Contributed by Matthew Cosnek, Manager of Security Solutions for the power and water industries, Emerson
The energy landscape is changing rapidly, driven by aggressive decarbonization efforts. Governments and businesses are striving to achieve ambitious sustainability goals, including net zero. A December 2021 International Energy Agency (IEA) report, "Renewables 2021: Analysis and Forecast to 2026", bears this out, predicting that renewables will account for nearly 95 percent of the increase in global power capacity through 2026.
While the ongoing shift toward renewable energy sources offers environmental benefits, the decentralized nature of renewables is among the factors creating cybersecurity vulnerabilities that must be planned for and mitigated, according to the Royal United Services Institute for Defence and Security Studies' January 2022 report "Securing a Net-Zero Future: Cyber Risks to the Energy Transition."
The industry is responding and investing more in cybersecurity measures. According to Navigant Research, the global market for energy IT and cybersecurity software and services is expected to grow from $19 billion in 2020 to over $32 billion by 2028.
The electric utility industry is well aware that cyber threats are not new. Whatever assets an owner operates, whether fossil, solar, wind or other renewable sources, the fundamental principles of cybersecurity best practice remain the same. It starts with the organization's overall philosophy.
It is essential to protect power-generating plants and other critical infrastructure by developing a security strategy that keeps SCADA and control systems secure and compliant while maintaining generation reliability. That strategy must focus on both compliance and security; security best practices help maintain a strong security posture, and compliance alone does not.
Aligning with industry best practices that are tailored to the requirements of renewable energy generating assets and the owner's organization can be a challenge. One way to approach cybersecurity that accomplishes this involves four key areas: Identify, Protect, Detect and Respond/Recover (the functions of the NIST Cybersecurity Framework, with the last two combined).
Cybersecurity is an organizational risk that can affect strategy, compliance, operations and finances as well as reputation. A risk-based approach to cybersecurity does not attempt to protect against every threat to automation and controls; instead, it identifies vulnerabilities and makes strategic decisions based on the likelihood and impact of each one.
This starts with identifying and inventorying all cyber assets. Many utilities track cyber assets in spreadsheets or databases. Record the location and asset tag of each asset and how it is connected to other devices; the network connections between equipment matter as much as the equipment itself. To show how devices and systems are interconnected, utilities need to create and maintain detailed network topology diagrams, which give them an understanding of what they have and how it is connected.
Understanding the interconnectedness of equipment and systems is the first step toward identifying the challenges in securing operations and meeting compliance obligations. Next, perform an initial vulnerability assessment to establish a baseline, and repeat it every 12 to 18 months to track improvements.
A vulnerability assessment should include a ports-and-services baseline and comparison: identify the open ports and services currently in use and compare them with those the equipment vendors have identified as required for operation. On control networks, gather this data passively or during a planned outage where possible, since active scanning can disrupt fragile controllers. With current network diagrams and accurate data, hardening enhancements that increase the resilience of the network perimeter can be identified, and potential vulnerabilities can be mitigated by hardening ports and services as well as network devices.
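As an added example (not code from the article or from any vendor's tooling), the script below performs the ports-and-services comparison just described. The inventory, the vendor-required service lists and the scan text are constructed sample data; the scan lines use a simplified "Host: ip () Ports: port/state/proto" layout rather than any real scanner's output, and the asset tags, addresses and port numbers are assumptions.

```python
"""Ports-and-services baseline comparison for a renewable-site asset inventory.

Added example, not code from the article or from any vendor product. The
inventory, vendor-required service lists and scan results are constructed
sample data; the scan text uses a simplified one-host-per-line layout.
"""

# Constructed asset inventory keyed by asset tag: location, IP, and the
# services the equipment vendor documented as required for operation.
INVENTORY = {
    "HMI-01": {"ip": "10.10.2.11", "location": "Control room",
               "required": {(502, "tcp"): "modbus-client", (3389, "tcp"): "remote-support"}},
    "PLC-07": {"ip": "10.10.1.7", "location": "Inverter yard B",
               "required": {(502, "tcp"): "modbus", (44818, "tcp"): "ethernet-ip"}},
    "HIST-01": {"ip": "10.10.3.1", "location": "Control room",
                "required": {(1433, "tcp"): "mssql", (443, "tcp"): "https"}},
}

# Constructed scan output, one host per line, "port/state/proto" triples.
SCAN_LINES = [
    "Host: 10.10.2.11 () Ports: 3389/open/tcp, 502/open/tcp, 445/open/tcp",
    "Host: 10.10.1.7 () Ports: 502/open/tcp, 80/open/tcp, 44818/closed/tcp",
    "Host: 10.10.3.1 () Ports: 1433/open/tcp, 443/open/tcp",
    "Host: 10.10.2.50 () Ports: 22/open/tcp",   # host with no inventory record
]


def parse_scan(lines):
    """Return {ip: {(port, proto): state}} from the constructed scan lines."""
    observed = {}
    for line in lines:
        head, _, ports_field = line.partition("Ports:")
        ip = head.split()[1]
        states = {}
        for entry in ports_field.split(","):
            entry = entry.strip()
            if not entry:
                continue
            port, state, proto = entry.split("/")
            states[(int(port), proto)] = state
        observed[ip] = states
    return observed


def compare_to_baseline(inventory, observed):
    """Compare open ports per asset with the vendor-required service list.

    Returns (asset, finding, port, note) tuples with three finding types:
    UNEXPECTED_OPEN  - open port the vendor never listed (harden or document)
    REQUIRED_MISSING - vendor-required service not reachable (availability risk)
    UNINVENTORIED    - responding host with no inventory record (back to Identify)
    """
    findings = []
    ip_to_tag = {a["ip"]: tag for tag, a in inventory.items()}
    for tag, asset in inventory.items():
        required = asset["required"]
        seen = observed.get(asset["ip"], {})
        open_ports = {k for k, state in seen.items() if state == "open"}
        for port, proto in sorted(open_ports - set(required)):
            findings.append((tag, "UNEXPECTED_OPEN", f"{port}/{proto}",
                             "not in vendor baseline; close it or document why it is needed"))
        for port, proto in sorted(set(required) - open_ports):
            findings.append((tag, "REQUIRED_MISSING", f"{port}/{proto}",
                             f"vendor-required {required[(port, proto)]} not reachable"))
    for ip in sorted(set(observed) - set(ip_to_tag)):
        findings.append((ip, "UNINVENTORIED", "-",
                         "host answers on the control network but has no inventory record"))
    return findings


def open_port_set(observed):
    """Flatten a scan into {(ip, port, proto)} of open ports for assessment-to-assessment drift."""
    return {(ip, port, proto) for ip, states in observed.items()
            for (port, proto), state in states.items() if state == "open"}


def drift(previous_open, current_open):
    """Ports newly opened and ports closed since the previous assessment."""
    return sorted(current_open - previous_open), sorted(previous_open - current_open)


if __name__ == "__main__":
    current = parse_scan(SCAN_LINES)
    for row in compare_to_baseline(INVENTORY, current):
        print("%-12s %-17s %-10s %s" % row)
    # Constructed prior assessment: 445/tcp on the HMI was not open back then.
    previous = open_port_set(current) - {("10.10.2.11", 445, "tcp")}
    opened, closed = drift(previous, open_port_set(current))
    print("newly opened since last assessment:", opened)
```

UNEXPECTED_OPEN findings are hardening candidates, REQUIRED_MISSING findings are reliability problems to raise with operations before anyone "fixes" them, and UNINVENTORIED hosts go back into the inventory step. The drift function is what makes the 12-to-18-month re-assessment useful: it reports what has opened or closed since the last baseline instead of repeating the whole list.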
Vulnerability assessments expose what could be improved to enhance the overall security posture of a system or asset. Once an organization understands how its renewable generators work together and how secure they are, the next step is to determine what can and should be done to strengthen and secure the SCADA and control systems.
This category (Protect) includes system hardening, user management, patch management strategies, and anti-virus and anti-spyware programs, along with measures that address the human factor.
It is important to use common sense so that initiatives are practical and not so restrictive that they compromise reliability. Consider the difference between unique and shared accounts. Best practice in other industries is that every user who logs onto a system has a unique account. That policy is hard to implement where operators change shifts: logging out at the end of a shift so that the next operator can log on could leave the utility without access to the system until the incoming operator has logged in. Operators in the power industry therefore often use shared accounts, while engineers, administrators and other personnel have their own accounts so that their activity can be tracked.
Multiple tools and techniques can compensate. Even though operators may share an account, security cameras and logbooks can be used to establish who was at the console and track down the identity of whoever inadvertently or maliciously caused an incident.
It is also important to consider the human factor. In most cases the number-one threat to the system is not someone halfway around the world hacking in; it is the person who just returned from vacation, wants to show everyone his or her pictures, and unknowingly inserts an infected USB drive into a computer. Good first steps to address the human factor are cybersecurity awareness training, a secured-USB program (scanning or sanitizing removable media and blocking unapproved devices), and policies that limit what can be done on the system.
After creating security programs, hardening systems, defining a defense strategy and setting up security protocols, it is important that all systems are closely monitored. This includes security information and event management (SIEM) logging, configuration change management, network monitoring and internal policy audits.
Utility companies should review logs manually or deploy a solution that monitors assets and alerts personnel when thresholds are exceeded. Keep in mind that an alert does not always mean someone is trying to hack into the system; it could be something else entirely. For example, if a system password is changed and a process on a machine keeps trying to log in with the old one, hundreds or thousands of failed log-in attempts may appear. That is not malicious, but it shows that something has changed and should be addressed.
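The following is an added example (not code from the article or from any SIEM product) of the threshold alerting described above, run over constructed log lines. It raises a per-account alert when failures exceed a threshold inside a sliding window and attaches a triage hint: failures at a fixed cadence from a single source point to an automated process with a stale password, the benign case in the paragraph, while irregular or multi-source failures are treated as a possible attack. The log layout, host names, accounts, addresses, the 5-minute window, the 20-failure threshold and the 4-account spray limit are all assumptions.

```python
"""Threshold alerting on failed logons, with triage hints.

Added example, not code from the article or from any SIEM product. The log
lines are constructed in a syslog-like layout; the host names, accounts,
addresses, 5-minute window, 20-failure threshold and 4-account spray limit
are assumed values that a site would tune.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

WINDOW = timedelta(minutes=5)   # assumed sliding window
THRESHOLD = 20                  # assumed: failures per host/account inside WINDOW
SPRAY_ACCOUNTS = 4              # assumed: distinct accounts failed from one source

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) logon: result=(?P<result>\w+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)")


def sample_lines():
    """Constructed log: a historian collector whose stored password is stale
    (40 failures, one account, one source, every 15 s), one source trying
    five different accounts on the HMI, then a normal successful logon."""
    t0 = datetime(2022, 3, 14, 2, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%S"
    lines = [f"{(t0 + timedelta(seconds=15 * i)).strftime(fmt)} hist01 logon: "
             f"result=FAIL user=svc_hist src=10.10.3.1 reason=bad_password"
             for i in range(40)]
    for i, user in enumerate(["operator1", "operator2", "engineer", "admin", "svc_hist"]):
        lines.append(f"{(t0 + timedelta(seconds=37 * i + 3)).strftime(fmt)} hmi01 logon: "
                     f"result=FAIL user={user} src=10.10.2.50 reason=bad_password")
    lines.append(f"{(t0 + timedelta(minutes=12)).strftime(fmt)} hmi01 logon: "
                 f"result=OK user=operator1 src=10.10.2.11")
    return lines


def parse(lines):
    """Parse the constructed layout into dicts sorted by time; skip lines that do not match."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                           "result": m["result"], "user": m["user"], "src": m["src"]})
    return sorted(events, key=lambda e: e["ts"])


def densest_window(times):
    """Largest number of (sorted) timestamps that fall inside one WINDOW."""
    best, j = 0, 0
    for i, t in enumerate(times):
        while times[j] < t - WINDOW:
            j += 1
        best = max(best, i - j + 1)
    return best


def failed_logon_alerts(events):
    alerts = []
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[(e["host"], e["user"])].append(e)
    for (host, user), evs in fails.items():
        times = [e["ts"] for e in evs]
        count = densest_window(times)
        if count < THRESHOLD:
            continue
        sources = sorted({e["src"] for e in evs})
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # A process retrying an old password fails at a fixed cadence from one place;
        # people and attack tools do not. Low jitter suggests a stale credential.
        regular = len(gaps) >= 3 and pstdev(gaps) <= 0.1 * mean(gaps)
        if len(sources) == 1 and regular:
            hint = ("fixed cadence from a single source: most likely an automated process "
                    "using a stale credential after a password change; not an intrusion, "
                    "but it must be fixed")
        else:
            hint = "irregular timing or several sources: treat as a possible credential attack"
        alerts.append({"rule": "FAILED_LOGON_BURST", "host": host, "user": user,
                       "count": count, "sources": sources, "hint": hint})
    # One source failing against many accounts is the opposite pattern: the volume
    # per account is low, so a per-account threshold alone would miss it.
    by_src = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            by_src[e["src"]].add(e["user"])
    for src, users in by_src.items():
        if len(users) >= SPRAY_ACCOUNTS:
            alerts.append({"rule": "MANY_ACCOUNTS_ONE_SOURCE", "src": src,
                           "accounts": sorted(users),
                           "hint": "one source trying many accounts: password guessing until proven otherwise"})
    return alerts


if __name__ == "__main__":
    for alert in failed_logon_alerts(parse(sample_lines())):
        print(alert)
```

Run on the sample, the script raises one burst alert for the historian service account with the stale-credential hint and one spray alert for the single source that tried five accounts. The point of the hint is not to suppress the alert but to send it to the right queue: the first goes to whoever changed the password, the second to the incident responder.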
Another guideline is to track all system changes, even those made on purpose. When an engineer makes a change, it should be documented on a change sheet so that it can be confirmed as permissible; any change that cannot be confirmed as permissible is cause for concern. Change can be managed through both manual and automated processes.
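As an added example of the automated side of that process (not code from the article or from any vendor's change-management product), the script below hashes a tree of control-logic and configuration files, compares it with an earlier baseline, and reconciles every difference against the approved-change records, so that a change with no record stands out and an approved change that was never applied is also caught. The file names, contents, ticket numbers and record fields are constructed for the example.

```python
"""Configuration change reconciliation for control-logic and config files.

Added example, not code from the article or from any vendor product. The
sample files, the prior baseline and the approved-change records are all
constructed here; the file layout and record fields are assumptions.
"""
import hashlib
import os
import tempfile

# Constructed file tree at the time the baseline was taken.
BASE_FILES = {
    "logic/turbine_ctl.st": b"PROGRAM TurbineCtl\n  PitchCmd := 12.0;\nEND_PROGRAM\n",
    "config/alarm_limits.csv": b"tag,hi,hihi\nGEN_TEMP,85,95\n",
    "config/network.conf": b"hmi01=10.10.2.11\nhist01=10.10.3.1\n",
}
NEW_TURBINE = b"PROGRAM TurbineCtl\n  PitchCmd := 14.5;\nEND_PROGRAM\n"
NEW_NETWORK = b"hmi01=10.10.2.11\nhist01=10.10.3.1\nhist02=10.10.3.2\n"

# Constructed change sheet: each approved record carries the hash of the file
# as it should look after the change, so "applied" can be verified, not assumed.
APPROVED = [
    {"path": "logic/turbine_ctl.st", "ticket": "CR-1041",
     "new_sha256": hashlib.sha256(NEW_TURBINE).hexdigest()},
    {"path": "config/network.conf", "ticket": "CR-1050",
     "new_sha256": hashlib.sha256(NEW_NETWORK).hexdigest()},
]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> sha256 for every file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return out


def reconcile(baseline, current, approved):
    """Classify each difference between two snapshots against the change records.

    approved:  changes with a record; current content matches the approved hash
    unapproved: modified, added or removed files with no matching record
    approved_not_applied: records whose approved content is not what is deployed
    """
    by_path = {rec["path"]: rec for rec in approved}
    report = {"approved": [], "unapproved": [], "approved_not_applied": []}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue
        kind = "modified" if old and new else ("added" if new else "removed")
        rec = by_path.get(path)
        if rec and rec["new_sha256"] == new:
            report["approved"].append((path, kind, rec["ticket"]))
        else:
            report["unapproved"].append((path, kind))
    for rec in approved:
        if current.get(rec["path"]) != rec["new_sha256"]:
            report["approved_not_applied"].append((rec["path"], rec["ticket"]))
    return report


def write_tree(root, files):
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)


def demo():
    """Build the sample tree, baseline it, apply constructed changes, reconcile."""
    with tempfile.TemporaryDirectory() as root:
        write_tree(root, BASE_FILES)
        baseline = snapshot(root)
        write_tree(root, {
            "logic/turbine_ctl.st": NEW_TURBINE,                           # approved, CR-1041
            "config/alarm_limits.csv": b"tag,hi,hihi\nGEN_TEMP,90,99\n",   # no record filed
            "logic/feeder_b.st": b"PROGRAM FeederB\nEND_PROGRAM\n",         # new file, undocumented
        })
        return reconcile(baseline, snapshot(root), APPROVED)


if __name__ == "__main__":
    for section, rows in demo().items():
        print(section, rows)
```

In the sample run the turbine logic change is matched to CR-1041, the alarm-limit edit and the new feeder program show up as unapproved, and CR-1050 is reported as approved but not applied because the deployed network file still has the old hash. Keying approval on the hash of the intended result, rather than just on the path, is what stops a change record from being used as cover for a different edit to the same file: such an edit lands in both the unapproved and the approved-not-applied lists.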
Owners of renewable assets should be prepared for something to go wrong even when they have done everything right; this is where Respond/Recover comes in. Whether or not a site has been designated a critical asset, it must have an incident management plan that details the actions to take in response to external and internal malicious threats and attacks. Disaster recovery procedures are just as important.
While there are many ways to implement a disaster recovery process, one thing every organization should be aware of is the importance of backups. Reliable backups, whether complete machine images or control logic, can greatly reduce the time taken to recover from certain incidents. Backups should be kept where an intruder on the control network cannot reach them, and they should be proven by actually restoring them; a backup that has never been restored is an assumption rather than a recovery capability. Whatever approach is chosen, the response plan must be well planned and tested at least annually.
Security is not a project or a product; it is a process that is constantly evolving. Renewable asset owners must treat cybersecurity as part of their overall system life-cycle care and regular maintenance programs. Organizations should plan for regular maintenance as well as an update plan for security-related products every two to three years in order to remain current. Anti-virus software may run on a computer for years, but if it isn't updated regularly, does it still provide the protection it did when it was installed?
Secure systems through cybersecurity initiatives
Operational reliability is essential, and meeting compliance obligations alone is not enough. Equally, a strong security program does not by itself guarantee that an organization is compliance-ready. Utility companies can ensure both compliance and reliable plant operation by focusing on compliance and best practices together.
These cybersecurity guidelines can help ensure that renewable assets continue to produce clean, renewable and dispatchable electricity when it is needed most.
About the author
Matthew Cosnek manages security solutions at Emerson for the water and power industries. He is responsible for setting the direction of Emerson's security solutions business, including establishing product and service roadmaps and providing sales support. Matthew is a leader of the Ovation cyber emergency response team and helps to ensure that Emerson gives its users timely notice of current threats and malware campaigns. He holds a BSc with a Computer and Electrical Engineering concentration, a master's degree in business and a variety of industry certifications focused on the defense and security of industrial control systems.