Cyber security in energy sector – crucial part for the energy independence

ECO RESET Bitola

Association for Environmental Protection and Energy Efficiency

Project

“Cyber security in energy sector – crucial part for the energy independence”

CYBER SECURITY OF ENERGY PLANTS

Supported by

ECO RESET Bitola

2373168 Ontario Inc, M4S2R9 Toronto Ont Canada

Nowhere is cyber security more important than in the energy sector. Improving energy access is central: modern energy services drive economic growth and power schools, hospitals, critical infrastructure and essential services. The convergence of growing energy demand, integration of renewable energy technologies and grid modernization continues to transform the energy sector. But as energy systems continue to advance technologically, they have become increasingly vulnerable to cyber-attacks. USAID, together with the American Energy Association (USEA) and “Energetics Incorporated”, is working to develop tools and resources to improve cyber security in the energy sector by creating the manual “Cyber Security and Digitization of the Electric Power Sector”. This guide provides an introductory overview of the cyber landscape that utilities should be aware of. One of the key messages of the handbook is that new technologies can help, but a trained, dedicated workforce and the processes they put in place and enforce are essential to stay on top of cybercrime.

The goal is to integrate cybersecurity into utility business processes involving people, processes and technology, no matter where those utilities are in the world. Many companies are slow to acknowledge cybersecurity risks, often waiting for an incident to cause a crisis that forces them to act. However, it is almost universally true that having prepared for such a situation is the cheaper and more efficient option. With the right policies and investments, organizations can improve their security posture, reduce the risk of cyber-attacks, and, if an attack does occur, minimize its impact.

While all businesses need to address the potential impacts of a cyber-attack, utilities must also consider the cyber-physical consequences. Utilities rely on operational technology (OT), the systems and devices that increasingly control the physical work of delivering energy to customers. Hackers may seek access to these cyber-physical devices and cause security problems, service interruption and/or destruction of physical assets; the likelihood of a successful attack depends in part on how OT networks are built and managed. The potential threat to energy delivery elevates cyber security beyond a normal business concern into a matter of national interest.

The Cybersecurity and Digitization in the Power Sector Handbook provides a comprehensive introduction to the cyber security threats, vulnerabilities and risks facing today’s power sector utilities. The manual also introduces potential solutions to these problems. Integrating cyber security into the utility business model is extremely important. Investments in cyber security generally do not generate revenue. Their purpose is to protect income-generating assets and ensure the availability of those assets. The role of cyber security in protecting utility OT has only recently begun to gain importance but is fast becoming a vital factor. As digitization trends accelerate and utilities integrate long-distance digital connections with formerly analog equipment, cybersecurity risks become a key concern. Over time, OT has been optimized by increasing connectivity and visibility into systems, moving from manual control, to wide area control, to a future highly connected state (smart connected systems, Internet of Things [IoT]), with data flowing through the system and outside it (e.g., to vendors). Advanced functionality from digitization provides tremendous value for utilities, but also introduces cybersecurity risks. The ability to make changes to the network via computer means that cyber intruders who gain access to these systems can do great damage.

Additionally, the generation mix is changing to include more distributed energy resources, making grid control more complex. To maintain safe and reliable electricity delivery, utilities must gain visibility into what is happening on the grid and improve their ability to manage assets.

The 2015 cyber-attacks on a distribution company in Ukraine demonstrated unequivocally the vulnerabilities introduced by digital advances. The attackers used the controller’s functionality to cause power outages and then tried to destroy the machines so that the affected enterprise could not react. It may seem unrealistic that such an attack would be carried out against you, but good risk management practices are necessary because cyber-attacks can be devastating – not only to your security but also to public safety, regional security and the regional economy. Even where a large-scale attack is unlikely, utilities are vulnerable to common cyber incidents stemming from outsiders looking for weaknesses in utility networks. These actors have a wide range of motivations, from reckless curiosity to illegal acquisition of benefits, malice, etc. Regardless of their objective, adversaries have access to increasingly effective and innovative tools and techniques.

One of the most effective ways to integrate cybersecurity into your operations is to drive a culture of security from executive management down through all levels of staff. A culture of security encourages conversation and coordination across company segments on security issues, particularly between information technology (IT) and OT staff. Increasing communication can be a low-cost way to begin to understand and address cybersecurity risks. A security culture also instills in staff the knowledge and behavioral patterns that protect utility systems. In short, a security culture leads to fewer cyber incidents.

There are many frameworks for assessing cybersecurity posture, capabilities or maturity, and developing improvement plans. Basically, every framework tends to follow the same three steps:

1. Assessment of the current situation: Where are we now?

2. Desired future state: Where do we want to be?

3. Gap analysis and prioritization: How do we get there from here?

Choosing a cybersecurity framework (i.e., identifying the “right” framework) is less important than getting started. Frameworks are simply tools to help you understand your current status, set future goals, and develop a roadmap for achieving those goals. Developing the technical details of a cybersecurity roadmap can be challenging, especially for those new to cybersecurity. Making investments in cybersecurity can resemble the old advertising adage: “Half the money I spend on advertising is wasted; the problem is that I don’t know which half.”

A cybersecurity technology or policy will really add value to your company. To help with decision-making, this Handbook devotes several sections to identifying and protecting your most important assets. The manual also explains the role of measurement and metrics in validating or adjusting those decisions. As your organization matures beyond the basics, you’ll learn to recognize potential threats, potential impacts, and internal vulnerabilities…and prioritize accordingly.

The first steps you take to improve your cybersecurity capabilities usually have the biggest impacts, reducing risks more substantially than subsequent actions. As your organization matures and capabilities advance, incremental improvements result in less risk reduction and decisions may require more consideration of your organization’s specific goals. For utilities, the most important operational and safety objectives usually focus on OT. OT differs from IT in that OT must operate 24–7 with limited scheduled downtime. Also, OT has a life cycle of up to 30 years and is therefore not easily replaceable, and threats may have changed significantly since OT was installed.

…..

https://www.usaid.gov/digital-development/cybersecurity