Understanding risk: cybersecurity for the modern grid.

23/08/2017
Didier Giarratano, Marketing Cyber Security at Energy Digital Solutions/Energy, Schneider Electric discusses the challenge for utilities is to provide reliable energy delivery with a focus on efficiency and sustainable sources.

There’s an evolution taking place in the utilities industry to build a modern distribution automation grid. As the demand for digitised, connected and integrated operations increases across all industries, the challenge for utilities is to provide reliable energy delivery with a focus on efficiency and sustainable sources.

The pressing need to improve the uptime of critical power distribution infrastructure is forcing change. However, as power networks merge and become ‘smarter’, the benefits of improved connectivity also bring greater cybersecurity risks, threatening to impact progress.

Grid complexity in a new world of energy
Electrical distribution systems across Europe were originally built for centralised generation and passive loads – not for handling evolving levels of energy consumption or complexity. Yet, we are entering a new world of energy. One with more decentralised generation, intermittent renewable sources like solar and wind, a two-way flow of decarbonised energy, as well as an increasing engagement from demand-side consumers.

The grid is now moving to a more decentralised model, disrupting traditional power delivery and creating more opportunities for consumers and businesses to contribute back into the grid with renewables and other energy sources. As a result, the coming decades will see a new kind of energy consumer – that manages energy production and usage to drive cost, reliability, and sustainability tailored to their specific needs.

The rise of distributed energy is increasing grid complexity. It is evolving the industry from a traditional value chain to a more collaborative environment. One where customers dynamically interface with the distribution grid and energy suppliers, as well as the wider energy market. Technology and business models will need to evolve for the power industry to survive and thrive.

The new grid will be considerably more digitised, more flexible and dynamic. It will be increasingly connected, with greater requirements for performance in a world where electricity makes up a higher share of the overall energy mix. There will be new actors involved in the power ecosystem such as transmission system operators (TSOs), distribution system operators (DSOs), distributed generation operators, aggregators and prosumers.

Regulation and compliancy
Cyber security deployment focuses on meeting standards and regulation compliancy. This approach benefits the industry by increasing awareness of the risks and challenges associated with a cyberattack. As the electrical grid evolves in complexity, with the additions of distributed energy resource integration and feeder automation, a new approach is required – one that is oriented towards risk management.

Currently, utility stakeholders are applying cyber security processes learned from their IT peers, which is putting them at risk. Within the substation environment, proprietary devices once dedicated to specialised applications are now vulnerable. Sensitive information available online that describes how these devices work, can be accessed by anyone, including those with malicious intent.

With the right skills, malicious actors can hack a utility and damage systems that control the grid. In doing so, they also risk the economy and security of a country or region served by that grid.

Regulators have anticipated the need for a structured cyber security approach. In the U.S. the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) requirements set out what is needed to secure North America’s electric system. The European Programme for Critical Infrastructure Protection (EPCIP) does much the same in Europe. We face new and complex attacks every day, some of which are organised by state actors, which is leading to a reconsideration of these and the overall security approach for the industry.

Developing competencies and cross-functional teams for IT-OT integration

Due to the shift towards open communication platforms, such as Ethernet and IP, systems that manage critical infrastructure have become increasingly vulnerable. As operators of critical utility infrastructure investigate how to secure their systems, they often look to more mature cybersecurity practices. However, the IT approach to cybersecurity is not always appropriate with the operational constraints utilities are facing.

These differences in approach mean that cybersecurity solutions and expertise geared toward the IT world are often inappropriate for operational technology (OT) applications. Sophisticated attacks today are able to leverage cooperating services, like IT and telecommunications. As utilities experience the convergence of IT and OT, it becomes necessary to develop cross-functional teams to address the unique challenges of securing technology that spans both worlds.

Protecting against cyber threats now requires greater cross-domain activity where engineers, IT managers and security managers are required to share their expertise to identify the potential issues and attacks affecting their systems

A continuous process: assess, design, implement and manage
Cybersecurity experts agree that standards by themselves will not bring the appropriate security level. It’s not a matter of having ‘achieved’ a cyber secure state. Adequate protection from cyber threats requires a comprehensive set of measures, processes, technical means and an adapted organisation.

It is important for utilities to think about how organisational cybersecurity strategies will evolve over time. This is about staying current with known threats in a planned and iterative manner. Ensuring a strong defence against cyberattacks is a continuous process and requires an ongoing effort and a recurring annual investment. Cybersecurity is about people, processes and technology. Utilities need to deploy a complete programme consisting of proper organisation, processes and procedures to take full advantage of cybersecurity protection technologies.

To establish and maintain cyber secure systems, utilities can follow a four-point approach:

1. Conduct a risk assessment
The first step involves conducting a comprehensive risk assessment based on internal and external threats. By doing so, OT specialists and other utility stakeholders can understand where the largest vulnerabilities lie, as well as document the creation of security policy and risk migration

2. Design a security policy and processes
A utility’s cybersecurity policy provides a formal set of rules to be followed. These should be led by the International Organisation for Standardisation (ISO) and International Electrotechnical Commision (IEC)’s family of standards (ISO27k) providing best practice recommendations on information security management. The purpose of a utility’s policy is to inform employees, contractors, and other authorised users of their obligations regarding protection of technology and information assets. It describes the list of assets that must be protected, identifies threats to those assets, describes authorised users’ responsibilities and associated access privileges, and describes unauthorised actions and resulting accountability for the violation of the security policy. Well-designed security processes are also important. As system security baselines change to address emerging vulnerabilities, cybersecurity system processes must be reviewed and updated regularly to follow this evolution. One key to maintaining and effective security baseline is to conduct a review once or twice a year

3. Execute projects that implement the risk mitigation plan
Select cybersecurity technology that is based on international standards, to ensure appropriate security policy and proposed risk mitigation actions can be followed. A ‘secure by design’ approach that is based on international standards like IEC 62351 and IEEE 1686 can help further reduce risk when securing system components

4. Manage the security programme
Effectively managing cybersecurity programmes requires not only taking into account the previous three points, but also the management of information and communication asset lifecycles. To do that, it’s important to maintain accurate and living documentation about asset firmware, operating systems and configurations. It also requires a comprehensive understanding of technology upgrade and obsolescence schedules, in conjunction with full awareness of known vulnerabilities and existing patches. Cybersecurity management also requires that certain events trigger assessments, such as certain points in asset life cycles or detected threats

For utilities, security is everyone’s business. Politicians and the public are more and more aware that national security depends on local utilities being robust too. Mitigating risk and anticipating attack vulnerabilities on utility grids and systems is not just about installing technology. Utilities must also implement organisational processes to meet the challenges of a decentralised grid. This means regular assessment and continuous improvement of their cybersecurity and physical security process to safeguard our new world of energy.

@SchneiderElec #PAuto #Power
Advertisements

Power distribution for the digital age.

01/06/2017
Éirin Madden, Offer Manager at Schneider Electric Ireland talks about the smart devices that enable facility managers to take preventive measures to mitigate potential risks in power distribution.

Éirinn Madden

We are currently witnessing the rise of a new chapter in power distribution. After all, today’s digital age is going to impact our lives and business as much as the introduction of electricity did at the end of the 19th century. This is going to bring with it a wave of innovations in power that will blur the lines between the energy and digital space. The traditional centralised model is giving way to new economic models and opportunities, which redefine the core basics of power distribution; efficiency, reliability, safety, security, and performance.

Many of us know the inconvenience of experiencing a blackout at home, but the impact is much more far reaching when it occurs in your corporate facility – from lost revenue and unhappy tenants, to more extreme scenarios like the loss of life. Recently, tourists and shoppers in central London were plunged into darkness after an underground electric cable faulted on a high voltage network caused an area-wide power cut. Theatre shows were cancelled and shops were closed, leaving shoppers and storeowners frustrated and disappointed.

A call to get smart 
How can such outages be prevented? At the core of smart power distribution systems are smart devices that enable facility managers to take preventive measures to mitigate potential risks. These devices have become more than just responsible for controlling a single mechanism. They now measure and collect data, and provide control functions. Furthermore, they enable facility and maintenance personnel to access the power distribution network. 

In many places throughout the power network the existing intelligence can be embedded inside other equipment, such as the smart trip units of circuit breakers. These smart breakers can provide power and energy data, as well as information on their performance, including breaker status, contact wear, alerts, and alarms. In addition to core protection functions, many devices are also capable of autonomous and coordinated control, without any need for user intervention.

Today, hardware such as the Masterpact MTZ Air Circuit Breaker (ACB) has evolved to include new digital capabilities. One of these primary new digital technologies revolves around communication abilities, providing a way to send the data the device is gathering to building analytic software, where it can be put to use.

Building analytics is another enabler for smart power distribution systems, offering an advanced lifecycle managed service that delivers automated fault detection, diagnosis, and real-time performance monitoring for buildings. Information is captured from building systems and sent to cloud-based data storage. From that point, an advanced analytics engine uses artificial intelligence to process building data and continuously diagnose facility performance by identifying equipment and system faults, sequence of operation improvements, system trends, and energy usage. 

Combatting operational efficiency decline
One of the biggest challenges facing facility managers today is the need to maintain existing equipment performance. Components are prone to breaking or falling out of calibration, and general wear and tear often results in a marked decline of a buildings’ operational efficiency. What’s more, reduced budgets are forcing building owners to manage building systems with fewer resources. The issue is then further exacerbated by older systems becoming inefficient over time. Even when there is budget at hand, it is time-consuming and increasingly difficult to attract, develop, and retain staff with the right skills and knowledge to make sense of the building data being generated. 

When it comes to switchgear in particular, there is the challenge around spending when it comes to maintenance and services. There is no doubt that regularly scheduled maintenance extends the life of existing switchgear. However, at some point facilities must decide whether to maintain or replace with new equipment. Of course, although keeping up with equipment maintenance has its challenges, especially with limited resources, the safety and reliability of a facility depends on it and must be the priority. 

Looking ahead with building analytics
For many building owners and occupants, they are also looking at how building analytics can be used beyond just safety and reliability to make a difference to the bigger picture of workplace efficiency. From comfort to space, and occupant services, to management dashboards, organisations are now placing more emphasis on well-being at work. When building analytics recommendations are implemented, the results are obvious – enhanced building performance, optimised energy efficiency through continual commissioning, and reduced operating costs — all with a strong return on investment and an improved building environment.

@SchneiderElec #Power #PAuto @tomalexmcmahon