The great Northeast blackout of 1965 that darkened New York City was a wake-up call for the electric sector. One of the calls for action was the 1972 formation of the Electric Power Research Institute (EPRI) to conduct research on behalf of the public good. EPRI’s first program focused on power quality, and since then has added new research practices based on utility needs and priorities. Back in 1972, when computing power required significant real estate and phones were wired to walls, there was no cyber to consider around security. But, as we’ve learned from publicized attacks in the past few years, cybersecurity is an essential element for reliable and resilient grid operations.
EPRI’s initial research/development/demonstration activities have evolved to include robust cybersecurity programs. One cybersecurity research program focuses on the unique requirements for operations technology (OT) security from “transmission to toaster.” The asset range is enormous and increasingly complex. It spans secure data transport and management from substations to utility control centers as well as residential devices like smart thermostats receiving signals from demand response management systems. Asset numbers are growing as more Distributed Energy Resources (DER), like solar panels, energy storage and electric vehicles are added to distribution grids. And OT assets and systems that were once protected by “security through obscurity” are now communications-enabled and capable of supporting remote access for monitoring and control.
The utility attack surface will continue to grow for the foreseeable future. The dynamic nature of today’s transmission and distribution grids drives utility security information needs such as understanding vulnerabilities, addressing the highest priority risks and improving situational awareness. EPRI’s research focuses on emerging threats through multidisciplinary, collaborative research on cybersecurity technologies, standards and business processes. Based on the guidance of EPRI’s utility members and analysis of trends, here are some of the important research activities EPRI’s Cybersecurity program will address in 2019:
Developing improved situational awareness with robust incident management
Electric utilities continue to be interested in improving their abilities to detect, respond to, and recover from cyber incidents. EPRI has conducted research on Integrated Security Operations Centers (ISOCs) since 2013. An ISOC extends the capabilities of a typical security operations center by integrating and correlating security events from
- OT networks, systems, and devices.
- Information technology (IT) networks, systems, and business applications.
- Physical security systems.
The security functions of an ISOC include monitoring and detection, response and recovery, situational awareness, and engineering to meet the technical needs of the ISOC. EPRI research consistently emphasizes what is realistic and practical to address real-world scenarios. One ISOC research deliverable is a guidebook that describes strategies and guidelines for electric utilities to design, implement and operate centers, improving security situational awareness of the expanding attack surface. The guidebook includes information compiled from five utilities that have hands-on experience to identify the best practices to plan, build and run ISOCs.
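The value of an ISOC comes from correlating events that no single domain's monitoring would flag on its own. The following is an added illustration, not EPRI's or any utility's code: a small correlator that clusters OT, IT and physical-security events per site within a time window and applies cross-domain rules. The event schema, the two rules, the site and user names, and the sample events are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from the three ISOC source domains (OT, IT,
# physical). Field names and values are assumptions for this example,
# not any product's schema.
SAMPLE_EVENTS = [
    {"ts": "2019-03-04T02:10:00", "domain": "it", "type": "vpn_login",
     "site": "substation-12", "user": "jdoe"},
    {"ts": "2019-03-04T02:14:00", "domain": "ot", "type": "relay_setting_change",
     "site": "substation-12", "user": "jdoe"},
    {"ts": "2019-03-04T02:16:00", "domain": "physical", "type": "badge_denied",
     "site": "substation-12", "user": "jdoe"},
    {"ts": "2019-03-04T08:55:00", "domain": "physical", "type": "badge_granted",
     "site": "substation-07", "user": "maint1"},
    {"ts": "2019-03-04T09:00:00", "domain": "ot", "type": "relay_setting_change",
     "site": "substation-07", "user": "maint1"},
]

# Correlation rules (constructed for this example). "require" lists, per
# domain, event types that must all be present in one site/time cluster;
# "forbid" lists event types whose presence suppresses the rule.
RULES = [
    # Remote IT access followed by a protection setting change, with nobody
    # badged into the site: a relay is being reconfigured from outside.
    {"name": "remote_ot_change", "severity": "high",
     "require": {"it": {"vpn_login"}, "ot": {"relay_setting_change"}},
     "forbid": {"physical": {"badge_granted"}}},
    # Setting change while a technician is badged in is the expected
    # maintenance pattern; record it for situational awareness only.
    {"name": "onsite_ot_change", "severity": "info",
     "require": {"ot": {"relay_setting_change"}, "physical": {"badge_granted"}},
     "forbid": {"it": {"vpn_login"}}},
]

def parse(event):
    """Copy the event and turn its ISO-8601 timestamp into a datetime."""
    e = dict(event)
    e["ts"] = datetime.fromisoformat(e["ts"])
    return e

def cluster_by_site(events, window):
    """Sort events by time, group them per site, and split each site's
    stream into clusters whose events all fall within `window` of the
    cluster's first event."""
    by_site = defaultdict(list)
    for e in sorted(map(parse, events), key=lambda e: e["ts"]):
        by_site[e["site"]].append(e)
    clusters = []
    for site, evs in by_site.items():
        current = [evs[0]]
        for e in evs[1:]:
            if e["ts"] - current[0]["ts"] <= window:
                current.append(e)
            else:
                clusters.append((site, current))
                current = [e]
        clusters.append((site, current))
    return clusters

def has_all(cluster, spec):
    """True if, for every domain in spec, the cluster contains an event of
    that domain with one of the listed types."""
    return all(any(e["domain"] == d and e["type"] in types for e in cluster)
               for d, types in spec.items())

def correlate(events, window=timedelta(minutes=15)):
    """Emit one incident per (site cluster, rule) whose required events are
    all present and whose suppressing events are absent."""
    incidents = []
    for site, cluster in cluster_by_site(events, window):
        for rule in RULES:
            if not has_all(cluster, rule["require"]):
                continue
            if any(has_all(cluster, {d: t}) for d, t in rule["forbid"].items()):
                continue
            incidents.append({
                "site": site, "rule": rule["name"], "severity": rule["severity"],
                "start": cluster[0]["ts"].isoformat(),
                "users": sorted({e["user"] for e in cluster}),
                "domains": sorted({e["domain"] for e in cluster}),
            })
    return incidents

if __name__ == "__main__":
    for incident in correlate(SAMPLE_EVENTS):
        print(incident)
```

On the sample data the first site produces a high-severity incident (VPN login, relay change, and a denied badge, so no one was physically present), while the second site produces only an informational record because the badge grant explains the setting change. The window size matters: with a 3-minute window neither pattern assembles, which is the kind of tuning an ISOC has to do against its own event rates.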
The 2019 ISOC research will examine artificial intelligence and machine learning tools integrated into these security operations centers. Since this is an emerging technology for cybersecurity incident management, one important research activity will survey existing solution capabilities. EPRI will also use its Cybersecurity Research Lab to test prospective solutions, leveraging use cases identified by utilities participating in this research.
Another important component of EPRI’s Incident Management research is its work in cybersecurity forensics for industrial control systems. Last year, EPRI created guidelines on forensics analysis to help utilities develop internal skills and processes. Plans for 2019 include hands-on forensics operations using utility-selected solutions. Investigative situations like these always deliver valuable insights that help separate hype from reality.
Reduce vulnerabilities and risks through threat management
Threat management is one of the 10 domains identified by the Electricity Subsector Cybersecurity Capability Maturity Model to help utilities assess, prioritize and improve capabilities. EPRI defines a cybersecurity threat as any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), resources, and other organizations through IT, OT, or communications infrastructure via unauthorized access, destruction, disclosure, modification of information and/or denial of service.
A sophisticated understanding of threats helps utilities identify vulnerabilities and reduce or eliminate those vulnerabilities. EPRI’s 2019 research program will develop guidelines for advanced threat management for utilities and examine the performance of automated threat response tools in realistic utility scenarios. EPRI’s collaborative research methodology emphasizes information sharing between utilities. For example, EPRI conducts an annual workshop that assembles threat management and incident response specialists to discuss challenges, real-world experiences and solutions. The 2019 workshop, scheduled for May 20-21, is hosted by Alliant Energy for all utilities participating in EPRI’s Cybersecurity research program.
Securely managing the mix of legacy and new assets
Utilities manage a diverse set of industrial control systems procured from multiple vendors that may remain in place for extensive time frames, even though they may lack built-in security capabilities. Techniques that identify new assets through passive mechanisms and then use that information to enact active device management measures in a secure manner can help utilities manage these legacy systems and devices.
In addition to passive device identification investigations, EPRI is also exploring the use of vendor configuration management tools to manage both new and legacy devices. These research activities may allow utilities to securely manage intelligent electronic devices (IEDs) for the duration of their asset lifecycles. EPRI’s 2019 plans include the development of guidelines for effective and secure field device management.
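Passive identification works from traffic the devices already generate, so it can inventory legacy equipment that cannot safely be probed. The script below is an added illustration, not EPRI's or any vendor's tool: it summarizes constructed flow records by device, infers each device's likely ICS role from the standard Modbus/TCP (502), DNP3 (20000) and IEC 61850 MMS (102) ports, and reports devices missing from a baseline inventory, plus baseline devices whose addresses or protocols have drifted, so they can be enrolled in or reconciled with configuration management. The flow schema, MAC and IP addresses, and baseline are all made-up sample data.

```python
from collections import defaultdict

# Standard ICS protocol port assignments (Modbus/TCP 502, DNP3 20000,
# IEC 61850 MMS over ISO-TSAP 102) used to infer roles from observed traffic.
ICS_PORTS = {502: "modbus", 20000: "dnp3", 102: "iec61850-mms"}

# Constructed flow summaries, as a passive collector on a substation LAN span
# port might emit them. MAC and IP values are made-up sample data.
SAMPLE_FLOWS = [
    # Known DNP3 master polling the known outstation.
    {"src_mac": "00:11:22:33:44:01", "src_ip": "10.20.1.10",
     "dst_mac": "00:11:22:33:44:02", "dst_ip": "10.20.1.50", "dst_port": 20000},
    # Same master, but now seen with a second IP address.
    {"src_mac": "00:11:22:33:44:01", "src_ip": "10.20.1.11",
     "dst_mac": "00:11:22:33:44:02", "dst_ip": "10.20.1.50", "dst_port": 20000},
    # Never-seen device talking Modbus and SSH to the outstation.
    {"src_mac": "00:11:22:33:44:03", "src_ip": "10.20.1.77",
     "dst_mac": "00:11:22:33:44:02", "dst_ip": "10.20.1.50", "dst_port": 502},
    {"src_mac": "00:11:22:33:44:03", "src_ip": "10.20.1.77",
     "dst_mac": "00:11:22:33:44:02", "dst_ip": "10.20.1.50", "dst_port": 22},
]

# Constructed asset baseline keyed by MAC: addresses and ICS protocols each
# device was previously observed using.
BASELINE = {
    "00:11:22:33:44:01": {"ips": {"10.20.1.10"}, "protocols": {"dnp3"}},
    "00:11:22:33:44:02": {"ips": {"10.20.1.50"}, "protocols": {"dnp3"}},
}

def build_profiles(flows):
    """Aggregate what each MAC was seen doing: its IPs, the ports it connects
    to (client side) and the ports it is contacted on (server side)."""
    profiles = defaultdict(lambda: {"ips": set(), "client_ports": set(),
                                    "server_ports": set()})
    for f in flows:
        src, dst = profiles[f["src_mac"]], profiles[f["dst_mac"]]
        src["ips"].add(f["src_ip"])
        src["client_ports"].add(f["dst_port"])
        dst["ips"].add(f["dst_ip"])
        dst["server_ports"].add(f["dst_port"])
    return profiles

def ics_protocols(profile):
    """ICS protocols a device was seen using, on either side of a connection."""
    ports = profile["client_ports"] | profile["server_ports"]
    return {ICS_PORTS[p] for p in ports if p in ICS_PORTS}

def infer_role(profile):
    """Serving an ICS port suggests an outstation/slave; connecting to one
    suggests a master/HMI. Anything else stays 'unknown' for a human to triage."""
    served = {ICS_PORTS[p] for p in profile["server_ports"] if p in ICS_PORTS}
    spoken = {ICS_PORTS[p] for p in profile["client_ports"] if p in ICS_PORTS}
    if served:
        return "ics-server:" + ",".join(sorted(served))
    if spoken:
        return "ics-client:" + ",".join(sorted(spoken))
    return "unknown"

def discover(flows, baseline):
    """Compare passively observed devices with the baseline. Returns devices
    not in the baseline (candidates for enrollment in configuration
    management) and baseline devices whose addresses or protocols drifted."""
    new, changed = {}, {}
    for mac, p in build_profiles(flows).items():
        if mac not in baseline:
            new[mac] = {"ips": sorted(p["ips"]), "role": infer_role(p)}
            continue
        new_ips = p["ips"] - baseline[mac]["ips"]
        new_protos = ics_protocols(p) - baseline[mac]["protocols"]
        if new_ips or new_protos:
            changed[mac] = {"new_ips": sorted(new_ips),
                            "new_protocols": sorted(new_protos)}
    return {"new": new, "changed": changed}

if __name__ == "__main__":
    import json
    print(json.dumps(discover(SAMPLE_FLOWS, BASELINE), indent=2))
```

On the sample flows the third MAC is reported as a new Modbus client, the master is reported with a new address, and the outstation is reported because it is now also answering Modbus, all without a single packet being sent to any device. In practice the baseline would be the configuration-management inventory itself, so that the "new" list feeds enrollment and the "changed" list feeds reconciliation.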
Utilities need information to optimize risk management
EPRI Cybersecurity research does more than focus on technologies. In response to the feedback and continuing guidance of its utility members, EPRI’s researchers also examine business processes like risk management for utility OT environments and security architectures for grid-edge devices. EPRI also offers guidance on utility compliance with the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) standards, such as examining opportunities to develop a compliance automation process model to improve the efficacy of compliance activities. While CIP standards improved the security posture of utilities, they have impeded adoption of specific technologies or practices due to ambiguity or compliance risk avoidance. It’s a well-known challenge that is not unique to CIP standards – technology always changes faster than the regulatory process can update or modify rules and standards. EPRI’s current research includes a focus on cloud-based applications and the security implications for utility use of them. EPRI, in collaboration with utilities, will develop a series of implementation guides and reference architectures to address realistic scenarios that incorporate cloud operations.
There’s no doubt that the deployment of DER assets – whether utility-owned or owned by a third party – is rapidly changing grid management models from traditional centralized controls to more distributed management models. In 2019, EPRI will continue to investigate the cybersecurity risks found in these new management models and study security architectures that address these risks. EPRI and its utility research partners will create a set of reference security architectures for the systems supporting the power grid, with the focus on the grid-edge devices. EPRI’s initial investigations have led it to suggest that multiple layers of controls are required for securing DER systems. These include security controls at the
- Data-level.
- Communications-level.
- Network-level.
- Application integration level.
EPRI’s research conclusions will be summarized later this year in reports on reference security architectures for DER integration and special considerations for energy storage.
Developing objective cybersecurity measurements
To paraphrase Lord Kelvin, we know if you can’t measure it, you can’t manage it. That’s been the frustrating reality for utilities when it comes to cybersecurity actions and investments. If a utility implements a new cybersecurity solution, how can the value of the investment be correctly quantified? If a policy is changed to enforce more complex passwords, what is the incremental security value achieved with that change? Until now, there have not been comprehensive, standardized security metrics widely adopted by the industry that help utilities calculate and understand the value of security investments in quantifiable terms.
EPRI’s Cybersecurity metrics research addresses this knowledge gap and supports informed decision-making with a practical set of security metrics that represents the status of a utility’s security posture. Initiated in 2015, EPRI’s research will result in a full set of metrics that can provide measures of the effectiveness of security controls. To date, EPRI and its collaborating utilities have identified approximately 120-150 data points that provide the quantitative foundation for these metrics, consisting of operational statistics collected from various points in utility operations. These data points are formulated into 47 operational level metrics, 10 tactical level metrics and three strategic level metrics, providing functionally-based information that is useful within utilities.
Cyber secure utility operations are absolutely essential to maintain the reliability and resiliency of our electric grids. At the same time, utilities are confronted with growing numbers of devices that may become adversarial if compromised, yet these devices are being attached to grids at increasing rates. This is a true dilemma for utilities, but the cybersecurity research ongoing at EPRI is tailored to help deliver answers, guidance, and tools to help utilities reduce cybersecurity risks to critical operations.
Christine Hertzog is a principal technical leader focused on Cybersecurity at the Electric Power Research Institute (EPRI). In this role, she works with utilities and industry partners to define and execute strategic research initiatives. She was previously the founder of a consulting firm focused on innovative grid solutions and has an extensive background in telecommunications hardware, software, and services with startups and international corporations. Hertzog authored the Smart Grid Dictionary and co-authored Data Privacy for the Smart Grid. She also has served in an advisory capacity to startups, industry associations and publications. Hertzog has a master’s degree in telecommunications from the University of Colorado at Boulder.