With a compliance deadline for new federal utility cybersecurity standards [NERC CIP v5] looming, utilities around the U.S. are assessing and addressing risks -- at least for bulk power grids.
But security for local power distribution grids may be getting overlooked in this rush to meet the standard.
“The standard addresses the most critical assets of the BES, but a lot of utilities haven’t been looking as hard at the rest of their grids, leaving key areas of the grid unprotected,” said Lowe.
Distribution grids contain many of the same kinds of assets found on transmission grids. While the regulatory oversight differs for transmission and distribution, the line between the two is blurry.
“Electronic access control and monitoring systems can be deeply connected, not only within utilities, but between business and operational systems. A smaller utility might share some equipment with a larger utility through the use of a jointly owned substation, and there might be physical and logical access to each other’s sites and systems,” said Gamble.
This requires many utilities to look beyond NERC CIP to consider vulnerabilities more holistically.
There are some unique challenges to securing local grids. Smart metering systems represent one of the most acute cyberattack vectors to distribution networks. And utilities that moved earliest on smart meter rollouts may face the greatest vulnerabilities.
Many municipal and cooperative utilities are flying under the radar of NERC CIP entirely, since they only have distribution grid assets.
“State utility commissions are starting to look at what’s escaping NERC CIP,” said Lowe. “Utilities should be getting ahead of the curve on distribution grids and getting their strategic plan in place. Otherwise you’ll just be constantly playing catch-up and have difficulty keeping pace with the rising security threats.”
Smart grid and AMI deployments pose a challenging threat vector because they are so deeply connected to other systems throughout many utility departments: business, IT and OT.
Cyber intrusions are often opportunistic. Cyber vulnerabilities can be exploited where a properly implemented and maintained layered defense is lacking.
According to Lowe and Gamble, the solution for many of these threats -- at all levels of the grid -- is proper understanding and management of the risk together with control implementation and monitoring of people, processes and technology.
“The trend we’re seeing is that utilities are moving from firefighting compliance mode, to an enterprise risk-based cybersecurity group focused across OT and IT, with top-level leadership,” said Gamble. “This way, compliance becomes an output of security, rather than a driver.”
Meanwhile, employee retirements are creating another challenge. The steady turnover of utility technical and security staff is starting to have a profound impact on cyber and physical security.
As utility personnel depart, the people assuming their responsibilities typically do not bring the same knowledge of how the systems all work together. New staff being hired for their cybersecurity expertise often come from different industries and may not have a deep understanding of how utilities function.
Orienting the staff to the various departments and processes can instill a broader sensitivity to operations as well as security.
“The key is creating 'security by design' -- learning how to embed risk-thinking into everyday activities,” said Lowe.
“Realizing how security risks add up across an organization is essential,” said Gamble. “Often these risks rise from, and are seen as, technical problems; however, human aspects or business processes are a significant part of the solution.”