Erich Gunther, IEEE Smart Grid Expert
Chairman, CTO, and Co-Founder, Enernex,
Slade Griffin, Director of Energy Systems Security, Enernex
As the electric grid is modernized through interconnections and the ability to interact remotely, the risk of cyber attack increases. Fortunately, the growing availability of cyber security training options to combat these attacks is also on the rise. Training now ranges from regulatory compliance and cyber security program development to hands-on hacking. Another favorable trend is the coming together of utilities, vendors, government and private contractors for the purpose of collaboration in organized user group and projects. These are proactive trends to take on cyber security risks, however, there are ongoing challenges that must be overcome. Although the proper authority and funding of security programs is starting to improve, necessary levels of staffing, funding and training are not yet being met.
Over the past several years control systems networks, or operations technology, which are critical for the correct functioning of power generation, transmission, and delivery, are being modernized and labeled “smart grid.” Most often this term refers to a technological overlay or interconnection that provides remote access, control, visualization or communication to a system that may not have previously had this type of capability. As interconnections and the ability to interact remotely are added there is a potential to increase the risk level of that system. Additionally, many systems are now using public channels, such as the cellularnetwork and the Internet to communicate and that also contributes to the level of risk applied to that system.
As a result, cyber security training has been become a priority and is steadily gaining attention. There are now several training options for personnel or companies needing to improve their understanding of the various layers of security that must be applied to any interconnected system.
Cyber Security Training Options
NERC-CIP – North American Electric Reliability Corporation - Critical Infrastructure Protection
This is compliance-based training to deepen understanding of regulatory guidelines that have been established. Courses are offered that provide both general overviews on designing and implementing a Critical Infrastructure Protection (CIP) compliance program, as well as deeper dives that focus on one or two specific CIP regulations and deal with the technical details needed to improve and maintain compliance.
Cyber Security Program Development
These courses are designed to implement an overarching program to establish a secure foundation to build out smart grid systems and programs in a secure manner. The National Rural Electrical Cooperative Association (NRECA) developed a comprehensive set of documents two years ago to address the need for secure programs. As a follow-on offering the NRECA regularly offers one-day classes that discuss how and why to build these programs into daily operations. Most importantly it drives home the idea that security should be built in to a system or product and that it is a continual process, as shown in the figure above.
More offerings are beginning to pop up allowing the most technical staff to learn how to attack and defend both the Information Technology (IT) portions of a control system, as well as purpose-built devices like programmable logic controllers and smart meters. These courses teach professionals how to find and exploit vulnerabilities within systems and devices, which ultimately provides a greater understanding of how to defend them. This type of training offers a hands-on look at how to understand security from the bottom up within an organization.
Protocol and Architecture Training
The emergence of new standards and guidelines like IEC 61850, OpenADE, OpenADR, ZigBee SEP2.0 and DNP3 have created the need for specific training in these areas. Utilities and vendors wishing to have deeper understanding of how to implement these architectures and protocols can attend and have questions answered without having to volunteer staff in the various working groups.
With respect to training, there has also been an increase in management attendance in the classes. Having managers present in these classes indicates a greater level of interest in the subject matter. Many of the mangers also seem to be working towards establishing budgets and more robust security programs within their organizations. This type of effort is sorely needed to reverse a trend of underfunding, understaffing and undertraining that has remained fairly steady over the past several years.
Reassessing Cyber Security’s Role, Funding and Training
There has been a consistent lack of establishing a dedicated staff for security in both traditional IT and in smart grid. Some organizations are actually moving their technical teams into more administrative roles, and relying solely on compliance for their security programs. There are few cases where organizations adequately fund and pursue solid security programs. More often individuals or organizations are experiencing some or all of the following issues:
• Understaffing – It is worth it to look closely at the security team and seek input from the “boots on the ground” about staffing levels. Too frequently large organizations dedicate only a single person to cyber security. This can be a symptom of underfunding.
• Underfunding – It is said that IT should be 15 to 20 percent of an overall organization’s budget and cyber security should be 15 to 20 percent of that amount. This would mean for every one million dollars of budget, $200,000 would be allocated to IT, and $40,000 would be allocated to cyber security. While power systems and IT are not the same thing, this metric may still work to plan out future projects.
• Undertraining – This is perhaps the toughest issue to overcome. How does someone who isn’t a cyber security expert identify someone to lead a team? The National Board of Information Security Examiners (NBISE ) is attempting to solve this by putting forth a set of metrics to help identify competent practitioners at different levels and applications. The ability to recruit, develop, and retain competent individuals in the security workforce is not a simple task and this group has decided to work through this complex issue.
There are also utilities and vendors both large and small that are beginning to develop cyber security programs or enhance existing programs as they proliferate toward grid modernization projects. Product vendors are also investing in security, with some beginning in the design phase of hardware and software. Although processes are getting better, the primary hurdle remains the ability to understand the issue and apply relevant solutions to the environment. Workforce education, training, and the proper authority and funding of security programs are starting to mature, but remain behind the curve.
Programs, Products and Collaborations
Collaborative cyber security work is currently progressing as utilities, vendors, government, and private contractors continue to work together to better understand the complex needs of this industry. Some examples of this include the National Electric Sector Cybersecurity Organization Resource (NESCOR ), ES-C2M2 and programs like the Lemnos effort, which is now moving towards becoming an IEEE set of standards. The Utility Communication Architecture International User Group (UCAIug) and Advanced Security Acceleration Project for Smart Grid (ASAP-SG) have also developed several security guidelines for smart grid applications. These collaborative efforts are successful examples of multiple groups of experts working together to achieve a common goal of providing security in critical infrastructure. These efforts have been underway for several years in some cases and continue to be quite active.
Cyber security is coming of age. Effectively navigating risk starts with a firm awareness of the lay of the cyber security landscape. It is now more important than ever to stay well informed on the trends, new technologies, new standards and new ways to mitigate that risk.
Erich Gunther is an IEEE Smart Grid technical expert and Chairman of the IEEE Power and Energy Society (PES) Intelligent Grid Coordinating Committee. He is also Chairman of the Department of Energy’s (DOE) GridWise Architecture Council, Chairman of the Board of the Utility Communication Architecture International Users Group, and Chairman & Chief Technology Officer of EnerNex.
Slade Griffin is the Director of the Energy Systems Security division at EnerNex where he leads the utility industry cyber/physical security business practice. He has been with the firm since 2010; first as a Senior Consultant on the smart grid engineering team and now as the Director of Energy Systems Security.
For more information visit www.enernex.com