Cyber Security and Resilience Guidelines for the Smart Energy Operational Environment

Author: Frances Cleveland, Xanthus Consulting International, USA

While the energy business environment is experiencing these paradigm shifts, the energy industry has accelerated its evolution toward digitization and is becoming increasingly reliant on cyber assets (systems, controllers, intelligent devices) to manage the delivery of electrical energy. These cyber assets are crucial to the safety, efficiency, and reliability of electrical energy.
However, these cyber assets also present serious challenges: businesses must determine how to cope with the reality of deliberate cyber-attacks, such as the successful cyber-attack against the Ukrainian SCADA system, as well as how to remain resilient to the more mundane but equally critical inadvertent cyber threats arising from personnel mistakes, the complexity of systems, the multitude of new participants in this energy market, equipment failures, and natural disasters. So, energy businesses that used to address only the system engineering process (design, deployment, integration, procedures, and maintenance) must now also incorporate cyber security services and technologies into these engineering processes. As a result, the new systems could be significantly different in configurations, capabilities, and constraints.
In the energy operational environment, there are five critical concepts for cyber security that should be understood as energy businesses struggle to implement the necessary cyber security policies, procedures, and technologies. These five concepts are listed below and briefly discussed in the following sections.

Five Critical Concepts on Cyber Security and Resilience for the Smart Grid
Concept #1. Resilience should be the overall strategy for ensuring business continuity: When focusing on resilience in general, organizations must consider safety, security, and reliability of the processes and the delivery of their services. For "cyber resilience", organizations must similarly consider safety, security, and reliability for cyber assets, including resilience before security incidents (identify & prevent), during such incidents (detect & respond), and after incidents have been resolved (recover).  Cyber resilience thus involves a continuous improvement process to support business continuity: it is not just a technical issue but must involve an overall business approach that combines cyber security techniques with engineering strategies and operations to prepare for and adapt to changing conditions, and to withstand and recover rapidly from disruptions. Information sharing within and across organizations is also becoming crucial as a part of resilience.

Concept #2. Security by Design is the most cost-effective approach to security: Security is vital for all critical infrastructures and should be designed into systems and operations from the beginning, rather than being applied after the systems have been implemented, like a surface coat of paint. This means that the products, the systems, the processes and the organization should be designed or set up from the beginning with security in mind. However, recognizing that security cannot quickly be added to existing systems, particularly since power system components may have different life cycles, it is crucial that even for these existing systems, transitions to security-based configurations should be designed into system retrofits and upgrades. Security by Design is not just the addition of technologies but must combine business organizational policies with continuing risk assessments and security procedures. Organizational policies include security regulations, personnel training, and segregation of duties, while security procedures include CERT information sharing, backup and recovery plans, and secure operations. Security technologies include physical and virtual techniques, such as physical site access locks, access control, authentication and authorization for all communications, and security logs.
Concept #3. IT and OT are similar but different: Technologies in operational environments (called OT in this document) have both similar and differing security constraints and requirements from Information Technology (IT) environments. The primary reason is that power systems are cyber-physical systems, and security incidents can cause physical safety and/or electrical incidents, while such physical consequences are not usually a problem in corporate environments. For IT environments, confidentiality of sensitive business and customer information is generally the most important requirement, but for OT environments, availability, authentication, authorization, and data integrity are usually the more critical requirements, since power data is typically not confidential. In both IT and OT environments, well-known and ever-evolving IoT technologies are being increasingly used, creating additional challenges for ensuring adequate security in an electric environment that used to be very isolated. This interconnection of IT/OT and increased dependence on IoT technology is leading to additional vulnerabilities and challenges in ensuring adequate security in the energy environment.

Concept #4. Risk assessment, risk mitigation, and continuous update of processes are fundamental to improving security: Based on an organization's business requirements, its security risk exposure must be determined (human safety, physical, functional, environmental, financial, societal, reputational) for all its business processes. Risk assessment identifies the vulnerabilities of systems and procedures to deliberate or inadvertent threats, determines the potential impacts, and estimates the likelihood that the incident scenarios could actually happen. The strategy for risk mitigation must take into account operational constraints, as well as look to engineering designs and operational procedures for improving resilience, while also evaluating the costs of implementing such risk mitigation strategies and the degree to which they mitigate the risk. Risk assessment also requires that mitigation processes are reevaluated during regular security reviews or when triggered by actual security incidents.
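The following is an added worked example of the Concept #4 process, written for this edit and not taken from the paper or from Xanthus Consulting. It assumes a simple, constructed scoring convention (likelihood and per-category impact on a 1 to 5 scale, risk as likelihood times the worst-case impact category, and mitigations ranked by risk reduction per unit of cost after excluding options that violate operational constraints). The scenario register, mitigation catalogue, costs and scores are all constructed sample data; the point is the shape of the procedure: determine exposure across the listed impact categories, estimate likelihood, cost each mitigation against how much risk it removes, and re-rank when an incident changes the likelihood estimate.

```python
"""Constructed risk-assessment walk-through for an OT environment (illustrative only)."""
from dataclasses import dataclass

# The exposure categories named in the paper; scores are assumed to be 1 (negligible) .. 5 (severe).
IMPACT_CATEGORIES = ("safety", "physical", "functional", "environmental",
                     "financial", "societal", "reputational")


@dataclass
class Scenario:
    name: str
    origin: str          # "deliberate", "inadvertent" or "natural" (paper's threat classes)
    likelihood: int      # 1..5, estimated chance the scenario actually happens
    impacts: dict        # category -> 1..5; categories left out count as 1

    def impact(self) -> int:
        # Worst-case category drives the score: a severe safety impact is not
        # averaged away by a low reputational one.
        return max(self.impacts.get(c, 1) for c in IMPACT_CATEGORIES)

    def risk(self) -> int:
        return self.likelihood * self.impact()


@dataclass
class Mitigation:
    name: str
    scenario: str               # name of the Scenario it addresses
    cost: float                 # relative cost units (constructed)
    likelihood_reduction: int   # how many likelihood steps it removes
    impact_reduction: int       # how many impact steps it removes
    operationally_feasible: bool = True  # operational constraint check


def residual_risk(s: Scenario, m: Mitigation) -> int:
    """Risk remaining after applying mitigation m to scenario s (floors at 1)."""
    likelihood = max(1, s.likelihood - m.likelihood_reduction)
    impact = max(1, s.impact() - m.impact_reduction)
    return likelihood * impact


def rank_mitigations(scenarios, mitigations):
    """Order feasible mitigations by risk reduction per unit cost, best first."""
    by_name = {s.name: s for s in scenarios}
    scored = []
    for m in mitigations:
        if not m.operationally_feasible:
            continue  # violates an operational constraint; drop it from the plan
        s = by_name[m.scenario]
        reduction = s.risk() - residual_risk(s, m)
        scored.append((reduction / m.cost, reduction, m.name))
    scored.sort(reverse=True)
    return [name for _, _, name in scored]


def risk_by_origin(scenarios):
    """Total risk per threat origin, to compare deliberate vs inadvertent exposure."""
    totals = {}
    for s in scenarios:
        totals[s.origin] = totals.get(s.origin, 0) + s.risk()
    return totals


def reassess_after_incident(scenarios, mitigations, scenario_name, new_likelihood):
    """An actual incident revises a likelihood estimate; re-run the ranking."""
    updated = [Scenario(s.name, s.origin,
                        new_likelihood if s.name == scenario_name else s.likelihood,
                        s.impacts) for s in scenarios]
    return rank_mitigations(updated, mitigations)


# Constructed sample register (not real assessment data).
SCENARIOS = [
    Scenario("remote-access credential compromise of substation HMI", "deliberate", 3,
             {"safety": 4, "functional": 5, "financial": 3}),
    Scenario("operator misconfiguration of protection relay settings", "inadvertent", 4,
             {"safety": 5, "functional": 4}),
    Scenario("flood damage to communications hub", "natural", 2,
             {"functional": 3, "financial": 2}),
]

MITIGATIONS = [
    Mitigation("multi-factor authentication on remote access",
               SCENARIOS[0].name, cost=2.0, likelihood_reduction=2, impact_reduction=0),
    Mitigation("network segmentation of substation LAN",
               SCENARIOS[0].name, cost=8.0, likelihood_reduction=1, impact_reduction=2),
    Mitigation("four-eyes review of relay setting changes",
               SCENARIOS[1].name, cost=1.0, likelihood_reduction=2, impact_reduction=0),
    Mitigation("replace all relays with hardened models",
               SCENARIOS[1].name, cost=50.0, likelihood_reduction=3, impact_reduction=1),
    Mitigation("relocate communications hub",
               SCENARIOS[2].name, cost=20.0, likelihood_reduction=1, impact_reduction=0,
               operationally_feasible=False),
    Mitigation("redundant communications path",
               SCENARIOS[2].name, cost=5.0, likelihood_reduction=0, impact_reduction=2),
]

if __name__ == "__main__":
    print("risk by origin:", risk_by_origin(SCENARIOS))
    print("initial plan:", rank_mitigations(SCENARIOS, MITIGATIONS))
    print("after a flood incident:",
          reassess_after_incident(SCENARIOS, MITIGATIONS, SCENARIOS[2].name, 5))
```

With the sample data, the inadvertent relay-misconfiguration scenario carries more risk than the deliberate intrusion, a cheap procedural control (four-eyes review) ranks above every technology purchase, and raising the flood likelihood after an actual event moves the redundant communications path up the plan without re-scoring anything else. The scoring convention is a stand-in; a real programme would use its own scales, but the loop of exposure, likelihood, cost-weighted mitigation and incident-triggered reassessment is the same.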

Concept #5. Cyber security standards and best practice guidelines for OT environments should be used to establish security programs and policies: Cyber security procedures should not be reinvented. Key cyber security standards and best practice guidelines have already been developed for different areas and purposes of security. Cyber security planning should use these standards and guidelines to improve the resilience and security of the OT environment, applying the right standards, guidelines, and procedures for the right purposes at the right time.

BeijingSifang June 2016