Electric Power Grid Security: It’s Time
Over the years I’ve had hundreds of thought-provoking conversations with utility CISOs and other industry security professionals. Heck, I was a utility CISO myself at one time, so I know the territory. In these lively discussions—which can transform into good-natured debate—familiar topics are always in order. IT-OT convergence. Infrastructure threats. Vulnerability management. Threat hunting. Leading-edge technologies.
Almost inevitably, conversations steer toward the subject of physical security, which also seems to follow a familiar path. Cyber-physical coordination. Organizational silos. Different methods. Different lexicons. Once in a while, I like to pose a slightly provocative question such as, “Do you, as the cybersecurity leader, really know what’s most critical to your utility’s operations and what’s at most risk of disruption, degradation or destruction?” “Not entirely, to be candid,” is a frequent response.
Addressing cyber-physical risks requires visibility
And therein lies a significant, but often unrecognized problem. Few would argue against the need for cyber-physical security partnership and tailored cybersecurity protections in operational technology environments. Such measures are, obviously, two among many needed steps to stay abreast of a continually shifting and steadily advancing threat landscape.
But at the heart of the issue is a real need for utility cybersecurity professionals to also have complete visibility into inherent physical risks within their organization’s infrastructure. This knowledge can lead to more effective and sustainable security measures, which can, while keeping the bad guys out, enhance grid reliability and resilience.
Key to knowing how to protect something is knowing what to protect, and how important it is. In the case of electric grid operations, there is a myriad of equipment, devices and networks that together comprise the vast interconnected electric power grids we know today. From power generation, to transmission, to distribution, this magnificent machine is the critical engine upon which any nation’s economy and critical services depend. Without it, things would go downhill, and fast.
The good news is, the grid is a robust, well-designed and reliable machine. It is designed to withstand any number of potential threats, which range from natural hazards to equipment malfunctions to human error. The grid can withstand a lot of disruption on its own. At some point, actual physics takes over and, thankfully, a vast array of threats to grid stability have been accounted for in both design and operation.
Advanced technologies, methods have helped reduce cyber threats
When considering cybersecurity threats, threat actors and grid vulnerabilities, we’ve come a long way. The so-called industrial security community—of which I humbly consider myself a part—has continually learned from research and actual events to advance available technologies and the art and practice of the field. This extends into a wide array of highly technical training on control systems security methods.
There are also multiple industrial-focused security frameworks available, including those published by ISA/IEC, NIST and SANS, among others. All these new, advanced technologies and methods go a long way toward mitigating cyber risks to critical infrastructure and associated industries.
Cybersecurity frameworks normally include physical security controls, which take the form of things like physical perimeters, door and other access controls, cameras and recorders, and access monitoring or alarm systems. Physical security has become highly automated, with many physical access control and monitoring systems operating across IT networks.
Are we prepared to address the new cybersecurity risks?
Comparing and evaluating longstanding practices in physical security and cybersecurity is beyond the scope of this post. Suffice it to say, joint cyber-physical planning and methods have vastly improved over time and many organizations have taken concrete steps to harmonize and, in some cases, merge their security functions. But how far does our existing knowledge of physical risks to electric power operations extend into planning and approaches to reduce cybersecurity risks? In my estimation, not far enough. Let’s examine a few key points.