This article from Bloomberg gives some positive grades for grids in the US. We agree. Too often we take for granted the excellent work done by our energy experts. We can't push so hard, so fast to change the infrastructure we have in place in our quest to permanently change the energy mix. Our evolution of reshaping the grid must bring cleaner power and more resilience.
Note, as with all levels of sustainability, the high level of collaboration within the industry.
As if there job is not hard enough, now those same experts must be anti-terrorist strategist as well. We like seeing a lot more local power and micro-grids coming on line. We love the addition of renewables and large storage capacity. Add elements of digital smarts and our system starts to meet the needs of today and tomorrow. Our heartbeat should be strong and long-lasting.
The operator at the Prykarpattyaoblenergo control center in Western Ukraine couldn’t believe his eyes. On a quiet afternoon in December 2015, two days before Christmas, the cursor on his computer monitor began moving on its own accord, dutifully clicking on boxes to take dozens of substations offline, one by one. When he scrambled to log on to the control panel, his password had been changed.
The utility had been hacked, and more than 230,000 Ukrainians were left in the dark. The bad guys’ way in? A spear phishing attack to get the users at the power plant to steal valid credentials and use them to gain remote access to control systems.
If a similar attack hit the U.S., which boasts the most advanced electrical grid in the world, are the power industry’s defenses strong enough?
The answer may not be so simple. Three hundred million people rely on the U.S. electrical grid, a massive interconnected system that could be thrown into havoc by a major incident at any of the country’s 55,000 transmission substations. As Siemens USA President and CEO Eric Spiegel noted in remarks at a recent event in Washington, D.C., as more of the nation’s critical infrastructure is digitalized to create new efficiencies and business models, its reliance on software and the Internet of Things “provides more points of entry for people who want to harm us.”
“The Future of the Grid: Spotlight on Cybersecurity,” sponsored by Siemens, brought together leaders from the public and private sectors to discuss this topic, and revealed an energy industry that is up for the challenge.
“We have to look at the full range of threats, from the lone actor to the well-developed state threat, and everything in between,” says Elizabeth Sherwood-Randall, Deputy Secretary at the U.S. Department of Energy. “If we’re prepared to meet the most extreme threat, like a coordinated state attack that would be multifaceted, then we’re prepared to meet everything that is less extreme.”
There is reason for optimism in the comments of General Michael Hayden, former Director of the CIA and current Co-Chair of the Electric Grid Cybersecurity Initiative at the Bipartisan Policy Center.
“The grid is more resilient than we give it credit for,” Hayden says, “and the power industry has done an awful lot of work to make it so.”
Still, in an increasingly networked society where bad actors only need to be successful once to upend the grid, the entire industry must be willing to work together.
“We have the strongest grid in the world—no other country has the coordination that we do—but we always feel we can do better,” adds Sherwood-Randall. “It does require investment, but we have an opportunity when we invest to ensure that it is resilient, smart and efficient, and it will also make us more capable in resisting attacks. It has multiple benefits for the American people and the world.”
Collaborating to connect the dots
In Ukraine, signs of an imminent attack began appearing nine months before the event, but no one was able to put those puzzle pieces together. That type of situation is less of a concern in the U.S., where organizations like the Electricity Subsector Coordinating Council (ESCC) and Electricity Information Sharing and Analysis Center (E-ISAC) ensure that industry and government leaders maintain a constant dialogue.
“That is the power here—the sharing that we can do to stay what we like to call ‘left of boom,’” says Marcus H. Sachs, Chief Security Officer at the North American Electric Reliability Corporation (NERC). “Boom is when the bad event happens. You don’t ever want to be right of boom. Left of boom is a happy place.”
Willingness to collaborate is crucial. “The more deliberate we get with our information sharing, the better off we’ll be,” says Zeeshan Sheikh, Chief Information Officer at Entergy, the Louisiana-based utility. “Whether it’s a small company, a large company or the government, our preparation gets better each time we share information amongst different organizations.”
This is perhaps best exemplified by GridEx, a sector-wide grid security exercise periodically conducted by NERC that takes stock of the electricity sector’s ability to stand up to coordinated cybersecurity threats. More than 4,400 participants from 364 North American organizations took part in GridEx III last November, with the common goal of strengthening crisis-response functions.
Such simulations help make staying left of boom much more realistic. “Those exercises are really helping us identify what a cyber event even looks like,” attests Dennis P. Gilbert Jr., Director of Information and Cyber Security at Exelon, the largest regulated utility in the country. “We want someone out at a substation or a plant to become a little bit paranoid and take a second to think about, Is this a malfunction or could this be a breach?”
“That type of training is key,” adds Sheikh, who works closely with the FBI, DHS and DOE. “We actually have a live attack that we can study, analyze, recreate, replay and make sure that we’re not vulnerable. Now our operators can go back, look at our systems and make sure we’re protected.”
Through the sharing of information, Suzanne Spaulding, Under Secretary for the National Protection and Programs Directorate (NPPD) at the U.S. Department of Homeland Security, sees the sector creating a “system of systems” of near-real-time alerts that can identify the most common cyber threats, and using data analytics to stop new threats that have yet to be encountered before.
“We really want to incentivize indicator sharing so that we have as much data in one place as possible,” Spaulding explains. “If something is recognized as malicious activity, those threat indicators are immediately sent out to all nodes of this system of systems. The idea here is that the adversary might be able to get away with it once, but then everybody has been alerted. That is hugely powerful, and an important next step.”
In addition to encouraging companies to implement machine-to-machine sharing, Spaulding and the NPPD are doing the legwork to connect the government with the private sector. “I meet at least three times a year with about 40 CEOs,” she says. “One of the things they intuitively understand is that this requires a holistic perspective. This is not just an IT network problem or issue. You’ve got to bring your folks who understand physical structure, and have them be a part of the cybersecurity conversation.”
By doing so, disaster response doesn’t begin with what Exelon’s Gilbert describes as the major players hastily “exchanging business cards on the tarmac in the middle of the incident,” but instead with everyone automatically understanding their roles and responsibilities.
Even Congress borrowed a page from this collaboration book when it recently authorized the Cybersecurity Information Sharing Act, and a House panel voted in June to turn Spaulding’s NPPD into the new Cybersecurity and Infrastructure Protection Agency, which would take on an operational authority with (or via) the TSA.
To further indicate how seriously the federal government takes the threat, the DOE operates 17 national labs that assess cyber threats, and a number of CEOs in the electricity sector have been cleared to receive highly classified information. “We bring them in to talk as we see threats emerging,” explains Sherwood-Randall. “We can say, ‘Look, this is evolving, and you need to meet this.’ Our utility partners begin to take action to strengthen against those threats.”
No utility left behind
Obviously, being warned of an impending threat is a crucial first step, but not every utility has the resources to combat one. “I have 1,400 members, and all of them are electric utilities,” says Sue Kelly, CEO of the American Public Power Association. “Frankly, a lot of my members are too small to have these cybersecurity activities on staff. We’re going to have to go outside to get it.”
The Department of Energy is ready to help, announcing on the morning of “The Future of the Grid” event that it would provide up to $15 million in new funding to help APPA members strengthen their operations. And in the private sector, Siemens’ recent opening of its Cyber Security Operation Center for industrial customers in Ohio—joining a similar CSOC in Europe—shows its commitment to this fight.
The center is a key part of Siemens’ broader portfolio of industrial control systems (ICS)—cybersecurity offerings that build on the company’s experience. The company offers cybersecurity services, products and solutions to help industrial customers take an individualized, holistic approach to protecting their assets, and comply with regulatory requirements.
“At Siemens, cybersecurity is a strong part of our vision for digitalization and how we’ll help lead a transition to a digital world, and we saw that our customers needed more real-time response capability to detect and respond to threats,” explains Spiegel. “Some companies have monitoring capability, but to set up a center to do it for others, as part of a service offering really demonstrates that we’re taking this seriously. “
Siemens builds products with integrated security, but this is only part of the solution, Spiegel says. “No matter how secure products and systems are, hackers will try to break into them,” he explains. “The question is: How will you respond? The industry must be agile enough to address threats right away. Our view is that the entire industry—both utilities and vendors like Siemens—need to come together now as a unified force.”
No comments:
Post a Comment