The Crusade to Cyber-Save Energy

Concerns over cyberattacks have triggered a surge of new grid regulations. This is how utility companies can get compliant.

Electricity Company Compliance

Utility-company grids can control everything from energy supply to distribution. This can impact national security, American economics, and public health. The government believes that protecting them is so critical that it has tasked the North American Electric Reliability Corporation (a.k.a. NERC) with policing grid security. NERC has wasted no time, modernizing compliance laws through several new Critical Infrastructure Protection (or CIP) regulations.

We’ve already seen a small fraction of what a cyberattack can do. In 2015, a malware attack compromised almost a fourth of Ukraine’s power grids. A year later, the country alleged that Russia cut its power in another hack. This time, it left north Kiev in the dark.

According to the U.S. Energy Information Administration, America has “more than 7,300 power plants, nearly 160,000 miles of high-voltage power lines, and millions of low-voltage power lines and distribution transformers, which connect 145 million customers.” That’s a lot of grids, each possessing its own vulnerabilities.

Finding a security platform with sprawling visibility that also scales to growing data is a huge issue. Insider threats (such as rogue employees or contractors) and other threats that make their way inside (like malware) are of particular concern because they are so difficult to spot. Meanwhile, warns, remotely controlled “networked grid digital devices also support mass commands, where an inadvertent issuance of a command has the potential to bring down a significant portion of the electric grid.” And recently added lack of network segmentation to its list of infrastructural vulnerabilities.

Firewalls, even those with calibrated rules, simply cannot keep up with the advancing nature of crime the way that security analytics can.

The BRIDGE Energy Group, a consultant for utility companies, makes a compelling case for the latter. The organization recently published a sobering overview about the state of grid security. (See our chart, below, for a summary of their findings.)

Among BRIDGE Energy Group’s observations:

  • “Major grid breach is imminent. Lack of integration of real-time security and operations data results…slows incident response time.”
  • “Lack of a formal standard for calculating risk will often result in over spending and insufficient safeguards.”
  • “The lack of analytical reporting and visualizations should be addressed immediately to prevent future compliance failures and ensure timely threat detection.”

Much of this can be attributed to a lack of “data in, intelligence out.” In this case, at surface level, a security solution using machine learning would accurately prioritize threats. But at its core, it would also be a holistic, analytic solution that gleans risk-management learnings from those threats.

This could include helping security-operations teams react quickly to attacks. It can mean yielding cogent, detailed compliance and executive reports. And it can involve detailing next steps to sharpen enterprise best practices.

As the scope of NERC cyber regulation continues to grow, it’s time for utility companies to invest less in security bandages and more in their actual businesses.