With more and more devices becoming connected, it is critical that the hydroelectric power industry understand the best practices and critical steps necessary to protect their ability to produce electricity.
By Max Wandera
The hydroelectric power industry is balancing the benefits that come from integrating connected technologies with the inherent cybersecurity risks associated with additional connectivity. There is an opportunity to challenge suppliers to provide substantial cybersecurity assurance against emerging cyber threats. Solidifying the framework for a robust cybersecurity approach will help reduce risk, while ensuring that all system components meet the same established standards.
Much like safety and quality, cybersecurity must be an integral consideration, with strict protocols placed on people, processes and technologies, integrating security protocols at every phase of product development.
Securing electrical devices in an increasingly connected world
By 2025, 41.6 billion connected devices will be generating 79.4 zettabytes of data that need to be maintained and processed, according to research and advisory company IDC. And analysts forecast that connected devices and the data they generate will continue to grow exponentially.
As customers deploy more intelligent and connected solutions, it is essential to trust and verify that the technologies are designed, built and tested to proven engineering practices. Eaton takes a proactive and consistent approach. Our collaboration with UL is establishing rigorous engineering practices for network-connected products and systems.
When looking at electrical infrastructure that is connected to the grid, there are two primary objectives: safety and reliability. A single breach could impact both or either of these objectives. With the increase in attacks on the grid, especially in hydroelectric systems, it is important to ensure the right people are hired and trained to secure these systems. The industry also needs the right processes in place to help safeguard the entire ecosystem alongside technology that can help identify, protect, detect, respond to and recover from potential attacks.
UL takes on cybersecurity
Global safety standards organization UL has taken the lead in establishing common criteria for assessing network-connectable devices. Advancing cybersecurity in an increasingly electrified and connected world requires industries and standards organizations to come up with unified global criteria for assessing products and systems that are connected to the grid. Eaton is partnering with UL to drive these efforts.
Electrical infrastructure is typically composed of equipment from a variety of manufacturers. Because there is no common way to assess cybersecurity compliance of these products, customers may be concerned about the safety of their installations if each manufacturer has a different way of assessing device compliance with cybersecurity requirements.
Creating the framework for a robust, consistent cybersecurity approach will help reduce risk while ensuring that all components and systems/solutions meet the same industry standards. This can be achieved via independent, third-party verification.
In 2017, UL established a Data Acceptance Program (DAP) for cybersecurity. Organizations can demonstrate that their labs adhere to aspects of the cybersecurity standards — building further proof of defense against emerging cyber threats.
By adhering to UL’s standards and processes, manufacturers are helping critical infrastructure customers build trust in network-connected technologies. This process also provides tangible proof that technologies are designed to be cyber secure.
Since 2018, Eaton has been collaborating with UL to establish measurable cybersecurity criteria for network-connected power management products and systems. Our mutual efforts are helping drive the development of common criteria for assessing products to ensure they meet industry standards and reduce cybersecurity risk. Through rigorous cybersecurity processes and having the first labs approved to participate in the UL DAP, Eaton is developing products and systems that comply with the most stringent standards and expectations for safe, secure power management.
Eaton’s cybersecurity research and testing facility in Pittsburgh is the first lab approved to participate in UL’s Data Acceptance Program for cybersecurity. (photo courtesy Eaton)
Eaton’s cybersecurity approach is designed to ensure that we have the right talent, processes and technologies to build our products leveraging “secure by design” framework. Further, we are pushing for common global cybersecurity standards, which are essential to creating trusted environments.
5 critical steps to cybersecurity
The goal for manufacturers should be to ensure that products are compliant with cybersecurity standards and are secure when deployed in the customer’s environment by addressing risk from the beginning of the product development lifecycle. Eaton’s risk approach leverages the following principles:
Eaton manages cybersecurity risks in products through a Secure Development Lifecycle program, with the use of threat modeling, requirements analysis, implementation, verification and ongoing maintenance. (photo courtesy Eaton)
- Get to know the product: Collect important background information from product teams to initially classify the product to be built, whether it is a sensor, actuator, field device or system.
- Learn how it’s built: There are a variety of products in the market, with countless components, interfaces and protocols. Review the architecture of the products in order to identify physical interfaces, protocols, data flows, deployment context and access scenarios. This can help set the stage for discovering where risks may hide.
- See where the risk may lie: Methodically examine every facet of the product and create threat models to identify conceivable cybersecurity issues that may be a concern in the customer environment. With findings in hand, you can then finalize cybersecurity requirements.
- Work to remove risk: Apply the “secure by design” principal by ensuring cybersecurity is embedded in each phase of development — such as design, code reviews and product assessments — and correctly applied. Align findings with your framework requirements to confirm you’re meeting the product’s cybersecurity goals. You should then document secure hardening and deployment guidelines according to industry best practices.
- Confirm security: Validate requirements and findings from product assessments to help developers identify and fix any bugs discovered before developing a process to address any future vulnerabilities discovered in the field.
It is essential to recognize that cybersecurity, even when designed into technology, is dependent on how technology is applied as threats continue to evolve. For example, it is my responsibility to update my smartphone with manufacturer-provided updates. If I don’t make those updates, my device may be more vulnerable to attack compared to an updated device. Similarly, the way a customer applies a technology and the updates and upgrades they decide to make in their systems and environment will impact cybersecurity in their applications.
As threats evolve, the industry should continue to identify where risk may lie, work to remove risk and offer updates to products regularly. An important part of the process is making sure that customers are aware of those upgrades and have trained resources to take advantage of the latest technologies and best practices available.
Addressing cybersecurity risk in hydroelectric facilities
From the smart grid to industrial controls, machine-to-machine networks and the “Internet of Things,” networked intelligence is gaining exciting new ground. However, the more connected the world of utilities and industrial applications becomes, the more vulnerable it is to hackers, malware and security intrusions – and the more cybersecurity matters.
Traditional industrial control systems (ICS) use serial devices connected through dedicated modems with industry proprietary protocols, which amounts to security by obscurity. Today, ICS is increasingly connected to enterprise networks – and hydroelectric facilities are integrating field devices into enterprise-wide information systems.
To enhance protection for these modern ICS networks, the first step is conducting a cybersecurity risk analysis of your operations that focuses on people, process, procedures and technology. This exercise should be conducted in conformance with established technical and regulatory frameworks to ensure compliance with industry standards for cybersecurity. Hydroelectric facilities often consist of systems and solutions from various manufacturers. Each manufacturer may have a different view of what makes a device compliant to cyber standards, leaving the asset owner/operator confused and concerned about the safety of the installation.
By working with a device manufacturer that has been vetted by an independent, third-party organization, you can gain additional “peace of mind” that systems will operate safely and reliably.
Once you identify the risks in each area, the next step is building the capability within the organization to be able to drive cybersecurity. This involves building awareness through training and best practices. You then create policies that will help drive process to institutionalize cybersecurity across the organization, followed by procedures that create a culture of secure by design. These policies and procedures should address:
- Device, system or solution qualification procedures, i.e., What requirement should a new product have to meet before it’s approved and added into the customers network?
- Process to perform ongoing vulnerability scanning and patching.
- How often should this be done, and on what products and systems?
- How often are you changing network passwords and implementing updates?
- Are you able to sustain business operations without access to certain systems? For how long? Have you tested this?
After this is completed, you can start acquiring the right tools and technology to help drive security across your operation. It is important to continue to analyze new threats and update processes and procedures to stay ahead of new vulnerabilities.
“Maintenance cycle” to help ensure protection for cybersecurity programs
Central to cybersecurity best practices is the timely and consistent maintenance of application and operating system update patches. This has been clearly demonstrated by recent ransomware attacks in which unpatched systems remained vulnerable.
Utilities, renewable and energy storage system operators are strongly encouraged to maintain a consistent process to promptly implement patching and updates once notified.
A true “defense in depth” strategy for cybersecurity should integrate technology, people and operational capabilities to establish a holistic approach.
For any cybersecurity strategy to succeed, there must be well-documented and continuously reviewed policies, procedures, standards and guidelines in each of the following areas:
Asset inventory: Having a proper inventory of all the devices connected to your network and understanding what role they each play is important when trying to mitigate organization risk.
Firewalls: Firewalls provide the capability to add stringent and multifaceted rules for communication between various network segments and zones in an ICS network.
Demilitarized zones (DMZ): Network segmentation helps establish secure control networks, grouping critical components and isolating them via firewalls from the business IT network.
Log and event management: Put systems in place to monitor and identify suspicious or malicious activities and raise awareness of new and potentially unauthorized devices that appear in the environment.
Security policies and procedures: Create practical and enforceable policies specifically designed for ICS that address access-related issues such as physical access, contractors and vendors.
ICS hardening: Reduce as many security risks as possible by securely configuring ICS networks to eliminate unnecessary services and applications that offer possible points to intruders.
To protect important assets, all organizations must take cybersecurity threats seriously and meet them proactively with a system-wide defensive approach specific to organizational needs. No protection method is completely secure. A defense mechanism that is effective today may not be effective tomorrow — the ways and means of cyber attacks constantly change. It is critical ICS administrators across the hydroelectric industry remain aware of changes in cybersecurity and continue to work to prevent any potential vulnerability in the systems they manage.
Max Wandera, CISSP, GLSC, is director of the Cybersecurity Center of Excellence at Eaton.