Securing the Grid: A Cybersecurity How-To for Utilities

A growing network of experts says that utilities must consider security at every stage of a network integration project — from design and implementation to ongoing management and monitoring.

In response to the evolving threats to the nation's critical infrastructure, the Biden-Harris administration is calling for the utility sector to bolster its cybersecurity hygiene and posture. The administration is backing up this call to action with funding from the Infrastructure Investment and Jobs Act (IIJA). Utilities can use this funding to support and improve their cybersecurity hygiene and strengthen their posture. Additionally, the funds will help utility companies recover from cyber attacks and build resiliency into their core systems.

The IIJA provides $335 million for utilities to support, develop and implement cybersecurity plans, train personnel and purchase equipment. This investment will help modernize our nation's critical infrastructure while protecting it from cyber threats. This also helps reduce the likelihood of disruptions to essential services.

According to President and CEO of Parsons Corporation Carey Smith, “In recent years, there have been several high-profile cyber attacks against critical infrastructure, each reminding us that utilities must prepare to defend themselves against sophisticated and well-resourced threats.” This is a vital investment in security and will help protect critical infrastructure from the ever-increasing threat from nation states, terrorists and criminal actors.

Utilities rely on operational technology (OT) to administer their facilities and systems, provide utility services to customers, collect billing information from meters, control demand response devices, and coordinate their operations with other utilities. Companies that generate, transmit or deliver electrons are in a rapidly changing environment. They face the ever-increasing demands on a grid that moves rising quantities of intermittent power sources: solar, wind and other renewable resources. Utilities are working to optimize their operations and get more performance out of existing equipment to deal with the demands of renewable resources.

Smith thinks that "utilities are starting to rethink their approach to cybersecurity. Traditionally, they’ve focused on protecting their OT from external threats. However, as the grid becomes more complex and interconnected, utilities recognize the need to take a more holistic approach to cybersecurity." All this additional optimization, performance improvement and coordination require utilities to do a much better job monitoring and controlling ever-increasing numbers of connected devices.

As part of this, they must modernize and upgrade their OT networks, which includes integrating OT with information technology networks, to create a more unified and efficient operation. However, while converging a utility's IT and OT networks under a single operational umbrella brings efficiencies, rising security threats and evolving security and privacy requirements come into play.

As such, a growing network of experts says that utilities must consider security at every stage of an OT or IT network integration project — from design and implementation to ongoing management and monitoring. One example of that method is from Parsons Corporation, a technology provider focusing on critical infrastructure and national security. Their converged approach could offer lessons for other utilities:

  • Establish a clear security strategy and governance framework up front.
    Define roles and responsibilities for security across the organization and ensure that security is considered in all decision-making steps related to the OT and IT network integration project.
  • Conduct a comprehensive risk assessment.
    Identify and assess risks associated with integrating the OT and IT networks and develop mitigation plans accordingly.
  • Design security into the new architecture.
    Build security into the system design from the start, rather than trying to bolt it on after the fact.
  • Implement strong authentication and authorization mechanisms.
    Ensure that only authorized users have access to specific parts of the system and that all user activities are properly logged and monitored.
  • Adopt a defense-in-depth approach.
    Implement multiple layers of security controls to protect against various threats.
  • Incorporate security testing and validation.
    Regularly test the system's security to ensure that it is functioning properly and that all vulnerabilities are addressed.
  • Provide and require cybersecurity training and awareness for personnel.
    Personnel who question odd or unusual items are the first line of cyber defense.
  • Adopt controls for and protection of the supply chain.
    Vet vendor personnel (including subcontractors) and any computers or other devices used or purchased through vendors.
  • Build a redundant and resilient converged OT and IT system.
    To ensure high availability, it's important to build OT systems to a fault tolerance standard.

Organizations can reduce cyber risks by reviewing various cybersecurity methodologies and selecting an appropriate program given their needs and applicable regulations. Many of these requirements fall under North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards.

NERC regulates most electrical utilities and is responsible for ensuring the reliability of the bulk electric system (BES). To protect the security of the BES, NERC developed the CIP standards, which contain both cybersecurity and physical security requirements that are mandatory for registered entities. Failure to meet these requirements can result in significant fines and other non-monetary sanctions, underscoring their importance.

While provisions of the IIJA can help organizations within the utility sector get back on their feet following a cyber incident, they are not a long-term fix for cyber shortcomings. Companies need to prioritize and invest in organizational cybersecurity. Otherwise, they'll continue to put customers and businesses at risk — and that's something no one can afford.

Gordon Feller is co-founder of Meeting of the Minds, a global leadership network on urban sustainability.