Prioritizing Cybersecurity Key to Ensure Safe, Secure Utilities
Electric utilities are making progress with cybersecurity, but gaps remain
Facing inevitable attacks to their networks by hackers, electric utilities are making progress in prioritizing cybersecurity to ensure that they can deliver and maintain safe, secure utilities for all. However, this year’s Strategic Directions: Electric Industry Report shows even as leaders work to ensure grid security, major gaps remain in the areas of asset security control and security risk awareness.
In this year’s report, survey respondents ranked cybersecurity as second only to reliability as a top industry issue. This is driven by continually increasing security concerns caused by highly publicized hacking incidents and uncertainty about North American Electric Reliability Corporation (NERC) supply chain security standards.
A Growing Need for Cybersecurity Resources
A significant percentage of utilities are considering procuring managed security services to handle grid security, which is surprising because the industry is traditionally adverse to relinquishing control. Utilities should consider developing this capability in-house by using a shared information technology (IT) and operational technology (OT) approach, which will provide a single and clear view of what is taking place across the entire electric network operation.
Nearly 55 percent of respondents don’t know whether their organization has completed real-time OT monitoring. Without this capability, OT networks are allowing outside communications into their critical infrastructure without knowing their effect on operations. With real-time cybersecurity monitoring, a utility can quickly identify a hacker on its network and immediately react.
Ensuring that OT environments are secure is of paramount importance to maintaining secure utilities. Attacks on OT environments can cause real-world impacts, including potential injury and loss of life. OT environments typically require 24/7 availability and thus are more challenging to secure through regular security hygiene such as patching and configuration. Combining IT infrastructure and staff knowledge and skills with OT helps give utilities a clear end-to-end picture of real-time network operation, offering greater cybersecurity protection.
Mitigating Cybersecurity Breaks
A top security concern among the electric utility industry is understanding corporate-level risk. For example, when a hacker enters a system and extracts data, the resulting publicity can be very damaging to the utility’s reputation. The utility management must be able to respond that they are able to mitigate the issue and take steps to further strengthen network security.
Approximately 25 percent of respondents were concerned about cybersecurity measures being taken in new projects. Although security applications can add costs, they remain imperative to ensure safe, secure utilities. When security measure’s aren’t part of the project mix, it becomes more difficult and expensive to retrofit security around a project where it was never considered.
Another security concern centers on the availability of Internet of Things (IoT) devices linking to electric networks — e.g., smart parking meters, streetlights and thermostats, among other types of monitoring. For example, a city municipality may want to install smart streetlights but doesn’t have the staff or infrastructure to manage it, so they use the utility’s network while contracting a vendor to remotely manage the streetlights. As a result, the utility has two third parties with network access on the same infrastructure as the electric grid control center.
To effectively protect assets in the cybersecurity realm there needs to be a culture of security risk awareness and response across the utility workforce. There is a tendency for utility employees to be wary of raising security issues because of concern for repercussions. It is vital that there is a security risk culture as strong as the engrained safety culture that the utility workforce has historically demonstrated.