Recognizing that the electric utility industry needs an industry-specific response to its cybersecurity challenges, the New York Power Authority (NYPA) and Siemens Energy plan to develop a Cybersecurity Center of Excellence that will focus on building practical security tools for small- and mid-sized utilities.
Kenneth Carnes, vice president and CISO at NYPA, said many of the smaller utilities across the U.S. don’t have the resources or can’t find the skilled cybersecurity pros they need to help defend and protect their operational networks. NYPA and Siemens aim to focus on visibility into OT systems, a longstanding problem for utilities, staff development that’s specific to the utility industry and innovating new products that are based on the special needs of the industry.
“There are a lot of courses people can take to run forensics on a PC or wipe data,” Carnes said. “But how do you do that on OT equipment that has embedded computer systems and runs over industry-specific protocols?”
The issue of locking down OT systems for the electric grid in the U.S. hit home in the summer of 2018 when it came out that the Russian DragonFly APT group accessed utility networks in the United States. A year later, there were extensive reports that the North American Electric Reliability Corp. found that a cyberattack hit a grid control center and several small power generation sites in the Western United States, causing low-impact outages that lasted roughly five minutes.
Leo Simonovich, head of industrial cybersecurity at Siemens Energy, added that it’s clear that small and midsized utilities need help with modernizing cybersecurity for OT – they have become very vulnerable targets. He pointed to research Siemens Energy did in tandem with the Ponemon Institute that found only 18 percent of 1,726 respondents used AI and big data analysis to monitor operations and recognize threats. The Ponemon study also found that 54 percent expect an attack on critical infrastructure in the next 12 months, while 56 percent also report at least one attack involving a loss of private information or an outage in the OT environment in the past 12 months.
“The number of attacks has increased exponentially and the gap between the threats and our capacity to respond has widened,” said Simonovich. “The blend of skills needed are very hard to acquire. We need to develop people who understand mechanical control systems, the electric grid, networks and network security, plus have the hands-on experience in the industry, they are tough to find.”
Carnes said while the ISACs in the financial, defense and medical sectors are focused on threat intelligence, he envisions the new Center of Excellence as a test-bed, implementer and solution provider. On the education front, he said he did not think the new center would offer courses, but would look to partner with other industry education organizations.
The new center will leverage NYPA’s Advanced Grid Innovation Laboratory for Energy, which will function as the launch hub and contain some virtual opportunities with physical integration and testing at NYPA. In tandem with Siemens, they will run pilots and testbeds using Siemens’ detection and monitoring technology. The product solutions will focus on operational technology because much of the industry’s critical infrastructure was engineered before the widespread digitization of industrial control systems.
Larry Ponemon, chairman and founder of the Ponemon Institute, said a more targeted focus on the utility industry makes sense because there’s a treasure-trove of data that attackers can steal from utilities.
“The center gives the utility industry a chance to learn from the experts without tearing apart their networks,” Ponemon said. “It’s also something NYPA can use to promote its image and develop a set of best practices around cybersecurity that can be applied across the industry. And the fact that it’s mostly virtual will let them draws from experts around the country and around the world.”