Posted by Christopher Kelly
Earlier this year, President Trump held a meeting with leaders from electric utilities and various federal agencies to discuss risks to the US power grid from cyber attacks. This meeting came on the heels of a report that hackers deployed malware onto grid-connected networks in Ukraine last year that caused signifcant outages in the country’s electric supply. The report concluded that a similar attack on the US could be carried out with only minor tweaks to the malicious code.
For anyone familiar with Stuxnet, the ability of digital “viruses” to infect and alter the operation of physical infrastructure such as the electric grid is not news. And given the tangible dangers of cyber attacks, not to mention the political and public relations disasters that would ensue, it should be no surprise to industry observers that Cyber Security was top of mind among utility CEOs at the annual EEI conference. To underscore the importance of this issue, CEOs from across the country mentioned cyber security in the same breath as other existential issues facing our industry, such as the role of ‘carbonless’ generation in the baseload and how distributed energy resources may fundamentally change the entire utility business model.
We can be sure that this cyber threat is real and that it’s not going away. The upshot for many of us working in daily utility operations, such as vegetation management or routine safety inspections, is that efforts to tighten security in the digital realm are cascading into the world of tree branches and loose guy wires, where mobile-enabled, contractor-facing work management software systems are becoming indispensable to the efficient and compliant execution of these maintenance programs.
With all the sincere respect owed to the professionals performing these operations and maintenance roles in our industry, there’s a wide space between managing a customer tree trim request and operating the SCADA system controlling switch gear in a large substation. With that distinction in mind, it’s reasonable to separate IT systems into categories that reflect their potential impact on the utility (and their customers) and on the grid (and therefore the economy and society as a whole). At the risk of over-simplifying, let’s call these high-risk and low-risk systems.
Granted, there are valid concerns over data security in low-risk systems, such as the GPS location of electrical assets (sometimes classified as NERC CIP or CEII) or customer-confidential information (sometimes classifieds as PII, etc). Yet, there are viable strategies to isolate and protect these data sets within low-risk systems while still providing utility staff and the contractors they manage with the information they need to effectively execute their work.
So if the sensitive data needed in parts of these information systems can be secured, then the remaining data is inherently low-risk. So there’s a strong argument that utilities can INCREASE security of their most highly sensitive systems, like SCADA and physical access control systems, by placing low-risk systems OUTSIDE the corporate IT Network.
In emergency response situations, such as large-scale damage from a hurricane or ice storm, this dynamic is amplified. These events can bring hundreds of additional contractors and other temporary personnel into a utility, and providing them with digital data about the nature and location of damage to the electrical infrastructure can dramitcally improve outcomes in restoration time. Utilities with a cloud-based, contractor-facing maintenance management software already in place for their daily operations will be well positioned to dispatch work locations to outside crews electronically without opening their firewalls to new users and devices during the chaos of a large-scale event.
We’d love to get your perspective on this. Please leave a comment or drop us an email at (firstname.lastname@example.org).