Technology and the critical infrastructure that support our personal pursuits and business operations are ripe targets for cyberattacks. In particular, the electrical grid that transmits electricity from its point of production to end consumers – and the critical systems that monitor and control the grid – are vulnerable to large scale, disruptive attacks. In the last quarter century, technological advances in the energy industry have revolutionized grid management. From smart meters to emerging battery storage technologies for intermittent energy sources, technology has allowed utilities to substantially improve grid reliability and resilience. But as the grid continues to electrify with increasing shares of renewable output, cybersecurity risks continue to increase.
The energy industry has become increasingly reliant on big data: utilities and plant operators continually harness an ever-expanding volume of data from a variety of sophisticated meters and plant equipment. For example, smart inverters allow installers and operators to quickly diagnose operations and maintenance issues and even adjust to improve grid functionality by minimizing voltage fluctuations. Supervisory control and data acquisition (SCADA) systems and industrial control systems (ICS) continue to become more and more connected, allowing improved real-time management of power plants. While grid modernization and its associated connectivity provide substantial improvements to grid management capabilities, they also expose the grid to new risks.
Advances in Technology Bring Cybersecurity Risks
As the industry capitalizes on technologies that allow for real-time data collection, interpretation, active control, and management of both renewable and traditional resources, there is even more opportunity for hackers to disrupt these systems. Specifically, in order to operationalize real-time data collection, devices and systems have to be connected to the internet, as well as to other devices. This is typically referred to as the internet of things (IOT). The IOT creates a network of data points and devices that have the ability to collect, analyze and share useful data, allowing everyday technologies, like thermostats, refrigerators, and washing machines, to become “smart,” learning and adapting to our preferences.
As a result of this interconnectedness, cybersecurity must be addressed at the consumer and component level. Each control with a physical or cyber access point presents an opportunity for intrusion. Access to the components must be controlled and data integrity protected. Increasingly, power plant operators, independent system operators, and utilities are implementing cybersecurity programs and requiring their vendors to do the same to reduce the risk of vendor-based system breaches.
Renewable energy systems contain several layers of cybersecurity elements that companies should consider. First, companies must determine who will be authorized to access systems for remote, cyber, and physical control of the data. Access should be subject to multi-factor authentication and monitored carefully for intrusion and anomaly detection. Security protocols, applications, patches and maintenance should be regularly deployed and implemented. Operational policies and procedures should support and encourage human interaction with systems whenever reasonable. Additionally, periodic security assessments and robust emergency response plans should be regularly performed, updated, and understood by team members.
The U.S. power grid has long been considered a likely target for cyber-attacks. In March of 2018, CNN reported that the U.S. government accused Russia of remotely targeting the U.S. power grid. The Department of Homeland Security cited what it called a multi-stage effort by a foreign entity to target specific critical infrastructures within the U.S. Given the increase in sophistication of cyber-attacks coupled with spikes in global tensions between countries, the possibility of cyber-warfare on significant infrastructure is a real threat. The question is not whether there will be a significant cyber-attack on the Nation’s power grid, but when it will happen and what can be done to mitigate the damage.
Vendors as Attack Vectors
Cyber criminals have become increasingly sophisticated and opportunistic. This has resulted in a targeted campaign on vendors as the ‘weak link’ in an attack against an enterprise organization or critical industry. The energy industry has taken several steps to secure systems from these types of attacks. For example, utilities and plant operators often establish separate internal-to-plant and external-to-plant-vendor internet networks to minimize the potential of a cyberattack on output-critical systems. They impose limitations on external devices used by vendors, including requiring vendors to develop data and systems security programs that provide intrusion detection and interception procedures in the event of a breach. Energy companies often require vendors to use national standards and best practices, particularly relating to coding practices that seek to avoid key coding and programming errors. Some standards are developed in connection with government agencies or research universities. For example, many companies are now required to use encryption algorithms endorsed by the National Institute of Standards and Technology (NIST) to protect sensitive and proprietary data.
The industry is largely moving towards including these types of requirements, along with specific requirements regarding data security standards, data governance, and data incident response (such as increasingly shorter times to notify contractual parties of a data breach), and identifying specific damages provisions in the event of a cyber-attack. Contractual provisions are often accompanied by a stipulation that data breaches and system hacks may cause immediate and irreparable harm, allowing the counterparty to seek injunctive and other equitable relief. Counsel for vendors should carefully review these contractual provisions to ensure their clients are aware of the significance of such clauses. Similarly, counsel for enterprise companies should consider not only which contractual provisions to include, but also the mechanisms and oversight provisions to be built into the agreement to ensure vendor compliance.
Practical Steps to Mitigate Risk
Counsel should advise clients involved in the energy industry to assess cybersecurity risk and consider implementing the following key preparations to help prevent these attacks and/or mitigate the fall-out from an attack:
- Develop a cybersecurity program and procedures that identify risks and implement protections. This includes a thorough assessment of possible threats, analysis of potential vulnerabilities, and investigation of the potential consequences of action or inaction in normal business operations. At a minimum, companies should identify which individuals will have remote, cyber, or physical control of data or system access – limiting that control and access, and subjecting it to multi-factor authentication.
- Continually monitor systems for intrusion and anomaly detection.
- Regularly deploy and implement applications, patches and maintenance to company systems – which requires ongoing monitoring of emerging cybersecurity threats.
- Conduct periodic security assessments and enact robust emergency response plans.
- Implement operational policies that support and encourage human interaction with systems whenever possible. Every individual with system access should be trained in security protocols and should be familiar with the emergency response plan including, but not limited to, shutdown procedures in the event of a breach.
- Develop an education protocol for key personnel.
Some of the greatest challenges to preventing cyber-attacks are a lack of knowledge or strategy to mitigate new risks that emerge as a result of increased complexity and interconnectedness of modern electrical systems. Counsel should advise energy clients to educate themselves about the risks, threat actors, attack vectors and prior incidents involving power grid attacks. Preventing an attack will require not only improving the security of the power grid, but understanding the vulnerabilities from both a human and a technical perspective. For example, attackers can use social engineering techniques to gain information about systems, networks, and controls relating to power generation, transmission or distribution. Social engineering is the process of using deception to manipulate individuals into divulging confidential or personal information to be used for fraudulent purposes. Another example of social engineering is spear phishing, where a would-be cyber-attacker sends a legitimate-looking email containing malicious software to infiltrate a network and directly access controls within a system or gather information that can be transmitted back to the attacker. Many of these initial threat vectors can be prevented simply by educating companies about the potential threats and how to deal with them.
The electrical grid continues to evolve and is becoming more advanced and fluid. Although originally designed as a one-way transmitter of energy to the end consumer, it is now more agile and required to accept energy from multiple sources such as excess energy produced by consumers via distributed solar PV installations. With technological advances such as the interconnection of distributed energy resources (DERs) such as battery and storage systems, the Nation’s power grid will continue to become a more interactive system. This allows for unprecedented opportunity in the adoption of increased volume of renewable energy sources – but also presents ever-increasing cybersecurity risks.
What We Can Expect Next
Each October, the U.S. Department of Homeland Security, in partnership with the National Cyber Security Alliance, observes National Cybersecurity Awareness Month (NCAM). 2018’s theme was “Cybersecurity is our shared responsibility and we all must work together to improve our Nation’s cybersecurity.”
NCAM’s focus on resources and critical infrastructure coincided with the U.S. Department of Energy (DOE) announcement of $28 million to support the research, development, and demonstration of next-generation tools and technologies to improve cybersecurity and resilience of the Nation’s critical energy infrastructure. This infusion of funds may help jumpstart the operationalization of this year’s theme of “shar[ing] responsibility” for technical improvements and ensuring cybersecurity is a top priority for critical infrastructure industries.
Utilities often find it difficult to find the funds to keep up with the latest developments in cybersecurity technology. As a result, we may see government-enabled incentives to help bridge this gap in the form of grants or low-interest loans for cybersecurity upgrades.
Many U.S. utilities have identified areas where the federal government can help to protect the electrical grid from cyber-attacks. Information sharing is a key component for combating cyber-attacks to critical infrastructure systems. The confidentiality of threat intelligence information is critical for all parties involved. As a result of the need to share information, we may see additional federal legislation to provide greater safeguards for information sharing between utilities and the federal government.
Many industry experts believe that the federal government should take a more pro-active role in defining what constitutes a cyber-attack and clearly defining the government response against threat actors. Utilities, vendors, and other electric sector participants are seeking clear and defined processes, supported by law, identifying how the government will punish and dissuade would-be attackers.
More than ever, it is critical that private companies, government agencies, and cyber-experts collaborate to identify cybersecurity risks and develop programs, processes, and procedures to mitigate these risks. Companies who demonstrate a working knowledge of cybersecurity issues – and who implement appropriate protocols to mitigate cybersecurity risks – will find themselves well-positioned to succeed in our rapidly-transforming energy economy.
Republished with permission. The original article, "Grid Electrification: Addressing Cybersecurity Threats and Mitigating Risk in the Renewable Energy Era," first appeared in the Winter 2018 edition of the ABA Forum newsletter, 2x4x10: Sharing Ideas, Building Connections with Division 10.