Federal regulators have stepped up oversight of the security of the nation’s power utilities as they work to safeguard the grid from threats and incidents such as widespread, long-duration blackouts caused by digital saboteurs.
But cyber threats linger, particularly within the area of operational technology (OT). As efficiency efforts drive IT and OT systems to converge, hackers can gain access to the OT infrastructure via an IT route, fueling a need for utility leaders to assess, plan and implement OT protection strategies for critical assets. This position represents a fundamental shift, as security once set up under IT is now being integrated into a broader IT/OT approach.
Hackers pose a very real threat. The U.S. Department of Homeland Security has labeled cyber attacks on critical infrastructure among the nation’s most serious security challenges. Government and utility leaders have heard the message loud and clear, and are focusing their full attention on improving cybersecurity defenses across IT and OT networks.
Black & Veatch’s 2018 Strategic Directions: Smart Cities & Utilities Report survey shows that cybersecurity remains a challenge for utilities across the country. When asked to identify the top three major challenges with their current distribution system automation and communication capabilities, nearly half (46 percent) of survey respondents pointed to cybersecurity; old and obsolete equipment and a lack of staff to support future needs and requirements tied for second, each with 35 percent (Figure 1).
Figure 1. What are the top three major challenges your team is facing with your current distribution system automation and communication capabilities? (Select top three choices)
When asked separately where cybersecurity measures will be implemented in their networks within the next three years, 64 percent of respondents said addressing shortcomings in their core assets as their top priority. Edge assets such as switches, regulators and capacitor banks were ranked second (43 percent) and backhaul third (34 percent).
Addressing core vulnerabilities may be the quickest, easiest route, and utilities may be able to resolve them by leveraging in-house resources. Focusing on physical assets may prove to be more complex, as it involves a far larger scale. In addition, many infrastructure assets were designed and built years ago without security in mind, during a time of “security through obscurity,” which meant that the prevalence of analog systems brought security through technological obscurity.
In recent years, sophisticated rogue actors illustrated the need for upgraded system defenses. In 2011, the Stuxnet computer virus reportedly destroyed centrifuges involved in Iran’s nuclear program. Rather than simply steal information from the computers it infected, the virus was able to damage the physical equipment that the system controlled. In 2013, Iranian hackers breached the command-and-control system of a dam near Rye Brook, New York, managing to gain access to the floodgates — a breach Sen. Charles Schumer of New York called “a shot across our bow.”
And in September of last year, The Associated Press reported that cybersecurity firm FireEye warned that a group of hackers suspected of working for the Iranian government was targeting the aviation and petrochemical industries in the United States, Saudi Arabia and South Korea.
Across the digital landscape, threats are limited only by the imagination and deviousness of those carrying out attacks. Video surveillance cameras and wireless routers also may be vulnerable to online intruders, cybersecurity experts have warned.
When asked which cybersecurity methods they plan to adopt within the next three years, 68 percent of the Black & Veatch survey respondents cited upgrades in network access control and 64 percent pointed to security layers such as firewalls and intrusion-detection systems — all relatively simplistic doors to close. More than half said they expect to deploy encryption techniques (Figure 2).
Figure 2. What cybersecurity methods does your organization plan on implementing in the next three years? (Select all that apply.)
Asset managers appear to have embraced the reality that these efforts will require upfront capital investment, with half of respondents planning to invest less than $10 million and a quarter planning to invest between $10 million to $50 million. A much smaller percentage (5.5 percent) plans to invest between $50 million and $100 million.
Figure 3. How much capital do you plan to invest in communication infrastructure over the next three years? (Select one choice)
While the most insidious threats tend to come from faceless cyber-attacks, asset managers continue to pay close attention to ensuring physical security as well. When asked which methods they plan to implement in the next three years, survey respondents cited physical security methods such as electronic card readers, motion detection systems, infrared cameras and extending WAN/LAN communications to support physical security methods (Figure 4).
Figure 4. What physical security methods do you plan on implementing in the next three years? (Select all that apply)
The rapid evolution of electric grids and communications networks can make it difficult to plan safeguards, but asset managers must assess their risks and adopt responsible security measures that are flexible and scalable, shunning dismissive attitudes that such investments simply become outdated within a few years.
A truism of cybersecurity is that the risk level is never zero. The quest for brawnier security begins with a deep-dive assessment of critical infrastructure to understand the networks, cyber asset inventories and existing risks, then deciding what risks are acceptable and which to remediate. Quantifying those risks are instrumental to prioritizing and justifying investments in cyber protection to maintain an acceptable level of risk and a sustainable security posture.