Cybersecurity has been a major concern for utilities for decades because of their role as operators of critical infrastructure systems and providers of essential services. Cyberattacks have the potential to damage a country’s power grid, and their major goal is to cause widespread infrastructure failures. So, concerns about cybersecurity continue to be at the top of utilities’ agendas, driven by the rising interconnected nature of infrastructure and systems, and the growing number of attacks targeting utilities.
A recent report ‘Thematic Research: Cybersecurity in Power’ released by GlobalData, a leading data and analytics company, reveals that cybersecurity is at the top of utilities’ agendas. It is now undoubtedly a growing concern for the power industry. This trend will continue as many power utilities have to deal with increasing regulation, attack frequency, and the threat of state-sponsored cyberattacks on crucial infrastructure. The need to connect a growing range of market participants to core utility systems and the growth of private consumer data coming into utilities’ systems through smart metering and smart home initiatives also build up additional risks and regulatory responsibilities. Utilities’ investment in cybersecurity, split across technology, services, and internal skills development, will only accelerate as they try to address these challenges.
Figure 1: The Cybersecurity value chain
Power utilities’ cybersecurity threats will continue to grow. Utilities’ existing systems are now becoming increasingly connected through sensors and networks and, due to their dispersed nature, are becoming increasingly difficult to control. This growing attack surface can potentially provide an opportunity for attackers to target the grid as they did in Ukraine in December 2015. Hackers attacked three power distribution companies in the country and disrupted the electricity supply temporarily. This was followed by another cyberattack in Ukraine’s capital Kyiv in December 2016 that caused a power outage during 17-18 December. Recently, the European Network of Transmission System Operators for Electricity (ENTSO-E), which represents 42 European transmission system operators (TSOs) in 35 countries, became the latest victim of a cyberattack.
As utility infrastructures become more interconnected, smart, and decentralised, a centralised approach to securing them is difficult and will become increasingly untenable. While central monitoring and oversight are essential, they are not sufficient, since a central system cannot react quickly enough to threats, especially as control becomes fragmented across numerous systems such as microgrids. There will be a rising burden on edge elements and local systems to be resilient to cyberattacks while also having the flexibility to support the resilience of the wider energy system in case of a cyberattack on the electricity grid.
Many governments are grappling with the challenge of securing their countries’ critical national infrastructure against cyberattacks. Utilities cannot risk opening up critical infrastructure assets to cyberattacks that could cause dangerous equipment failure, widespread blackouts, or a compromise of clean water supplies. While the Internet of Things (IoT) has become a key enabler in the modernisation of critical utilities’ infrastructure, it has also exposed power utilities to a host of new threats and vulnerabilities. Security, therefore, remains the number one obstacle to wider industrial IoT uptake. The integration of IT elements into utilities’ operational systems has opened up industrial control systems such as SCADA to potential cyberattacks, which is a growing concern among utilities. IoT, if it moves beyond point applications to encompass analytics and a holistic view of utilities’ infrastructure, could enhance aspects of security by helping manage infrastructure more effectively and monitor unusual patterns. At the same time, it is also a major enabler of more efficient grids, enhanced maintenance, asset management, and better customer outcomes (in terms of customer service to utilities’ end users). In order to balance the benefits of the IoT with its risks, vendors need to support more robust security standards for devices, communications, and data management.
Power grids are increasingly becoming a target for hackers and cyberattacks. Concerns about cyberattacks on critical infrastructure, especially the electricity grid, are nothing new. Electricity grids depend on industrial control systems (ICS) to provide essential services. If these systems are at risk of a cyberattack, that can pave the way for catastrophic events. However, the growth in cyberwarfare and the rapid proliferation of smart and connected grid components will mean that investment in cybersecurity will remain a top priority for utility IT departments. As the grid becomes smarter, it also becomes more vulnerable to attacks, which can compromise critical infrastructure systems and disclose private user information. The growing proliferation of IoT and smart devices massively increases the density, diversity and number of attack vectors that utilities have to tackle, and extends the attack surface vulnerable to cyber threats to hitherto isolated elements of the operational infrastructure.
Many governments are tackling the challenge of securing critical infrastructure against cyberattack and are attempting to respond to increasing cyber-risks. In January, the Federal Energy Regulatory Commission (FERC) approved reliability standards for Transmission System Planning Performance Requirements (RM19-10-000, TPL-001-5) and Cyber Security — Communications between Control Centers (RM18-20-000, CIP-012-1). The approved cybersecurity standard strengthens the current Critical Infrastructure Protection (CIP) standards on mitigating the risks involved with communications between bulk electric system (BES) control centres. It requires the entities concerned to safeguard the confidentiality and integrity of real-time assessment (RTA), as well as real-time monitoring of data that is transmitted between BES control centres. The FERC has also recognised the North American Electric Reliability Corporation (NERC) 2019 Five-Year Performance Assessment (RR19-7-000), which continues to highlight its ability to come up with and enforce the commission’s reliability standards.
There are a number of challenging factors involved in securing power utility systems. Securing operational technology (OT) and ICS systems such as SCADA, smart substations, and distribution management systems is crucial for utilities. In the past, these systems were often air-gapped – essentially isolated from external systems – and tended to be based on arcane software and communication protocols that were difficult to attack. This has been changing rapidly, however, and increasingly the lines between IT systems and OT systems are being blurred as operational systems become more digitised and connected. Securing these emerging hybrid IT/OT systems is challenging because it requires new ways of thinking and new skills, covering both areas and managing networked ICS.
Because of the tactical significance of uninterrupted access to power and water in many countries, utilities are facing regulatory pressure and will need to showcase their compliance and due diligence against cyberattacks much more strongly. Major utilities comply with cybersecurity standards and requirements only when they are mandatory, since non-compliance is penalised. With this approach, utilities are not promoting the construction of a comprehensive and secure electricity grid. It also weakens utilities’ interest in reducing the risk of a cyberattack on their grids. A lack of enforceable standards is also restricting the growth of the cybersecurity market for the smart grid. By putting better cybersecurity systems in place, utilities can have a better understanding of their risk profile and provide assurance to regulators that they have taken adequate measures to address their risks.
Another challenge that utilities have to deal with is to come up with a unified method for security, which incorporates physical security and cybersecurity, and covers the complete organisation. Recent attacks on power grids include the one at ENTSO-E, which affected its administrative IT systems. ENTSO-E believed that its operational transmission system operator (TSO) systems had not been impacted. Other attacks, such as the Stuxnet attack in 2009 in Iran, where a computer worm advanced through Microsoft Windows systems, and the attack on the Ukrainian grid, have attempted to target both IT systems and ICS/OT systems in the same attack. Utilities should adopt cybersecurity measures that can correlate threats across all of these areas. This is where the role of artificial intelligence (AI) and behavioural analytics, along with ubiquitous IoT data, comes into play and will provide support for the emergence of such solutions.
There is an acute lack of adequate mechanisms for power utilities to report cyberattacks. Utilities are reluctant to report cyberattacks on their critical infrastructure as they are worried their vulnerabilities may be exposed if the information is leaked. This has led to a lack of visibility in the industry, where information sharing could avert recurrence of similar attacks.
The ongoing Covid-19 crisis is making power utilities more prone to cyberattacks. With most utilities now working remotely, attackers will strive to benefit from the rush to remote systems and undermanned facilities. Utilities need to comprehend the new cyber-risks involved with home-based work, such as social engineering attacks and less reliable internet connections, and accordingly set up baseline defences relevant to remote working. This will help to decrease the consequences of cyberattacks.