Contributed by Matthew Cosnek, Manager of Security Solutions, Emerson for the power and water industries
The energy landscape is rapidly transforming, fueled by aggressive decarbonization efforts as governments and businesses alike strive to achieve ambitious sustainability goals, including net zero. A December 2021 IEA (International Energy Agency) report titled “Renewables 2021: Analysis and Forecast to 2026” bears this out, predicting renewables will comprise nearly 95 per cent of the increase in global power capacity through 2026.
While the ongoing shift toward renewable energy sources offers environmental benefits, the decentralized nature of renewables is among the factors creating cybersecurity vulnerabilities that must be planned for and mitigated, according to the Royal United Services Institute for Defence and Security Studies’ January 2022 report “Securing a Net-Zero Future: Cyber Risks to the Energy Transition.”
And the industry is responding, increasingly investing in cybersecurity measures: The global annual market for energy IT and cybersecurity for software and services is expected to grow from $19 billion in 2020 to more than $32 billion by 2028, according to Navigant Research.
Of course, addressing cyber threats is nothing new to the electric utility industry. Fortunately, whether assets are fossil or solar, wind or another renewable source, the basic principles of applying cybersecurity best practices remain the same. It starts with the organization’s overall philosophy.
A commitment to protecting power-generating facilities and other critical infrastructure requires an approach that ensures SCADA and control systems are truly secure, organizations are compliance-ready and generation reliability is maintained. Developing a security strategy focused on both compliance and security best practices will help to maintain a strong security posture.
Aligning with industry best practices that are tailored to the requirements of renewable energy generating assets and the owner’s organization can be a challenge. One way to approach cybersecurity that accomplishes this involves four key areas—Identify, Protect, Detect and Respond/Recover.
Cybersecurity is an organizational risk that affects strategy, compliance, operations, finances, and reputation. A risk-based approach to cybersecurity is not intended to protect against all threats to automation and controls, but to identify potential vulnerabilities and make strategic decisions based on the likelihood and impact of each vulnerability.
This begins with documenting and inventorying all cyber assets. Many utilities use databases and spreadsheets to track cyber assets, making sure to note the location, asset tag, and how each is connected to other devices and systems. Next, it is important to understand how the equipment is networked together. Generating and maintaining detailed network topology diagrams to show interconnections between devices and systems, both internal and external, helps utilities gain an understanding of what they have, how it is interconnected, and what their resulting compliance obligations may be.
Understanding how equipment and systems are connected is the first step in determining the challenges of securing operations and meeting compliance obligations. The next step is performing an initial vulnerability assessment to establish a baseline. Vulnerability assessments, which should be performed every 12 to 18 months to track improvements over time, can be conducted several different ways using a variety of manual processes and/or automated tools.
Performing a ports and services baseline and comparison is an important part of a vulnerability assessment, as it identifies the ports currently open and the services currently running and compares them against those identified by equipment vendors as needed for operation. In addition, when paired with accurate and current network diagrams, important hardening improvements can be identified to enhance the robustness of the network perimeter. Hardening ports and services, as well as network devices, is a key step in mitigating potential vulnerabilities.
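A simple way to automate the ports-and-services comparison described above, written here as an added example (not Emerson's or the article's own code): it parses the kind of listing that `ss -Hlntup` produces on a Linux host and reports listeners absent from the vendor baseline, plus baseline services that are not running. The host names, vendor port lists and listener output are constructed sample data.

```python
import re

# Vendor-documented ports/services required for operation (constructed sample).
VENDOR_BASELINE = {
    "hmi-01": {("tcp", 502): "modbus-server", ("tcp", 3389): "remote-desktop"},
    "hist-01": {("tcp", 1433): "historian-db", ("udp", 123): "ntp"},
}

# Constructed listener output in the style of `ss -Hlntup` captured on each host.
SAMPLE_SS_OUTPUT = {
    "hmi-01": """\
tcp   LISTEN 0 128 0.0.0.0:502   0.0.0.0:* users:(("modbusd",pid=812,fd=5))
tcp   LISTEN 0 128 0.0.0.0:3389  0.0.0.0:* users:(("xrdp",pid=901,fd=7))
tcp   LISTEN 0 128 0.0.0.0:23    0.0.0.0:* users:(("telnetd",pid=455,fd=3))
""",
    "hist-01": """\
tcp   LISTEN 0 128 0.0.0.0:1433  0.0.0.0:* users:(("sqlservr",pid=600,fd=9))
udp   UNCONN 0 0   0.0.0.0:5353  0.0.0.0:* users:(("avahi",pid=300,fd=4))
""",
}

# proto, state, recv-q, send-q, local addr:port, peer, process name
LINE_RE = re.compile(
    r'^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)"')

def parse_listeners(ss_text):
    """Return {(proto, port): process} for every listening socket in ss output."""
    found = {}
    for line in ss_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found[(m.group(1), int(m.group(2)))] = m.group(3)
    return found

def compare_to_baseline(host, ss_text):
    """Return (unexpected, missing): listeners absent from the vendor baseline
    (hardening candidates) and baseline services that are not listening."""
    baseline = VENDOR_BASELINE[host]
    current = parse_listeners(ss_text)
    unexpected = {k: v for k, v in current.items() if k not in baseline}
    missing = {k: v for k, v in baseline.items() if k not in current}
    return unexpected, missing

if __name__ == "__main__":
    for host, text in SAMPLE_SS_OUTPUT.items():
        unexpected, missing = compare_to_baseline(host, text)
        for (proto, port), proc in unexpected.items():
            print(f"{host}: unexpected {proto}/{port} ({proc}) - hardening candidate")
        for (proto, port), svc in missing.items():
            print(f"{host}: baseline service {svc} on {proto}/{port} not listening")
```

Re-running the comparison at each assessment and keeping the output alongside the network diagram gives the trend over time that the article asks for.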
Vulnerability assessments can help expose what could be improved to enhance a system’s (or an asset’s) overall security posture. Once an organization has a good understanding of how its renewable generators are logically connected and how secure they are, the next step is to determine what can be done to harden the SCADA and control systems, to secure them and protect them.
User management, system hardening, patch management strategies, anti-virus and malware prevention programs, and human factor prevention fall into this category.
It is important to apply common sense to ensure initiatives are practical and not so restrictive that they may actually compromise the reliable operation. Take the difference between using shared accounts and unique accounts, for example. Some best practices in other industries may recommend that every person who logs onto the system has a unique user account. However, implementing a user management policy like this on a control system makes it difficult when operators are changing shifts. Logging out at the end of the shift so the next operator can log in could potentially cause the utility to lose visibility into the system until the next operator has logged on. In the power industry, it is common for operators to utilize shared accounts, while administrators, engineers, and other personnel typically have unique accounts so that activity can be tracked.
Using multiple tools or techniques to achieve additional security measures is an approach that can help ensure a good security posture. For instance, although operators may share user accounts, the use of security cameras, badging systems, and logbooks makes it possible to pinpoint the identity of the operator who may have either maliciously or inadvertently caused an incident.
It is also important to consider the “Human Factor.” In most cases, the number-one threat to the system is not someone from halfway around the world hacking into a system; it is the person who just returned from vacation and wants to show everyone his or her pictures and unknowingly inserts an infected USB drive into a computer. Providing cybersecurity awareness training, establishing a secured USB program, and instituting policies to restrict what can and cannot be done on the system are good first steps in addressing the human factor.
After establishing security programs, hardening systems, and defining a defence strategy, it is important to closely monitor all operating systems. This step encompasses security incident and event management (logging), network monitoring, configuration change management, and internal policy audits.
In terms of logging, utilities should review applicable logs manually, or deploy a solution to monitor assets and alert personnel when thresholds are reached. Keep in mind that alerts may not always indicate that someone is trying to hack into the system—it could be something else entirely. For instance, if a system password was changed and a process running on a machine cannot log in, it is possible to see hundreds of thousands of failed log-in attempts. While not malicious, this indicates that something changed and should be addressed.
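The threshold-alerting case above, as an added example that is not from the article: it counts failed logins per host, account and source over constructed syslog-style lines, raises an alert when a threshold is reached, and attaches a triage hint so that the stale-service-password situation the article describes is investigated as a change rather than assumed to be an attack. The log format, the `svc_` service-account naming convention and the threshold value are assumptions.

```python
import re
from collections import Counter

LOG_RE = re.compile(r'^(\S+) (\S+) auth: (FAILED|OK) login user=(\S+) src=(\S+)$')
FAIL_THRESHOLD = 50  # alert when one host/user/source triple reaches this (assumed policy value)

def make_sample_logs():
    """Constructed sample, not real data: a process whose stored password is stale
    retries once a second for five minutes, plus one operator typo that should
    stay below the threshold."""
    lines = [f"2024-03-01T02:{i // 60:02d}:{i % 60:02d} hist-01 auth: FAILED login "
             f"user=svc_historian src=10.1.5.20" for i in range(300)]
    lines.append("2024-03-01T06:58:10 hmi-01 auth: FAILED login user=operator src=10.1.5.31")
    lines.append("2024-03-01T06:58:20 hmi-01 auth: OK login user=operator src=10.1.5.31")
    return lines

def parse_failures(lines):
    """Count failed logins per (host, user, src) and record first/last timestamps."""
    counts, first_seen, last_seen = Counter(), {}, {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group(3) != "FAILED":
            continue
        ts, host, _, user, src = m.groups()
        key = (host, user, src)
        counts[key] += 1
        first_seen.setdefault(key, ts)
        last_seen[key] = ts
    return counts, first_seen, last_seen

def build_alerts(lines, threshold=FAIL_THRESHOLD):
    """Return one alert per (host, user, src) at or above the threshold, with a
    triage hint. The 'svc_' prefix for service accounts is an assumed naming
    convention; adapt it to the site's own."""
    counts, first_seen, last_seen = parse_failures(lines)
    alerts = []
    for key, n in counts.items():
        if n < threshold:
            continue
        host, user, src = key
        if user.startswith("svc_"):
            hint = ("service account failing repeatedly from one source: check whether "
                    "its password was changed without updating the process that uses it")
        else:
            hint = "interactive account: confirm with the user before treating as hostile"
        alerts.append({"host": host, "user": user, "src": src, "count": n,
                       "first": first_seen[key], "last": last_seen[key], "hint": hint})
    return sorted(alerts, key=lambda a: -a["count"])
```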
Another guideline is to track all system changes—even those that are purposely made. For instance, if an engineer makes changes to a control sheet, they should document the change as confirmation that the change was allowable. Any changes that have not been confirmed as allowable could be cause for concern. Change management can be addressed through a variety of manual processes and procedures as well as automated tools.
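One way to implement the "confirmed as allowable" check in code, as an added example that is not the article's own: every difference between a recorded baseline and the current configuration files is matched against a change register, and anything without a matching entry is flagged for review. The file paths, contents and the ticket id are constructed.

```python
import hashlib

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

# Constructed baseline: file contents captured after the last confirmed-good configuration.
BASELINE_CONTENT = {
    "hmi-01/control_sheets/pump_logic.cfg": b"P101 START IF LEVEL > 2.0\n",
    "hmi-01/control_sheets/valve_seq.cfg": b"V201 OPEN AFTER P101 RUN 5s\n",
    "hist-01/historian.ini": b"retention_days=365\n",
}
BASELINE_HASHES = {p: sha256_hex(c) for p, c in BASELINE_CONTENT.items()}

# Constructed current state: pump_logic.cfg was edited and documented, historian.ini
# changed with no record, and a new sheet appeared that nobody has confirmed.
CURRENT_CONTENT = {
    "hmi-01/control_sheets/pump_logic.cfg": b"P101 START IF LEVEL > 2.5\n",
    "hmi-01/control_sheets/valve_seq.cfg": b"V201 OPEN AFTER P101 RUN 5s\n",
    "hist-01/historian.ini": b"retention_days=30\n",
    "hmi-01/control_sheets/new_test.cfg": b"TEST\n",
}

# Constructed change register (ticket id is a placeholder): each confirmed-allowable
# change records the resulting hash so review matches exactly what was approved.
CHANGE_REGISTER = [
    {"path": "hmi-01/control_sheets/pump_logic.cfg", "ticket": "CR-0042",
     "engineer": "j.doe", "new_sha256": sha256_hex(b"P101 START IF LEVEL > 2.5\n")},
]

def reconcile(baseline_hashes, current_content, register):
    """Classify every difference from the baseline: 'approved' when a register entry
    matches the path and resulting hash, otherwise 'unapproved'; files that vanished
    from the baseline are listed under 'removed'. Unchanged files are skipped."""
    approved = {(e["path"], e["new_sha256"]): e["ticket"] for e in register}
    result = {"approved": {}, "unapproved": [], "removed": []}
    for path, content in current_content.items():
        h = sha256_hex(content)
        if baseline_hashes.get(path) == h:
            continue
        ticket = approved.get((path, h))
        if ticket:
            result["approved"][path] = ticket
        else:
            result["unapproved"].append(path)
    result["removed"] = [p for p in baseline_hashes if p not in current_content]
    return result

if __name__ == "__main__":
    for kind, items in reconcile(BASELINE_HASHES, CURRENT_CONTENT, CHANGE_REGISTER).items():
        print(kind, items)
```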
Finally, owners of renewable assets need to be prepared if, despite their best efforts, something does go wrong. This is where Respond/Recover comes into play. Whether or not a site is classified as a critical asset, it must have an Incident Response Plan with detailed actions for responding to internal and/or external malicious and non-malicious threats and attacks. Just as critical is having disaster recovery procedures at the ready.
There are many ways to implement a disaster recovery procedure, but one element that all organizations should consider is maintaining proper backups. Whether it is secure copies of control logic or complete machine images, reliable backups can shrink the time to recover from some incidents from weeks to days, or even hours. Regardless of the specific approach, for any response plan to be effective, the activities related to this step must be established beforehand and plans should be tested annually.
It is important to remember that security is not a project or a product: it is a process that continually evolves. As such, renewable asset owners should always consider cybersecurity as part of their regular maintenance program as well as part of the overall system life-cycle care plan. To remain current, organizations should establish a plan for regular maintenance as well as a plan to upgrade their security-related products every two to three years. For example, anti-virus software can run on a computer for a long time, but without frequent updates, is it providing the same level of protection?
Cybersecurity initiatives must secure systems and ensure operational reliability. Simply meeting compliance obligations does not guarantee that systems are secured, and a strong security program does not necessarily mean an organization is compliance-ready. But by considering both compliance and best practices with a focus on Identify, Protect, Detect and Respond/Recover, utilities can achieve a strong security posture that supports compliance and ensures reliable plant operation.
Applying the cybersecurity guidelines outlined here can help ensure renewable assets continue to reliably and cost-effectively produce clean, renewable, dispatchable electricity to the grid when it is needed most.
About the author
Matthew Cosnek is the Manager of Security Solutions at Emerson for the power and water industries. He is responsible for setting the direction of Emerson’s security solutions business, including establishing product and service roadmaps and providing sales support. As a leader on the Ovation Cyber Emergency Response Team, Matthew is active in the threat intelligence community, helping to ensure that Emerson provides timely notification to its user base regarding current threats and malware campaigns. He holds a BS in Computer and Electrical Engineering Concentration, a Master’s of Business and several industry certifications focused on the security and defence of Industrial Control Systems.