PA Consulting’s digital trust and cybersecurity expert, Justin Lowe, discusses the biggest cybersecurity challenge facing electric and gas utilities, and what solutions have been designed to address this.
Texas-based software company SolarWinds Corp. revealed on Jan. 13 that a hack alleged to be of Russian origin occurred much earlier than initially understood, dating back to September 2019. Following its in-depth investigation, the company discovered that malicious actors had unobstructed access to customers' critical systems for nearly nine months. A growing chorus of cybersecurity specialists believe that these intruders might still, to this day, be enjoying such access.
Many utilities were among the entities that were running key assets with infected SolarWinds software. Those electric and gas companies have joined with their customers to demand better visibility into their systems, especially the most sensitive elements of their physical and digital infrastructure. Fortunately, some companies have been providing just that for years—and their wares are getting much more attention since the latest hack was discovered.
Concern about cyberthreats is rising among government executives, regulators, generators, and transmission and distribution system operators, who are working to identify and mitigate the risks of nascent "smart" energy systems.
According to Justin, "energy systems are changing with the move to sustainable renewable energy resources and more distributed resources, some of which are beyond the usual control of traditional operators." This produces a more complex energy system, which in turn "requires more active management" through the use of significantly more communications and technology, he adds. This introduces new cybersecurity risks that need to be managed to protect the resilience of the energy system.
Traditional approaches still dominate the mainstream solutions used by utilities to address cybersecurity risk. They tend to focus on defining, what Justin calls, "stringent security controls for the most critical parts of the energy system." This model is difficult to apply in a distributed energy system, which is precisely why advocates for change are arguing for a different approach.
One challenge forcing the change is that transitioning to a distributed energy model means the energy system is constantly changing – and so are the risks. Justin points out that "this does not mean the problem is insoluble, but a forward-looking and flexible view is needed to protect against the risks that will be faced in the future rather than the present."
Justin offers an example of how to solve this: PA Consulting's effort to "develop new approaches to a black start," which is a restart of an energy system after a significant blackout. He said that "while there are robust approaches to doing this in the current energy system, they don't work in a distributed energy world—new operating models, control systems and telecommunications approaches are required, together with a robust response to the changes in cybersecurity risks these introduce."
PA's Smart Energy Cyber Risk Assessment was developed "to understand the cyber risks relating to the changing energy systems and identifying mitigations to the risks posed," he adds. The company's core idea is relatively simple: that understanding the current energy system is critical, along with "how it is likely to change over the next 5-10 years."
PA's process involves understanding the changing generation mix, especially the shift to renewables, as well as the evolving nature of load, including the proliferation of electric vehicles, together with any changes to energy markets. Justin says: "PA combines this with an estimation of the cyber-vulnerabilities in the changing system to identify the key cyber risks that might impact the energy system and how they are likely to change over time.” This risk picture is then used to identify and prioritize policy, regulatory and cybersecurity controls to mitigate the risks identified and form the basis for remediation planning.