Claire Volkwyn spotlights the changing dynamics of utility cybersecurity.
The utility industry is transforming with new opportunities that are improving operational efficiency, productivity and resiliency across the electricity value chain.
The attack surface for utility infrastructure continues to expand as intelligent distribution systems, sensors and IoT devices aid in the visibility of the electrical system and assist with ensuring power delivery in the most efficient and reliable manner.
With this expansion comes a greater need to ensure that security is properly implemented end-to-end. According to an ESG survey, 74% of respondents say their organisation has been impacted by shortages of security skills. The security landscape is getting more complicated and the stakes are rising. As we connect everything, anything can be disrupted and everything from the cloud to the edge needs to be considered and protected.
Cloud computing represents a major shift from traditional computing, one that enables users – whether businesses or government agencies – to do more, faster. In part, this shift is due to the way in which cloud services are provisioned and maintained, allowing customers to tap into the power of cloud data centres and services without having to build, manage or maintain them.
Data hosted on premise is not free from cybersecurity risks. It is subject to many of the same cyberattacks as cloud solutions, but with the disadvantage of lacking the immediate access to cloud providers’ multinational resources and security measures, which are a major focus for these providers.
Cloud providers recognise that trust is a fundamental part of their business model and do their utmost to keep it. Moreover, cloud providers also use security to differentiate themselves, hiring the best talent in the space and dedicating significant resources to its development. For example, Microsoft invests more than $1 billion in security annually.
Additionally, a large pool of clients can work to the benefit of security, as it allows cloud providers to look for security intelligence across the whole environment, which is generally much larger than an average corporation’s traditional on-premise infrastructure.
The very process of migrating data and services to the cloud can increase the security and resilience of an organisation’s computing infrastructure. This is because migration can act as a forcing function for robust data governance, making organisations not only more aware of the data they retain, but also more purposeful about how they treat it.
And finally, it’s important to acknowledge that most technology providers have adopted a cloud-first approach. As a result, most of their innovation is delivered in the cloud and only later translated into on-premise solutions.
The comparative speed of updates in the two environments therefore represents a significant advantage for cloud over traditional implementations, and many of these developments are in security. Cloud security can not only compete with security delivered on-premise, but has several distinct advantages.
Speaking in a webinar during the DISTRIBUTECH+ series, Dr John Lemmon, global power and utilities leader at Microsoft’s Azure Energy Engineering, said that as the landscape of power and utilities – and indeed the grid in general – becomes more digitised, decarbonised and decentralised, the value proposition for cloud starts to increase.
This, he said, brings about scalability and the capability to add high-powered computing, provide more insights into what’s going on on the distribution side and coordinate with the overall transmission and utility side. Part of the transition for this digital transformation is being able to secure utility data in the cloud.
“Cybersecurity is needed across the full value chain of a utility,” Lemmon says. “And at multi-scale across different data platforms.”
Lemmon explains: “it’s a case of edge security – to IoT security – to cloud security.”
“If we think about edge security, in my mind it’s one of these emerging technologies for things like SCADA listening, anomaly detection, data stream analysis, and signal analysis. Intelligence actually gives us the benefit of being able to create self-detect and self-healing algorithms for security reasons,” he says.
On the IoT side, there is automated asset discovery, vulnerability management and integration. On the cloud side, you can collect data, process infrastructure, and detect threats through analytics and threat intelligence, and also investigate and hunt down suspicious activities and respond in an orchestrated and automated manner.
Lemmon points to responsibility as a key reason to shift to cloud computing, saying that “as you migrate from an infrastructure platform as a service and software service, the actual responsibilities for the security starts to migrate over to the cloud provider”.
He continues that many cloud providers are independently audited by a variety of organisations, including FedRAMP, the federal risk and authorisation management programme that is enabled by NIST standards and guidelines.
Joining him in the DISTRIBUTECH+ debate was Carl Imhoff, electricity market sector manager at Battelle Pacific Northwest National Laboratory. Imhoff chairs the grid modernisation lab consortium where a key focus is cyber and physical security. Imhoff notes: “There are two big transitions I wanted to highlight. The first from five years ago. A lot of the utilities were very uncomfortable getting into the cloud environment. Now, however, there’s been quite a bit of uptake and transformation in terms of their interest in engagement. Since then, we as a laboratory have been very involved in both commercial cloud activities and government cloud activities.
“The second big transition we’re seeing is one towards an acceptance of open platforms for some of the new innovation analytics that need to be delivered to the industry. We’re seeing it across the Department of Energy’s North American Energy System Resilience Modelling effort, where they’re partnering with NERC to put in place some new tools to help build resilience at a national scale.
“This is leveraging some of the big open-source platforms that we’ve developed as part of the Federal agenda there. Utilities like Avista and Duke and others are starting to look at open-source platforms for advanced distribution management systems and other things.”
About three years ago P&L worked with the Midwest ISO to develop a next generation tool to predict what the load is going to be going forward and match the generation to meet that load. It’s called the security constraint unit commitment and it’s a way they can predict supply and demand forecasts and create very large, complex computational challenges. “And then the world changes, they move the goal posts, and we have to add a lot of distributed resources and other sources of complexity into the power system markets,” says Imhoff.
“We worked with GE grid solutions, University of Florida, Cognitive Analytics and others to put together a next generation security constraint optimiser that can handle the complexity and scale of distributed resources like energy storage, etc. going forward.
“It will include both high performance computing to better segment the problem, and some advanced optimisation algorithms to improve that ability. What used to take us about three hours to calculate now is down to about 20 minutes, and it’s able to handle much more complexity in terms of the types of assets on the power system.”
Imhoff moves on to a topic he says is at the core of grid security: “The whole notion of the protection system, when the grid is close to a blackout. In the Western Interconnection, they call it Remedial Action Schemes and it can take a phenomenal amount of preplanning and design. And typically, they’re mostly manual.
“They can handle up to about 500 scenarios, but it can sometimes take months or years to go through all the analytics to set up these remedial action schemes. We started our journey a couple of years ago to see if we could leverage the emerging phasor measurement data coming off the grid – in this case, the Western System.
“And we teamed with Idaho Power and PacifiCorp to see if we couldn’t use high performance computing and machine learning, all benefiting from a cloud environment to do what’s called a remedial action scheme. In other words, it’s looking at real-time conditions on the system. In real time, lookups on the past performance to identify similar situations enables more precise optimisation on the real action schemes. This makes them more precise, protects more equipment more effectively, reduces the scope of a blackout and makes it easier for the operating entities to bring back online.
“I mentioned it was a manual approach; typically you can handle up to about 500 scenarios with this approach. But if the planners are able to use up to say 10,000 scenarios, they can look at much more complex attack planes or risk scenarios that they need to deal with to help protect the system. And they can perform at about 10 extra speeds. So instead of months to years to do the setups, it can be done in days.
“It can transform our ability to protect the system.”
Wolfgang Loew has been an active part of the European Network for Cybersecurity (ENCS) network since his company, Austrian utility EVN, joined as one of ENCS’ early members in 2014. Since then, Loew has become CISO at EVN, joined the Assembly Committee at ENCS and worked with E.DSO and various EU bodies – a man who works tirelessly to improve cybersecurity in the energy sector. We caught up with him in December 2020.
“We joined ENCS in 2014,” says Loew. “We weren’t founding members, but we were early to join the network as even back then, we could see the need for partnership on cybersecurity and a secure environment where we could work together with others. In particular, we wanted to work with specialists for testing and implementing network components, and we needed to do so in a trusted environment.”
EVN has worked with ENCS on a multitude of projects over the past six years, specifically on the utility’s smart meter rollout, setting the security requirements for the components and then testing them.
“Of course, this is probably one of the most important projects we’ve undertaken with ENCS. Obviously, the smart meter rollout is happening. However, it’s essential that the whole system is designed, specified and procured with utmost care to prevent the introduction of avoidable security flaws. No cybersecurity is perfect, but when thinking about such a far-reaching initiative, anything less is unacceptable.
“So, we worked with ENCS to shape the cybersecurity requirements that we issued to potential vendors – which is helpful to the vendors too, as it gives them direction. Then we worked with ENCS specialists to conduct rigorous on-site penetration testing before any orders were placed.
“We take this approach with other components too, of course, such as RTUs. It may sound onerous for the vendors, but actually it is very collaborative. We can even involve them in the testing process so that issues can be fixed and, ultimately, we are all working towards the same outcome: a secure grid.
“Designing the specifications across both meters, network and components has meant that EVN can purchase smart meters and other components with confidence.
“EVN has always been good at prioritising security and we take the topic seriously – we have to in order to provide services our customers are expecting. Take smart meters – the project most visible to end-customers. There is a breaker unit involved, meaning a threat to security of supply, and GDPR relevant data, meaning privacy concerns. That’s two hugely important cyber threats in one component, so we see no choice but to take that seriously.
“Like a lot of industries, ours has had to cope with the abrupt shift to working from home. At EVN, we were fortunately already more or less prepared for that, but obviously needed to scale up the infrastructure to allow for everybody doing it at once.
“In terms of materially new threats, there has been a noticeable rise in phishing attacks across the sector, taking advantage of people working from home and communicating 100% digitally. In a way this has underlined a message we have been repeating for years: that security is a mindset, not a function, and the responsibility of everyone at the company, not just a few of us in infosec and IT. This will only become truer as companies move more infrastructure into the cloud. It’s a problem for COVID-19, but also for the future.”