This second report on S4x23, held last February, introduces the discussion on cybersecurity in the energy industry, one of the topics that attracted attention.
Keynote: Spencer Wilcox, NextEra Energy, Senior Director, Cybersecurity & Technology Risk
NextEra Energy, one of the world's leading clean energy companies based in Florida, operates the Florida Power & Light Company, the largest electricity company in the state. Its CISO, Wilcox, spoke about the resilience of power infrastructure at the S4 keynote.
Hurricane "Ian," which hit Florida in September 2022, caused significant damage due to catastrophic winds, unprecedented storm surges, significant flooding, and numerous tornadoes that lasted for 72 hours.
Despite such a major disaster, he said that, thanks to years of investment in storm resilience, the company was able to restore two-thirds of the area's power in one day and restore power supply to all customers eight days later. FPL's power generation facilities did not suffer significant damage, and the transmission system did not fail.
The company plans to eliminate all of its carbon emissions by 2045 by increasing its reliance on solar energy, including using it to turn water into hydrogen to power its generating plants. However, there are challenges posed by the increasing complexity of systems, including new supply chains, risk management, edge computing and cloud. Wilcox expressed his hope that the OT security explorers can overcome these challenges together.
Interview: Berkshire Hathaway Energy CEO Bill Fehrman
Fehrman is an active leader in industry and public/private cybersecurity efforts. He is also the co-chair of the Electricity Subsector Coordinating Council (ESCC), a member of the National Infrastructure Advisory Council (NIAC) and serves as chair of the Electricity Information Sharing and Analysis Center (E-ISAC) Member Executive Committee.
He stated that collaboration between the public and private sectors has made significant progress in recent years. Initiatives such as the 100-day plan that he led, information sharing through E-ISAC, implementation of phishing test programs, incident response training such as ICS4ICS, and system redesign have all contributed to increased resilience of the industry through a framework of collective defense.
However, there are challenges in the supply chain. For example, regarding transformers, we previously selected low-cost products, but now we need to prioritize the low-risk option. We should also address the cascade of manufacturing.
Furthermore, climate change is, above all, a significant challenge for the energy industry. It simultaneously requires significant changes to systems and large-scale investments. The costs associated with these changes will be directly passed on to customers.
A reliable power grid is the foundation for driving customers' businesses and ultimately strengthening the nation's economy. It is believed that incentives for government cybersecurity investment can accelerate the industry's progress.
As many of the resources in the energy industry are privately owned and operated, the government and private sector must work closely together to swiftly address changes to the power infrastructure.
The Big Business Of Cyber Security And Its Impacts On Small Utilities
Emma Stewart, NRECA, Chief Scientist
The National Rural Electric Cooperative Association (NRECA) is a non-profit electric cooperative that covers 56% of the territory and 42% of the distribution network, while serving 12% of the population in the United States.
While public-private partnerships may have been successful for large businesses, small businesses with limited financial and human assets still face challenges.
The 100-day plan has certainly advanced cybersecurity in the energy sector by focusing on ICS security and grid security and facilitating coordination between public and private entities and agencies. However, challenges have been raised in the areas of information sharing among small utilities, solutions tailored for them, and sustainable initiatives.
Innovative threat intelligence and products designed for large utilities are too expensive for small utilities. However, the power grid interconnects large and small utilities, so their ownership intersects. There was a need to develop sustainable, right-sized solutions for small utilities to secure the distribution grid.
The NRECA has developed the solution from three perspectives. The first was to define the requirements for sustainability: the solution did not necessarily have to be advanced, but rather community-oriented, affordable, and interoperable.
The second requirement was to support small utilities' decision-making. It should incentivize them and support their change. The third requirement was to provide a workforce solution. 65% of the distribution cooperatives have two or fewer IT staff, requiring a hybrid operation of humans and automation.
She said the NRECA launched the Threat Analysis Center (TAC) as a solution.
TAC is a tool and community that enables co-ops to focus on the cyber threats that matter, respond quickly with the necessary expertise, and engage with the wider threat intelligence community without sacrificing privacy.
Electric cooperatives that join TAC commit to equipping their operating systems with a continuous monitoring platform that can quickly determine if anomalies occur in the system. TAC pushes "rules" or short software programs for co-ops to test their systems for new and old hacking methods.
The NRECA informs utilities of urgent and critical threat information from federal authorities and supports co-ops in testing for threats. It can also understand how much the threat has actually spread by applying information from the cooperatives.
The more co-ops that participate, the more eyes there are monitoring the power grid, minimizing overall damage.
The Road to Solar Energy Cybersecurity
Marissa Morales-Rodriguez, Contractor for DOE/SETO, Technology Manager
Solar power generation is expected to reach 40% of the total electricity supply in the United States by 2035 and 45% by 2050. The Solar Energy Technologies Office (SETO) is working to achieve high levels of cybersecurity maturity in solar power generation facilities and supply chains, including Distributed Energy Resources (DER), using a diverse range of stakeholders and numerous technologies.
Studies and reports by IEEE, NERC, DoE, and others are advancing discussions and efforts related to cybersecurity vulnerabilities in DER and potential attack scenarios. In this session, she showed their outcomes from three perspectives.
Assessment:
There are two initiatives: assessment and mitigation, which are being conducted with the Idaho National Laboratory. One is to utilize the Cyber Security Evaluation Tool (CSET), which CISA has published, to help standardize and iterate renewable energy evaluations. This will help with continuous risk management to implement IT and OT security programs for renewable energy. The second initiative is Asset Interaction Analysis, which detects OT devices and misconfigurations using packet capture appliances. The solution, named Malcolm, can identify potential risks by increasing asset visibility in the environment.
Monitoring:
New approaches are required for network monitoring of cyber-physical systems, including DER. Two joint research projects with Sandia National Laboratories were introduced. One is a new SOAR approach for DER, which takes data from multiple IDSs and blocks attacks. They say that the response time was demonstrated to be within 30 seconds in the testbed. The other is a Proactive Intrusion Detection and Mitigation System that specializes in photovoltaics. This cyber-physical approach detects threats using both cyber network and physical power data. Furthermore, they have developed sensors that can be installed on both OT devices and IT assets.
Standardization:
Finally, she mentioned establishing cybersecurity guidelines and certification programs for DER. While IEEE 1547.3 is being revised, the California Public Utilities Commission is developing guides in a working group. I particularly paid attention to the certification system, as there is no certification for DER cybersecurity among numerous relevant certifications. UL Solutions (UL), a global safety science company, and NREL are defining cybersecurity requirements for DER based on various industry practices, compiling UL 2941 "Outline of Investigation for Cybersecurity of Distributed Energy and Inverter-Based Resources," and aiming to establish security by design. The requirements will provide a single unified approach for testing and certification of DERs in advance of deployment. She called on the audience to participate as OT security experts for discussion based on consensus and effectiveness in industry.
The energy industry is not only the core of the nation's infrastructure but is also facing a major period of transformation in response to global climate change. Therefore, it is essential for the public and private sectors to work together to ensure a baseline of cybersecurity. Trend Micro has published a technical report to acquire situational awareness across IT and OT and to be one step ahead on cybersecurity posture.
In the next post, the third in this series, I will report on the cybersecurity challenges of the healthcare sector that were revealed during the COVID-19 pandemic response.
References:
- FPL earns top industry honors for rapid response during Hurricane Ian
- Progress Report: 100 Days of the Biden Administration’s Industrial Control Systems (ICS) Cybersecurity Initiative and Electricity Subsector Action Plan
- Incident Command System for Industrial Control Systems
- New Threat Analysis Center Will Lift the Role of Co-ops in Grid Cybersecurity
- Solar Futures Study: Solar Energy Technologies Office
- Cybersecurity Considerations for Distributed Energy Resources on the U.S. Electric Grid
- The Cyber Security Evaluation Tool (CSET®)
- Malcolm: A powerful, easily deployable network traffic analysis tool suite
- SOAR4DER: Security Orchestration, Automation, and Response for Distributed Energy Resources
- R&D 100 Winner 2022: Cyber-Physical Defense of the Electric Grid – PIDMS
- IEEE Std 1547.3-2007 (Revision in Progress)
- Smart Inverter Working Group, California Public Utilities Commission
- UL and NREL Announce Cybersecurity Testing Recommendations for Distributed Energy Resources and Inverter Based Resources