Rising worry, new approaches: The race for cybersecurity on the grid continues.
Are the cybersecurity programs and capabilities that utilities now have in place sufficient? Not according to the C-suite leaders who responded to EY’s Global Information Security Survey 2016-17. In that study, 89 percent of the power-sector players said their cybersecurity functions didn’t fully meet their organizational needs.
Worse, 58 percent of the survey respondents admitted that they’d recently experienced a significant cybersecurity incident. And, while Internet of Things (IoT) technology opens new entry points for hackers, just 27 percent of the survey takers said their security efforts had an IoT focus.
Still, news on the cybersecurity front isn’t all gloomy. PWC’s 2016 Global State of Information Security found security budgets up by three percent, while the number of incidents detected had dropped by 24 percent. According to PWC’s research, security spending has surged 53 percent since 2012. Given the stakes, that’s good news. Below are some other promising developments in the cybersecurity realm.
Chain reaction
Bill McEvoy now runs the Distributed Energy Resources group at OSISoft, but he spent some 30 years as a utility executive with Northeast Utilities and Eversource Energy, and he is a voting member on the North American Reliability Council (NERC) Critical Infrastructure and Protection (CIP) committee.
According to McEvoy, NERC CIP now is looking at standards related to equipment and system supply chains. Why? “Your vendors might outsource to another lower-priced vendor,” McEvoy says. “How do you know your smart devices don’t have an intrinsic vulnerability?”
Here’s a case in point: McEvoy once saw a utility trying to contract for a new T&D energy management/SCADA system. Because it was an energy management system, it had to go through procurement,” he recalls. “The vendor wanted to do a database of the SCADA system in Romania. It took a month and a half to get that vetted.”
This utility performed due diligence regarding the vendor’s supply chain. That’s not always an easy task to do. Ahead, McEvoy foresees certification requirements as well as procurement processes that show where equipment is coming from.
When the Federal Energy Regulatory Commission (FERC) ordered NERC to develop such standards in July 2016, the standards were supposed to cover supply chain management for industrial control system hardware, software and services associated with bulk electric system operations. The new standards likely will address software integrity and authenticity, vendor remote access, information system planning, as well as vendor risk management and procurement controls.
But, rather than a one-size-fits-all approach, the standards will probably require responsible entities to develop their own plan to meet objectives. The goal will be to provide flexibility in to how organizations comply with supply chain security mandates.
Machine learning
Author Clive James once said, “It is only when they go wrong that machines remind you how powerful they are.” They’re fast, too.
That’s why the California Public Utilities Commission (CPUC) authorized California Energy Systems for the 21st Century (CES-21). It’s a project being conducted by California’s three largest investor-owned utilities—Pacific Gas and Electric, Southern California Edison and San Diego Gas & Electric—along with the Lawrence Livermore National Laboratory (LLNL).
One part of this initiative is focused on cybersecurity as it relates to Internet-of-Things technology. Called the Machine-to-Machine Automated Threat Response project, this investigation aims to develop automated response capabilities to protect critical infrastructure against cyber-attacks.
Ultimately, this effort may produce modeling that will help California’s big three and other utilities meet cyber threats by having one machine respond to another. This research project is slated to wrap up in October, 2017.
Keeping it real
Another research initiative that may eventually help utilities test their cybersecurity tools is the Cyber-Physical Experimentation Environment for RADICS project underway at the University of Illinois Urbana-Champaign campus. RADICS stands for Rapid Attack Detection Solution and Characterization System.
Specifically, the Illinois researchers are building out highly realistic and detailed simulation models for development and testing of power system optimization and control algorithms.
“Reference models are based off what ideal design might be” says Tim Yardley, principal investigator and associate director for technology at the University’s Information Trust Institute. But, he adds, ideal conditions rarely prevail.
“When you get into the real world, you have actual manufacturers’ devices connected by actual power lines, and each of these have characteristics associated with them,” he explains. He adds that even if two devices from different manufacturers have the same function, “their behaviors may not be exactly the same.”
Yardley’s team will be creating their models from data supplied by hundreds of utilities and grid operators. In addition, the team has a test bed that includes some $10 million in hardware and software. Through actual historical data, virtualization, simulation and physical devices, the researchers will be able to build high-fidelity grid representations for use in cybersecurity studies.
Given the large number of utilities that supplied data, the team’s models will have coordinates based on comprehensive North American geography along with network structure, characteristics and consumer demand that mimics real grid profiles. The data also will reflect detailed testing of both naturally occurring grid disturbances—such as animal intrusion or planned maintenances—as well as cyberthreats.
Much of the developed software will be open source and available for utility use. Yardley says the aim is to help utility staffers prove out emerging technology so that they don’t need to worry if the technology will do what it’s intended to do.
“Utilities can use our facility or use the technology developed here to validate at a level that’s never been possible before,” he concludes. “This is not a tool just for academic research, but a tool to help utilities increase their operational efficiency and harden their systems.”