Power grids are getting smarter, but can they fend off future cyber threats?

October is Cybersecurity Awareness Month for some regional and global campaigns — and ITU News will be running a series of articles related to cybersecurity.

Today’s power and utility industries are increasingly more vulnerable to cyberattacks than in the past.

Information and communications technologies (ICTs) have become widely employed to ‘smarten up’ our power grids, which has surfaced many new cybersecurity vulnerabilities. This is especially true in the case of renewable energy sources like wind and solar energy, where digital interconnectivity is key to enabling more flexible and efficient consumption of electricity and enhanced control of the systems.

“A cybersecurity breach could take the renewable energy system offline unexpectedly or damage the system,” Cyril Draffin, the Project Advisor on MIT Energy Initiative’s Utility of the Future Study, told ITU News.

Indeed, the deepening interdependencies between electricity and other critical infrastructures, such as telecommunications, Internet, and renewable energy sources, are raising the stakes on cybersecurity.

The rise of Distributed Energy Resources

As the world moves towards a low-carbon economy and energy storage prices fall, Distributed Energy Resources (DERs) are on the rise.

On the upside, DERs are widely-connected sources – demand response, energy storage, generation including from wind and solar – that can provide the power necessary to meet distribution needs. The downside is that DERs increase digital complexity and attack surfaces of utilities, which require more robust cybersecurity measures.

Unless robust and effective cybersecurity measures are taken, future utilities will become ever more vulnerable to cyber threats.

Cyber attacks – bigger, faster, stronger

Incidents are growing in number and sophistication as hackers continue to evolve their attack strategies. Cyber threats against the energy sector have been a recognized and mounting concern for years. In December 2015, CashOverride, the first malware framework designed and deployed to attack electric grids, took down three power distribution systems and almost 60 substations in Ukraine, leaving more than 230,000 people without electricity.

Draffin warns of security breaches that cause inappropriate braking and speed control, which could then damage wind machines and lead to other breaches that could open hydro floodgates or damage generators.

“Vulnerabilities include insufficiently encrypted communications channels, flaws in control-system software that could be used to introduce damaging malware, and insufficient controls on which people can assess and make changes to control systems,” says Draffin.

How can these vulnerabilities be addressed?

The grid is a cyber and physical system, and, as such, cybersecurity best practices should be required across all levels in the system – including the bulk power system (central generation and transmission facilities), distribution systems, DERs, smart meters, and electrical devices with Internet connectivity in industrial, commercial, and residential buildings, say experts.

One of the fundamental aspects of best practices is risk management. The first step is to understand the vulnerabilities – within and across critical infrastructure systems – in order to determine the proper standards and strategies to strengthen the resilience of the system and avoid prolonged power outages.

Sharing of information and best practices regarding cyber threats across government and industry is also crucial; for example, cybersecurity awareness and mitigation practices.

Building a culture that is cyber aware

According to the MIT Energy Initiative’s Utility of the Future Study Cybersecurity White Paper, “the first step to defend against cyber attacks is to develop a robust cyber risk management culture.” The industry needs to develop a risk management culture other than putting cybersecurity regulations in place, “because there is a delay in developing and implementing them, regulations lag behind evolving threats.”

Hence, building a culture that supports and sustains cybersecurity should be a top priority.

Skilled teams

Good cybersecurity requires having an active, skilled, and coordinated team that is capable of implementing layered cyber defenses and understanding baseline operations.

The team should also be capable of responding to malicious and anomalous cyber activities, reducing the “dwell time” of cyber attackers and controlling the damage. And as such, cybersecurity education and training is critical to increasing the talent pool of security experts who are equipped with necessary skills to address the complexities of electric grid systems in the evolving landscape.

Making cybersecurity a critical issue

Cyber incidents around the world have already initiated sustained efforts by some utility companies and government agencies, who are paying more attention to vulnerabilities and flaws of their utilities and power systems.

“Vendors… are aware of the problem and have technical staff available to design more cyber secure systems,” however, Draffin adds, “in a cost competition the buyer has to be willing to spec and pay for more robust cybersecurity protections.”

ITU works with Member States and regions to deploy capabilities to build capacity at national and regional level, in addition to establishing National Computer Incident Response Teams (CIRTs). Find out more about ITU-D’s work here.

By Nicole Jao (@nicole_i_jao), ITU News