Rob Hayes and Jonathan Lam of PA Consulting reveal the rise of smart grids means networks are at a critical security juncture.
A December power outage in Ukraine that affected 225,000 customers was the result of a Russian hacking group known as Sandworm. It is understood to be the first time a cyber attack has taken a power grid offline.
In the UK, network operators treat network resilience as a top priority. Companies are constantly mindful of cybersecurity and measures are in place to counter any potential threat now and in the future. Increasing use of communications technology and data in the development of smart grids will deliver significant benefits, but will also require security systems to adapt.
Utilities are at a critical juncture because, although the smart grid is not a new idea, the industry has now started to implement these technologies in its business-as-usual operations. Also, a plethora of new cybersecurity standards covering the smart grid – EU Smart Grid Information Security and NIST IR 7628 among them – have appeared over the past two or three years.
Unfortunately, there is no single definitive source that industry participants can use to address their cybersecurity needs.
In response, PA Consulting Group partnered with the Energy Networks Association (ENA) to provide utility organisations with clear direction as they navigate the ever-changing landscape of cybersecurity standards for the electricity and smart grid sectors. There is an abundance of guidance in the public domain for utilities to follow – particularly with regard to their IT and operational technology systems – and it can be challenging to determine which ones to follow and which ones to leave by the wayside. Often, this information is overlooked altogether because organisations simply do not know it exists or even where to look for it.
Governance is another critical component in a utility’s successful security strategy because it helps facilitate interoperability among operating units. Without strong governance with clearly defined roles and responsibilities, an organisation may implement practices and procedures inconsistently, leaving systems insecure and potentially leading to a cybersecurity incident.
Governance requires the adoption of standards and guidance to address an organisation's cybersecurity weaknesses, especially as it moves into the implementation phase.
PA believes it is beneficial for organisations to establish a suitable framework that governs and shapes their cybersecurity programmes and points to relevant standards and guidance. The CPNI Security for Industrial Control Systems (SICS) framework is one example that provides a holistic approach to the security of operational technology.
A framework enables organisations to manage the key areas common to any cybersecurity programme and is flexible enough to incorporate sector and organisation-specific content. It also ensures that security is appropriate to business risk, identifies gaps in existing standards, and drives innovation in the industry to address shared issues without reinventing the wheel.
It is important for an organisation to adopt a framework that suits its business and to manage the implementation at a high level. However, organisations have natural biases, so developing the framework with external input allows current assumptions to be challenged – the key to success.
Fundamentally, a cybersecurity programme built by capturing the best advice available in the market will position an organisation for a favourable outcome.
Rob Hayes and Jonathan Lam, industrial cyber security consultants, PA Consulting