Cybersecurity — the word inspires fear and has become an urgent topic of discussion in the energy world. The U.S. Department of Energy released a report this week that aims to help public and private sectors figure out ways to protect the electric grid against cybersecurity breaches.
Concerns about cybersecurity have actually grown with the deployment of smart grid technologies, which typically means using digital communication devices with common technical standards and getting rid of some analog systems so that data can flow in large volumes and quickly. This could lead to a hodgepodge of legacy and modern equipment in the transmission and distribution networks that don’t work well together. That also makes it difficult to implement rules and security technologies that have to perform effectively across the networks.
The report updates a previous, 2006 version and includes a broader array of technologies and scenarios, such as smart meters and the need to protect consumer data collected by the meters. It also aims to encourage utilities to invest in cybersecurity measures, from employee training to development better monitoring software. Some of the changes might require utilities to suspend part of their operations for a period of time, and that costs them money.
Key challenges and strategies:
- Fast and furious. Cyber threats are difficult to foresee and could change too quickly for security experts to come up with fixes.
- Protecting the old. Security threats as we know it typically involve attacks via digital broadband networks and over computers and mobile devices. But many systems at power plants and the grid are older and run on software designed exclusively to that a particular piece of equipment, and these systems still have years left in service. It could take more time and money to come up with proper security upgrades for these machines.
- Costing money. Testing a new communication network or control systems before turning it live is a big part of deployment. But doing so could interrupt energy delivery services.
- Let’s talk. Government and private sectors don’t do a good job trading information about security threats and solutions to minimize them.
- Setting priorities. Utilities don’t always see a need or want to invest a lot of money on cybersecurity when they could use that money for equipment and services that will increase profits.
- Regulatory uncertainty. Utilities spend a big chunk of their budgets on regulatory compliance. Yet because cybersecurity is a fairly new problem, regulations governing what utilities need to do are evolving. That makes it hard for utilities to draft and deploy a good plan.
- Risk management. It’s common sense that a utility should develop best practices or rules about collecting and handling sensitive data. But coming up with a fail-proof plan is easier said than done, and it often means modifying employees’ behavior and adding to the number of tasks they have to perform.
- Stay vigilant. Givem that cybersecurity breaches are unpredictable and could lead to disastrous consequences, utilities have to evaluate and tweak their security policies regularly.
- Find good tools. After reviewing and tweaking policies, utilities need to figure out what new measures they need to take to beef up security (this could be something like changing passwords or placing sensors to send alerts when a communication network is compromised).
- What happens after an attack? Yes, there are more policies and even step-by-step chichi that need to be drawn up to deal with security breaches. Those policies should spell out, among other things, the types of analysis are necessary to figure out what went wrong and how to prevent it.