Recently, the security firm Symantec reported alarming developments in attacks perpetrated by a group called Dragonfly 2.0 in which hackers were able to gain hands-on access to electric grid operations. These threats are ever-increasing because of dramatic changes in the electric grid. While the wires and poles that make up the grid may look the same as they have for decades, utilities are deploying technology that makes the grid more connected and more reliable, but also more susceptible to security breaches.
This kind of connectivity has already transformed the way many industries think about security. Take banks for example. In the past, bank security was all about optimizing the vault and lock boxes to secure the bank from robbers. Then came computers and online banking. Suddenly, banks had to change the way they thought about security and develop robust cybersecurity plans.
The energy and utility industry is transforming in the same way, but the task of defending energy infrastructure is immensely difficult.
Like banks or retailers, utilities must protect large sets of sensitive customer data. Like manufacturers, they must protect physical equipment. But unlike many manufacturers who deal with highly predictable industrial activities, grid operators have no idea when someone will turn on their microwave, or when a cloud will pass over a solar panel. Therefore, they must live with significant uncertainty even under “normal” operations.
Compounding that difficulty is the sheer footprint of our energy infrastructure and limitations on control. Imagine if General Motors’ manufacturing operations spanned hundreds of thousands of miles, without walls, fences or security cameras. Then consider if anyone was allowed to plug in their own electric devices to GM’s equipment and control them how they wish. This is the scenario utilities face in integrating distributed energy resources like rooftop solar panels and behind-the-meter batteries.
American utilities understand these challenges, as do regulators who are tasked with ensuring utility investments are cost-efficient. Utilities are taking concrete steps to address vulnerabilities and build cyber resiliency. For example, we’re seeing greater collaboration within utilities between those responsible for physical equipment and those responsible for information technology.
Furthermore, utilities are beginning to embrace the culture of robust cyber hygiene that has been emphasized in finance and other critical service sectors. This includes employee training on “phishing” and other attack behaviors, regular conversations about security developments and best practices, and formalized processes for always ensuring the latest upgrades and patches for software and hardware. Equally important, utilities are adapting their previously developed response plans for outages and equipment failure to scenarios in which grid control systems have been compromised by an attacker.
Utilities and their regulators must build on this progress through critical self-assessment, information-sharing and collaboration, and adoption of new technological and organizational approaches. There are three key focus areas that will help utilities continue to fend off cyberattacks.
First, it’s nearly impossible to keep all cyber intruders out, but the longer they have access, the more dangerous they can be. That’s why reducing the amount of time that cyber intruders are allowed to remain in the company’s network before being detected and neutralized is essential. The attack on Ukraine’s power grid in 2015, for example, could have been avoided had hackers not enjoyed so much time to map out the control system.
Second, obtain real-time visibility. In order to detect attacks quickly, utilities must have the ability to continuously monitor and assess system behavior. In other words, it’s difficult to quickly neutralize intruders when you can’t see well enough to spot them.
And lastly, utilities need a dedicated role for cyber-physical security. In the same way that the chief information security officer (or equivalent role) is responsible for securing information systems, someone must be specifically responsible for securing the physical operational technology.
Neither utilities nor their regulators need to be told about the immense challenge of securing a rapidly modernizing electric grid. Increasing attention to the issue both from elected officials and the news media reflects this as a national priority.
Progress is already being made to bolster our critical infrastructure’s defenses and resiliency, but much work still needs to be done. The complexity and importance of this task demand collaboration between and amongst utilities, regulators, government agencies, technology vendors and researchers. Only by working across these stakeholder groups to accelerate innovation, refine and share best practices, and hold each other accountable, can we meet the challenge of securing our nation’s energy delivery.
Ed Hammersla is chairman and chief executive officer of Utilidata, a global software company working with major utilities like National Grid, American Electric Power and PG&E to modernize and secure the electric grid.