ATLANTA — Speakers at the Smart Electric Power Alliance’s Solar and Energy Storage Southeast conference on Monday praised the electric industry for finally taking cybersecurity risk seriously, but they warned that many entities may not be prepared for the needed investments of both money and time.
“I’ve been in some conversations lately where cybersecurity is a board-level discussion. That hasn’t always been the case; it [used to be], ‘well, find somewhere to put it in the IT budget … because we’re an operation shop, and as long as the control centers are working [and] operators [can] manage the grid, we’re good,’” said Stephen Brown, director of cyber and physical security for SERC Reliability.
Now “you think about the controls that have to be in place to keep the grid resilient, and you think about training; you think about hiring talent, which is another big challenge for companies here in the United States because there’s a … shortage of employees.”
Brown, along with other participants in the “Cybersecurity and Securing a Resilient Grid” panel, said that recent cyber incidents like the SolarWinds hack last year and the Colonial Pipeline ransomware attack in May had helped to demonstrate the importance of electronic security for critical infrastructure. However, the topic can still seem intimidating, even for utility leadership determined to secure their systems.
“There’s thousands upon thousands of pages of requirements. Where do I start? What do I do? Do I need to comply with NERC CIP [Critical Infrastructure Protection] [or] NIST [the National Institute of Standards and Technology], etc.?” said John Franzino, CEO of engineering and cybersecurity firm Grid Subject Matter Experts. “I completely agree [that] in order to have a mature program that’s repeatable and measurable, you need a good policy, just like in every other aspect of our business. But don’t get stuck on figuring out the big overarching policy … before just taking some basic actions.”
Expanding on Franzino’s point, Brown acknowledged that implementing a strong security culture often involves growing pains and frustration with additional layers of protection. But he warned that this should not become an excuse for abandoning the program, which can lead to much greater inconvenience.
“It can be cumbersome at times, if you have a lot of turnover, but you avoid the big mistakes,” Brown said. “No one really wants to have a process and control in place, until one may fail [and] someone … gets that privilege to access something that could be detrimental to your environment.”
Distributed energy resources, such as rooftop solar panels and batteries, have attracted considerable attention on the cybersecurity front. Some experts warn that separating generation into many distributed units may create a much bigger attack surface for hackers to target.
Karla Loeb, chief policy and development officer for solar panel manufacturer Sigora Solar, presented a different view. Comparing the decentralized nature of DERs to the now-ubiquitous smartphone, Loeb suggested that spreading out generation duties created valuable redundancy, as taking down any single generation asset would affect only a small part of the load.
“How many times have your phones just shut down? Facebook [and] Instagram went down last week, but … it was just those specific applications; you were still able to use your phone, because the technology is so secure on the individual chip level … that they’re not able to infiltrate at that level,” Loeb said.
Franzino acknowledged Loeb’s point but warned that the current implementation of DERs still leaves significant points of vulnerability that utilities must address.
“The distributed nature is a great inherent benefit for resiliency and cybersecurity, but there still are these aggregation points along the way,” Franzino said. “Using your iPhone example, the doomsday scenario for probably 90% of the people in this room … is that Apple’s supply chain is compromised [or its] process of writing firmware, acquiring chips and putting together the whole system. If their supply chain is compromised, that is a huge aggregation point.”