Cooperation across teams, technology, and institutions is the key to securing the world’s critical infrastructure.
As the global industrial cybersecurity market grows toward a forecasted $41.4 billion in 2033, U.S. power generation and distribution companies have come under increased scrutiny for their cybersecurity posture. Many power companies are considered critical infrastructure, which, according to the Cybersecurity and Infrastructure Security Agency, means their “assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” Other countries around the globe are taking similar postures, designating power infrastructure as vital to their nation’s function and defense, and therefore, essential to protect.
Cybersecurity is critical because a successful cyberattack could damage equipment, cause an unanticipated outage, or create safety risks for personnel and the public. This means that cybersecurity solutions must not only be effective, but must also be as seamless, intuitive, and non-invasive as possible.
Moreover, cybersecurity is an ever-moving target. Unlike process safety concerns, which can typically be identified during project design and stay relatively, if not entirely, static over the lifecycle of an asset or plant, cybersecurity risks change nearly every day. New threats emerge constantly, and layers of defense must be updated or replaced regularly to maintain vigilance.
Securing operational technology (OT) assets has never been easy, and the power industry is no exception. Unlike information technology (IT) architectures that tend to prioritize privacy, OT infrastructures—while still concerned with privacy—tend to prioritize uptime and safety over all other metrics.
Ultimately, this means the journey to cybersecure operations is difficult—if not impossible—to walk alone. Collaboration is critical, and not just at any single level. OT teams must collaborate with their automation solutions providers to ensure they have the right layers of defense in place. Public and private institutions must collaborate to ensure everyone is better prepared to navigate the complexity of developing cybersecure operations. Power generators and distributors must collaborate with their staff to ensure that they create usable workflows. In addition, as the rise of artificial intelligence (AI) continues, everyone must better collaborate with tools that have the potential to both help, or sometimes hinder, power delivery (Figure 1).
In This Issue
Full issue
Combining Expertise
Cybersecurity protection cannot fall exclusively to OT teams, or to the automation solution providers they work with to develop security solutions. Instead, the best, most effective security posture is developed when everyone plays a critical role and works closely together to supply their counterparts with the information, support, and services they require.
For OT teams looking to improve their cybersecurity posture, a common starting point is determining how they want to manage their operations within a cybersecurity framework. Often, that means they look to their automation solutions providers for more than just a simple appliance they can drop in to monitor network traffic or manage antivirus. Instead, most highly successful OT teams know that they need holistic, fit-for-purpose cybersecurity solutions designed for real-time control environments, rather than discrete products tackling individual cybersecurity challenges. Hardware, software, managed services, vulnerability assessments, preventive maintenance, and more must all work closely together to help teams ensure their control system is intact and defended from external and internal threats (Figure 2).
Developing a holistic cybersecurity solution means collaborating closely with automation solution providers. Both the solution provider and the end user have critical skills, knowledge, and expertise that the other needs. The automation solution provider needs to understand what regulatory elements the organization is beholden to, as well as their operational requirements. OT teams will need to help their providers understand their regulatory requirements, such as if their North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) levels are low, medium, or high. In addition, the provider will also need to know their structured network segmentation, standard work processes for patching and report generation, and other critical OT factors.
In many cases, it will also be helpful for a solution provider to understand the organization’s IT/OT relationship. Whether there are requirements from the IT group, or if the OT team tends to keep everything within their own domain, it can be helpful to understand those dynamics at the very beginning of a cybersecurity journey.
Similarly, automation solution providers have much critical data they can share as part of a collaborative process. OT teams will want to know what cybersecurity frameworks—such as the National Institute of Standards and Technology guidelines—the provider uses in their holistic solutions. Ideally, the solution provider will be a one-stop-shop for that framework, including most of the needed elements under its umbrella of products and services, so organizations do not have to piece together many disparate, complex solutions that will be difficult to install, integrate, and maintain. OT teams will also want to know if the solution provider can fully integrate all their units or fleets by bringing third-party systems into their cybersecurity framework for more comprehensive protection.
The best automation solution providers should also be able to demonstrate comprehensive cybersecurity certification, such as the International Society of Automation 62443 secure development lifecycle and Homeland Security certifications, to ensure their expertise. Moreover, the providers should offer OT teams cybersecurity playbooks and a wide variety of whitepapers applicable to requirements and implementation of cybersecurity services, both to provide continual guidance and to demonstrate expertise and continual evolution.
Public Outreach
Cybersecurity is a moving target, and as a result, standards and regulations will continually need updating, and personnel will continually need to be trained to help meet those standards. Collaboration between public and private entities is critical to maintaining momentum in these areas. Regulations cannot be effective without knowledge from the right people, often those who are in the private sector. Moreover, knowledge of cybersecurity principles, protocols, and practices must be trained, which means starting where people begin their careers: in colleges and universities. However, schools can only be prepared to teach properly if they are armed with modern ideas and equipment.
One area where collaboration between public and private must occur is on regulatory boards. Typically, regulatory boards receive input from public institutions, like the Department of Energy, as well as from national labs, to help develop new cybersecurity standards. However, if those boards are made up exclusively of public entities, there can often be a disconnect between the research and real-world implementation, which causes complications. If a national lab delivers data to a board and the board then develops policies and regulations on that data alone, the regulations may not be applicable to a system at scale.
Meeting this challenge means bringing together public and private players—both by seating industry representatives on those boards, and by establishing industry advisory boards where OT representatives, technology solution providers, and public representatives come together to collaboratively develop solutions that work in practice.
Education is another critical area where private companies can assist public entities and see significant returns. As the skilled industrial workforce continues to transform, both power companies and automation solution providers must invest in the skillset of the next generation. Modern control technologies are built with layers of defense in depth, a stark contrast to the technologies of 10 or 20 years ago.
Today’s companies can help institutions of higher learning by sharing their expertise in designing new systems as automation companies provide technologies in parallel. This means not only building testing and training platforms with the most modern control systems, but also creating systems layered with power- and water-specific cybersecurity suites. When students train on the technologies they will see in their day-to-day jobs—including the cybersecurity technologies that will impact how systems are engineered and operated—they will enter the workforce better prepared, providing more value to their employers, and serving the public by better securing critical infrastructure.
Better with Buy-In
Collaboration between technology providers and OT teams and public institutions can go a long way to building secure solutions that more effectively protect critical energy infrastructure. However, cybersecurity solutions bring far less value if the organization’s users are unable or unwilling to use them.
While there is more maturity in the industrial control cybersecurity space than there was five or 10 years ago, there is also far more available technology. When implemented poorly, that technology has the potential to disrupt workflows, which can lead to users ignoring or trying to work around cybersecurity infrastructure, ultimately creating gaps in protection.
Solving this problem requires a two-pronged approach to collaborating with users. First, organizations must help their users understand the criticality of working within cybersecurity guardrails. Attacks on OT assets typically generate risk that goes beyond privacy loss because a successful cybersecurity breach can potentially cause damage to the plant, and/or create safety risks for personnel and the public. Training should help users understand these risks and help them identify their role in preventing such losses.
In parallel, management and engineers must develop workflows that consider the operational point of view. Organizations must work with their automation solution providers to deliver mature, stable platforms that flow well and are less intrusive for users. Cybersecurity solutions should be designed with as few necessary ongoing tunings as possible to limit interruption to operator tasks.
OT teams should work with their providers to implement software with intuitive patching systems. These solutions should provide the user with controls to ensure there are no operational surprises, such as machines rebooting unexpectedly during updates. They can also make sure the processes of updates—such as antivirus definition updates—are not just smooth but also validated and fully tested before deployment so there are no surprises. Creating workflows that are usable, rather than creating barriers to effective operation, can go a long way toward generating support for the user base, which is a critical metric for cybersecure operations.
Understanding AI
As OT teams and automation solution providers navigate their cybersecurity journey, they will also need to consider an additional complicating factor—the rise of AI. In coming years, AI tools will quickly provide bad actors with near limitless models and vectors for attack in only a fraction of the time it took to develop such tools manually. Teams will need to keep up with the bad actors, collaborating with their own AI tools to improve efficiencies with analytics to stay ahead of new threats. AI tools can be used to review systems, speed the process of analyzing vulnerabilities, perform penetration tests, and even speed recovery in the aftermath of a successful cyberattack.
Collaborating for Today and the Future
As the world’s dependence on electricity continues to grow, building more cybersecure solutions for the power industry will be an ever-present concern. Outpacing cybersecurity bad actors is rarely, if ever, a journey that can be taken alone. Close collaboration among all stakeholders is key to successfully navigating the cybersecurity landscape, not just for the solutions organizations put in place today, but also to support continual evolution of faster, stronger, and more effective technologies.
—Emily Affare is the director of Guardian and Cybersecurity Solutions for Emerson’s Power and Water Solutions business.
