In January this year, what was believed to be a switching mistake at a high-voltage station near Amsterdam in the Netherlands, caused a complete blackout in the capital and a few neighboring cities. This left more than 350,000 people without power for half a day. In December 2015, 230,000 Ukrainian residents experienced a power outage of up to six hours after 60 substations went offline due to a malware attack. While the former was a genuine error, the latter was a targeted cyberattack intended to cause harm to people, property and the economy at large.
As utilities and energy delivery systems begin to seek the benefits that the convergence of information technology (IT) and operational technology (OT) offers, they also face the challenge of increased vulnerability to cyberattacks. Understanding the fundamental differences between a classic industrial control systems (ICS) environment and that of an electricity network is key to implementing the right security solutions that secure the flow of power to customers, and protect employees and citizens.
Potential impact of security breaches
An electricity network is an ICS environment. While IT systems are used to manage information, an ICS environment is used to control physical processes and objects. But unlike a classic ICS environment, say a factory for instance, which is restricted to a geographical area, electricity networks are spread across an entire state or country. This means that though a security breach at a factory may have a big impact on the company, its effects are localized.
In the energy system, the potential effects of security breaches can be dangerous and have far-reaching consequences, not just on homes and businesses, but on civil society and the economy as well. For instance, if the electricity supply is interrupted or cut off to intensive care units at a hospital, or drinking water pumping stations, it could jeopardize the lives and health of people.
More points to secure
For energy transport and distribution networks, whose “factories” are spread across thousands of kilometers, ensuring operational security presents a big challenge. For distributed system operator (DSO) environments in particular, the number of customer sites can run into the tens of thousands (more in larger countries), which also represent the number of points of vulnerability. If the DSO’s ICS system is not secure, it becomes easier for malicious elements to damage the reliability of the grid, the network or the entire energy system.
Increasing avenues of risk
Digitalization is altering the way information is collected, used and processed in the energy system. For instance, meter readings traditionally involved a person physically collecting readings from an electricity meter. With smart meters, this process is now online. However, this same connection is used to switch electricity, such as turning off or changing the electricity feed in case of a failure somewhere in the electricity network.
As large scale operational systems are integrated with the Internet, it increases the vulnerability of critical infrastructures, because the same channels used for information sharing and exchange may be used by intruders to enter and manipulate the system.
Distributed generation of power
The increasing need for clean, affordable energy is driving the growth of renewable energy sources (wind, solar and hydro). Consumers and businesses are installing solar panels on their rooftops and producing energy themselves. In addition, concepts like energy islands and innovative technologies like Tesla batteries enable homes and businesses to harvest and store energy, and deliver it back to the power grid. These developments have exponentially increased the number of energy sources that are being connected to the distribution grid, and consequently the number of points that need to be controlled and secured.
Securing the future
There is a new energy ecosystem evolving—one where distributed generation, storage and consumption will become more common, and the way energy is used and generated will transform. Utilities need to be prepared for what it really means to have a distributed grid. These changes usher in more dynamic energy pricing and greater opportunities for organizations to generate their own electricity; but it also means more risk, not just on the IT side, but also on the OT side. Putting in place preventive measures against cyber threats in the energy system is paramount to ensure that the integrations that already exist within the company or those with other companies continue to work in a safe and secure manner.
In this new energy system, IT/OT integration is integral to balancing the grid. It is also vital to break down silos created by people, systems and data and enable the smoother flow of information to support automatic control of the distributed network. However, we need to achieve this in the safest and most secure way possible, so that there is no impact on businesses or on the safety of people and the economy.
CGI helps utility clients achieve a high level of preparedness to identify and mitigate both internal and external threats through an enterprise-wide, holistic approach across the dimensions of people, process, technology and governance. Find out more on how to prepare for the cyber threats associated with IT and OT convergence in my colleague Jim Menendez’s latest blog and our white paper—Convergence brings opportunity and risk.