Cybersecurity incidents and threats are an everyday occurrence. For several years running, this topic has been at or near the top of the growing list of issues that keep power industry leaders awake at night. At the same time, technology advancements and customer expectations are driving electric utilities to become increasingly digital and interconnected with networks beyond their direct control. Some experts argue the United States needs to pursue much more serious defensive measures to protect electric infrastructure, and thereby, our physical and economic security. Are microgrids a possible solution and should utilities be taking the lead in developing them as cyberattack countermeasures?
Last month, there were national reports about a cyberattack that targeted the City of New Orleans. All government computer systems were shut down in order to mitigate damage and investigate the incident. At about the same time, Tom Alrich, a power industry consultant who writes an excellent blog, shared some downright chilling information about cyberthreats to the U.S. power grid. Quoting from several sources, he reminded readers that Russians have the ability to execute cyberattacks on electric networks in the United States. They have installed 200,000 malware implants in critical U.S. infrastructure, and amazingly, there does not appear to have been any formal resolution or even an investigation of the 200,000 alleged implants.
Tom's 'News from the Russian front' blog has a postscript where he goes on to mention a book entitled The Fifth Domain, in which the authors argue that the threat of foreign cyberattacks on U.S. infrastructure is so serious that a new backup power grid not connected to the internet is needed to protect our country. You are probably thinking that — and Tom also points out the obvious — the cost of such an endeavor would be so staggering that it will never be done. So what should be done by public utilities to reassure their customers regarding the security of the grid, if the government is not stepping up to address alleged threats?
One possibility that is a bit more practical than a completely redundant grid is the installation of highly secure backup facilities to protect critical infrastructure and countermeasure systems against cyberthreats. The U.S. military has demonstrated such tactics at several bases over a period of years in a program called the Smart Power Infrastructure Demonstration for Energy Reliability and Security (SPIDERS). Designed to address both technology demonstration and transfer, the program used microgrid projects to protect critical assets from loss of power because of cyberattacks, sustain critical operations during prolonged power outages, and document the use of distributed energy and conservation resources as part of the solution.
Utilities may correctly argue that the connection of microgrids to their systems could be part of the problem of cybervulnerability as easily as part of the solution. The same is true of any inadequately protected device being connected to the grid, whether it is a smart inverter, disconnect, or other piece of electronic equipment. That is why cybersecurity is an issue for every part of the grid and every device connected to it, particularly systems intended to enhance cyberprotection or provide backup. The microgrid industry has a response for this concern. One vendor calls it defense in depth (DID).
Advocates argue microgrids offer grid systems resiliency through diversification: multiple decentralized power sources; a segmented architecture that allows microgrids to function with other microgrids, with the main grid, or independently; and, frequently, built-in redundant power sources within individual microgrids. Cybersecure microgrids are built on this diversification, with fail-safe backup mechanisms built into the microgrid control systems to prevent an intrusion from corrupting the network.
An expert from S&C describes a cybersecure microgrid as containing perimeter firewalls, multiple backup controllers, hardened hardware via removal of unnecessary software and communication points, encryption of internal data, removal of nonessential code and protocols, use of whitelisting and other authentication protocols for devices attempting to access the system, and monitoring of internal communications and processes. S&C also recommends that direct connections between microgrids and the utility or to the internet should not be used. Instead, such points of connection should use secure gateways and firewalls.
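One way to check the "no direct connections" and whitelisting recommendations against a network inventory is a reachability audit. The following is an added example, not code from the article or from S&C; the topology, node names, and the `enforcing` attribute are constructed assumptions.

```python
from collections import deque

# Constructed sample inventory (illustrative only, not from the article).
NODES = {
    "internet":        {"zone": "external"},
    "utility_scada":   {"zone": "external"},
    "gateway_fw":      {"zone": "boundary", "enforcing": True},
    "mg_controller_a": {"zone": "microgrid"},
    "mg_controller_b": {"zone": "microgrid"},  # backup controller
    "pv_inverter":     {"zone": "microgrid"},
    "vendor_modem":    {"zone": "microgrid"},  # forgotten maintenance link
}
LINKS = [
    ("internet", "gateway_fw"), ("utility_scada", "gateway_fw"),
    ("gateway_fw", "mg_controller_a"), ("mg_controller_a", "mg_controller_b"),
    ("mg_controller_a", "pv_inverter"), ("vendor_modem", "pv_inverter"),
    ("internet", "vendor_modem"),
]
ALLOWLIST = {"mg_controller_a", "mg_controller_b", "pv_inverter"}

def bypass_paths(nodes, links):
    """Map each microgrid node reachable from an external node WITHOUT
    crossing an enforcing gateway/firewall to the path that reaches it."""
    adj = {n: set() for n in nodes}
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    starts = [n for n, attr in nodes.items() if attr["zone"] == "external"]
    parent = {n: None for n in starts}
    queue = deque(starts)
    while queue:
        cur = queue.popleft()
        for nxt in sorted(adj[cur]):
            # Traffic through an enforcing boundary node counts as filtered.
            if nxt in parent or nodes[nxt].get("enforcing"):
                continue
            parent[nxt] = cur
            queue.append(nxt)
    paths = {}
    for n in parent:
        if nodes[n]["zone"] == "microgrid":
            path, cur = [], n
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            paths[n] = path[::-1]
    return paths

def unlisted_devices(nodes, allowlist):
    """Microgrid devices present on the network but absent from the allowlist."""
    return sorted(n for n, a in nodes.items()
                  if a["zone"] == "microgrid" and n not in allowlist)
```

In this constructed inventory a single unmanaged modem exposes every controller behind it, even though the gateway itself is correctly placed; removing that one link leaves no unfiltered path.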
Utility leaders recognize the growing vulnerability of their operations to cyberthreats, and available intel indicates utility organizations of all sizes and types are striving to achieve higher levels of cybersecurity. Unfortunately, the threat is also growing. Microgrids designed to back up critical infrastructure and mount cyber countermeasures appear to be practical solutions to bolster security. Electric utilities, microgrid developers, and cybersecurity experts all have expertise to assist in the identification of microgrid backup measures that could provide additional levels of security for individual customers and the entire grid.