Shockwaves sent through the world from recent breaches of the US government IT systems continue to reverberate as we enter the new year! And whilst the extent of the damage caused by the SolarWinds cyber-hack should not be underestimated, the lessons that are being learnt, new technologies being developed, and new strategies being implemented as a result, have the potential to propel our collective cyber-awareness and upgrade our cyber-resilience to a whole new level in the year ahead.
In the course of my work as a smart grid market monitor, I speak with grid planners and engineers tasked with new technology design and implementation on a daily basis. These conversations reveal the ambitious, innovative, and societally enriching infrastructure development plans of smart utilities worldwide, as well as the anxieties surrounding the hyper-connected grid with its ever-increasing attack-surface and rapidly morphing threat-landscape.
There are things that smart utilities can do and are doing to maximise their cyber-resilience. They are demanding more security-by-design from their system suppliers, they are tightening up their cyber and physical security integration, they are leveraging industry standards such as IEC 62443 and IEC 62531, and they are keeping on top of the security upgrades in a more rigorous way. However, more often than not these days, it is the human-factors that undermine what would be an otherwise robust technical strategy, opening doorways for hackers to do unimaginable damage.
As we progress through the new year, smart utility cybersecurity specialists must step up their attention to the human-factors if they are to truly slam the door shut on hackers once and for all. To do this effectively, here are the areas for immediate attention:
- Workforce cyber-awareness
It is almost universally accepted that one of the most significant impediments to an organisation’s cybersecurity effectiveness is its own workforce! But while the ‘threat within’ is often spoken of as a fait accompli, there are new and improved ways in which workforce cyber-awareness and compliance can be fortified. Ensuring that every member of your workforce is effectively cyber-informed and compliant both technically and behaviourally is not straightforward, but it is essential. As technology suppliers strengthen their end-user cyber-education and certification programmes, there is a great deal more that smart utilities can be doing for themselves to ensure compliance across their workforce.
Indrek Kunnapuu, CISO at Elektrilevi in Estonia, who recently spoke at the Smart Grid Cybersecurity 2020 virtual conference, revealed details of Elektrilevi’s ambassador-led programme, intensively training those with a genuine interest in cybersecurity and IT and allowing them to train the end-users in their departments. This ambassador-led approach has exponentially improved workforce cyber-compliance whilst simultaneously reducing associated costs. To learn more about this ambassador programme and consider how you can apply similar strategies and frameworks to your own environment, contact Indrek via LinkedIn at: https://www.linkedin.com/in/kunnapuu/
- Utility cyber-intrusion information sharing
One of the greatest barriers to cyber-advancement to date has been organisations’ reluctance to speak out about their cyber-intrusions for fear of alarming their stakeholder communities. But with over 80% of organisations having experienced a cyber-attack, as well as the vulnerabilities that home working is introducing to corporate systems post Covid-19, and revelations of recent attacks on one of the most robust IT systems in the world, the US government system, it is high time that more organisations speak out about their cyber-breaches and join forces with peers worldwide to collectively slam the door shut on cyber-criminals.
To assist smart utilities in joining forces and building an impenetrable wall against cyber-criminals, EE-ISAC is here to help. This is an industry-driven, information sharing network of trust, with private utilities, solution providers and public institutions such as academia, governmental and non-profit organizations coming together regularly to share valuable information on cyber security & cyber resilience. EE-ISAC enables a joint effort for the analysis of threats, vulnerabilities, incidents, solutions and opportunities. EE-ISAC offers a community of communities to facilitate this proactive information sharing and analysis, allowing its members to take their own effective measures. For more information on EE-ISAC and how you can join forces with other smart utilities in the fight against cyber-crime, visit the EE-ISAC website here.
- Supply chain cyber-assurance
Working hard to secure your own systems, update your own processes, and educate your own people is all well and good! But how can smart utilities seriously guard against threats that can be introduced by the systems, processes and people inside their partner organisations? Just how much control do you have, and should you have, over the cyber-resilience of your entire ecosystem?
Marthe Kassouf, Research Engineer at Hydro-Quebec IREQ, and Deepa Kundur, Professor & Chair at the University of Toronto, both in Canada, recently spoke at the IEC 61850 Global 2020 virtual conference about the research they are carrying out to help utilities guard against supply chain attacks. Their recommended approach leverages IT/OT convergence through the integration and correlation of data generated by different IT and OT sources and the implementation of enhanced IT/OT system monitoring. Their roadmap for developing this method includes further enhancement of their cosimulation, data analytics and IT/OT monitoring capabilities as well as further collaborations with industrial and other academic/government entities. To learn more about this unique approach to combatting supply chain attacks, and consider how you could participate in this programme, download the presentation here.
In recognition of the urgent need for more cyber-awareness across the smart utility organisation, Smart Grid Forums is planning a series of monthly 30-minute CyberAware webinars, in interview format, with key smart utility cybersecurity thought leaders, starting March 2021.
For more information and to register for these complimentary webinars, visit www.smartgrid-forums.com from March 2021.