T&D World recently hosted a live webinar with utility industry experts, Sean Stalzer from Dominion Energy Services and Bob Lockhart with the Utilities Technology Council, who discussed best practices in planning, situational awareness, and response to cyberattacks. The webinar was specific to utility industrial control systems (ICS) and was a real treat, including a candid conversation about the current threat landscape. There was a recognition of the importance of collaboration for the industry to achieve its security and reliability goals.
The Threat Is Real
Cybersecurity threats continue to evolve, increasing the difficulty for utilities to detect and mitigate. Utilities are experiencing expansion in the potential attack surface, the industrialization of IT/OT attacks, and possible attacks are also moving deeper into utility systems. Utilities are transitioning from older and more rigid legacy systems to more flexible approaches to modernize the electric grid; this enables remote operation of the grid, but also makes cybersecurity controls more difficult. Our adversaries have become more stealthy, and defending against these threats is time-consuming and costly for utilities.
The threat of a cyberattack on our nation's power grid is the new normal, and the stakes are high. Stalzer shared the following quote from Brian Harrell, Assistant Secretary for the Cybersecurity and Infrastructure Security Agency (CISA), which epitomizes the cybersecurity role of today's utility. "Owners and operators are on the frontline today of national security. It's not the government. It is in the bulk power system. You guys are kind of the protectors of our way of life, so to speak."
If a country wanted to get into a physical war with the United States, it would first hit the bulk-power system. Our bulk-power system is what is standing up all other critical infrastructure. Utilities have to defend against this threat because they are all entry points into the grid. Utilities are currently targets of hostile nation-states, and we are arguably already in a cyber-war, both on an offensive and defensive basis. China has a national program to develop an ICS weapon to take down both the gas and electric sectors. Russia, North Korea, and Iran are continually attempting attacks on the U.S. electric sector. And, there are criminal organizations that are threats as well. Cyber threats are getting riskier every day, with attacks increasing, especially since the beginning of the COVID-19 pandemic. We have a larger remote workforce, and our enemies are hopeful that we are distracted. Stalzer shared that while Dominion blocks 222 countries, they still get attacked 3 billion times per month, spot 350,000 phishing attempts per month, and regularly detect activity from hostile nation-states.
The government is working hard in this area, but it is not all-knowing or actively defending us to the degree we often assume. Additionally, we must be mindful that meeting NERC compliance standards does not equate to security. The number of laws addressing cybersecurity is growing, and compliance is essential, but it is the minimum standard. Compliance isn't agile: it doesn't address insider threats, integrate the cyber and physical security threat response, or look for emerging threats. Thus, the industry must focus on much more than cybersecurity compliance to achieve its security and reliability goals.
It Takes a Village
Success in cybersecurity is always a team effort. Stalzer and Lockhart both emphasize the importance of collaboration across both the entire utility organization and industry. IT/OT convergence is key to securing the full utility; it is hard work, and everyone in the organization has to be pulling in the same direction. Lockhart discussed the importance of bringing all of the utility functional areas together to understand what is going on entirely. Relatedly, Stalzer discussed the typical dynamic between engineering and IT teams. Often, the ICS environment is managed by engineers that usually do know their systems better than anyone else. The IT and Cybersecurity Departments aren't always welcome, often because there are horror stories about security taking down the whole ICS environment. However, Stalzer cautions that engineers should allow the security teams to help them; IT are experts in ICS as much as engineers are cyber experts. These groups need to work together to achieve the common goal of reliability.
This topic is very complex, and we've only scratched the surface here. If you are interested in hearing more about what these experts had to say, you can check out an on-demand version of this webinar, and many others at https://www.tdworld.com/resources/webinars/
Also In The October Issue
Several of our T&D World authors also discuss cybersecurity solutions in this issue. In this month's Charging Ahead column, Gene Wolf writes about "Smarter Cybersecurity" and looks at digital twin and artificial intelligence as cyber solutions. In his Grid Talk column, David Shadle discusses risk-based business continuity planning. As utilities proceed down this road, merging IT and OT is often involved, making cybersecurity even more critical. And finally, Lauren Callaway discusses the relationship between security and investment gaps identified in a recent ASCE report.
Until next time, stay safe and healthy.