Thanks in large part to “smart grid” initiatives, utilities have deployed hundreds of millions of connected assets into the grid over the last two decades. One hundred million AMI devices (smart meters) join automated switchgear, distributed generation (solar panels), millions of network sensors, and all the radio equipment that lets them communicate.
This concerted push of intelligence to the edge of the grid aims to reduce outage times and impact. It will improve utility asset management, make field crews more efficient, reduce generation and transmission costs, and give consumers more information about their energy usage.
While the grid may be smarter, in many ways it is now more fragile. The sheer number of connected devices the grid needs to operate has dramatically increased the attack surface for any malicious actor looking to target it.
The Biden administration announced a 100 day plan to address the cybersecurity risks that now face electric operators. What are the key points the administration hopes to address? And what does this mean for utilities?
What’s the focus of the 100 day plan?
According to the DOE, which announced the plan on Tuesday, it will work hand-in-hand with CISA and electric utilities to modernize cybersecurity defenses in the following areas:
- Encourage owners and operators to implement measures or technology that enhance their detection, mitigation, and forensic capabilities
- Identify and deploy technologies and systems that enable near real time situational awareness and response capabilities in critical industrial control system (ICS) and operational technology (OT) networks
- Reinforces and enhances the cybersecurity posture of critical infrastructure information technology (IT) networks
- Includes a voluntary industry effort to deploy technologies to increase visibility of threats in ICS and OT systems
Let’s look at these one at a time.
Encourage owners and operators to implement measures or technology that enhance their detection, mitigation, and forensic capabilities
Given CISA’s involvement, it's not surprising this is at the top of the list. CISA’s CDM (Continuous Diagnostics and Mitigation) Program gives agencies tools, services, and dashboards to help them improve their security posture. A key component of CDM that applies to electric utilities as well is cybersecurity asset management.
Of course, the term “asset management” is nothing new for utilities. Effectively managing the assets that make up the grid is essentially the core mission of the utility. PG&E alone operates nearly $100 billion in assets.
Cybersecurity asset management, though, is a different animal. It looks at all connected assets, software, users, and the IT networks they connect to. Cybersecurity asset management tools give users a credible, comprehensive, real-time asset inventory by connecting to all the IT and security tools a company already has in place. With that inventory, companies are better positioned to proactively close security gaps and to respond to incidents.
Identify and deploy technologies and systems that enable near real time situational awareness and response capabilities in critical industrial control system (ICS) and operational technology (OT) networks
Whether you call them ICS, IoT, OT, or Smart Grid, the rapid deployment of connected devices distributed in the grid represents an increase in the attack surface for utilities.
Deployments were often managed by operations rather than IT, and operations prioritized deployment speed and operational benefits over careful inventories and meticulously crafted security policies. This often resulted in a bevy of tools for managing these devices, each with its own data and little aggregation between them.
Bringing a centralized, aggregated view of all assets together gives security and IT teams the visibility they need to proactively secure the grid.
Reinforces and enhances the cybersecurity posture of critical infrastructure information technology (IT) networks
The last year has tested the boundaries of the NERC CIP regulations about the location and security of data about the grid. With the shift in the last year to remote work, many utility IT departments have found it necessary to adjust their access policies accordingly.
Our recent survey found that 72% of IT professionals indicated that their IT landscape was more complex than it was two years ago. The number one reason for the added complexity? Remote work.
After the year we’ve had, and with many preparing to return to the office, it's not a bad idea to revisit the state of IT policies and the security posture of the IT networks that support critical infrastructure operation.
Reviewing the state of the network involves gaining visibility into the current state of the devices, users, and data that are on it. In addition to providing that visibility, cybersecurity asset management tools can automate enforcement of policy or notify IT teams of issues that need to be resolved, enhancing the security posture of the utility.
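To make the correlation step concrete, here is an added example (not Axonius code, and not from the DOE plan) of what an aggregated asset view looks like in practice. It merges three constructed inventory exports, a network discovery scan, an endpoint agent console, and an asset register (CMDB), into one record per asset and then checks that merged view against a small illustrative policy: every device on the network must be in the register, every high-criticality asset must have an endpoint agent, and an agent that has not checked in for more than an assumed seven days is flagged. All hostnames, MACs, addresses and the threshold are constructed for the example.

```python
"""Correlate several constructed inventory exports into one asset view and
check it against a simple policy. Sample data and policy are illustrative."""

from collections import defaultdict

# --- Constructed sample exports (not real utility data) -------------------
NETWORK_SCAN = [  # devices observed on the OT/IT network segments
    {"hostname": "scada-hmi-01", "mac": "aa:bb:cc:00:00:01", "ip": "10.1.0.10"},
    {"hostname": "eng-ws-04",    "mac": "aa:bb:cc:00:00:02", "ip": "10.1.0.11"},
    {"hostname": "",             "mac": "aa:bb:cc:00:00:03", "ip": "10.1.0.50"},
    {"hostname": "hist-srv-01",  "mac": "aa:bb:cc:00:00:04", "ip": "10.1.0.12"},
]
EDR_AGENTS = [  # endpoints reporting to the endpoint protection console
    {"hostname": "eng-ws-04",   "last_checkin_days": 0},
    {"hostname": "hist-srv-01", "last_checkin_days": 40},
]
CMDB = [  # the asset register maintained by operations
    {"hostname": "scada-hmi-01",  "owner": "ops", "criticality": "high"},
    {"hostname": "eng-ws-04",     "owner": "eng", "criticality": "medium"},
    {"hostname": "hist-srv-01",   "owner": "ops", "criticality": "high"},
    {"hostname": "relay-ctrl-02", "owner": "ops", "criticality": "high"},
]

MAX_AGENT_SILENCE_DAYS = 7  # assumed policy threshold, not a standard value


def asset_key(record):
    """Hostname when the source knows one, otherwise the MAC address."""
    return record.get("hostname") or record["mac"]


def build_inventory(network, edr, cmdb):
    """Merge per-tool exports into one record per asset, tagged with the
    set of sources that know about it."""
    assets = defaultdict(lambda: {"sources": set()})
    for src_name, records in (("network", network), ("edr", edr), ("cmdb", cmdb)):
        for rec in records:
            entry = assets[asset_key(rec)]
            entry["sources"].add(src_name)
            # Copy only populated fields so an empty hostname does not
            # overwrite a real one learned from another source.
            entry.update({k: v for k, v in rec.items() if v})
    return dict(assets)


def evaluate_policy(assets, max_silence=MAX_AGENT_SILENCE_DAYS):
    """Return (asset_key, finding) pairs for every policy gap in the view."""
    findings = []
    for key, a in sorted(assets.items()):
        on_network = "network" in a["sources"]
        if on_network and "cmdb" not in a["sources"]:
            findings.append((key, "unmanaged: on network but not in asset register"))
        if a.get("criticality") == "high" and "edr" not in a["sources"]:
            findings.append((key, "no endpoint agent on high-criticality asset"))
        if "edr" in a["sources"] and a.get("last_checkin_days", 0) > max_silence:
            findings.append((key, "endpoint agent silent for %d days" % a["last_checkin_days"]))
        if "cmdb" in a["sources"] and not on_network:
            findings.append((key, "in asset register but not observed on network"))
    return findings


def run():
    """Build the merged view from the sample exports and evaluate it."""
    return evaluate_policy(build_inventory(NETWORK_SCAN, EDR_AGENTS, CMDB))


if __name__ == "__main__":
    for key, finding in run():
        print("%-20s %s" % (key, finding))
```

Each finding maps to one of the actions the paragraph above describes: the unmanaged MAC and the silent agent are the kind of issue a team would be notified about, while the missing agent on a high-criticality asset is the kind of gap an enforcement action (for example, opening a ticket or blocking the port) can be automated against. The same structure extends to any number of sources; the only per-source logic is how to derive a stable asset key.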
Includes a voluntary industry effort to deploy technologies to increase visibility of threats in ICS and OT systems
This is perhaps the most interesting, though vague, point included in the 100 day plan. It’s one thing for the DOE to announce a voluntary initiative. It’s another for the utilities to choose to cooperate.
To get utility IT teams on board, especially when it comes to new technology deployment, they’ll need to better understand the ROI. Cybersecurity ROI is hard to quantify. How can you put a dollar amount on a breach that you can’t be sure will occur? Is that the only measure of ROI?
If nothing else, the DOE plan gives utility IT and security teams a roadmap of where they can focus efforts. Many utilities have seen significant internal ROI from the automation that cybersecurity asset management tools have brought.
At Axonius, we help organizations solve the challenges of cybersecurity asset management. Our agentless solution deploys in hours, not weeks or months. We simply connect to the tools your team already has and aggregate key data about assets, users, and networks, so you can quickly identify unmanaged and IoT devices, discover potential vulnerabilities, and automate actions to enforce security policy.