Securing the Grid in the Fourth Industrial Revolution

The Fourth Industrial Revolution is underway, and the technological advances it encompasses bring exciting new capabilities to the power industry. Ubiquitous connectivity will provide data and visibility to a degree that grid operators have never before enjoyed.

Increasingly, fiber networks are being extended within the distribution grid to substations and other critical assets or to interconnect burgeoning solar and wind installations. These high capacity broadband networks enable real-time monitoring of power flows and video monitoring, improving the physical security of critical installations.

New low power wide area (LPWA) networking technologies mean that utilities can affordably build pervasive sensing and measurement applications. They also can apply analytics for asset management, predictive maintenance, and power quality monitoring, among others. Grid edge computing and the cloud further strengthen the utility operator’s ability to apply the latest technology and computing power throughout the distribution network. Increasingly, industrial concerns will lead to the deployment of advanced private 4G wireless networks across utility territories, creating a virtually seamless evolution to 5G and the new capabilities it will enable. Robotics, automated vehicles, and augmented and virtual reality applications will become integral to operating the grid of the future.

Sounds great, right?

It will be—but utilities creating strategies for this hyper-connected, intelligent grid of the future must also understand, and plan for, the potential cybersecurity risks these new technologies will enable. The anticipated rise in interconnected, interdependent systems will inevitably broaden the surface area for potential cyber attack.

And while serious hacks to the grid have been few to date, there is no doubt that bad actors will increasingly target critical systems that are foundational to modern society. This is not hyperbole, the risks are great and growing.

That said, available solutions increase in sophistication by the day. Regulatory requirements and standards are becoming more stringent—as they should. Importantly, the industry must hire and support more and more cybersecurity specialists to keep up with the black hats and secure their operations. The challenges for utilities trying to modernize their grid while keeping the lights on are many.

Understanding the Issues

Grid managers need to understand the magnitude of the financial risk. Cybersecurity must not be viewed simply as a compliance issue, a mere cost center where the boxes should be checked as cheaply as possible. Companies must have a comprehensive cybersecurity program. This begins with an understanding of their current enterprise architecture, their external connections, and their cybersecurity capabilities. Full company security integration must be planned across existing IT and OT operational silos. Companies should understand their cyber gaps as well as their ability to operate their business if a bad actor exploits those weaknesses. The problems are not static. Cybersecurity needs to evolve rapidly—the security of the grid is not a one and done problem. Companies must identify a plan to prioritize and mitigate these weaknesses.

These are significant problems and the availability of skilled cyber experts has historically been limited in the utility industry. While lessons may be learned from other industries that are further down the cybersecurity path, every sector is still struggling to protect their critical assets from cyber criminals. Some large corporations may be further along in this journey and have more mature cybersecurity programs; however, many of their business partners and interconnections are very unprotected.

The Department of Defense spends billions of dollars every year to protect its network, systems, and data. Even with robust education campaigns, control of internet access points, major efforts to remove legacy software, asset discovery technology, and a huge drive to modern, automated technology, it still suffers from significant data theft. These thefts come not from their own networks but from the hundreds of thousands of industry partners who develop technology and provide them services—the “weak link.” Cyber bad actors will go to the easiest target of opportunity. 

Guidehouse supports many federal government agencies across nearly every aspect of their cybersecurity programs, including development of C-suite level programs and plans, engineering and architecture services, solution gap analysis, implementation of identity and access architectures and programs, certification and readiness assessments, and incident prevention and response services. These areas are critical to ensuring a robust cybersecurity program.

Prioritize for Risk Management

Every board and every CEO should be worried about their protections against cyber bad actors. At the minimum, they should:

1. Develop a comprehensive cybersecurity plan. Cybersecurity threats go well beyond typical IT with all systems now interconnected and accessible.
2. Understand cyber risks to their systems and the corresponding impact to their business. Will they be shut down, will they endure huge financial fines, will their technology be destroyed, will their data be manipulated, will their proprietary data be stolen?
   
3. Identify active threats and prioritize. What is the specific threat to their sector? Could it be a simple malicious novice or a criminal/nation state threat?
4. Develop a cybersecurity architecture/roadmap. Prioritize and determine how to address current and future risk from an enterprise perspective. Many companies buy multiple security products and do a horrible job of implementing, patching, and integrating them into a cohesive security architecture.
5. Develop a resiliency plan. How can I ensure I can maintain my business under a cyber attack? Is my data backed up (beyond the cloud), do I have redundancy, am I closely monitoring in an automated way all of my critical systems?
6. Implement the plan fund. Implement and track the plan, update as necessary.
7. Monitor and develop active response. Implement automation to detect and respond.
8. Be prepared for an intrusion. Know how you will react, andrun table-top exercises so you are prepared for an actual intrusion.
9. Ensure they develop and implement an employee cyber awareness program. Run a cyber awareness program, test your workforce, see how vulnerable you are from the board room to the mail room, and educate!
   

To learn more about this topic, join Guidehouse's experts for a lively discussion on the benefits and threats brought about by Fourth Industrial Revolution advances and how utilities can prepare for the best and protect against the worst.