Cybersecurity Series: What are Power Companies Facing? (Part 2/5)

The U.S. electric grid consists of more than 7,000 power plants, 55,000 substations, 160,000 miles of high-voltage transmission lines and millions of miles of lower-voltage distribution lines. The system is interconnected with a series of networks to ensure reliability . The design allows the power grid to withstand small interruptions such as equipment failures and fallen trees, as well as large-scale natural events such as storms and hurricanes. Despite these strengths, the power grid is becoming increasingly vulnerable to a different kind of risk: cyber threats.

The power industry is keeping up with current trends in technology. For example, traditional electricity meters have given way to digital smart meters. Power substations are increasingly controlled via internet-enabled networks and software; these substations are crucial for converting electricity from high-voltage transmission lines to lower voltage for household use.

Current Challenges with Cybersecurity

• The interconnected nature of the power grid, with physical and computerized elements connecting nearly every building in the country
• The exponential increase in the complexity of grid control systems
• The real-time nature of the grid
• The power industry’s slower pace of technological advance, with most grid infrastructure in active operation for a decade or longer
• A general lack of knowledge or strategy to mitigate new cybersecurity risks

Current Circumstances with Cybersecurity

However, the risks from a steady rise in physical and cybersecurity-related events, combined with the 2015 Ukraine power grid cyberattack, demonstrate that the capability does exist for cyberterrorists to interfere with power distribution.

A recent survey conducted by Utility Dive established that physical and cybersecurity is a top concern for all types of utilities: “with 73% of those at IOUs, 72% of those at munis, and 64% of those at co-ops saying it is important or very important."

Industry Regulations on Cybersecurity – 4 Main Sources 

1. CIP

The CIP is developed by the North American Energy Reliability Corporation (NERC) and mandated by the Federal Energy Regulatory Commission. Their standards are absolutely crucial for power companies to follow (while the remaining three on this list are more-so suggested guidelines). The NERC oversees the grid in the U.S. and Canada, and its CIP compliance rules dictate how electric companies must protect the power grid, both physically and electronically. This includes monitoring the grid for attacks and requiring safeguards (such as multi-factor user authentication to keep unauthorized intruders from accessing control networks). 

Failure to comply with the CIP regulations can result in substantial fines.

The NERC also provides extensive cybersecurity resources for the industry, including threat sharing, collaborative support, and monthly briefings on critical-infrastructure security topics. The organization hosts tabletop simulation exercises, where electricity companies can practice defending against major attacks.

2. FERC & Homeland Security

Additional guidelines and regulations have been issued by the Federal Energy Regulatory Commission (FERC) and the Department of Homeland Security on a range of topics: attack reporting and incident response, Bring-Your-Own-Device (BYOD) policy, and intelligence sharing.

3. U.S. National Institute of Standards and Technology

The U.S. National Institute of Standards and Technology also created its own recommendations, which are gaining momentum among distribution utilities, but are not mandatory. It helps organizations develop techniques to prevent attacks, detect and respond to them when they happen, and investigate what happened after an attack.

4. Industry Organizations

Additional guidelines and resources have also been created by several industry organizations such as the Edison Electric Institute, the American Power Association, and the National Rural Electric Cooperative Association.

How Can Power Companies Be More Secure?

To better address future of cyber threats, utilities will need to see cybersecurity as a risk management issue rather than just an IT issue, as it has been.

To begin to tackle the level of cyber security necessary, the research firm Zpryme estimates that U.S. utilities will spend $7.25 billion on grid cybersecurity by 2020.

In addition to the guidelines offered in the standards provided by NERC and NIST, Boston Consulting Group published a report that makes recommendations for utilities to improve their cybersecurity measures, which mentions:

• Making cybersecurity a business imperative
• Building a culture that supports and sustains cybersecurity as a top priority
• Identifying, taking inventory, and classifying all information and assets
• Segregating IT systems from OT systems by partitioning the networks or, if possible, completely separating them
• Implementing multifactor authentication when feasible, granting users system access only after confirming identity through several ways
• Password management
• Privilege management (role-based permissions for access)
• Focusing on training, education, and mentoring 
• Introducing secure messaging to replace or reduce email and SMS, which are typically more insecure forms of communication

Despite companies investing millions on cybersecurity awareness and training tools for employees, 90 percent of all cyberattacks worldwide begin with email phishing. Many consider the phishing risks to energy and utilities a primary national security concern, as each industry admits to a digitally amateur workforce — either unaccustomed to or untrained for the cyber-physical demands of the Industrial Internet of Things (IIoT) and the connected plant.

Power companies face extensive operational changes to ensure the security of their plant in the future. As cyber threats continue to evolve and advance, the industry will need to respond and adjust. Cybersecurity measures should consider the possible dangers and put in place a plan to mitigate those risks. Threats will continue to change, therefore continual assessment and improvement to keep critical infrastructure safe is imperative.

Stay tuned for future posts that look closely at how changing cybersecurity needs are impacting telecommunications companies, as well as CATV and broadband providers.  Click here to read the first post in this series.

Share your current concerns surrounding cybersecurity and the power grid in the comments below.

To learn more about the interconnected web of joint use infrastructure and about managing infrastructure assets, read this free eBook.