Over the years, the growing interconnectedness of operational technology (OT) and information technology (IT), emergence of bidirectional power supply, deployment of smart meters and growing use of microgrid and energy storage solutions have increased the need for creating a foolproof security mechanism against cyberattacks. A cyberattack on the electric grid can cause serious damage and disrupt power supply for hours on end. Therefore, in order to ensure the robustness of the grid, it is essential to take cybersecurity measures such as blocking of USB ports, maintaining strong firewalls between IT and OT networks, and setting up a 24×7 security operations centre. In addition to adopting the right technology solution, creating awareness as well as incorporating cybersecurity measures right from the project design stage is essential.
Power utilities are currently focusing on reducing costs, implementing internet of things use cases, improving customer services, accelerating digital businesses and meeting customer requirements. This has led to a growing integration of OT and IT, the introduction of smart meters and new entry points in the grid, and increasing deployment of automated demand response systems. The growing digital upgradation of the grid requires robust cybersecurity. Another emerging trend in the power sector is the growing use of microgrids, solar rooftops and battery storage solutions. Although collectively these applications can take care of peak power requirement, the resulting introduction of microgrids in the electric grid by them poses cybersecurity challenges. These projects are controlled by SCADA, which is usually operated on a cloud, and this exposes the system to cybersecurity threats. Besides, currently, there are no standards for operating and connecting microgrids to the system. As per a Kaspersky Lab report titled “Threat Landscape for Industrial Automation Systems”, cyberattacks on the electricity sector are on the rise.
Cyberattack on SCADA
Often, the target of cyberattacks is SCADA systems. A SCADA system does not reside on a physically separate and stand-alone network, in fact, it is integrated with other systems, applications and products. The connections between SCADA systems and other corporate networks are not strongly controlled. The reasons for cyberattacks on SCADA systems could range from financial gain; theft of processes, procedures and other proprietary information; achieving economic or political goals; and gaining notoriety. A key source of threat to a SCADA network is the targeted infection of USB media in order to distribute malicious program modules and transfer information between computers, thus bridging the “air gap”. Usually, in an OT system the USB port is not blocked. Other sources of threat to the SCADA system are compromising a local resource on the intranet that can be accessed from the industrial network or compromising networking hardware; and infecting computers belonging to the contractors of industrial companies, which connect their machines to the industrial network. Cyberattacks damage company/brand reputation, and product/service quality. They also lead to loss of customer confidence and business opportunities as well as violate regulatory requirements.
In order to develop a robust cybersecurity framework, it is necessary to focus on people, processes and technologies. Aligning business processes to insulate against the threat environment helps in ensuring cybersecurity. Investing in a formal assessment of “as is” processes and identifying weak links before creating a “to be” environment, including the procurement of technology, helps in understanding the possible outcome of a new technology under consideration. Besides this, identifying the best-suited technology solution is crucial for achieving the desired level of cybersecurity. Apart from this, it is essential to improve the visibility of assets and infrastructure, and establish an inventory of assets and a process for maintaining an OT/IT asset inventory over time.
One of the crucial steps for ensuring cybersecurity is to implement an information security management system for both IT and OT networks. A strong firewall between IT and OT networks can be useful in restricting unauthorised traffic. Disabling administrator-level access to local user machines prevents the installation of any unauthorised or potentially harmful programs. Further, measures such as centralised monitoring and maintenance of antivirus solutions in local user machines, vulnerability assessment and penetration test of the network and its key applications, regular drills for business continuity/disaster recovery plan, insurance of IT assets against cyber-liability and a backup of critical data at pre-defined intervals are essential. Setting up a 24×7 security operations centre for monitoring the network, designing a SCADA network on a different subnet as compared to an enterprise network, and blocking of USB ports are other vital steps that can be taken for ensuring cybersecurity. Including cybersecurity as a dedicated section under RfPs, and displaying IT tips and screensavers to spread awareness are imperative too.
In order to operationalise a cybersecurity framework in an organisation, it is necessary to form an information security council for undertaking regular review meetings to identify new risks and device strategies to mitigate those risks. All major departments involved in the operations of IT and OT systems and other department such as human resource, administration and physical security should be a part of the planning and implementation process of the cybersecurity roadmap. It is also necessary to formulate an annual plan for reviewing the existing cybersecurity mechanism wherein all the processes are updated.
Issues and challenges
On the technical front, some of the hurdles faced by power utilities in ensuring robust cybersecurity are outdated OT systems, vulnerable software, inadequate network segregation between IT and OT, lack of system hardening, weak access control, and insufficient logging and monitoring. Currently, cybersecurity is not considered a part of the fundamental design phase. It is usually provided by vendors at later stages to fix system vulnerabilities. Meanwhile, at the governance level, one of the key issues encountered by utilities in ensuring cybersecurity is the lack of awareness about cybersecurity of IT and OT networks. There is also a lack of business continuity plan, third-party management, and incident response planning.
To conclude, the overall increase in the incidence of cyberattacks on industrial computers highlights the growing need for undertaking cybersecurity measures. In the coming years, new threats specifically targeting industrial enterprises could emerge, and isolating industrial networks alone could no longer be an effective protection. Creating awareness among utility staff and consumers, and proactively taking cybersecurity initiatives are essential steps for ensuring a safe and secure electric grid. n
Based on a presentation by Aamir Hussain Khan, Head of Group, Cybersecurity and Process Excellence, TPDDL, at a recent Power Line conference