Roger Clarke-Johnson of Emerson offers a practical guide to maintaining a strong cybersecurity posture
The adoption of digital technologies… remote working… the growth of intermittent renewable energies in production portfolios… these market drivers and others are having dramatic impacts on the energy landscape. Hydroelectric power plants, in particular, are at an inflection point. Not only does hydropower take on a greater share of load variations, and play an even more important role in grid reliability and resiliency, it also remains integral to public safety: protecting waterways, providing flood control and irrigation, offering recreational opportunities, and supplying drinking water.
These changing market realities only increase the need to maintain a strong cybersecurity posture. And the numbers back it up: the annual global market for energy computing and cybersecurity software and services is expected to grow from US $ 19 billion in 2020 to over US $ 32 billion by 2028, according to a Navigant report.
Whether the assets are fossil or renewable, the basics of applying cybersecurity best practices remain the same. And it starts with the overall philosophy of the organization.
Being truly committed to protecting power generation facilities and other critical infrastructure requires an approach that ensures control systems are truly secure, organizations are ready to comply, and production reliability is maintained. Developing a security program focused on both compliance and security best practices will help maintain a strong security posture.
One way to view cybersecurity is through the prism of four key areas – Identify, Protect, Detect, and Respond / Recover – which are aligned with industry best practices but tailored to the unique requirements of electricity production facilities and organizations. Let’s take a closer look at each.
Identify
Basically, this step is about risk management: identifying the assets of a utility, understanding how they are interconnected, and making a baseline assessment of whether or not they are secure.
Organizations regularly assess the risks to their business and operations. Cyber security is an organizational risk that affects strategic, compliance, operational, financial and reputational risks. A risk-based approach to cybersecurity does not aim to protect against all threats to automation and controls, but to identify potential vulnerabilities and make a strategic decision based on the likelihood and impact of each vulnerability.
The first step in this phase is to document and inventory all cyber assets. Many utilities use databases and spreadsheets to track cyber assets, making sure to note the location, asset tag, and how each is connected to other devices and systems. Once all the assets have been identified, it is important to understand how the equipment is interconnected. Generating a detailed network topology diagram to show the interconnections between devices and systems, both internal and external, helps utilities understand what they have, how they are interconnected and what may be their resulting compliance obligations.
Understanding how equipment and systems are connected is the first step in determining the challenges of securing operations and meeting compliance obligations. The next step is to perform an initial vulnerability assessment to establish a baseline. Vulnerability assessments, which should be performed every 12-18 months to track improvements over time, can be conducted in several different ways using a variety of manual processes and / or automated tools.
As a security and compliance best practice, performing a baseline and comparison of ports and services is an important part of a vulnerability assessment because it identifies the ports and services currently open and running and compares them against those identified by equipment vendors based on operational requirements. Hardening ports and services to those identified as required for operation is a key step in eliminating potential vulnerabilities.
A vulnerability assessment should expose what could be improved to strengthen the overall security of the facility. Once an organization has a good understanding of its assets, how they are logically connected, and how secure they are, the next step is to determine what can be done to harden systems, secure them, and keep them secure.
Protect
There are several best practices that fall under the Protect category, including user management, system hardening, patch management policies, antivirus and malware prevention programs, and human factors prevention.
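The ports-and-services comparison described above, written out as an added example (this is not Emerson's tooling or any vendor's product). The asset names, vendor baseline and scan result are constructed for illustration; a real assessment would load the vendor's documented port requirements and the output of an approved scanning tool. The `drift` function also covers the earlier point about repeating the assessment every 12-18 months to track improvement, by diffing two sets of findings.

```python
"""Baseline comparison of open ports and services against vendor operational requirements.

Added example (not Emerson's tooling). Asset names, ports and services below are constructed.
"""
from typing import Dict, List, Set, Tuple

Port = Tuple[str, int]          # (protocol, port number)
Finding = Tuple[str, str, str]  # (asset, finding type, detail)

# Constructed inventory: for each asset, the ports/services the equipment vendor
# documents as required for operation. This is the hardening target.
VENDOR_BASELINE: Dict[str, Dict[Port, str]] = {
    "HMI-01": {("tcp", 443): "hmi-web", ("tcp", 3389): "remote-admin"},
    "PLC-01": {("tcp", 502): "modbus", ("udp", 161): "snmp-monitoring"},
}

# Constructed scan result: what a port/service survey of the control network found.
SCAN_RESULT: Dict[str, Set[Port]] = {
    "HMI-01": {("tcp", 443), ("tcp", 445), ("tcp", 3389)},
    "PLC-01": {("tcp", 502)},
    "WKS-07": {("tcp", 22)},
}


def compare_ports(baseline: Dict[str, Dict[Port, str]],
                  scan: Dict[str, Set[Port]]) -> List[Finding]:
    """Return findings from comparing observed ports with the vendor baseline.

    unexpected-port : open but not required by the vendor -> candidate for hardening
    missing-service : required by the vendor but not observed -> operational issue
    unknown-asset   : host responded but is absent from the inventory -> inventory gap
    """
    findings: List[Finding] = []
    for asset, open_ports in sorted(scan.items()):
        required = baseline.get(asset)
        if required is None:
            findings.append((asset, "unknown-asset", f"{len(open_ports)} open port(s)"))
            continue
        for proto, num in sorted(open_ports - set(required)):
            findings.append((asset, "unexpected-port", f"{proto}/{num}"))
        for proto, num in sorted(set(required) - open_ports):
            findings.append((asset, "missing-service",
                             f"{proto}/{num} ({required[(proto, num)]})"))
    return findings


def drift(previous: List[Finding], current: List[Finding]) -> Dict[str, List[Finding]]:
    """Compare two assessments (e.g. 12-18 months apart) to track improvement over time."""
    prev, cur = set(previous), set(current)
    return {"resolved": sorted(prev - cur), "new": sorted(cur - prev)}


if __name__ == "__main__":
    initial = compare_ports(VENDOR_BASELINE, SCAN_RESULT)
    for finding in initial:
        print(finding)
    # Simulate the follow-up assessment after the unexpected SMB port was closed on HMI-01.
    hardened = {**SCAN_RESULT, "HMI-01": {("tcp", 443), ("tcp", 3389)}}
    print(drift(initial, compare_ports(VENDOR_BASELINE, hardened)))
```

The three finding types map onto three different owners: unexpected ports go to the hardening backlog, missing services to operations, and unknown assets back to the inventory step, since a host that answers on the control network but is not in the inventory cannot have a compliance obligation assigned to it.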
While Protect is where the rubber meets the road, it is important to use common sense to ensure that the initiatives are practical and not so restrictive as to actually compromise reliable operation. Consider the choice between shared accounts and individual accounts, for example. Some best practices in other industries may recommend that each person who logs into the system have a unique user account. However, implementing such a user management policy on a control system makes the task difficult when operators change shifts. Logging out at the end of the shift so that the next operator can log on could potentially cause the utility to lose visibility of the system until the next operator logs on. In the electricity industry, it is common for operators to use shared accounts, while administrators, engineers, and other staff typically have unique accounts so that activity can be tracked.
Cyber security best practices promote a “defense in depth” strategy, using multiple tools or techniques to achieve additional security measures that help ensure a good security posture. For example, although operators can share user accounts, the use of security cameras, badge systems and logbooks helps identify the operator who may have caused an incident, whether maliciously or inadvertently.
One area that is sometimes overlooked in cybersecurity is the “human factor”. In most cases, the number one threat to the system is not someone halfway around the world hacking into a system; it is the person who has just returned from vacation, wants to show everyone their photos, and unknowingly inserts an infected USB stick into a computer. Whether or not the intent was malicious is beside the point; the damage is the same. Providing cybersecurity awareness training, establishing a secure USB program, and putting policies in place to restrict what can and cannot be done on the system is a good first step in tackling the human factor.
Detect
After establishing security programs, hardening systems, and defining a defense strategy, it is important to closely monitor all systems. This step encompasses security incident and event management (logging), network intrusion detection, configuration change management, and internal policy audits.
In terms of logging, utilities need to manually review applicable logs or deploy a solution to monitor assets and alert staff when thresholds are reached. Keep in mind that alerts don’t always indicate that someone is trying to hack the system – it could be something else entirely. For example, if a system password has been changed and a process running on a machine cannot log in, it is possible to see hundreds of thousands of failed login attempts. Although not malicious, this indicates that something has changed and needs to be fixed.
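The threshold-based alerting and the "changed password" false alarm described in the paragraph above, as an added example (not Emerson's product or any real SIEM). The log line format, hosts, accounts and addresses are constructed; a real deployment would parse the control system's own authentication log format. The example goes slightly beyond the text by also separating the benign single-source case from failures that arrive from several sources, which is the distinction an analyst makes when deciding whether an alert is a credential fix or an incident.

```python
"""Threshold alerting on failed logins from control-system authentication logs.

Added example (not Emerson's product). The log lines, hosts and addresses are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: a historian service account whose stored password is stale
# (steady failures from one host), an operator mistyping twice, and a burst of
# failures for a maintenance account arriving from several different sources.
SAMPLE_LOG = """\
2024-03-04T02:15:00 host=HIST-01 user=histsvc src=10.10.1.20 result=FAIL
2024-03-04T02:15:05 host=HIST-01 user=histsvc src=10.10.1.20 result=FAIL
2024-03-04T02:15:10 host=HIST-01 user=histsvc src=10.10.1.20 result=FAIL
2024-03-04T02:15:15 host=HIST-01 user=histsvc src=10.10.1.20 result=FAIL
2024-03-04T02:15:20 host=HIST-01 user=histsvc src=10.10.1.20 result=FAIL
2024-03-04T02:15:25 host=HIST-01 user=histsvc src=10.10.1.20 result=FAIL
2024-03-04T02:16:00 host=HMI-01 user=ops src=10.10.1.5 result=FAIL
2024-03-04T02:16:10 host=HMI-01 user=ops src=10.10.1.5 result=FAIL
2024-03-04T02:16:20 host=HMI-01 user=ops src=10.10.1.5 result=OK
2024-03-04T02:20:00 host=ENG-01 user=maint src=10.10.1.40 result=FAIL
2024-03-04T02:20:03 host=ENG-01 user=maint src=10.10.1.41 result=FAIL
2024-03-04T02:20:06 host=ENG-01 user=maint src=10.10.1.40 result=FAIL
2024-03-04T02:20:09 host=ENG-01 user=maint src=10.10.1.42 result=FAIL
2024-03-04T02:20:12 host=ENG-01 user=maint src=10.10.1.41 result=FAIL
"""

Event = Dict[str, object]
Alert = Tuple[str, int, List[str], str]  # (user, failures in window, sources, assessment)


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format; lines that do not match are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            ev: Event = dict(m.groupdict())
            ev["ts"] = datetime.fromisoformat(str(ev["ts"]))
            events.append(ev)
    return events


def failed_login_alerts(events: Iterable[Event], threshold: int = 5,
                        window: timedelta = timedelta(minutes=1)) -> List[Alert]:
    """Alert when an account accumulates >= threshold failures inside a sliding window.

    The assessment text separates the benign case the article describes (one process
    retrying with a changed password) from failures spread over many sources, which
    deserve an incident-response look rather than a credential fix.
    """
    per_user: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":
            per_user[str(ev["user"])].append(ev)

    alerts: List[Alert] = []
    for user, fails in sorted(per_user.items()):
        fails.sort(key=lambda e: e["ts"])
        best = None  # (count, start index, end index) of the densest window
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best is None:
            continue
        count, s, e = best
        sources = sorted({str(ev["src"]) for ev in fails[s:e + 1]})
        if len(sources) == 1:
            assessment = ("single source, steady retries: check for a changed password "
                          "or a stale service credential")
        else:
            assessment = "failures from multiple sources: escalate to incident response"
        alerts.append((user, count, sources, assessment))
    return alerts


if __name__ == "__main__":
    for alert in failed_login_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```

The operator who mistyped twice and then succeeded never reaches the threshold, so the alert list contains only the two accounts worth a closer look. The threshold and window are parameters because the right values depend on how chatty the site's own service accounts are; tune them against a week of normal logs before relying on the alerts.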
Another good practice that focuses on both security and compliance is tracking all system changes, even those that are made on purpose. For example, if an engineer makes changes to a control sheet, they should document the change as confirmation that it was authorized. Any changes that have not been confirmed as authorized could be of concern. Change management can be approached through a variety of manual processes and procedures as well as automated tools.
Respond / Recover
Finally, utilities must be prepared if, despite their best efforts, something goes wrong. This is where response / recovery comes in. Whether or not a site is classified as a critical asset, it is imperative that it has an incident response plan with detailed actions to respond to malicious and non-malicious internal and / or external threats and attacks. Equally essential is having disaster recovery procedures ready for use. To be effective, the activities related to this step must be established in advance and the plans must be tested annually.
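One automated way to do the change reconciliation the paragraph describes, added here as an example (not Emerson's tooling): fingerprint each configuration file, diff two snapshots, and accept a change only when an engineer's change record names the same file and the same resulting fingerprint. The file names, contents and ticket numbers are constructed; a real deployment would hash the files on the controller or engineering workstation and pull records from the site's change-management system.

```python
"""Reconcile observed configuration changes against authorized change records.

Added example (not Emerson's tooling). File names, contents and ticket numbers are constructed.
"""
import hashlib
from typing import Dict, List, Optional, Tuple


def digest(content: bytes) -> str:
    """SHA-256 of a configuration file's contents, used as its fingerprint."""
    return hashlib.sha256(content).hexdigest()


# Constructed baseline snapshot taken at the last approved state.
BASELINE: Dict[str, str] = {
    "unit1/governor.cfg": digest(b"gain=1.0\nsetpoint=60.0\n"),
    "unit1/exciter.cfg": digest(b"limit=1.05\n"),
    "unit1/alarms.cfg": digest(b"hi_vibration=0.90\n"),
}

# Constructed snapshot taken today.
CURRENT: Dict[str, str] = {
    "unit1/governor.cfg": digest(b"gain=1.2\nsetpoint=60.0\n"),  # tuned under a ticket
    "unit1/exciter.cfg": digest(b"limit=1.05\n"),                 # unchanged
    "unit1/alarms.cfg": digest(b"hi_vibration=0.95\n"),           # nobody recorded this
    "unit1/debug.cfg": digest(b"trace=on\n"),                     # new file, no record
}

# Constructed change records: the engineer documents the path and the resulting hash.
CHANGE_RECORDS: List[Dict[str, str]] = [
    {"ticket": "CHG-1042", "engineer": "j.engineer",
     "path": "unit1/governor.cfg", "approved_hash": digest(b"gain=1.2\nsetpoint=60.0\n")},
]

Result = Tuple[str, str, str]  # (path, change kind, status)


def reconcile(baseline: Dict[str, str], current: Dict[str, str],
              records: List[Dict[str, str]]) -> List[Result]:
    """Classify every difference between snapshots as authorized or unconfirmed.

    A change is authorized only when a record names the same path AND the observed
    hash equals the hash the engineer recorded, so a ticket cannot be reused to cover
    an unrelated edit to the same file.
    """
    approved: Dict[Tuple[str, str], str] = {
        (r["path"], r["approved_hash"]): r["ticket"] for r in records
    }
    results: List[Result] = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue
        kind = "added" if old is None else "removed" if new is None else "modified"
        ticket: Optional[str] = approved.get((path, new)) if new is not None else None
        status = f"authorized ({ticket})" if ticket else "UNCONFIRMED - investigate"
        results.append((path, kind, status))
    return results


if __name__ == "__main__":
    for row in reconcile(BASELINE, CURRENT, CHANGE_RECORDS):
        print(row)
```

Requiring the recorded hash, not just the file name, is what makes the record a confirmation rather than a blanket permission: the governor tuning is accepted because the ticket's hash matches, while the alarm threshold edit and the new debug file surface as unconfirmed even though both touch files the same engineer might plausibly work on.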
It is important to remember that security is not a project or a product: it is a process that is constantly evolving. As such, utilities should always consider cybersecurity as part of their regular maintenance schedule as well as part of the overall system lifecycle maintenance plan. To stay current, organizations should establish a regular maintenance plan as well as a plan to upgrade their security-related products every two to three years. For example, antivirus software can run on a computer for a long time, but without frequent updates, does it provide the same level of protection?
Hydroelectric power stations generate electricity and generate income. They also serve and protect the public and preserve habitat for a variety of aquatic species. For these reasons, it is imperative that cybersecurity initiatives both secure systems and ensure operational reliability. The bottom line is that merely meeting compliance obligations doesn’t guarantee that systems are secure, and a strong security program doesn’t necessarily mean an organization is ready to comply. But by considering both compliance and best practices with an emphasis on identification, protection, detection, and response / recovery, utilities can achieve a strong security posture that supports compliance and ensures reliable operation of the plant.
Hydroelectric plants have long life cycles: some are over 100 years old. Digital transformation is starting to affect these older plants in addition to the hundreds of younger hydropower plants that have already been fitted with digital controls and automation. Applying the cybersecurity best practices described here can help ensure that all hydropower plants can continue to be used to quickly and cost-effectively deliver clean, renewable and dispatchable electricity to the grid when it is most needed, while maintaining public safety for this generation and generations to come.