- The New York Power Authority (NYPA) and Siemens Energy on Wednesday announced plans for an industrial cybersecurity "Center of Excellence" that will initially defend the public utility's operational technology (OT) assets and could ultimately assist other power providers in securing the grid.
- There is a growing threat to utility OT, including to the industrial control systems (ICS) which increasingly manage the electric grid, and utilities are often confused about what issues to tackle first, according to Leo Simonovich, head of industrial cybersecurity at Siemens Energy. "We're looking to create the blueprint for the next generation of security for substations, power plants, solar and wind turbines," he told Utility Dive.
- The U.S. intelligence community last week issued a warning to critical infrastructure providers regarding threats to OT and ICS. And the comment deadline on a White House executive order to secure the bulk power system has been extended until Aug. 7, after a coalition of utility groups asked for more time.
Cyberattacks pose an increasing threat to the electric grid, as more ICS is internet-connected and hackers launch increasingly-sophisticated attacks.
NYPA has been installing new sensors and monitoring equipment across its grid in a bid to become the first fully-digital utility, and says its Advanced Grid Laboratory for Energy (AGILe) will now work with Siemens to identify security gaps and establish demonstration pilots to address them.
OT assets in use today "are particularly vulnerable to cyberattacks as much of the energy industry’s critical infrastructure was engineered before the widespread digitization of industrial control systems," NYPA said in a statement.
The new security center will focus on digitization, and NYPA may be uniquely qualified to host the endeavor — it has been rolling out thousands of sensors across its transmission and distribution assets as part of its AGILe efforts. Those efforts will eventually benefit the wider utility sector, said NYPA Vice President and Chief Information Security Officer Kenneth Carnes.
"The threats continue to change," Carnes told Utility Dive, "and there are a lot of public and private utilities that may not have the workforce to support the work larger entities do. We are looking to build models, to truly enable them."
NYPA's AGILe project was initially aimed at finding new ways to leverage upstate wind and hydroelectric generation, but the COVID-19 pandemic has accelerated interest in using the growing number of digital sensors to also combat cyberthreats.
COVID has "accelerated the push towards connectivity of the existing brownfield environment and infrastructure," said Simonovich, "As workers move to remote, many are connecting to field assets and in the process crossing lots of boundaries that in the pre-COVID world would have served as gates and security checks. ... it has morphed the attack surface, made it more decentralized and harder to secure."
COVID has "put a spotlight on the need to do more monitoring and gain more visibility," Simonovich said.
Conversations about the cybersecurity partnership began before the pandemic, said Carnes, but accelerated as it became clear the virus could have long-term impacts and leave utility workers accessing systems and ICS from more remote locations.
"Being able to provide those same capabilities and functions in a more remote location, could be critical for long-term viability," Carnes said. "We want to leverage this time when there are a lot of individuals and entities in need of information."
DOE extends comment deadline on grid security order
NYPA's announcement comes as the federal government has shown an increasing interest in grid security.
The National Security Agency joined the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency on a July 23 cybersecurity alert to operators of critical infrastructure, outlining "immediate actions" that should be taken during a "time of heightened tensions" to avoid being compromised by a cyberattack.
And in May, President Donald Trump signed an executive order halting the installation of bulk-power system equipment "designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary."
Comments on the executive order are due Aug. 24. The U.S. Department of Energy extended the deadline after a coalition of utility groups warned it needed more time to respond fully, particularly to address cost issues.
"Economic and other analysis identified in several comment categories may need to be undertaken to ensure a comprehensive response to the notice and it is unlikely that such analyses can be completed by the current August 7 deadline," eight groups said in comments filed earlier this month.
The groups, including Edison Electric Institute, American Public Power Association, National Rural Electric Cooperative Association, American Petroleum Institute and Electric Power Supply Association, had asked for an extension until Sept. 7.