By Mike Prescher and James Yang
For power suppliers wanting to be vigilant about the threat that hackers pose to the grid, a March 2019 intrusion may have been a benign warning about vulnerability. When hackers disabled a Utah-based renewable energy developer’s control system for about a dozen solar and wind farms in the West, the grid’s operators were left blinded for more than 10 hours to those 500 megawatts of generation sites. Thankfully, no outages resulted.Download the Report
It was the latest salvo in an evolving but unceasing chess match between U.S. utilities and the mischief-minded who are eager to disrupt, using a keyboard as their weapon. Each is trying to think two moves ahead of the other, with utilities disadvantaged by the fact that the rules keep changing.
With the influx of distributed energy resources (DER), power grid and communications networks are becoming more integrated and complex, uniquely challenging utilities and widening their exposure to those seeking to maliciously exploit them, or simply disrupt them. The industry’s embrace of internet-connected sensors — in short, digital transformation — expands its vulnerability through a much broader “attack surface.”
Without question, utilities understand the risks and have staved off sizable disruptions, in part thanks to the North American Electric Reliability Corporation’s (NERC) critical infrastructure protection (CIP) guidelines that have proven to be good road maps toward what should be a more proactive, robust and holistic approach to securing critical infrastructure.
As hackers grow more sophisticated, utilities know they must do likewise. Black & Veatch’s 2020 Strategic Directions: Smart Utilities Report survey finds that utilities are embracing the need to enhance their cyber defenses. With
the uptrend of adopting cloud computing and packetized Internet Protocol (IP) networks in the operations technology (OT) telecommunications environment, utilities acknowledge that a formal, robust network and security operations center (NOC/SOC) becomes a new common denominator of cyber defense.
This more proactive pursuit of an enhanced monitoring-and-response cybersecurity posture comes as these new IP packet-oriented requirements compete against other legacy considerations, including that pesky thing called aging infrastructure.
Cyber Monitoring: Not Just for the Big Kids Anymore
Faced with the need to modernize, utilities are prioritizing, making it unsurprising that two-thirds of respondents named reliability a major driver in their efforts to upgrade. Roughly four of every 10 survey takers cited quests to bolster operational efficiency, address aging infrastructure and increase monitoring, control and automation. Just 12 percent of respondents said cybersecurity is among their top priorities.
But when asked separately whether they’ve implemented or plan to put into action active cybersecurity monitoring of communications and data devices, eight of every 10 respondents said they either have adopted such measures or have done so with plans to bolster them.
But the good news is that two-thirds of the largest utilities say they expect to increase their cybersecurity safeguards going forward. And most respondents, utilities both big and small, say they have a plan for cyber oversight.
Options for stepping up cyber defenses can take many forms, not the least of which are in-house SOCs dedicated to preventing, detecting and responding to cyber threats and hacking incidents. Such investments — ideally positioned in tandem with, but isolated from, any NOC — help utilities better safeguard
their critical infrastructure and highly sensitive operational information. This offers utilities more control over their security monitoring, incident response and communications with regulators and law enforcement entities.
Creating a SOC — or some form of internal security operations capabilities — can be time-consuming and expensive, which often leads to security monitoring being outsourced. In either case, the survey shows that utilities value the concept, with more than half of respondents saying they have turned to that measure and it operates around the clock.
Utilities serving populations of more than 500,000 are overwhelmingly the ones with SOCs that work 24/7, perhaps because they’re better equipped to fund them, and they exist in areas where more qualified resources are available.
While such responses are commendable, none of them reflect the extent to which each of those SOCs is truly effective, or whether they have shortcomings. Are there multiple dedicated, full-time people assigned to that cybersecurity role? Are they fully qualified? Is that worker regularly reviewing logs? Is there intrusion monitoring and detecting?
Another thing to ask: Why do one-third of respondents have no SOC at all?
Perhaps it’s simply a matter of budget, given that nearly two- thirds of respondents at the nation’s smaller utilities (which serve fewer than 500,000 residents) say a SOC isn’t part of their game plan. There also may be some connection with smaller electric utilities having fewer NERC-CIP-rated “high” and “medium” assets and systems.
Click here to continue reading this feature on the Black & Veatch website.