With a central role in modern electrical systems, digital substations are of particular interest to cybercriminals. Their use of Ethernet communications to transfer information between substations and utility enterprise systems makes them more vulnerable to attacks, giving hackers the ability to disrupt operations at banks, gas stations, and emergency services. From January through August 2022, there were 101 cyberattacks nationwide on equipment that delivers electricity.
Utility systems and substations, which have a key role in today's electrical infrastructures, can be vulnerable to cyberattacks without proper security measures and protection. Because coordinated cyberattacks can cause highly disruptive outages, substation cybersecurity is essential and should be based on concepts that include defense-in-depth, cyber kill-chain mapping, and intelligence-driven cybersecurity.
New Cyber Threats Force Electric Utilities' Hands
Cybersecurity was not a priority for many electric utilities until recently, prior to national regulatory standards. Advanced threat groups using Pipedream, a malware kit specifically developed to disrupt industrial processes, have attacked critical infrastructures and industrial control systems. Other cyber incidents, like the 2021 ransomware attack on the Colonial Pipeline's IT system — which also raised fears that ransomware would threaten its operational technology (OT) system — have brought to light the threat of cyberattacks, highlighting the importance of cybersecurity for electric energy OT.
In enterprise environments, data theft and manipulation are the primary concerns. Attacks are usually financial and related to productivity losses, repair costs, or the theft of sensitive information. But attacks on electrical supply systems can have a major impact on customers and critical infrastructure.
In the United States, the Biden administration has committed to improving the security of critical infrastructure in banks, electric utilities, and hospitals against cyberattacks with the release of a new National Cybersecurity Strategy. A major component of this is the US Department of Energy's National Cyber-Informed Engineering Strategy. It proactively manages cyber-risk throughout the development of new energy infrastructure, rather than developing a patchwork of security controls after these connected devices are widely deployed. The strategy seeks to guide energy sector efforts to incorporate cybersecurity practices into the design life cycle of engineered systems to reduce cyber-risk.
While regulation is a good starting point for implementing baseline protections and good hygiene practices, it is not enough to ensure the security of our electrical grids. Continuous security strategy improvement, including real-time monitoring and detection capability, is necessary.
Stick to the Basics and Adjust Accordingly
When establishing a cybersecurity architecture, utility companies should establish baseline policies for protection and create standard control systems. Cybersecurity is about risk management, and understanding the consequences of these risks is paramount. The systems' cybersecurity requirements and interfaces should be based on best practices and consequence-driven risk assessments.
Utilities need to focus on three main areas to develop a successful cybersecurity program:
- Determine security program ownership and responsibilities: Anyone involved with electric energy OT control systems, especially system owners or operators, need to make cybersecurity a priority. Using best practices, industry standards, and regulations, each stakeholder must determine the requirements needed for a top-notch security program.
- Create a security strategy with the help of system integrators: System integrators must ensure that systems use and configure the security capabilities of all cyber assets. This includes network architecture, firewalls, and manufacturers' guidelines. This will allow integrators to assess an organization's cyber maturity throughout its lifetime and allow it to adapt to new threats in real time.
- Ensure your manufacturers are informed of any security vulnerabilities through a defined process: Manufacturers must address known vulnerabilities through a defined development process that includes threat modeling, security reviews, and robustness testing. This gives them visibility into the vulnerabilities of the handling process over an entire life cycle.
While developing the appropriate security architecture, companies need to be nimble enough to adapt to new approaches and strategies as new threats emerge.
- Develop top-down security policies that map back to specific goals and objectives: These policies should include technical, procedural, and organizational guidance. It must be clear that security is everyone's responsibility, and the organization's maturity will develop into a security culture.
- Establish processes to enforce policy while leaving room to adapt to change: This includes employee hiring, access restrictions, incident handling, and disaster recovery. The policy should also address security incidents and breaches.
- Remember that no computer system is 100% secure and all contain unknown vulnerabilities: To exchange information in a timely manner, manufacturers and system operators must closely partner. When they share knowledge about incidents with each other and other stakeholders, they can help others prepare for future vulnerabilities. This collaboration will facilitate the timely sharing of operational and strategic threat intelligence.
Balance Between Reliability and Security
Because digital substations are critical elements of electrical systems, they are a prime target for sophisticated cyberattacks. To create a solid cybersecurity strategy, organizations should begin by defining the essential elements and functions of the system. Their strategy should anticipate new threats and adapt, while ensuring ownership across its operations.
The security architecture must also meet the goals of the utility's cybersecurity policies without affecting performance. It must protect critical assets but include communications infrastructure that permits the flow of information. All cybersecurity solutions must help an energy company operating digital substations maximize protection without sacrificing operational reliability.