I don’t want to be a scaremonger, but whether you like it or not, your networks and operations are under threat of attack. The threat is real and growing, while the weaknesses that are exploited in our systems often stay hidden.
I’m not blaming anyone, far from it. I’ve worked in the energy sector for more than 25 years and the changes I’ve witnessed in the last few far outstrip those that came before. When I started, the only commercial electric vehicles I knew of were toy-sized and solar power was something you found on a calculator. The grid has been transformed and, bad news for anyone who doesn’t like change, it is still evolving rapidly.
Decarbonisation, decentralisation and digitalisation are driving this revolution and in time they will bring many benefits. According to Ofgem and BEIS, a smarter, more flexible network will save the UK anything from £17 billion to £40 billion by 2050. As Head of Technology and Innovation at the Digital Grid business of Siemens, I am as excited as anyone to see how the future grid will look. However, I’m also worried. From my vantage point I see how this dramatic transformation could be leaving our transmission and distribution grids vulnerable.
I believe a big problem is our lack of awareness. Historically we’ve been very good at understanding our key assets and, understandably, we’ve focused on the high-CAPEX primary plant investments. The industrial control and protection systems that have supported the grid, also known as secondary systems, have received some attention, but only enough to make sure that they are fit for purpose and set correctly.
In the past this almost ‘fit and forget’ approach towards secondary systems was fine because the grid was stable and the system rarely required change. But today we can’t afford the same approach, because the grid is becoming dynamic in nature and its behaviour is more difficult to predict thanks to the proliferation of decentralised generation and new loads. In this new world, only understanding the functionality of these critical assets, which are the brains of the grid, is no longer sufficient.
I’ve seen first-hand how we’ve fallen behind, and there is a lot that should have been done and must be done to increase visibility of the systems we rely on for management of our electricity system. With this deeper understanding and visibility we would now be better equipped to plan for building resilience against the increasing complexity of the grid and the unseen threat of the malicious attack.
For me the key is better lifecycle management. I appreciate that’s not a phrase to get many hearts racing, but trust me, I believe there is underinvestment in ‘digital’ lifecycle management because many overlook it. Without a good lifecycle management process, which focuses on knowing the state of all your assets, you can’t truly know your grid, and without that you can’t know the risks it is facing.
To build new risk management policies we will need a deep understanding of the network as a whole. That will be a challenge. There are hundreds of thousands of digital devices on the grid today and it will take deep pockets to collect the degree of data needed to manage risk effectively. For those brave enough to approach their finance director and demand in Oliver Twist style, ‘More please’, I have some advice – it doesn’t have to be done all at once, but the most important thing is to get the ball rolling.
Assuming your FD isn’t Father Christmas, where should you start? As far as I am concerned automated asset discovery tools are invaluable. At Siemens we’ve partnered with Claroty and use their award-winning platform to achieve full visibility of OT environments. It has the advantage of continuously monitoring your OT for anomalies, vulnerabilities and threats.
Looking out for threats and risks will be even more critical as the Industrial Internet of Things (IIoT) becomes a reality, because the number of devices on our networks will grow massively. While this will lead to greater efficiency through more control, AI and data analysis, it also means there will be more opportunities for cyber attacks.
As we saw in Ukraine in 2015, this is not a theoretical concern. In a complex cyber attack, hackers managed to disrupt supplies to more than 200,000 people and switched off 30 substations after seizing control of SCADA systems. They were also able to disable or destroy modems, uninterruptible power supplies and remote terminal units (RTUs). Some may argue the Ukrainian situation came about due to a unique set of circumstances during its conflict with Russia, but shortly afterwards the EU was concerned enough to introduce the Network and Information Security (NIS) Directive.
Recently, in a move to protect Critical National Infrastructure (CNI), President Trump signed an executive order banning American grid operators from buying and installing electrical equipment manufactured outside the US.
As you can probably guess, business-as-usual IT cyber security won’t be enough in this brave new world. ICS security must be designed with asset and operational requirements in mind to protect critical processes. For instance, at Siemens we place cyber security aspects into 14 categories, which can be divided into two groups: first, Policies, Processes and Procedures; and second, Security Technologies.
When we talk to grid operators about the problems they have managing their cyber risks, they agree lack of visibility is the number one challenge. The second biggest challenge is patching or, to be more specific, the disruption caused by patching, which makes it unsustainable, particularly where legacy systems are concerned.
Of course, in the same way some assets are more important than others, some risks are greater than others. There’s no point lumping all risks and threats in the same basket, as that would be counterproductive. Risk must be categorized and measured, and the best way to do that is to have as much knowledge of your system as possible. Which neatly brings us back to lifecycle management.
Increasing digitization will allow greater grid visibility and more effective use and control of grid assets. In other words we’ll know what we have before it’s gone or under attack. It’s imperative we embrace this opportunity and invest now in lifecycle management to ensure a safe and secure future network.
P.S. I’ve recently done a 30-minute webinar ‘How to optimise and protect your smart grid operations’ – listen in for insights on how to keep your grid resilient from migration of your grid assets, benefits of digitalisation and top tips on cyber security.
For more information, tools, videos and white papers on cyber security for the grid, visit our Grid Security web page: www.siemens.co.uk/grid-security