How Cybersecurity Is Evolving to Protect Our Energy Grid

By Jerome Farquharson, Principal Director, Burns & McDonnell

The United States’ approach to cyber security for its critical industrial infrastructure and control systems has been a mixture of voluntary guidelines and standards, combined with regulated congressionally-mandated standards. Somewhat predictably, the outcome has been hampered by the conservative risk appetites of enterprises. Federal regulations and standards prescribed by the National Institute of Standards and Technology (NIST) and the Federal Information Security Management Act (FISMA) have also helped drive security on IT-based systems.

The term Industrial Control System (ICS) encompasses several types of control systems used in industrial production, including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCSs), and other smaller control system configurations like Programmable Logic Controllers (PLCs), which are often found in natural gas-fired generation.

Because of the inherently isolated design of ICS, security was assumed to be automatic. This, however, has proved far from true. PLC and SCADA systems can be compromised. Simply placing a firewall as a logical perimeter defense mechanism, while leaving all internal systems with very few or no security controls, only allows for a greater compromise, since a disgruntled employee could sabotage a system from the inside.

Another challenge for ICS security is slow vendor adoption of security solutions within applications and hardware solutions. A natural gas-fired generation plant has multiple interconnected systems, and each vendor utilizes its own unique solution, which is independent of other vendors’ solutions. This approach results in multiple vendors providing multiple solutions to solve the same problem of cyber security. The lack of harmonized, integrated cyber security solutions exacerbates problems inherent to the administration of cyber security within an ICS.

Gas-fired plants utilize systems such as OSI PI, Emerson EDS, RTU, Historians, and other tools on their network to dispatch plants remotely, curtail power for wind assets, and manage fleet operations. Power generators can reduce the total cost of ownership and improve plant reliability by reducing forced outages using integrated cybersecurity solutions. The placement of a firewall between the ICS system and any other network that interfaces with the DCS or SCADA helps achieve the goal of separating the control network into zones. Network segregation is the first step in a defense-in-depth approach.

Second, plant owners should identify all network traffic that must leave the SCADA or DCS network by TCP and UDP port, and make sure firewall rules and access control lists (ACLs) are hardened to allow only those ports needed to communicate in or out of the network. By hardening a firewall, engineers can eliminate significant unwanted traffic from entering or leaving a DCS system.
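One way to carry out the port inventory described above, shown as an added example that is not part of the original article: it derives the services that actually cross the control-zone boundary from flow records and compares them with the existing rule set. The network range, flow records, ports and rule names are all constructed for illustration.

```python
import ipaddress

CONTROL_NET = ipaddress.ip_network("10.10.0.0/24")  # assumed DCS/SCADA zone

# Constructed flow records seen at the zone firewall: (src, dst, proto, dst_port)
FLOWS = [
    ("10.10.0.5", "10.20.0.8", "tcp", 5450),   # data feed to business network
    ("10.10.0.7", "10.20.0.2", "udp", 123),    # time sync
    ("10.10.0.5", "10.10.0.21", "tcp", 502),   # stays inside the zone
    ("10.20.0.44", "10.10.0.5", "tcp", 3389),  # inbound remote desktop
]

# Constructed current rule set: (name, proto, dst_port); None means "any"
RULES = [
    ("historian", "tcp", 5450),
    ("ntp", "udp", 123),
    ("legacy-ftp", "tcp", 21),
    ("vendor-any", None, None),
]

def crosses_boundary(src, dst):
    """True when exactly one endpoint sits inside the control network."""
    inside = [ipaddress.ip_address(a) in CONTROL_NET for a in (src, dst)]
    return inside[0] != inside[1]

def required_services(flows):
    """Distinct (direction, proto, port) tuples that cross the zone boundary."""
    needed = set()
    for src, dst, proto, port in flows:
        if crosses_boundary(src, dst):
            direction = "out" if ipaddress.ip_address(src) in CONTROL_NET else "in"
            needed.add((direction, proto, port))
    return needed

def audit_rules(rules, needed):
    """Flag rules that are wildcards or match no observed boundary traffic."""
    used = {(proto, port) for _, proto, port in needed}
    findings = {}
    for name, proto, port in rules:
        if proto is None or port is None:
            findings[name] = "wildcard: replace with explicit proto/port entries"
        elif (proto, port) not in used:
            findings[name] = "unused: no observed traffic, candidate for removal"
    return findings

def unmatched_services(rules, needed):
    """Boundary traffic that passes only because of a wildcard rule."""
    explicit = {(p, port) for _, p, port in rules if p and port}
    return sorted(s for s in needed if (s[1], s[2]) not in explicit)
```

Anything returned by `unmatched_services` needs an owner's decision: either it gets its own explicit rule or it is blocked when the wildcard is removed.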

In 2012, then-Homeland Security Secretary Janet Napolitano reported that cybercrime was the number-one threat to the United States, ahead of terrorism. This remains the case today. However, the gas-fired power industry is not sitting still. Gas industry professionals and engineers are fighting back by strengthening control center security, generation plants, storage facilities, and other critical infrastructure.

The implementation of regulated standards for the gas industry, combined with a structured monitoring and enforcement mechanism, will be required for all critical infrastructure enterprises to maintain and grow a society’s standard of living. Without regulated standards, the temptation to do nothing (or the bare minimum) exists, which could result in a greater loss to the enterprise and society than the cost of implementing security measures in the first place. Critical infrastructure for gas-fired generation has moved from mechanical controls to digital technologies, computer networks, Internet-driven devices, and virtual infrastructure.

Enterprises want the best for their stakeholders, and that means keeping the valves pumping gas while maximizing returns on investments. But there are many instances where executing the right thing for the enterprise or society comes into direct conflict with maintaining profitability or working within budgets. This can delay the execution of wise decisions, thereby impacting security.

There’s no flawless system for eliminating cyber threats. Nation states have learned from Stuxnet that attacking critical infrastructure like natural gas-fired generation plants presents an easy method to injure organizations monetarily, or even threaten the lives of people. But by applying the right methods, gas-fired power plants can achieve a layer of defense. They can implement malware prevention, account management, intrusion detection, patch management, and security monitoring. Such building blocks are crucial to the health of infrastructure.