By Tom McDonnell, North American Power Generation Industry Leader, Rockwell Automation
The cyber attack on Ukraine’s power grid in December 2016 brought the industry’s vulnerabilities into sharp relief. For decades, the more familiar territory of physical security threats had dominated the conversation.
Right before Christmas, the grid attack cut power to 103 cities and towns, leaving almost 200,000 Ukrainians without power for several hours, and the global utility industry felt the ripple effects. The urgency to address and attempt to prevent cybersecurity threats mounted.
For years, cybersecurity trailed behind reliability, environmental regulations and aging infrastructure in the list of issues confronting power producers. Cybersecurity moved to the No. 2 spot in 2016. In fact, U.S. industrial control systems were hit by cyber attacks at least 245 times over a 12-month period between 2014 and 2015, according to the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team.
While every industry is prone to attack, the energy sector led all other industry verticals with almost one-third of the attacks. Power is a fundamental resource. Because it fuels civilization and is critical to economic and military defense infrastructure, it’s an obvious target for security threats.
For that reason, power generators are actively evolving how they navigate the cybersecurity landscape. We’ll take a look at where the challenges are and the ways power producers can address cybersecurity concerns and regulations more efficiently and effectively.
When it comes to acting on relevant regulatory standards, power producers have to take a holistic approach. The positive news is that, in general, power producers are ahead of the curve when it comes to cybersecurity compared to other industrial companies.
Consider the recent “Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” which calls for an assessment of cyber readiness and vulnerabilities. The electrical industry already is doing this to comply with industry regulations and standards, including the North American Electric Reliability Corp.’s (NERC) CIP™, the Cybersecurity Act of 2015 and National Institute of Standards and Technology (NIST) standards.
People rely on power producers to provide economic security, environmental stability and health infrastructure service in their daily lives. Given the potential for national security threats, these standards are crucial.
The integration of renewable generating assets, propagation of distributed generation and need for an integrated regeneration infrastructure has led to multiple progressions in the industry. The first is the convergence of IT and operational technology (OT) systems into a Connected Enterprise for greater collaboration and plantwide efficiency.
The second industry shift is the increase of intelligent devices and smart equipment, which serve as the foundation of a connected power plant.
As power producers work to implement IT/OT convergence and intelligent devices, they must keep cybersecurity threats top of mind. The electric power industry, for instance, follows threat mitigation methods that focus on areas such as preparation, prevention, response and recovery.
It’s no secret that the goal for every facility is to manage risk properly, which might include system upgrades. Still, according to the Edison Electric Institute, tens of thousands of power plants in North America cannot be protected from all threats 100% of the time.
In fact, not all producers will be able to upgrade systems and technologies to the same level or at the same pace. For producers that are building new plants or completely overhauling existing facilities — such as moving to a more modern infrastructure, control system or electrical product — this can be an ideal time to investigate and implement cybersecurity protections and processes as part of that larger design and implementation.
For many established facilities, however, it’s more complicated. They may not have the capital funds available to upgrade problematic legacy systems. We’re going to see producers running with their reliable and proven programmable logic controllers (PLCs) in many locations for the remainder of the plant’s life cycle.
That doesn’t mean these systems can’t get connected or be secured. It just means we’re going to see a rise in hybrid solutions that allow these facilities to achieve the improved production that comes with greater connectivity and the security required for customer satisfaction and regulatory compliance in a way that’s more immediately financially feasible.
Piecing together the right combination of technology and processes for a hybrid solution presents its own challenge. You have access to a plethora of rapidly evolving technologies. Sorting through everything that’s available and articulating how that will translate into the desired functionality and outcomes for an individual facility takes skill.
No plant has staff with the knowledge and resources required to assess which systems are needed, much less design, deploy or maintain more secure and connected systems. This issue can be addressed via workforce training and development, or through vendor-provided services and support.
Such systems can be successfully designed and deployed only if you look at cybersecurity in a holistic manner.
Industrial security must be holistic to be effective. It’s enterprisewide, starting at the plant level and encompassing every individual end device. It addresses risk from all sides: people, processes and technologies. And it brings together IT and OT teams, both of which are indispensable in securing network architecture.
Three key areas need consideration when taking a holistic approach. The first is moving forward with a security assessment to understand your risk areas and potential threats. The next is deploying defense-in-depth (DiD) security to establish multiple fronts of defense. The third is working with trusted vendors that follow core security principles when designing their products.
Power producers must cultivate a deep understanding of all risks and vulnerabilities that exist within their organization. A security assessment offers a fresh and unflinching look at site infrastructure nuances, software, networks, control system, policies, procedures and even employee behaviors. It’s the foundation for a successful security policy.
Key deliverables for any security assessment include:
With an assessment in hand, implementation can begin.
DiD security is based on the idea that if any one point of protection is defeated, additional layers subsequently will need to be defeated. Therefore, DiD security establishes multiple layers of protection through a combination of physical, electronic and procedural safeguards. Just as a bank uses multiple security measures — such as video cameras, a security guard and a vault — this helps make sure threats encounter more than one line of defense.
A DiD security approach consists of six main components:
Your plant’s automation system likely is a small part of capital assets or costs. However, it can have an outsized impact on helping you meet your security goals, similar to the impact it has on your production, quality and safety goals. Before selecting vendors for any system that will be connected to your network, request they disclose their security policies and practices. At Rockwell Automation, we’ve defined five core security principles for designing products used in a control system.
1. Secure Network Infrastructure. Vendors can help keep information in the automation layer secure and confidential. For example, technology can validate and authenticate devices before they are granted access to a network.
2. Authentication and Policy Management. Company policies dictate data-access levels for employees. Automation products can support these policies using access control lists to manage user access to devices and applications.
3. Content Protection. Automation solutions can help protect intellectual property by assigning passwords to routines and add-on instructions and by using digital-rights management to limit a user’s ability to view and edit device data.
4. Tamper Detection. Built-in tamper detection can detect any unauthorized system activity and alert the right personnel. It also can log key details, such as where the attempted intrusion took place, how it occurred and whether anything was modified.
5. Robust Vendor Security. A robust vendor-security approach includes providing security training to employees, using design-for-security development practices, testing products to global security standards, conducting final security reviews before products are released, verifying processes stay current with standards and technologies and having a plan in place to address vulnerabilities.
Power producers should look for a structured and tailored approach to meet physical and cybersecurity requirements. This approach can include multiple layers of protection through a combination of physical, electronic and procedural safeguards. It might include a highly integrated cybersecurity suite that consolidates solutions such as antivirus, application whitelisting, security information and event management and compliance into a unified solution.
Given the many regulations and standards affecting power producers, it’s hard to process everything at once. The highest priority has to be what must be implemented — namely, NERC CIP.
Plan to protect your cyber critical assets. CIP-003, -007, -008 and -009 all offer guidance on securing individual assets within a system.
Know what you have and where it is. CIP-002, -005 and -011 deal with understanding what critical assets exist within a system and what cyber critical assets are essential for the operation of the other assets.
Tend to the physical security of your assets. CIP-004, -006 and -010 describe how to create and maintain a physical security plan that complements the cyber security measures already in place.
The Journal From Rockwell Automation and Our PartnerNetwork™ is published by Putman Media, Inc.