August 24, 2020
Key takeaways from this article include the following:
Nation-state campaigns are ramping up against grid operators and contractors.
The explosive growth of renewable energy is causing growing pains for grid operators.
Resilience has long been a priority for electric utilities, but the threats to the grid are unparalleled.
The stakes are high for electric utilities. The U.S. Department of Energy has warned that Russia and China have advanced cyber-programs that pose a risk to the bulk power systems that provide electricity to most of the nation. Ukraine has already suffered two wide-scale power outages — in 2015 and 2017 — believed to be the handiwork of Russian cybercriminals.
In addition to cybersecurity risks, much of the domestic utility landscape finds itself in flux, wrestling with aging infrastructure on the one hand and an influx of distributed energy resources on the other. The problem is most acute in California and Australia, where electric system malfunctions have sparked massive wildfires. But even nations such as Germany that have invested heavily in grid modernization and green energy have struggled to achieve electric grid stability.
While upgrading the grid can improve utilities’ ability to predict demand and compensate for fluctuations stemming from distributed energy resources, connected technologies also magnify cybersecurity risks. To tame the chaos, utilities need an integrated approach that reduces risk in the physical and cyber domains.
Building a Grid That Can Withstand Physical and Digital Chaos
While cybersecurity is a central concern for grid operators, renewable energy is a competing priority. Nearly half (46%) of grid operators reported that renewable energy was a central concern, according to the 2020 State of Electric Utility survey. Rounding out the top three priorities were distributed energy resources and grid reliability, selected by 30% and 29% of respondents, respectively. Tied for fourth were security and aging grid infrastructure, at 28%.
All of these priorities, however, are interrelated. Exponential increases in solar and wind power, for instance, can lead to reverse power flows that cause grid instability. That is, instead of electricity moving unidirectionally from power plants and substations to users, energy often flows in the opposite direction, given the rise in wind power as well as rooftop solar power for commercial and residential real-estate properties. “We have about 70,000 solar panels installed every hour,” said Michael Enescu, a visiting associate professor at California Institute of Technology, at IoT World. “Electric vehicles also cause tremendous stress on the grid,” he said.
Laying the foundation for electric grid stability will require significant investment and deliberation, Enescu acknowledged. It will also require integration. “All of these devices — wind turbines and solar panels — they become [internet protocol] endpoints on the network so we can collect the data in real time,” he said.
As utilities modernize their grids, they should maintain endpoint visibility and segmentation while prioritizing threat detection and establishing an integrated security operations center, said Marc Blackmer, product manager, IoT at Cisco. Achieving those objectives can be difficult considering the wide equipment footprint. “If you look at distribution and transmission, for example, you’ve got substations in all these different places,” Blackmer said. The rise in renewable energy sources ranging from rooftops to wind farms underscores the need for a holistic approach for grid management. In many cases, utilities will have to determine what is “the best configuration for millions of devices to optimize power flow such that it minimizes cost while ensuring safety and reliability,” Enescu said. To support such functionality, Enescu recommended utilities deploy an IoT-enabled power grid with decentralized control.
Integrating a diverse set of equipment can prove challenging. Microgrids, for instance, can optimize grid stability, given their ability to operate independently from the grid. But microgrids’ connection to the power grid can provide new avenues for cyberattack. Complicating matters further is the fact that microgrids are typically not owned and operated by traditional grid operators.
Find Strength in Collaboration
The power and utilities industry has long prioritized partnerships to manage grid changes. “We are an industry that truly collaborates — whether that is intelligence sharing, working with our energy sector [Information Sharing and Analysis Center] or working with the government,” said Tom Wilson, chief information security officer at the Southern Company in a webinar.
Collaboration can help utilities address black swan event–related uncertainties and improve situational awareness regarding evolving cybersecurity threats. “Another thing we have done as an industry is collaborate on exceptions,” Wilson said. Given the unpredictability inherent in grid management, utilities are frequently forced to make exceptions to security processes. “When you work together as an industry, there is a strength in numbers when you can say, ‘All of my peers, even though all of their computers are remote, are going to patch over those networks,’” Wilson said.
Cross-industry and government alliances were also a recommendation outlined by the congressionally mandated Cyberspace Solarium Commission. “There are roles that only the government can play,” Wilson said, citing diplomacy, trade and sanctions as relevant examples, given the nation-state dimension to power grid cybersecurity.
Commit to Long-Term Secure Remote Access
Before COVID-19, about 7% of the U.S. civilian workforce had access to a “flexible workplace” benefit, according to the 2019 National Compensation Survey (NCS) from the federal Bureau of Labor Statistics. The percentage of white-collar workers in the U.S. working remotely is now more than 90%, estimated Jason Haward-Grau, a leader in KPMG’s cybersecurity practice.
Remote work is not necessarily new for utilities. Southern Company has “spent years designing and building secure remote access for a variety of scenarios,” Wilson said. The Southern Company relied on remote access, for instance, during the so-called snow apocalypse that hit Atlanta in 2014 and the 2019 Super Bowl held in the city. “Getting to scale, being able to support a truly huge telework presence was already there,” Wilson said.
In many cases, line workers still must physically access equipment to make repairs. After a storm, for instance, Southern Company might send more than 1,000 workers to repair damaged power lines. “But for the corporate office buildings, we are not in a rush to get back to the office,” Wilson said. It is likely that “certain jobs become more [telework-based] than they ever have before,” he added.
Reevaluate Risk of In-Person and Digital Processes
Despite the shift to remote work, a significant portion of work on the electrical grid is still physical, whether it is repairing downed power lines or embedding sensors in substations or power plants. COVID-19–related restrictions have often complicated such work, Wilson said, especially for jobs that formerly required multiple workers to be present at a single site. Southern Company has reduced the size of crews, deploying individual workers for tasks when possible.
COVID-19 restrictions can pose a challenge for security tasks requiring physical equipment access. Electric utilities should have clear policies about which types of workers — including contractors and vendors — should be granted physical access to equipment.
Similarly, utilities with insider threat programs should adapt, Wilson said. Because many insider threat programs are based on physically observing workers to identify suspicious behavior, the shift to telework can be vexing. “You have to shift back to your electronic capabilities for observation because you don’t have that direct presence,” Wilson added.
While the threat of elite nation-state actors sabotaging domestic power grids warrants a robust response, the insider threat risk is frequently underestimated, Blackmer said. “Somebody could accidentally enter a value into a process,” he said. “The risk is not always malicious. Somebody might have made a mistake.”