Cyber security of our electric grid is a high priority for utilities and the government. That priority is heightened, perhaps, because in May, “…an anonymous Western utility became the first to report a malicious ‘cyber event’ that disrupted grid operations. … There were no blackouts, no harm to power generation and evidently very little effect on the Western transmission grid.” The concern is that the system was breached. (Source)
A recent POWER magazine report described the basic cyber security framework for power companies:
Identify: Identify the systems, devices, users, data, and facilities that support daily business processes, and appropriately prioritize them. Employ effective risk assessment tools and risk management strategies.
Protect: Develop and implement the appropriate safeguards to ensure the delivery of critical infrastructure services. Properly segment networks, patch systems, remove default or shared passwords, and monitor for unauthorized access or activity.
Detect: Establish appropriate tools and activities to identify the occurrence of a cybersecurity event. Detection needs to occur not only at the perimeter but also within the network. Think like the attacker – setting deceptive decoys and lures for misdirection provides useful safeguards for alerting on and derailing attacks.
Respond: Have the appropriate tools in place. Organizations should continually pressure test tools and processes and conduct incident dry-runs to ensure familiarity, so as not to be put in a situation where teams are learning while responding.
Recover: Maintain plans for resiliency and the ability to quickly restore any capabilities or services that suffered impairment. Use detection tools that capture indicators of compromise and generate forensics on the event. Learn how the threat started and if the attacker has any markers in the system.
It all sounds so logical. Straightforward. Cyber attackers, however, regularly probe for soft spots in the system. Power organizations must check for vulnerabilities and keep them closed.
The industry and stakeholder groups are working together on cyber security. The National Association of Regulatory Utility Commissioners, a well-known and respected group, has developed a Cybersecurity Manual to help state public utility commissions and utilities understand and mitigate cyber risk, for instance. (NARUC cyber report)
The North American Electric Reliability Council, more commonly known by its acronym, NERC, develops and enforces power industry reliability standards. It has been working with the industry to establish guidelines and processes for cyber protection.
Utilities work diligently to prevent cyber security problems, though different utilities have varying degrees of sophistication in fighting cyber threats. What can customers do to help? Little on the actual cyber security front, but a lot when it comes to being prepared. If a cyber event stopped power, customers who are prepared for an outage would reduce problems for everyone.
CNBC did a good summary on November 16 about the way utilities practice for cyber attacks: The energy industry practices for a ‘black swan’ cyberattack that could take down the grid.