January 16, 2025

Security Sessions | It's time to take a serious look at substation cybersecurity

by Eric Deschenes

Cybersecurity is well understood by information technology (IT) professionals. Many IT security experts have years of experience in securing their computers and networks from hackers and other threats. They know what hardware, software and processes they should have in place to protect their companies’ information.

Unfortunately, cybersecurity isn’t as well understood in the utility industry. The operational technology used in substations – the automation and control systems that monitor critical infrastructure – tends to use proprietary techniques for handling device security. This makes it difficult for utilities to get a holistic view of their substation cybersecurity.

Getting a more complete view of substation cybersecurity should be a top priority for utilities. According to the U.S. Department of Homeland Security, 53 per cent of the cybersecurity incidents reported to the agency in the first half of 2013 involved the energy industry. And next April, the North American Electric Reliability Corp.’s Critical Infrastructure Protection (NERC CIP) standards Version 5 will go into effect. At their core, the NERC CIP standards are designed to protect the cyber assets utilities rely on to operate their electrical networks. Unlike past NERC CIP standards, Version 5 will encompass all cyber assets that could affect the bulk electric system, which means operators must significantly expand their cybersecurity coverage.

This means Canadian utilities need to upgrade their cybersecurity frameworks. This encompasses not only products, but processes and people as well. Ensuring every employee involved in substation operations follows security rules and procedures is as important as having the correct technology in place.

Products
Over the last several years, power networks have become simpler to manage as a result of better connectivity in the devices attached to them. Employees can monitor, manage and troubleshoot more devices remotely, saving utilities time and money. However, any device connected to a network is inherently more vulnerable to cyberattacks, even if that device isn’t connected directly to the Internet. All it takes is for one device on a network to have an Internet connection to put the whole network at risk.

Unlike IT security products, operational technologies used by power operators often do not have security monitoring or standards built into them. Some security vendors have tried to solve this issue with built-on solutions, keeping the security layer separate from the devices. But this is not ideal because if the security layer is breached, every non-secure device behind that layer becomes vulnerable.

Instead, utilities should be implementing products with security built in. Products based on international security standards – such as IEC 62351 and IEEE 1686 – are ideal, and a recognized certification against those standards is the proof that the implementation genuinely follows them.

Some of the features products should have include:

  • Support for unique user names – many devices used in substations today feature accounts that are shared among multiple users. This makes it much more difficult to trace a security issue back to a particular user or account if a problem arises.
  • Security logging – devices should be able to identify the people who are authorized to perform particular actions. They should also be able to record “security events”, such as the creation or modification of a password.
  • Support for security monitoring – operational technology needs to be monitored centrally to ensure devices remain secure. Staff should be able to monitor devices through the Simple Network Management Protocol (SNMP) used extensively by IT departments to manage IT networks. SNMP alerts will let security administrators know in real time when an abnormal event has occurred.
  • Third-party product support – ideally utilities should not be locked into purchasing products from any particular operational technology vendor. This ensures utility staff will always be able to implement the best technology for a particular job and still be able to manage and control it in their existing environment.
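To make the first two features concrete, here is an added example (not from the article or any vendor) that audits constructed device security-event logs: it flags an account used from two different sources within a short window, the signature of a shared account, and surfaces recorded security events such as a password change. The log format, device names and field layout are assumptions for illustration.

```python
# Added example (not from the article): audit of constructed substation
# device security-event logs. Log format and names are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, device, account, source IP, event.
SAMPLE_LOG = """\
2025-01-15T08:00:05 RTU-01 operator 10.10.1.21 LOGIN_OK
2025-01-15T08:02:40 RTU-01 operator 10.10.1.37 LOGIN_OK
2025-01-15T08:03:10 RTU-01 operator 10.10.1.37 PASSWORD_CHANGED
2025-01-15T08:15:00 IED-07 jsmith 10.10.1.21 LOGIN_OK
2025-01-15T08:16:30 IED-07 jsmith 10.10.1.21 CONFIG_WRITE
2025-01-15T09:00:00 IED-07 jsmith 10.10.1.21 LOGIN_OK
"""

# Events the article calls "security events" (hypothetical event names).
SECURITY_EVENTS = {"PASSWORD_CHANGED", "CONFIG_WRITE"}

def parse_log(text):
    """Parse one event per line into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, device, account, src, event = parts
        events.append({"ts": datetime.fromisoformat(ts), "device": device,
                       "account": account, "src": src, "event": event})
    return events

def audit(events, window=timedelta(minutes=10)):
    """Return alerts: an account active from two different sources inside
    the window (shared-account indicator) and any recorded security event."""
    alerts, flagged = [], set()
    seen = defaultdict(list)  # (device, account) -> [(ts, src), ...]
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["device"], e["account"])
        for ts, src in seen[key]:
            pair = key + (frozenset((src, e["src"])),)
            if src != e["src"] and e["ts"] - ts <= window and pair not in flagged:
                flagged.add(pair)
                alerts.append(("SHARED_ACCOUNT", e["device"], e["account"],
                               f"{src} and {e['src']}"))
        seen[key].append((e["ts"], e["src"]))
        if e["event"] in SECURITY_EVENTS:
            alerts.append(("SECURITY_EVENT", e["device"], e["account"], e["event"]))
    return alerts

if __name__ == "__main__":
    for alert in audit(parse_log(SAMPLE_LOG)):
        print(*alert)
```

With the sample log, the shared `operator` account on RTU-01 is flagged once, and the password change and configuration write are reported as security events; the same alerts would be what a central monitoring tool forwards via SNMP.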

Utilities will need to monitor their networks with centralized management and monitoring tools that can receive alerts from any device in the extended substation network. For example, a security administration solution enables staff to manage the configuration and security policy deployment across all substation automation systems from one location. It also allows staff to collect security information and perform audits for all networked devices.

Processes
While having the right technology in place is an important part of any security strategy, creating processes and putting them into practice is just as critical. Every employee needs to be well trained in security procedures and understand the key role security plays in substation operations.

A good first step in creating an effective substation cybersecurity plan is to define policies and make everyone involved in operations – employees, partners, contractors and other users – aware of their obligations to protect the substation’s infrastructure. The policies should describe which devices must be protected, define who can access those devices (and how) and give examples of unauthorized actions and the consequences for violating security procedures.

Some examples of what a security policy should include are:

  • Lists of control system hardware and software
  • Rules for sensitive information and defining who can access it
  • Classification of devices and the security rules that should apply to each classification
  • Procedures for what should happen if a cybersecurity incident occurs – for example, who should be notified and what actions should be taken
  • A response team that will resolve any cybersecurity incidents that may occur

Once a policy is in place, utilities should review their processes regularly to guarantee they remain effective, because cyberattacks and vulnerabilities evolve over time. Personnel should conduct a security review at least once per year and ensure all systems are patched regularly.

Ideally, staff should establish a patch management system that inventories all hardware and software. As part of the system, administrators should also look for news on vulnerabilities and patches, test patches in a non-production environment to ensure they won’t interfere with operations and schedule the deployment of patches to the production hardware and software.

People
Implementing an effective substation cybersecurity system that will meet the new NERC CIP standards requires utilities to train or hire cybersecurity specialists. One option is to train employees who will be capable of working in the field. Another is to manage security from one central location with a pool of security experts capable of working through complex, cross-disciplinary events.

Because substation systems are so complex, cross-disciplinary coordination is important. Engineers, IT administrators and security staff need to communicate well and work together to identify potential risks and attacks. Utilities should put systems in place that encourage cross-disciplinary cooperation and planning to improve their security preparedness.

Utilities should also ensure they work closely with third-party partners who understand the evolving security landscape and can help keep substation security policies and technology up to date. Security partners should have a solid understanding of all the systems involved in substation operations, how they interact with one another and how they can be secured with defence in depth. They should also be knowledgeable about cybersecurity regulations and security standards. And finally, they should be capable of creating customized solutions for their customers that work with equipment from multiple security vendors.

Unfortunately, there is no one-size-fits-all solution to substation security. Every substation network is unique and will have different equipment and requirements. But by upgrading hardware and software technologies, carefully crafting comprehensive security policies and procedures and putting in place well-trained security staff, utilities can minimize their risk of cyberattack while ensuring they meet the new NERC CIP security standards.

About the Author

Eric Deschenes is Vice-President of the Energy Business for Schneider Electric Canada. He has more than 24 years of experience in the Canadian electrical power industry and earned his bachelor’s degree in engineering from Ecole Polytechnique University in Montreal.