The power sector is undergoing tumultuous change; it is daunting and, yet, quite exciting. Digital technology is making it possible to monitor and control our transmission and distribution networks more precisely than ever before. Smart grids are transforming the electric industry from a largely centralized, unidirectional platform into a multidirectional network of generators and loads. We have the potential to create significant virtual resources involving building energy efficiency and demand management, small and large distributed generators, and even fleets of EVs that can consume and supply load as needed. However, there is a “but”: all this fantastic potential — essentially every power industry tool and strategy that can deliver a more efficient and sustainable future — is dependent on secure digital networks and the cloud to function. Is the U.S. power sector better prepared than other industries recently in the news to protect itself in today’s cyber environment?
Consider the Colonial Pipeline, the largest U.S. supplier of refined energy products, which was hacked in May when a ransomware gang compromised a legacy VPN account, causing the pipeline to curtail operations for days and ultimately pay a ransom of more than $4 million in bitcoin. To those of us not on the cybersecurity front lines, the Colonial Pipeline hack appeared to be a novel event, the first of its kind in a long while. Those who track national-level cyberattacks tell a different story: this event followed a pattern that other companies have already experienced, but intelligence about cyber events is not being shared, or not shared quickly enough. Finger-pointing in multiple directions cited Colonial’s failure to participate in voluntary security audits and the Transportation Security Administration’s failure to be more transparent about cyber threats and defense.
Security experts believe the Colonial Pipeline IT intrusion and the more recent ransomware attacks on the JBS meat processing business and the software company Kaseya (and its clients) are just the start of more vigorous and vicious attacks on U.S. businesses and critical infrastructure by foreign nationals. Speaking at the EEI annual convention, the co-chairs of the Electricity Subsector Coordinating Council (ESCC), Tom Fanning and Bill Fehrman, discussed ESCC’s charge to work with administration officials from the White House, cabinet agencies, federal law enforcement, and national security organizations to respond to national-level disasters or threats to critical infrastructure. They also highlighted ESCC’s cyber mutual assistance program, modeled after the phenomenally successful collaborative assistance approach used by utilities responding to storm emergencies.

In addition to an emphasis on collaboration all around, Fanning argued for a tougher federal response to attacks on the nation’s energy infrastructure.

The U.S. House of Representatives offered its own ideas on increased preparedness with the voice-vote passage of H.R. 2928, 2931, 3078 and 3119. These bills empower DOE assistance with grid security; require voluntary cybersecurity testing of products and technologies intended for use in the bulk-power system; encourage public-private partnerships with states, industry and federal agencies to enhance the physical and cyber security of electric utilities; strengthen DOE’s ability to respond to pipeline and liquefied natural gas facility threats; and elevate energy emergency and cybersecurity responsibilities to a core function of DOE.
Early cyber risk warnings, greater government involvement in grid security, and more public-private partnerships, including collaborative coordination of extreme-event response, will help utilities prepare for and respond to cyber incidents. However, the advancing integration of IT and OT and the rapidly evolving digitalization of mission-critical operational technology also warrant much greater attention to internal preparation, including continuous training and multiple layers of defense.
Utilities that have already focused on securing legacy endpoints, such as the unused VPN account that let the Colonial Pipeline attackers in, may avoid the travails of the pipeline’s operators. Many power companies have also invested in automated threat detection and remote management of physical security, and they are conducting incident response planning, regular security reviews and vulnerability assessments. Some are using asset discovery to evaluate the visibility of their operating environment; monitoring for early detection of attacks against known OT-specific vulnerabilities; and practicing network segmentation and the use of internal firewalls.
The next level of preparation for digital utilities may include dedicated SCADA/ICS/digital operations systems security teams; role-based access controls; hardened networks; isolation of OT data processes; and the use of deception technology and other advanced protection for cloud-based applications. In today’s environment, these steps may become mandatory: to prevent the loss of critical operating data and intellectual property; to avoid outages that interrupt service, cost revenue, and put physical safety, the environment and equipment at risk; and to avert damaged reputations, lawsuits and regulatory violations.
Consider attending T&D World’s Black Sky Hazards and Grid Resilience seminar on Oct. 11-12 in Dallas, Texas, to learn how utilities are preparing for threats such as cyberterrorism, high-altitude electromagnetic pulse, intentional electromagnetic interference, physical attacks, and natural disasters. Risk assessment, planning and prevention; response and recovery; and technology innovations will be discussed.