Electric utilities examine growing cybersecurity risks as number of connected devices increases
SAN DIEGO — The growing number of connected devices on the electric grid provide benefits in the form of real-time information and enhanced efficiency, but each device also creates additional cybersecurity risks.
While electric utilities and the federal government have worked to maintain a strong cybersecurity defense against attacks on the bulk electric system, the increased number of distributed energy resources (DERs), microgrid and internet-connected devices has created its own potential vulnerabilities at the local distribution level.
Better equipment standards may be one of the solutions to this dilemma, according to a panel of experts at the Edison Electric Institute’s (EEI) annual convention held this week in San Diego.
“With the retail devices and the rate at which they will be integrated into this evolving grid, I do think the industry, particularly those that are going to buy and deploy that equipment or systems, need to have a conversation about calling upon the manufacturers for equipment standards,” Richard Mroz, former president of the New Jersey Board of Public Utilities, said.
Without standards, he said, utilities don’t have an understanding of what vulnerabilities the equipment may create.
Benjamin Waldrep, senior vice president and chief security officer for Duke Energy, said that he agrees that the industry should call for standards, but that Duke uses what he called “incremental solutions,” such as penetration testing, to test vendors in the meantime.
Margaret Hopkins, senior vice president and chief information officer for Puget Sound Energy, noted that her company uses BitSight Security Ratings, a rating system similar to a credit score that helps organizations identify, quantify and mitigate cyber risk. If a third-party vendor has an unsatisfactory score, they can use BitSight’s consulting services and develop a plan for improving their practices, which they can then bring back to Puget Sound.
“So, I think there’s a little bit more emphasis on our side on helping our vendors know that it is important to us, that we’re actually going to be working with you and collaborating with you to ensure that your cyber practices and ours are in sync and that over time, it will lift all the third parties to a level of understanding that this is something that they’re just gonna have to do,” Hopkins said.
It’s also important, Hopkins added, to build cybersecurity into agreements with vendors. Tenets of those agreements may include requiring the vendor to notify the utility if an incident occurs and to indemnify the utility if damage occurs due to a vulnerability.
Indemnification, however, may come too late, Mroz said. The panelists emphasized that prevention is critical.
Standards can help with prevention, as can monitoring for signs of cyber incidents. Hopkins noted that this monitoring is growing more challenging as more devices are now located closer to the grid edge. Segregating a device if a cyber event occurs, she said, can help prevent damage from spreading to other parts of the grid.
