THE EXISTING ENVIRONMENT
Our electricity system has greatly evolved and now represents an essential contributor to our society’s well-being. Power Generationand Transmission & Distribution Operators aim to deliver dependable service to their customers since business systems, healthcare systems, home comfort systems, etc. all rely on the availability of electricity.As the demand for reliable service grows, all Operators are facedwith a challenging environment where they must deal with a greatvariety of elements:
1) The electric grid is under pressure, according to the North American Electric Reliability Council (NERC), which states that over the next 10 years while the demand for electricity is expected to rise by 19% in the United States and 13% in Canada, confirmed power capacity will increase by only 6% in the U.S. and 9% in Canada. Furthermore, total transmission miles are projected to increase by less than 7% in the U.S. and by only 3.5% in Canada.
2) The Power & Energy (P&E) industry faces billions of dollars in maintenance upgrades which have been deferred for many years.
3) Corporate governance standards and regulatory requirements, including Sarbanes-Oxley and NERC, have resulted in an environment where investments in new technologies must be made wisely, with those technologies being implemented according to specific deadlines. Furthermore, in jurisdictions such as the province of Ontario, Utilities must respond to government-mandated technological deployments, such as Smart Meters.
4) Utilities need to deliver excellent service while ensuring that costs are kept under control. They must also deliver on the cost-cutting expectations built into the recent mergers and acquisitions.
5) The P&E work force is aging rapidly and the industry needs to address this situation over the next 5 to 10 years.
6) Over the years, Operational Systems have been built around disparate technological platforms, creating “islands of technology” that cannot collaborate and cannot deliver the effectiveness and cost-efficiency required by Operators.
7) Due to ever increasing security threats from computer hackers who have chosen the Power & Energy sector as a target, Operators are having to combine their efforts to migrate to newer technologies with the essential deployment of Cyber Security measures for the legacy systems which were installed long before Cyber Security threats emerged.
To deal with this challenging environment, today’s forward-looking entities are formulating new strategies to considerably improve their Operational Systems. “The Smart Grid” has emerged as an evolution of the electric grid which allows Utilities to position themselves as proactive participants in the end-to-end generation and delivery of electricity. The replacement of the electro-mechanical grid with a digital Smart Grid creates vast opportunities for improved Operational Systems and increased overall success for Generation and Transmission & Distribution Operators. It must however be realized that the benefits of the Smart Grid are available only to those organizations who recognize that, in today’s environment, computerized resources are threatened by increasingly sophisticated Cyber Security attacks. It is therefore essential that the deployment of the Smart Grid be accompanied by the establishment of a strong Cyber Security program that is integrated into Operational systems. Operators must also be pro-active in the protection of the legacy systems which very often still represent major underpinnings of our electric grid.Organizations that combine Cyber Security with the Smart Grid and with their legacy systems are best positioned to reap the numerous benefits to be derived from improved Operational Systems and from increased service reliability to their customers.
THE SMART GRID
The Smart Grid is an environment that supports not only the flow of electricity but also the flow of Operational information through a strong and reliable communications network. This fully digital, 2-way communication environment delivers considerable asset optimization and efficiency opportunities for participating entities. The Smart Grid allows operators to be pro-active in the detection of generation, transmission, and distribution problems, to isolate the problem areas, and to prevent cascading power outages. As per the U.S. National Energy Technology Laboratory, the main characteristics of the Smart Grid are:
• The Smart Grid is self-healing. It can detect, analyze, and respond to disturbances.
• The Smart Grid supports client equipment and usage behaviour.
• The Smart Grid is tolerant of physical and Cyber Security attacks.
• The Smart Grid delivers high-quality power to customers.
• The Smart Grid supports various power generation technologies.
• The Smart Grid supports competitive power markets.
• The Smart Grid delivers capital asset optimization while minimizing Operational costs.
The Smart Grid, that is the evolution of the electric grid from being electro-mechanical to becoming a digital, automated network, can clearly deliver great flexibility to Utilities in search of improved business methods and service offerings.
PROTECTING THE SMART GRID
To enjoy the Operational benefits derived from the implementation of the Smart Grid, Utilities must ensure that appropriate measures are in place to protect the extensive information flow and control signals intrinsic to the Smart Grid. In the current transition period, when elements of the Smart Grid and legacy system components co-exist in the electric grid, Cyber Security concerns are particularly relevant for the P&E sector which has been identified as being among the top industrial security targets.The U.S. Homeland Security organization, the U.S. Department of Energy, and the Canadian Energy Infrastructure Protection Division have all issued an urgent call to action for the protection of energy control systems since increasingly sophisticated cyber attacks have been launched against system components, telecommunication systems, and common operating systems with the goal of sabotaging control systems. Furthermore, the vulnerability of energy control systems continues to augment as these systems are increasingly networked with corporate systems, business partners, and other Internet-based resources. The Smart Grid is therefore exposed to several types of risks, including the typical risks listed below.
Typical Cyber Security Risks
Associated with the P&E Sector
• Unauthorized access and breach of control systems
• Interception and manipulation of control data/signals
• Distributed/coordinated attack on system components
• Interception and manipulation of monitoring data
• Intentional and unintentional human intervention
• Impairment to application software
• Third-party intervention (interconnected partner, vendor)
Cyber Security is definitely a key component of an Operator’s Smart Grid deployment and of its Service Reliability strategy. The development of a Cyber Security program for the Smart Grid should not be an afterthought; it should be an integral part of the planning and design process involved with the deployment of Smart Grid initiatives. The Cyber Security program should also ensure that legacy systems receive the protection they require.A properly planned Cyber Security strategy will result in a highly secure environment that still delivers the operational flexibility and efficiency so crucial to the successful implementation of new Operational systems.Utilities should therefore implement a comprehensive, integrated, well monitored, and frequently updated Cyber Security program to ensure they derive the full benefits available from the Smart Grid.
RISK ASSESSMENT
It is recommended that the Cyber Security program start with a comprehensive Operational Risk Assessment. This Assessment should be specifically tailored to a P&E Operational environment as its needs vary greatly from those of a corporate Information Technology environment. The Assessment allows an Operator to identify the potential problem areas from an Operational perspective and to then formulate a strong Cyber Security strategy.
The first step in the Operational Risk Assessment is to conduct a Threat Risk Assessment (TRA) to determine the prioritization and focal areas for protection. After the TRA, the Operational Risk Assessment can include: an architecture review; an assessment of security devices, network devices, servers and workstations; a Cyber Security policy review; and a site audit, including a physical security audit. The Assessment can also be expanded to include the overall Cyber Security of an Operator, including its Information Systems, to ensure that overall productivity is protected from cyber attacks.
The Operational Risk Assessment should be based on Cyber Security Best Practices and on industry-specific security standards such as NERC CIP as well as on directives issued by the U.S. Department of Energy and by the U.S. Department of Homeland Security.
Smart Grid Risk Assessments differ from traditional Utility risk assessments in that they encompass both an internal and an external perspective, the latter being required due to control signal and monitoring interconnections. A layered “defense in depth” approach to security is therefore critical for P&E Operations as it is imperative that systems be protected at the point of interconnection as well as within the security perimeters.
EXTENSIVE CYBER SECURITY NEEDS
Cyber Security is needed for the various building blocks of the Smart Grid’s Operational systems, including Operational Control Systems, SCADA Systems, Smart Meters, and Substations. The need for Cyber Security measures applies, of course, to all participants in the Smart Grid.As illustrated below, the need for Cyber Security applies for the Generation, Transmission, and Distribution sectors and a variety of elements need to be protected in each of those sectors. A robust, integrated Cyber Security protection is attained when Cyber Security measures are implemented in each sector.
CYBER SECURITY PROGRAM
Once the appropriate Risk Assessment activities have taken place, a comprehensive Cyber Security program should be established. The selected technology solutions should be based on Open standards so that the Smart Grid is protected by effective and cost-efficient technologies that are capable of complementing each other and of collaborating in an integrated manner. The selected solutions also need to be interoperable with existing legacy Operational systems. In addition, the selection of solutions based on Open standards ensures that the Cyber Security program can expand, evolve, and adapt to new challenges as they arise.
Frequently, Managers are challenged to deploy strong solutions while, at the same time, having to deal with limited budgets and the imperative of accommodating innovative business solutions and improved competitiveness. Consequently, Managers should favour Cyber Security solutions that deliver:
• Extensive monitoring,
• Flexibility,
• Support of legacy systems,
• Migration to new devices,
• An environment rich in auditing, logging, and reporting capabilities,
• Compliance with relevant regulation,
• Reduced complexity,
• Integration with existing operations, and
• Cost-effectiveness.
When personnel resources and/or in-house Cyber Security expertise are limited, Operators may wish to seek assistance from external Cyber Security organizations. These groups can complement internal skill sets to ensure the utmost success for the Smart Grid deployment and to deliver results within expected deadlines.
As Cyber Security threats are constantly evolving, it is essential that the Cyber Security program be frequently updated. The Operator should be committed to continuous Cyber monitoring and to conducting periodic re-assessments of its environment to ensure that strong Cyber Security measures remain in place at all times.
CONCLUSION
All participants in the Power & Energy market face a most challenging environment and they therefore need to adopt new and improved operating methods to deliver highly reliable services to their customer base. The emergence of the Smart Grid represents an opportunity for forward-looking entities to bring new sources of productivity and profitability to their organization. However, the benefits offered by the Smart Grid will only be available to Operators who invest in a robust Cyber Security program as an essential element of their Operations. Such a program allows Operators to address the various threats that exist for interconnected computerized resources and to reinforce their organization’s overall security and service reliability. While the complete Smart Grid is still emerging, many entities have already implemented some of its elements and it is imperative for those organizations to evaluate their Cyber Security position.Operators must begin the implementation of Cyber Security protection not only for Smart Grid elements but also for their existing legacy systems as the P&E sector has been identified as a major target for cyber attacks.
About the Author
Doug Westlund is the co-founder of N-Dimension Solutions Inc., a leader in Cyber Security solutions for the Power & Energy market.Doug has over 20 years experience in process control, SCADA software development, network communications, and Cyber Security solutions. N-Dimension Solutions and their business partners are actively assisting North American Generation, Transmission, and Distribution Operators with Cyber Security solutions that address their portion of the Smart Grid.Doug can be contacted at: doug.westlund@n-dimension.ca, 905-707-8884 x.227.