capabilities to transmit status and remote-control commands.
To replace security through obscurity successfully, EPRI recognized utilities need to deploy OT-based cybersecurity technologies and practices. Cybersecurity research is tailored to deliver practical defense-in-breadth as well as defense-in-depth knowledge. The electricity supply chain consists of generation, transmission, distribution and consumption. Grid modernization creates new cybersecurity challenges at all these links in the chain, and it is essential for utilities to address these challenges in a cohesive, rather than siloed, approach. EPRI recently launched a new initiative to help utilities deploy defense-in-depth and -breadth plans as well as technologies that fit within the National Institute of Standards and Technology (NIST) cybersecurity framework of identify, protect, detect, respond and recover. Following are some aspects of this initiative.
Supply Chain Security
Recent news about spurious components embedded within equipment has elevated utility concerns about compromised technology. How can utilities ensure the equipment supply chains for their deployed technologies do not introduce new vulnerabilities into their OT systems and grid operations? This is a complicated question EPRI plans to answer leveraging a defense-in-breadth perspective.
Researchers are examining a standardized approach to reduce risk in equipment procurement for adoption by generation, transmission and distribution operations. One shared or similar methodology could reduce process complexity for utilities that use it to identify equipment and service supply chain security threats as well as appropriate mitigation measures. EPRI has a long-standing tradition of structured vendor participation in select research activities. The plan is to include vendors in this research and collaboratively develop processes that improve equipment supply chain security. The overall results will help to create a strong foundation for the cybersecurity culture utilities must create.
Cyber-Hardened Substation
The utility sector already has fallen victim to supervisory control and data acquisition (SCADA) hacks, including one that impacted visibility into SCADA systems. Fortunately, the incident did not result in loss of service, but future events may have dire consequences. One crippled substation can impact thousands of customers as well as cause economic and societal disruptions. Unless they were built recently, substations in the U.S. are a combination of legacy and new equipment.
There are vendors with industrial or OT cybersecurity solutions, but the impacts of these solutions and integrations with new and existing substation equipment often are unknown and undocumented. How well do these solutions protect the underlying legacy control systems? What are the true integration costs? Answering these questions would help utilities to extend their cybersecurity cultural mind-sets so they can create implementation plans with layered approaches to reduce risks at multiple system integration points.
EPRI’s researchers will conduct blue team assessments to identify potential cybersecurity gaps as well as develop and test mitigations in the EPRI cybersecurity research lab. Then, red team tests will be conducted on the deployed mitigations to evaluate performance. This defense-in-depth research will verify cyber-hardened substations, inform substation upgrade decisions and improve cost projections. It also will contribute valuable information and experience to bolster any utility’s cybersecurity mind-set with substantial exposure to threat identification and protection considerations.
Grid 2 Edge
Insurance companies make it their business to understand risk. A recent article in the Insurance Journal noted there will be 20 billion smart home devices online by 2021. Consumer products are the epitome of manufacturing arms races to speed new features and capabilities to market. That speed often comes at the expense of security considerations. Even where security is designed into the product, all it takes is a consumer not changing the default password to create a new vulnerability. Smart devices in homes and businesses are at the grid edge, and significantly increase the attack surface utilities must manage.
Part of EPRI’s defense-in-depth and -breadth research scope addresses this issue. EPRI defines Grid 2 Edge (G2E) as the coordination of cybersecurity architectures across the entirety of utility assets, from large generation plants, to substations, to distributed renewables, to control centers and, finally, to connected appliances — consumer devices. By coordinating security across the electricity supply chain zones, utilities will be able to provide defense in breadth while making it easier to plan and manage security across the disparate zones.
New DER Task Force
EPRI recently established a task force among its utility members focused on distributed energy resources (DER) interconnected to utility grids, including photovoltaic systems, energy storage systems, electric vehicle charging systems, microgrids and other technologies supporting DERs. This group will provide guidance to research objectives and participate in research activities.
EPRI will hold a DER cybersecurity workshop this year for an invited group of stakeholders, including utilities, regulators and manufacturers, to discuss the latest best practices and lessons learned on securing DER assets. These activities will enable the industry to collaborate on reducing the risks of cyber breaches from grid-connected devices.
Challenges with Metrics
An early rock star for both electricity and telecommunications research, named Lord Kelvin, famously said: “When you can measure what you are speaking about, and express it in numbers, you know something about it. When you cannot express it in numbers, your knowledge is of a meager and unsatisfactory kind; it may be the beginning of knowledge, but you have scarcely, in your thoughts, advanced to the stage of science.” In other words, if it can be measured, it can be managed. Extensively involved in the formulation of the first and second laws of thermodynamics and mathematical analysis of electricity, he had a pretty good grasp of the value of numbers.
EPRI embraces this appreciation for numerical calculations in its cybersecurity research. The difficulties utilities experience in measuring the impacts of various OT-focused cybersecurity technologies and practices deployed to reduce risks and vulnerabilities have been observed. Many tools and services can help to assess enterprise and IT performance. Utilities readily can obtain quantifiable data about phishing rates as well as track trends going up or down to measure the success of educational efforts and anti-malware tools. Phishing scores can help to change utility cybersecurity cultures by building awareness as well as highlighting success or failure in meeting objectives.
However, on the OT side of utilities — where mission-critical operations reside — there is a paucity of mathematical approaches and tools to measure risk reduction. EPRI is developing cybersecurity metrics focused on OT data (Cyber Security Metrics for the Electric Sector: Volume 3 - Product ID 3002010426 is publicly available). This multiyear project has identified the most useful data points and created formulas to build 47 operational metrics that are helpful for cybersecurity analysts.
This is a great dashboard to communicate detailed results for informed decision making, but different roles in the utility need different ways to understand the information. The research results include a rollup of this detail into 10 tactical metrics, which are quite useful for managers and directors to assess performance and areas for improvement. Because significant investment decisions are made at the top of an organization, these cybersecurity metrics roll up to three strategic metrics called the protection, detection and response scores.
This is quantifiable information that helps utility executives to evaluate cybersecurity investment options and assess performance of deployed solutions. It also helps to drive the conversations that invoke change from the top down, which is extremely important for utilities to build a successful organizational cybersecurity culture.
Essential Takeaways
Utility cybersecurity is the responsibility of all utility employees and industry stakeholders. There are cautionary lessons and examples to encourage everyone to contribute actively to utility cybersecurity defense in depth and breadth. A cybersecurity culture is a great starting point to mitigate cybersecurity threats, but it is only part of a utility’s comprehensive cybersecurity strategy to reduce grid vulnerabilities and risk exposures. EPRI’s results and ongoing research offer many options for utilities to extend and enhance the defense in depth and breadth of their OT cybersecurity plans.
Sidebar: A Thought Exercise: It Could Happen Here
Failures of imagination are dangerous indulgences when applying the National Institute of Standards and Technology (NIST) framework of protect, detect, respond and recover to assess utility vulnerabilities. These omissions to what-if scenarios increase risks that otherwise could have been identified and addressed with appropriate mitigations.
Here is one scenario to consider. A smart inverter manufacturer’s firmware update server is hacked after a persistent spear-phishing campaign. The attacker then uploads modified firmware that calls out to malicious remote command and control servers. Remote access to the inverters then allows the attackers to interfere with normal operation of the devices, potentially causing harm to the devices and grid operations.
For more information:
EPRI | www.epri.com
NERC | www.nerc.com