Over the past year, the energy industry has witnessed an uptick of cyber threats from both state actors and private entities. These risks have increased in tandem with the digitalization of energy systems and growth of distributed energy resources (DERs). While utility companies are aware of the value of new cyber security methods, many have been slow to adopt solutions. Yet new vulnerabilities in power grids are being revealed each day, forcing these companies to concentrate on both the security of a physical grid and the digital layer that now exists.
In addition, policies and standards that support a more secure grid are emerging to emphasize the need for these critical efforts. For instance, the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards were first introduced in 2005 to help regulate, enforce, monitor and manage the security of electrical systems in North America. Since then, these standards have continuously been updated to keep pace with the evolving digital grid assets and the increase in cyber attacks. Today’s NERC CIP standards include best practices for digital and physical security, personnel training and change management.
What’s more, many companies (and countries) are acting on net-zero pledges made in 2021. These pledges, coupled with the evolution of NERC CIP and similar global security standards programs, will likely bring cybersecurity technology to the center of power companies’ priorities. And with high-profile cyber attacks now being used as tactics during political and civil unrest, now is the time for utilities to identify risks and take measures to mitigate them.
Why are grid systems becoming a common target for cyber crime
As electrical grids become more modern and digitized, they are more accessible targets for cyber attacks. Cyber criminals can gain a number of gateways when they infiltrate a grid. By falsely illustrating data such as power use, these attackers can obtain large financial benefits. In the same vein, they can easily manipulate the market by changing what a utility company sees as the grid performance, making it possible to influence buy and sell decisions.
During attacks, cyber criminals can also gain access to individual DER devices – which could possibly include disturbing or disconnecting someone’s service, spying on their business, understanding their whereabouts or even pinpointing the entry into one’s network. This type of infiltration can happen both at an individual level and on a much larger scale. For instance, if a cyber attack targets a grid system that powers government buildings, they could easily compromise a country’s whole infrastructure by obtaining sensitive information found in those networks.
How are grid systems vulnerable to cyber attacks
Currently, three main factors are driving cyber risk susceptibility for utilities:
- Physical access – Often, the computing devices a cyber criminal will target are found on customer premises (i.e. their home, business, etc.) and not one centralized location, making it more difficult to ensure security for all customers, due to larger attack surface.
- Simple, low capability DERs – Most DERs are simple devices, running simple real time operating systems (RTOSs). They are not able to run modern cyber security software (like a firewall or anti-malware software). This provides attackers a large attack surface. Additionally, as the systems are cheap, and readily available, attackers can have access to devices to learn their weaknesses.
- Lack of standardization – Across grid systems, there is a severe lack of consistency in security standards. Discrepancies in the rollout, scale, and details of these protocols across different markets and regions make it difficult for utilities looking to introduce a more reliable security system to build a comprehensive solution. Widespread inconsistency is a major roadblock to broader implementation of these efforts across regional and global grids. Industry experts hope that the continued evolution of standards like NERC CIP will help alleviate this problem.
How can grid systems prepare for the future
Fortunately, the industry is making great headway to help advance grid systems and enable them to support new and necessary cyber activity. In a new report, “Cybersecurity Certification Recommendations for Interconnected Grid Edge Devices and Inverter Based Resources,” the U.S. Department of Energy’s (DoE) National Renewable Energy Laboratory (NREL) introduces updated security and testing protocols for DERs and other assets capable of communicating with the grid. Government entities and industry groups must both recognize the need to develop a strong cybersecurity position and adopt policies that make assessment and security practices standard across the board. There are also precautions individual utility companies can take to better equip themselves against cyber attacks.
If they aren’t already, utilities must integrate large-scale, IoT focused solutions that are adaptive to the network. The most effective are those capable of anomaly detection and network awareness, utilizing AI and machine-learning analysis. Distributed energy resource management systems (DERMS) are gaining traction and offer operators both scalability for change management and intelligent system visualization of front-of and behind-the-meter assets. Building out new practices that identify and isolate rouge DER devices are essential. These could include re-positioning a detection logic closer to the edge of a grid’s footprint.
As the use of DERs increases throughout the utility industry, power companies need to understand the inherent cyber risks associated with adopting DERs. The industry must begin prioritizing the infrastructure needed to quickly identify and isolate such devices. Moving forward, companies must begin looking for DERMS that not only helps integrate DERs into a grid, but also addresses the cyber risks associated. These threats will always be involved when DERs are in use, and if the utility industry does not start to account for them, grid security will be compromised.
Recent events have once again demonstrated that the energy industry must no longer see cyber security as an afterthought or unnecessary expense. Updates to NERC CIP and the introduction of new government and industry frameworks are great first steps in achieving this new level of security across grid systems. Utility companies, system operators and technology providers must begin putting these measures into practice now, to lead permanent change in how the industry identifies and neutralizes cybersecurity threats.
Noam Arbel is CTO and Chief Architect of mPrest, a leading developer and provider of distributed asset orchestration and optimization software for energy, defense, and commercial markets. Noam has over 25 years of software architecture, leadership, and development experience and has worked with IOT systems, large web based SaaS systems, and cloud solutions.