Strengthening the Cybersecurity of ELECTRICITY GRIDS
Context and Good Practices for Transmission and Distribution System Operators

Strengthening the Cybersecurity of Electricity Grids 1

Report No: AUS0002791
Global Cybersecurity Capacity Program II
Strengthening the Cybersecurity of Electricity Grids: Context and Good Practices for Transmission and Distribution System Operators
2022

© 2022 The World Bank
1818 H Street NW, Washington DC 20433
Telephone: 202-473-1000; Internet: www.worldbank.org

Some rights reserved

This work is a product of the staff of The World Bank. The findings, interpretations, and conclusions expressed in this work do not necessarily reflect the views of the Executive Directors of The World Bank or the governments they represent. The World Bank does not guarantee the accuracy of the data included in this work. The boundaries, colors, denominations, and other information shown on any map in this work do not imply any judgment on the part of The World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries.

Rights and Permissions

The material in this work is subject to copyright. Because The World Bank encourages dissemination of its knowledge, this work may be reproduced, in whole or in part, for noncommercial purposes as long as full attribution to this work is given.

Attribution—Please cite the work as follows: “World Bank. 2022. Strengthening the Cybersecurity of Electricity Grids: Context and Good Practices for Transmission and Distribution System Operators. © World Bank.”

All queries on rights and licenses, including subsidiary rights, should be addressed to World Bank Publications, The World Bank Group, 1818 H Street NW, Washington, DC 20433, USA; fax: 202-522-2625; e-mail: pubrights@worldbank.org.

Preparation of this report was generously supported by the Korea-World Bank Partnership Facility.
The Korea-World Bank Partnership Facility (KWPF), established in May 2013, is an initiative to strengthen ties between Korea’s Ministry of Economy and Finance (MoEF) and the World Bank. The facility’s overall objective is to assist developing member countries of the World Bank in achieving inclusive and sustainable economic growth and to foster broader dialogue on economic development issues. Through this facility, the Government of Korea has provided US$90 million during FY14–FY16 (Phase I), US$90 million during FY17–FY19 (Phase II), and a replenishment of US$150 million from FY20 through FY23 (Phase III). The KWPF is a Trust Fund managed by the World Bank on behalf of the Government of Korea.

Table of Contents

List of Acronyms 6
Acknowledgements 7
Executive Summary 8
1. Introduction 9
2. Cybersecurity in Power Grids 12
2.1 Importance 13
2.2 Increasing Complexity and Interdependence of the System 14
3. Overview of IT and OT Architectures 18
3.1 Defining Operational Technologies 19
3.2.1 Supervisory Control and Data Acquisition System 21
3.2.2 Distributed Control Systems 23
3.2.3 Industrial Communications 24
4. Overview of the Cyber Threat Landscape 26
5. Cybersecurity Management System 30
5.2.1 Identity and Access Management 35
5.2.2 Asset Management 37
5.2.3 Change and Configuration Management 38
5.2.4 Vulnerability Management 38
5.2.5 Third-Party Risk Management 38
5.2.6 Network Security Management 39
5.2.7 Personnel Security Management 41
5.2.8 Awareness and Training 41
5.2.9 Monitoring and Situational Awareness 42
5.2.10 Incident Management 42
5.3 CSMS Improvement 46
5.4 CSMS within an Organization 47
6. Conclusions 48
Annex 1. Summary of IT and OT System Differences 51
Annex 2. Cybersecurity of Energy Infrastructure in the European Union, United States, and Australia: Relevant Policy and Legislation Overview 54
Annex 3. A Comparative Summary of Relevant Standards 60

List of Acronyms

CSF Cybersecurity Framework
CSIRT Cybersecurity Incident Response Team
CSMS Cybersecurity Management System
DCS Distributed Control System
DSO Distribution System Operator
HMI Human-Machine Interface
I/O Input/Output
ICS Industrial Control System
ICT Information and Communications Technology
IDMZ Industrial Demilitarized Zone
IED Intelligent Electronic Device
IEC International Electrotechnical Commission
IIOT Industrial Internet of Things
IOT Internet of Things
IP Internet Protocol
ISO International Organization for Standardization
IT Information Technology
NIS Network and Information System (EU)
NIST National Institute of Standards and Technology (U.S.)
OT Operational Technology
PLC Programmable Logic Controller
RTU Remote Terminal Unit
SAS Substation Automation System
SCADA Supervisory Control and Data Acquisition
SIEM Security Information and Event Management
TSO Transmission System Operator
VPN Virtual Private Network

Acknowledgements

The preparation of this report was led by Natalija Gelvanovska-Garcia, under the guidance of Nicole Klingen (Practice Manager for Europe and Central Asia and acting Global Practice Director, Digital Development Global Practice), Linda Van Gelder (Country Director, Western Balkans), and Simon David Ellis (Program Leader for Infrastructure, Western Balkans). Contributors to and co-authors of the report were Vaiva Maciule and Liudas Alisauskas.

The peer reviewers for the report were Anthony Granville (Senior Power Engineer, Energy & Extractives Global Practice), Hagai Mei Zahav (Extended Term Consultant on Cybersecurity, Digital Development Global Practice), and Rajendra Singh (Senior Digital Development Specialist, Digital Development Global Practice).

The following current and former World Bank colleagues provided their support during the preparation of this report: Koji Nishida (Senior Energy Specialist, Energy & Extractives Global Practice), Rhedon Begolli (Senior Energy Specialist, Energy & Extractives Global Practice), Valeria Dessolis (Extended Term Consultant, Digital Development Global Practice), and Zhenia Viatchaninova Dalphond.

Inputs and suggestions were received from many stakeholders working as and with transmission system operators and distribution system operators in the Western Balkans, including MEPSO (North Macedonia), OST (Albania), KOSTT (Kosovo), and CGES (Montenegro). The report was edited by Patricia Carley.

We would like to acknowledge the collaboration of the Regional Cooperation Council (RCC), in particular Tanja Maras, Pranvera Kastrati, and Milena Jocic-Tanaskovic.

Administrative support from Hadiza Nyelong Eneche, Shagun Ahuja, and Samia Benbouzid is gratefully acknowledged.

The print version of the report was designed by Maria Jimena Vazquez.

The team acknowledges the generous support of the Korea-World Bank Partnership Facility.

Executive Summary

Cyberattacks against industrial control systems (ICS) are on the rise. Roughly one-third of ICS were targeted by malicious activity in the first half of 2021, with hackers often tied to nation-states and organized crime. Electric utilities around the world have been undergoing a transformative digitalization process, promoting efficiency but also exposing the sector to cyberattacks that can have serious negative effects on other critical infrastructure (transport, water supply, etc.). Given the increased connectivity and digitalization of power networks, and the convergence of operational technology (OT) with information technology (IT), cybersecurity and proactive cyber risk management in the electricity sector have become a necessity.

ICS is a general term that describes systems of components that act together to manage large and complex industrial processes. In the electricity sector, the sophisticated ICS used to manage large-scale infrastructure are normally based on complex solutions, such as supervisory control and data acquisition (SCADA) systems, or distributed control systems (DCS). The different systems and electricity grid modernization methods across countries mean that most of today’s real-life systems are hybrid structures, so SCADA systems and DCS are often networked together with different combinations of modern and legacy ICS assets. In the current electric utility environment, multiple variations of ICS are used to connect the generation, transmission, and distribution functions into an increasingly more intelligent grid, meaning that cybersecurity management must take a variety of threats and vulnerabilities into account.

To ensure cybersecurity, transmission and distribution system operators (TSOs and DSOs) in the electricity sector should establish a cybersecurity management system (CSMS). A CSMS helps organizations to identify and assess cybersecurity risks and reduce them effectively. An essential element of a CSMS is a risk assessment, which consists of (i) identification—finding and characterizing risks—and (ii) estimation, or comparing a risk against given risk criteria to determine its significance. A risk assessment should be conducted at least once a year, as well as before and after any significant change to an organization’s structure and processes, after any OT changes, and after any significant cybersecurity incidents. For DSOs and TSOs, the asset-based methodology for risk assessment is recommended, which requires organizations to provide an up-to-date and comprehensive OT asset inventory with an estimate of each asset’s criticality. The risk analysis also includes an exhaustive list of potential cybersecurity risks.

Risk mitigation is specific to an organization and combines organizational and technological measures from 10 different domains. These are (i) identity and access management to ensure that the right people have access to the right resources at the right time; (ii) asset management to create an up-to-date and comprehensive inventory of assets that are important to the delivery of services; (iii) change and configuration management to minimize the negative impact of any modifications on the organization’s services; (iv) vulnerability management to address the risks arising from potential weaknesses; (v) third-party risk management to mitigate the risks arising from outside parties; (vi) network security management to ensure that ICS networks are secure by design; (vii) personnel security management to mitigate or eliminate insider threats, which are among the most dangerous and most likely; (viii) awareness and training to create and uphold an overall culture of cybersecurity; (ix) monitoring and situational awareness to collect, analyze, and utilize threat information through a security information and event management (SIEM) system; and (x) incident management to detect events early, respond swiftly and effectively, and avoid/mitigate severe consequences. A cybersecurity incident response team (CSIRT) should be established and properly staffed and equipped, and an incident reporting structure put in place. It is also essential to document the incident properly for advanced incident analysis and problem management purposes.

1. Introduction

In the past decade, there has been a substantial increase in the number of cyberattacks and other illicit cyber activity aimed at the industrial control systems (ICS) used to operate and/or automate industrial processes.1 Previously, attackers mainly targeted information technology (IT) systems to steal data or launch ransomware for financial gain. However, with the increasing digitalization and modernization of ICS, the situation has changed, and cyberattacks have rapidly increased in volume and in the variety of objectives involved. Around one-third of ICS were targeted by malicious activity in the first half of 2021, according to new data.2 Even more alarming, reports indicate that hackers are often tied to nation-states3 and organized crime, attempting to tunnel their way into vital ICS and potentially disrupt or destroy them. Because ICS control, operate, and manipulate kinetic systems and equipment that affect physical mechanical elements, cyberattacks on these systems may lead to far more serious damage than attacks on standard IT infrastructure, potentially harming human lives and the environment. This is particularly the case with regard to the electricity sector, as it is a critical framework that supports all other infrastructure. Harm to the electricity sector can therefore immediately lead to potentially severe negative effects on other sectors and on society at large.

Of potentially greater concern is that in the past few years, many attack tools have been leaked from the arsenal of nation-state actors and are now available on the open market. For example, the Dark Web domain offers ready-made attack tools (attack as a service) that put the power and expertise of highly sophisticated attackers into the hands of anyone with enough motivation—corporate espionage, monetary gain, criminal intent—or money.

As industrial organizations and their ICS are increasingly attractive to both financially and politically motivated cybercriminals, holistic and proactive cyber risk management has become a necessity. Owners and operators of ICS in critical infrastructure and industrial facilities, especially electric utilities, must understand the risks associated with cyberattacks aimed at their enterprises and the potential impact those risks carry for them and others. They must therefore prepare themselves for this imminent threat and significantly reduce or eliminate any potential damage. A proper response to cyber threats is achieved only by understanding and mapping the relevant vulnerabilities and their associated attack vectors. In this way, defenders are able to take appropriate actions and set up suitable countermeasures to prevent or reduce the effects of a cyberattack on their operations and business as a whole.

This is relevant to both transmission and distribution system operators (TSOs and DSOs) in developing countries as they struggle with the modernization and protection of the energy grid within constrained environments. Although each case is unique, it is important to acknowledge that financial constraints often prevent operators from upgrading the state of their cybersecurity, not least because of the significant number of assets owned by operators and the regulated nature of their business. First, TSOs and DSOs own operational technology (OT) and IT assets, and as both types are vulnerable to cyber threats, both require significant financial resources to implement modern cybersecurity protection. Furthermore, on the OT side, operators own a significant variety of OT assets of different ages, vendors, and/or protocols, making it difficult to implement uniform measures at the same time to all OT assets and thus increasing the cost of such implementation.4 A transition to higher levels of cybersecurity often requires that vulnerable assets—among other infrastructure—be retired. Given the regulated environment of TSO and DSO operations, the retirement of assets ahead of full depreciation for the purpose of implementing cybersecurity measures needs to be defended and may be considered unjustified by sector regulators. The legal and policy context in developing countries is often complex, fragmented, and lacking clear legislative provisions on the matter,5 which creates additional uncertainty and oftentimes insufficient motivation among operators to invest in cybersecurity measures. It would appear thus that a phased approach to cybersecurity strengthening is the best available path, which implies that TSOs and DSOs need to develop a cybersecurity strengthening plan that takes the existing vulnerabilities within their systems fully into account.

1 An industrial tool used to manage, command, direct, and regulate the behavior of a group of industrial devices or systems and to ensure a consistent and reliable process. An ICS consists of combinations of control components (e.g., electrical, mechanical, hydraulic, pneumatic) that act together to achieve an industrial objective (e.g., manufacturing, transportation of matter or energy). See ICS, “Glossary,” Computer Security Resource Center, National Institute of Standards and Technology.
2 Kaspersky ICS CERT, “Threat Landscape for Industrial Automation Systems. Statistics for H1 2021,” Kaspersky ICS CERT.
3 Nation-state attacks are malicious cyberattacks that originate from a particular country and are an attempt to further that country’s interests. See V. Jakkal, “How Nation-State Attackers Like NOBELIUM are Changing Cybersecurity,” Microsoft Security Blog, September 28, 2021.
4 Costs required for cybersecurity, which are roughly proportional to the amount of assets owned, are higher for these companies.

This document was initially conceived with the goal of providing targeted cybersecurity advice to TSOs in the Western Balkans region under the auspices of the Global Cybersecurity Capacity Program II,6 part of the Balkans Digital Highway initiative.7 However, as the work evolved, it became clear that cybersecurity challenges faced by operators in that region are not unique and that a broader audience of electricity operators across the developing world could benefit from the strategic and practical insights presented.

This document thus provides guidance to stakeholders in developing countries on the cybersecurity challenges that arise from the modernization and digitalization of the electricity sector. More specifically, it aims to inform TSOs and DSOs in the electricity sector of the cyber risks associated with their systems and working environments to help them to prepare for and mitigate cyber threats to their ICS.

That said, it should be noted that the document focuses on the electricity grid in particular and does not cover the entire chain from electricity production to consumer. The paper also provides information on what needs to be addressed during the process of modernizing and digitalizing the electricity grid to prevent any disruption to the system and to promote its restoration, if needed. The benefits that digital technologies bring to all stakeholders should not be compromised by damage from cyberattacks due to the increased vulnerability of the network.

As cybersecurity management is a concern across the world, this document also aims to address the growing need for a greater exchange of knowledge and information on this important topic and for the development of enhanced cybersecurity skills. Although primarily targeted to address the cybersecurity challenges faced by TSOs and DSOs in developing countries, the document could also serve as a background paper for other industries that rely heavily on OTs in their activities (such as transport, water, gas) and in this way be relevant to countries at a variety of income levels.

Section 2 of this paper provides a brief outline of the importance of cybersecurity in power grids. Section 3 reviews and defines the main components of an electric grid that often are or may be exposed to cyber threats, while section 4 aims to identify the main lessons learned from cyberattacks in the energy sector over the past decade. Section 5 focuses on the cybersecurity management system, with some examples from real-life situations. Finally, the conclusion offers some insights into how to move forward on the complicated road toward controlling and containing the risks that the new technologies can create for the vital electricity sector.

5 Blueprint Energy Solutions, “Study on Cybersecurity in the Energy Sector of the Energy Community” (Vienna: Blueprint Energy Solutions GmBH, 2019).
6 World Bank, “Global Cyber Security Capacity Program Phase I and II: Strengthening National Cyber Security Environment of Selected Developing Countries,” https://www.worldbank.org/en/news/feature/2020/06/01/kwpfgscp.
7 World Bank, “Balkans Digital Highway Initiative,” https://www.worldbank.org/en/country/kosovo/brief/balkans-digital-highway-initiative.

2. Cybersecurity in Power Grids

2.1 Importance

The electricity grid is classified as critical infrastructure in most countries across the world. This means that it is essential to maintaining vital societal functions (see box 1). Damage to or destruction of critical infrastructure, whether from a natural disaster or some kind of criminal activity, may have negative consequences for a country’s entire economy, its national security, and the well-being of its citizens.

It is well known that infrastructure is crucial to any country’s development. From transport systems to power generation facilities and water and sanitation networks, infrastructure provides the services that enable society to function and economies to thrive.8 Developing secure and reliable infrastructure, particularly critical infrastructure such as the electricity grid, is also needed to meet the UN’s Sustainable Development Goals (SDGs),9 another increasingly important objective. Strengthening the reliability of electricity utilities directly contributes to SDG 7 and 9, both of which are dedicated to sustainable and resilient infrastructure.

In the past, managing the risk of a major outage in the energy industry meant dealing with such issues as component failure or inclement weather by means of robust mitigation and recovery plans.10 Today, however, with the growing digitalization of electricity networks, ensuring cybersecurity and cyber resilience has become a vital component of reliable electricity delivery, as the increased connectivity of power networks, the digitalization of business operations, and the convergence of industrial operations and ITs are expanding the area and attractiveness of the sector to potential cyberattacks.

As a result, the energy industry has become one of the most targeted sectors in recent years,11 in part because the attackers’ motivation has changed. Previously, they primarily targeted IT systems to steal data or launch ransomware for financial gain, but today, motives such as cyber warfare and the spread of disruption are on the increase.12 Cyberattacks have the potential to damage a country’s power grid with widespread infrastructure failures or outright damage, as happened in Ukraine in December 2015. Criminals attacked three power distribution companies in the country and temporarily disrupted the electricity supply. This was followed by another cyberattack in the capital Kyiv in December 2016 that caused a two-day power outage.13 Additional examples of recent cyberattacks linked to the energy sector are discussed in section 4.

As the threats continue to evolve, concerns about cybersecurity are and will continue to be at the top of the agenda of utility companies, requiring even greater efforts to manage the growing risks.14

8 EIU, “The Critical Role of Infrastructure for the Sustainable Development Goals” (London: Economist Intelligence Unit, 2019).
9 The SDGs are outlined at https://sdgs.un.org/goals.
10 R. Kariger and G. De Moura, “A Cyber-Resilient Electricity Sector is a Key Priority for the Post-COVID Era” (Geneva: World Economic Forum, 2020).
11 L. Kessem, “Threat Actors’ Most Targeted Industries in 2020: Finance, Manufacturing, and Energy,” Security Intelligence, March 31, 2021.
12 S. K. Venkatachary, A. Alagappan, and L. J. B. Andrews, “Cybersecurity Challenges In Energy Sector (Virtual Power Plants) - Can Edge Computing Principles Be Applied to Enhance Security?” Energy Informatics 4, no. 5 (2021).
13 GlobalData Thematic Research, “Cybersecurity in Power: Trends in Utilities,” Power Technology, September 24, 2020.
14 S. Livingston and others, “Managing Cyber Risk in the Electric Power Sector. Emerging Threats to Supply Chain and Industrial Control Systems,” Deloitte Insights, 2018.

BOX 1. Definition of Critical Infrastructure

Critical infrastructure is defined as assets, systems, and networks that provide essential services for the security of a nation, its economic prosperity, and the health and safety of its citizens. These services constitute the backbone of modern interconnected societies. Six sectors are widely classified as critical: energy, transport, water, information and communications technologies (ICT), health, and finance. Some countries further include education and critical economic and manufacturing sectors in their definition.
Source: APEC and the World Bank, “Financial Protection of Critical Infrastructure Services” (Washington, DC: World Bank, 2021).

2.2. Increasing Complexity and Interdependence of the System

The leading players in legacy power grids are power generation, transmission, distribution, the control center or main dispatch center, and the customer. In legacy power networks, relations among these players were simple and primarily unidirectional: from generation to the customer (see figure 1). In advanced power grids, the movement of energy, operations, and billing data became bi-directional as private power stations synchronized with national suppliers, power storage, and smart measuring and billing systems. The number of stakeholders has increased and created a need for a much more complex data network to support business among all players and to ensure a reliable and continuous power supply. Existing systems are now becoming increasingly interconnected and, due to their dispersed nature, increasingly difficult to control.

Over the past decade or more, the electricity sector has also been undergoing a rapid and transformative digitalization. This process not only introduced smart meters, electric vehicles, and distributed generation into the system, but also required substantial changes to the central management systems of the grid itself. Many argue that digitalization, the Internet of Things (IoT), and the Industrial Internet of Things (IIoT)15 have become key enablers in the modernization of critical utility infrastructure, but at the same time have also exposed power utilities to new threats and vulnerabilities. In fact, according to some authors, the IoT devices of a smart grid are identified as one of the weakest links in the network, since they can be compromised by the adversary in order to gain system access and carry out attacks.16 The IIoT is also creating new challenges and anticipated changes to traditional ICS. Originally, ICS were isolated systems that ran proprietary control protocols using specialized hardware and software, and ICS assets were in physically secured areas that were not connected to IT networks or systems. The situation has changed with the increasing availability of low-cost internet protocol (IP) devices, currently replacing the original proprietary solutions. As ICS are adopting IT solutions and being designed and implemented using industry standard computers, operating systems, and network protocols, they are starting to resemble IT systems and inheriting all the attendant cybersecurity vulnerabilities.17 Digital technologies in general have amplified the level of interconnectivity and stimulated the convergence of OT and IT, resulting in an expanded cyberattack surface for malicious actors to exploit.18

15 IoT works to make consumers’ lives more convenient and easier, where IIoT works to increase safety and efficiency in production facilities. IoT technologies are often deployed in commercial or consumer environments, but when applied to industrial applications, they are referred to as the IIoT.
16 R. Borgaonkar and others, “Improving Smart Grid Security through 5G Enabled IoT and Edge Computing,” Concurrency and Computation: Practice and Experience 33, no. 18 (2021).
17 K. Stouffer and others, “Guide to Industrial Control Systems (ICS) Security,” NIST Special Publication 800-82 (Washington, DC: National Institute of Standards and Technology, 2015).
18 Kariger and De Moura, “A Cyber-Resilient Electricity Sector.”

FIGURE 1.
Transition from a Traditional to Modern Electrical Grid with Two-Way Power and Communication Flow

[Figure: diagram of a traditional grid (power plant generating electricity; transformer stepping up voltage for transmission; long-distance transmission lines; neighborhood transformer stepping down voltage; houses) alongside a modern grid with two-way power and communication flows (control center; safety-critical infrastructure; power station with own generation; houses; energy storage; renewable energy; industry; electric car; apartment buildings; smart building with own generation).]

Source: Siozios, “Mastering the Challenges of Changing Energy Systems.”19

Additionally, the global trends of decarbonization and accelerated integration of renewable energy create further challenges for the industry. Scaling up generation requires grid upgrades so that the power system can access renewable resources, which are often remote from existing transmission networks, and can efficiently cope with grid stability and reliability issues. In particular, voltage stability becomes the dominant problem to be addressed when the penetration level of renewable energy systems increases significantly.20 Therefore, specific facilities (i.e., specific OT), such as high-voltage direct current (HVDC) transmission technology or flexible AC transmission systems (FACTS), are being increasingly introduced to enhance the stability of the system. This means that first, these new assets should be secured with up-to-date cybersecurity measures, and second, that the whole approach of system planning should be revised, that is, cybersecurity management measures should be applied in the system planning phase from the outset. This is because the risk assessment is expected to start prior to the technical specification and design phases of a system, since N-1 contingencies

19 K. Siozios, “Mastering the Challenges of Changing Energy Systems: The Smart-Grid Concept,” in IoT for Smart Grids. Power Systems, ed. K. Siozios et al. (Cham, Switzerland: Springer, 2019).
20 L. Chen, Y. Min, Y. Dai, M.
Wang, “Stability mechanism and emergency control of power system with wind power integration”, IET Renewable Power Generation, 11 (1), 2017. Strengthening the Cybersecurity of Electricity Grids 15 are usually established as a key requirement in sys- In addition, as it is critical, electricity infrastructure tem stability and operation.21 This also elevates has tight links with transport, finance, water sup- HVDC/FACTS to higher-risk-level cyber assets that ply, data and telecom, and gas and oil provision in- have the potential to impact capacity and the N-1 frastructure, which is also considered critical. Dis- contingency of the grid directly or indirectly. There- ruptions in any of these assets can cause outages in fore, the planning scenarios should be periodically other systems and amplify the impacts,24 making it reviewed to capture the system changes. even more attractive to any motivated actors. While the sector undergoes changes, the DSO and Clearly, cybersecurity is and will remain a critical TSO22 need to operate within the various con- concern for utility providers. As electricity systems straints related to their industry, business models, become more interconnected, smart, and decen- and systems, as well as the relevant geopolitical tralized, they become increasingly vulnerable to factors. Often, there are conflicting requirements cybersecurity attacks. Energy companies face cy- to be addressed, such as (figure 2): ber risks from vulnerabilities related to their IT sys- tems, OT infrastructure, and supply chain partners. 1. The need to supply services to a wide geographi- The need to connect a growing range of market cal area and to accept energy from a wide range participants to core utility systems, and the growth of power generation sources sometimes collides of private consumer data coming into utility sys- with the need to support a dynamic consump- tems through smart metering and smart home ini- tion without disturbing the power sources. 
tiatives, generates additional risks and regulatory responsibilities.25 2. Utility companies need to be profitable and ef- ficient while supplying reliable, continuous ser- The ongoing COVID-19 crisis creates further chal- vices and complying with regulations and stan- lenges. Most of the world’s power utilities moved dards that require gradually lower expenditures. to remote functioning, increasing their exposure 3. For complex and geographically disperse sys- to cyberattacks. At the same time, the reliable and tems that enable remote monitoring, control, continued supply of electricity became even more and billing, the resulting attack surface is dan- critical with this global compulsory shift to remote gerously broad. The use of the remote access work. According to the World Economic Forum, interface is therefore among the top cyber risks building a cyber-resilient electricity sector is a key to OT systems. In other words, technologies priority for the post-COVID era,26 as the modern that connect to or rely on the internet enable electrical power system is unique in terms of its remote monitoring and can improve cost and scale and importance to human life. energy savings, but they also create more ac- cess points for hackers.23 4. A difference in rules and regulations between countries might lead to different cyber protec- tion levels. The connection and transfer of pow- er from those different countries may create a weak link that can affect all of the intercon- nected TSOs. 21 The principle of an N-1 contingency in network planning is that if any component fails or shuts down, network security will still be guaranteed. 22 A. B. M. Shawkat Ali, ed., Smart Grids: Opportunities, Developments, and Trends (Cham, Switzerland: Springer, 2013); and J. Ekanay- ake and others, Smart Grid: Technology and Applications (New York: Wiley, 2012). 23 Senate RPC, “Infrastructure Cybersecurity: The U.S. Electric Grid,” Senate Republican Policy Committee, July 16, 2021. 24 S. 
Hallegate, J. Rentschler, and J. Rozenberg, Lifelines: the Resilient Infrastructure Opportunity (Washington, DC: World Bank, 2019). 25 GlobalData, “Cybersecurity in Power.” 26 Kariger and De Moura, “A Cyber-Resilient Electricity Sector.” Strengthening the Cybersecurity of Electricity Grids 16 FIGURE 2. Grid Requirements and Constraints Distribut d Production D n mic Consumption D m nd for Profit bilit R quir d R li bilit , Continuit , nd Qu lit Prot ction inst C b r tt cks R mot Acc ss for Monitorin nd Control Diff r nc s in St nd rds nd R ul tions Conn ction nd Tr nsf r of Pow r Source: Authors. Strengthening the Cybersecurity of Electricity Grids 17 Str n th nin th C b rs curit of 3. Overview of IT and OT Architectures Strengthening the Cybersecurity of Electricity Grids 18 3. Overview of IT various systems, devices, and peripherals dedicated to the control and automation of industrial produc- and OT Architectures tion. OT is a generic term, referring to ICS or more particularly, to supervisory control and data acqui- sition (SCADA) systems, distributed control sys- As discussed in the previous section, one of the tems (DCS), programmable logic controllers (PLCs), main challenges for cybersecurity in the electricity and others that are used to manage, monitor, and sector stems from the convergence of the OT and control industrial operations. Though OT has exist- IT systems (detailed comparison of these systems ed for some time (since machinery and equipment is provided in Annex 1). The purpose of this section started to be used in different industries), the term is to define the OT as a component of an electricity itself is more recent. More specifically, OT is con- grid’s industrial architecture and briefly describe its sidered to be a collection of hardware and software functions, ways of enabling business, and intercep- that detects or causes a physical change by direct- tions with other systems. 
As the focus of this paper ly monitoring and/or controlling industrial equip- is cybersecurity risks and vulnerabilities specific to ment, assets, processes, and events.27 It ensures electricity grid operators, this section will lay the rapid measurement of the physical environment, groundwork for understanding cybersecurity man- decision making, and management of the various agement related to OT described later in this docu- energy production, transmission, and distribution ment. processes. 3.1 Defining Operational Technologies For the systematic and unified understanding of OT, this document will refer to the generic electric utility architecture (figure 3), which is based on the OTs, in conjunction with ITs, are the backbone of Purdue model28 and further elaborated on by the today’s electricity utilities, as they encompass International Electrotechnical Commission (IEC) in FIGURE 3. Generic Electric Utility Architecture IT L v l4 Busin ss Pl nnin / Ent rpris S st ms Industri l DMZ / Inform tion Exch n / S cur Conn ctions L v l3 En r Suppl Pl nnin L v l2 Sup rvisor Control / Sup rvisor Control S st ms OT L v l1 B sic Control / B sic Control D vic s L v l0 Ph sic l Proc ss s / Fi ld D vic s Source: Authors. 27 Gartner, “Gartner Glossary. Operational Technology (OT),” https://www.gartner.com/en/information-technology/glossary/operation- al-technology-ot. 28 The framework to define generic enterprise reference architecture and methodology was developed by Peter Bernus and Laszlo Nemes. The Purdue Reference Model was adopted from the Purdue Enterprise Reference Architecture (PERA) model by ISA-99 and used as a concept model for ICS network segmentation. Strengthening the Cybersecurity of Electricity Grids 19 its series of standards related to cybersecurity for The industrial architecture is also divided into lev- the electricity sector.29 This architecture can often els by purpose and function. 
In this document, the be found as a reference model with minimal devia- model with three zones and five levels will be used. tions to describe an industry’s IT and OT structures The levels, according to their place in the system in topic-related information resources. Overall, it is topology hierarchy, are briefly described in table 1 an industry-adopted reference model that shows (starting from the lowest). the interconnections and interdependencies of all the main components of a typical industrial archi- Although not developed as a security model, by tecture. mapping the interconnections and interdependen- cies of the high-level components of typical indus- This architecture is divided into three zones. The trial architecture, the Purdue model provides im- two major zones are the enterprise and industrial portant guidance on how to secure and protect OT zones (or energy supply in the case of an electric systems.30 Generally speaking, when moving down utility, which is also described as manufacturing the hierarchy (from Level 4 to Level 0), devices have in more general contexts), also referred to as the IT more access to critical processes but fewer intrin- and OT networks, respectively. They are separated sic security capabilities. Devices at lower levels are by a third zone, the Industrial Demilitarized Zone therefore more reliant on network and architectur- (IDMZ), which is intended to prevent direct commu- al defenses, which are found in the upper levels, to nication between assets from the IT and OT zones protect them.31 and thus provide the necessary security layer. TABLE 1. Description of the Levels of Generic Electric Utility Architecture Level Function Example/ICS Assets Level 0 Actual physical process to be Two types of field devices: sensors and actuators. 
Sensors measured and/or manipulated (for example, voltmeter) measure the physical process (volta- Physical Processes/ (such as electric power, ge) and send measurement signals to control devices at Level Field Devices temperature, etc.) 1. Actuators (for example, circuit breakers) manipulate the physical process following the signals received from control devices. Level 1 Sensing, measuring, and Basic control devices such as PLCs, remote terminal units manipulating the physical (RTUs), and DCS controllers, receive data from sensors (Level Basic Control/Basic process 0) and forward it to supervisory control devices (Level 2). or Local Control Likewise, they forward control signals from Level 2 to Level 0. Devices PLCs also can act as local control devices, i.e., to receive me- asurement signals, to apply programmed logic, and to send calculated control signals to actuators. Level 2 Monitoring and controlling Supervisory control systems receive signals from basic the physical process control devices (Level 1) or directly from field devices (Level Supervisory Control/ 0), analyze data, display status information to operators for Supervisory Control decision making, or apply automatic control logic. They also Systems issue or forward operator-initiated control signals to Levels 1 or 0. 29 Notably the ISO/IEG 27019 and IEC 62443 series of standards. 30 Mission Secure, “Is the Purdue Model Relevant in a World of Industrial Internet of Things (IIoT) and Cloud Services?” Mission Secure, January 27, 2021. 31 S. Mathezer, “Introduction to ICS Security Part 2: the Purdue Model and Best Practices for Secure ICS Architectures,” SANS Institute, July 16, 2021. Strengthening the Cybersecurity of Electricity Grids 20 TABLE 1. Description of the Levels of Generic Electric Utility Architecture (Cont.) 
TABLE 1. Description of the Levels of Generic Electric Utility Architecture (Cont.)

Level 3 (Energy Supply Planning)
Function: Dispatching energy supply, detailed supply scheduling, reliability assurance, and supply optimization.
Example/ICS assets: Energy supply is managed at the control center or main dispatch center using dedicated energy supply management systems.

Industrial DMZ
Function: Ensures secure information exchanges between IT and OT zones.
Example/ICS assets: Various security systems, such as firewalls, jump servers, remote access terminals, ICS update upstream servers.

Level 4 (Business Management/IT Systems)
Function: Business-related activities needed to manage energy supply.
Example/ICS assets: Standard business management IT systems, such as enterprise resource planning, data analysis, accounting systems, etc.

Source: Authors.

3.2 Industrial Control Systems

After defining the OT and describing the typical architecture, this section will look more closely at the ICS used most often in the electricity sector. It will then review the most common industrial communication protocols used to connect all the parts, systems, and devices in an ICS.

An ICS should be understood as a general term that describes systems made of components that act together to manage large and complex industry processes. A simple ICS could be built on a single PLC32 (small site with a manageable number of input-output [I/O] signals), though more sophisticated ICS will normally be based on more complex solutions, such as SCADA, DCS, or hybrid systems, to manage large-scale infrastructures (hundreds of thousands of I/O signals and sites that are geographically dispersed).

3.2.1 Supervisory Control and Data Acquisition System

SCADA is often used as a generic name for a computerized system that is capable of gathering and processing data and applying operational controls over long distances.33 What is important here is that in this document, the SCADA system will refer not only to the software but to the whole SCADA network, which usually consists of the following components (figure 4):

» A central command center, which consists of all the servers running SCADA software
» A communication system connecting the servers at the central command center to the remote locations (e.g., radio, telephone line, cable, or satellite)
» Multiple, remotely located local control systems that directly control and automate process equipment (i.e., geographically distributed field sites consisting of remote terminal units (RTUs) and/or PLCs that control actuators and/or monitor sensors)

32 A programmable logic controller (PLC) is a small industrial-grade computer originally designed to perform the logic functions of electrical hardware (relays, switches, and mechanical timer/counters). PLCs have evolved into controllers capable of controlling complex processes, and they are used substantially in SCADA systems and DCS.
33 “Supervisory Control and Data Acquisition (SCADA),” Computer Security Resource Center, National Institute of Standards and Technology, https://csrc.nist.gov/glossary/term/supervisory_control_and_data_acquisition.

FIGURE 4. SCADA System General Layout. [Diagram: a control center with the SCADA master/HMI; communications to remote substations over wireless links (radio, microwave) and wired links (fiber optic, leased lines, power line communication, dial-up, twisted pair); Substation 1 with an RTU/PLC connected to sensors and an actuator; Substation 2 with a SAS connected to IEDs.]
Source: Authors.
Note: HMI: human-machine interface; RTU: remote terminal unit; PLC: programmable logic controller; SAS: substation automation system; IED: intelligent electronic device.
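The three-zone, five-level model of section 3.1 (table 1) and the SCADA layout of figure 4 can be turned into a concrete check on network traffic. The following Python is an added example, not code from the report or from any utility: it maps constructed subnets to Purdue levels, decodes the function code from Modbus/TCP frames (Modbus is one of the protocols listed in table 2 below), and flags two conditions the text singles out: IT-to-OT traffic that does not pass through the IDMZ, and process-changing (write) commands that do not originate from the Level 2 supervisory systems. The subnet-to-level inventory, the use of port 502, and the write-only-from-Level-2 rule are assumptions of the example.

```python
"""Purdue-model traffic check (added example; not the report's own code).

Assumptions for the example: the subnet-to-level inventory below is
constructed, Modbus/TCP runs on port 502, and the policy is the one the text
implies: IT (Level 4) and OT (Levels 0-3) exchange data only through the
IDMZ, and process-changing Modbus commands originate only from Level 2
supervisory systems and only target Level 1 controllers.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed asset inventory: which zone/level each subnet belongs to.
LEVEL_OF_SUBNET = {
    ip_network("10.4.0.0/16"): "L4",    # enterprise / business IT
    ip_network("10.3.5.0/24"): "IDMZ",  # jump servers, patch mirrors
    ip_network("10.3.0.0/24"): "L3",    # energy supply planning / dispatch
    ip_network("10.2.0.0/24"): "L2",    # SCADA servers, HMI
    ip_network("10.1.0.0/24"): "L1",    # RTUs / PLCs
}
IT_LEVELS = {"L4"}
OT_LEVELS = {"L0", "L1", "L2", "L3"}

MODBUS_TCP_PORT = 502
# Public Modbus function codes that write coils/registers (change process state).
MODBUS_WRITE_FCS = {5, 6, 15, 16, 22, 23}


def level_of(ip: str):
    """Map an address to its Purdue level, or None if it is not in the inventory."""
    addr = ip_address(ip)
    for net, level in LEVEL_OF_SUBNET.items():
        if addr in net:
            return level
    return None


def build_modbus_tcp(fc: int, data: bytes, unit: int = 1, tid: int = 1) -> bytes:
    """Build a Modbus/TCP ADU: MBAP header (tid, protocol id 0, length, unit id) + PDU."""
    pdu = bytes([fc]) + data
    header = tid.to_bytes(2, "big") + b"\x00\x00" + (len(pdu) + 1).to_bytes(2, "big")
    return header + bytes([unit]) + pdu


def modbus_function_code(adu: bytes):
    """Return the PDU function code of a Modbus/TCP ADU, or None if the frame is malformed."""
    if len(adu) < 8:
        return None
    protocol_id = int.from_bytes(adu[2:4], "big")
    length = int.from_bytes(adu[4:6], "big")
    if protocol_id != 0 or length != len(adu) - 6:
        return None
    return adu[7]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes = b""


def check_flow(flow: Flow) -> list:
    """Return the policy findings for one flow; an empty list means the flow is allowed."""
    src_level, dst_level = level_of(flow.src), level_of(flow.dst)
    if src_level is None or dst_level is None:
        # Unknown assets are reported, never silently allowed.
        return [f"unknown asset in {flow.src}->{flow.dst}"]
    findings = []
    crosses = ((src_level in IT_LEVELS and dst_level in OT_LEVELS)
               or (src_level in OT_LEVELS and dst_level in IT_LEVELS))
    if crosses:
        findings.append(f"IT/OT traffic bypasses the IDMZ: {src_level}->{dst_level}")
    if flow.dport == MODBUS_TCP_PORT:
        fc = modbus_function_code(flow.payload)
        if fc is None:
            findings.append("malformed Modbus/TCP frame")
        elif fc in MODBUS_WRITE_FCS and (src_level, dst_level) != ("L2", "L1"):
            findings.append(f"Modbus write (function {fc}) from {src_level} to {dst_level}")
    return findings


def audit(flows) -> dict:
    """Run check_flow over a batch of flows and keep only those with findings."""
    result = {}
    for flow in flows:
        findings = check_flow(flow)
        if findings:
            result[flow] = findings
    return result


# Constructed sample flows: an HMI writing a setpoint, the HMI polling registers,
# an enterprise user reaching the IDMZ jump server, and an enterprise
# workstation writing straight to a PLC (the case the policy must catch).
SAMPLE_FLOWS = [
    Flow("10.2.0.10", "10.1.0.7", 502, build_modbus_tcp(16, b"\x00\x10\x00\x01\x02\x01\xf4")),
    Flow("10.2.0.10", "10.1.0.7", 502, build_modbus_tcp(3, b"\x00\x00\x00\x0a")),
    Flow("10.4.0.50", "10.3.5.2", 22),
    Flow("10.4.0.50", "10.1.0.7", 502, build_modbus_tcp(6, b"\x00\x10\x01\xf4")),
]

if __name__ == "__main__":
    for flow, findings in audit(SAMPLE_FLOWS).items():
        print(flow.src, "->", flow.dst, ":", "; ".join(findings))
```

Run as a script it prints only the last sample flow, with both findings. The rules are deliberately narrow so that the inventory, not the code, is what an operator maintains; anything the inventory does not cover is reported as an unknown asset rather than allowed, which is the safer default at the lower levels where, as the text notes, devices have fewer intrinsic protections.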
The control server stores and processes the information from RTU inputs and outputs, while the RTU or PLC controls the local process. The communications hardware allows the transfer of information and data back and forth between the control server and the RTUs or PLCs.34 Finally, the data are communicated to operators by means of a human-machine interface (HMI) or other kinds of displays for analysis and interaction.

It is worth mentioning that modern transmission and distribution substations tend to rely on substation automation systems (SAS) to process and manage data from various intelligent electronic devices (IEDs) in a substation and to send that data to the control center via various communication links. This is because traditional electronic devices at substations have been upgraded to IEDs and have made the whole protection and control process more intelligent. Microprocessor-based IEDs with two-way communications capabilities provide much greater functionality. IEDs can collect and record information on many different parameters of a system and can also hold information in their internal storage for a certain period and transfer it to third-party applications. IEDs can send information to a local or remote user via different types of communication.35 Therefore traditional RTUs are being replaced by data concentrators that are designed to support both operational and nonoperational data from IEDs.36

34 V. S. Kharchenko, ed., Secure and Resilient Computing for Industry and Human Domains. Volume 2. Secure and Resilient Systems and Infrastructures (Lviv: Ministry of Education and Science of Ukraine, 2017).
35 Eaton, “Substation Automation: Fundamentals of Substation Automation.”
36 M. S. Thomas and J. D. McDonald, Power System SCADA and Smart Grids (Boca Raton, FL: CRC Press, 2015).
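The exchange just described, in which the control server and an RTU or PLC pass data back and forth over the communications hardware, runs over an industrial protocol; section 3.2.3 and table 2 below name its elements (device address, message boundary, error check). The following Python is an added example, not the report's code, showing those elements for Modbus RTU, the serial variant listed in table 2: frame construction, CRC-16/MODBUS verification, and the receive-side behaviour of dropping frames that are corrupt or addressed to another unit. The unit numbers and register values are constructed.

```python
"""Modbus RTU serial framing (added example; not from the report).

Shows the three protocol elements section 3.2.3 names for the link between a
control server and an RTU/PLC: the device address, the message layout, and the
error-check algorithm (CRC-16/MODBUS). Frame contents are constructed.
"""


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: reflected polynomial 0xA001, initial value 0xFFFF, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def build_rtu_frame(unit: int, function: int, data: bytes) -> bytes:
    """Address byte, function code, data, then the CRC with its low byte first."""
    body = bytes([unit, function]) + data
    return body + crc16_modbus(body).to_bytes(2, "little")


def parse_rtu_frame(frame: bytes) -> dict:
    """Validate the CRC and split a frame into its fields; raise ValueError if corrupt."""
    if len(frame) < 4:
        raise ValueError("frame too short: need address, function and CRC")
    body, received = frame[:-2], int.from_bytes(frame[-2:], "little")
    expected = crc16_modbus(body)
    if expected != received:
        raise ValueError(f"CRC mismatch: computed {expected:#06x}, received {received:#06x}")
    return {"unit": body[0], "function": body[1], "data": body[2:]}


def accept_frame(frame: bytes, my_unit: int):
    """What an RTU does on receipt: drop corrupt frames and frames for other units.

    Returns the parsed frame if it is addressed to my_unit or to the broadcast
    address 0, None otherwise. Corrupt frames are reported as None as well,
    since a serial slave silently ignores them.
    """
    try:
        parsed = parse_rtu_frame(frame)
    except ValueError:
        return None
    if parsed["unit"] not in (0, my_unit):
        return None
    return parsed


# Constructed request: unit 1, function 3 (read holding registers), start 0, count 2.
READ_REQUEST = build_rtu_frame(1, 3, bytes.fromhex("00000002"))
# The same frame with one data byte flipped in transit (count 2 -> count 3).
CORRUPT_REQUEST = READ_REQUEST[:5] + b"\x03" + READ_REQUEST[6:]

if __name__ == "__main__":
    print(READ_REQUEST.hex())                # 010300000002c40b
    print(accept_frame(READ_REQUEST, 1))     # parsed fields
    print(accept_frame(CORRUPT_REQUEST, 1))  # None, CRC does not match
    print(accept_frame(READ_REQUEST, 7))     # None, addressed to another unit
```

The request in the block (unit 1, function 3, registers 0 and 1) is the standard Modbus read request and yields the CRC bytes C4 0B. The corrupted copy shows what the CRC does and does not do: it catches transmission errors, but any device on the link that rebuilds a frame with a correct CRC passes this check, which is why the address-and-CRC layer is no substitute for the zone and network controls of section 3.1.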
In general, a SAS is a collection of hardware and software components that are used to monitor and control an electrical system, both locally and remotely.37 Today’s SAS are mainly IEC 61850 standard-based. IEC 61850 is an international standard defining communication protocols for IEDs at electrical substations.

IEC 61850-based substations are divided into three levels: station, bay, and process (see figure 5). The process bus interconnects IEDs at the primary equipment level, and the station bus interconnects IEDs at the bay and station levels. Devices at the process level are used to measure the status of the substation and actuate if required. Devices located at the bay level are used to control, monitor, and protect the substation. The station level provides remote access to the substation to allow remote configuration and supervision.

FIGURE 5. IEC 61850-Based Substations. [Diagram: a control center reached over the corporate WAN; the station level with SCADA/HMI on the station bus (Ethernet switch); the bay level with IEDs on the station bus; the process level with merging units (MU), breakers, and IEDs connected to the switchyard equipment.]
Source: “A Survey on Vulnerabilities and Countermeasures in the Communications of the Smart Grid.”38

37 Eaton, “Substation Automation.”
38 J. Lázaro and others, “A Survey of Vulnerabilities and Countermeasures in the Communications of the Smart Grid,” Electronics 10, no. 16 (2021).

3.2.2 Distributed Control Systems

A DCS is a computerized control system for a process or plant based on a central processing computer that usually has a large number of geographically distributed control loops. Unlike a centralized control system that operates all machines, a DCS allows each section of a machine to have its own dedicated controller that runs the operation. A DCS has several local controllers located throughout the area that are connected by a high-speed communication network. Although each controller works autonomously, there is a central supervisory control center run by an operator. A DCS includes both software and hardware elements.39

Often a DCS is built on its proprietary vendor’s hardware and software components, offering the “all-in-one” or “turnkey” solutions. Concepts like “all-in-one” or “turnkey” enable customers to get all the required ICS functionalities and solutions from one vendor for easier integration and programming. Despite that, some DCS support open communication standards that enable DCS extension by integrating ICS assets from other vendors.

Although a DCS is functionally similar to current SCADA systems, it is usually built with security and redundancy in mind. Other resources40 identify additional differences between the two systems, such as:

» A DCS is process oriented, whereas SCADA is oriented toward data gathering.
» A DCS is a state-driven process, whereas the SCADA system is event driven.41
» DCS systems are more integrated, whereas SCADA systems are more adaptable.
» A DCS comprises one or more controllers that are utilized to apply advanced process control techniques, whereas SCADA systems are unable to do so.
» A DCS is a process control technology that links sensors, processors, operator interfaces, and actuators via a network. A DCS usually has one or more processors for control and communication using proprietary linkages and protocols, whereas SCADA stands for HMI.
» SCADA technology can support many different communication protocols, most of which are open protocols. Although the DCS has evolved throughout the years, it still works mainly with proprietary protocols.

The differences in systems and in electricity grid modernization methods across countries and regions have led to the fact that most of today’s real-life systems are hybrid structures—a mix of the two. SCADA systems and DCS are often networked together. For example, although the electric power generation facility operation is controlled by a DCS, the DCS must communicate with the SCADA system to coordinate production output with transmission and distribution demands.42 In the current electric utility environment, multiple variations of ICS are used to connect the generation, transmission, and distribution functions into an increasingly more intelligent grid, meaning that cybersecurity management must take the threats and vulnerabilities from both systems into account.

3.2.3 Industrial Communications

Industrial communication networks are used to interconnect and transmit data between ICS devices. These networks can be implemented via physical media—wireline (copper, fiber cables) or wireless—to interconnect distant facilities. Network redundancy on the physical media level should be ensured in the event that a failure significantly affects multiple dependent subsystems or ICS assets.

ICS assets communicate with each other through several industrial communication protocols. Protocols are the rules defining the structure of transmitted data packets and mandatory additional information, such as the device’s unique address, an indication of message from beginning to end, and an algorithm to verify a received message for errors.

39 Tech Target Contributor, “Distributed Control System (DCS),” WhatIs.com.
40 “Difference Between DCS and SCADA (With Table),” Ask Any Difference.
41 A DCS does all its tasks in a sequential manner, and an event is not recorded until it is scanned by the station. In contrast, SCADA is event driven. It does not call scans on a regular basis but waits for an event or for a change in value in one component to trigger certain actions. See “Difference between DCS and SCADA,” DifferenceBetween.net, http://www.differencebetween.net/technology/difference-between-dcs-and-scada/#ixzz7AVAjO6kC.
42 “SP 800-82 Rev. 2, Guide to Industrial Control Systems (ICS) Security,” Computer Security Resource Center, National Institute of Standards and Technology.

It is worth mentioning that protocols used in ICS may be both proprietary and open. For example, vendors develop proprietary protocols for use with their developed systems and for which application information is not made publicly available. These protocols work only if both protocols and equipment come from the same vendor. On the other hand, open protocols are developed to ensure interoperability between different vendor devices.

The most common industrial communication protocols used in the energy sector are outlined in table 2.

The following chapter will focus on cybersecurity threats to ICS through a retrospective review of some of the major incidents that have occurred in the electricity sector, as well as its ongoing vulnerabilities and the means of protection that could have helped to avoid the attack.

TABLE 2. Common Industrial Communication Protocols in the Energy Sector

Distributed Network Protocol (DNP3.0)43: Open protocol with three layers operating at the data link, application, and transport layers. This protocol is widely used in electricity ICS.

Process Field Bus (PROFIBUS)44: PROFIBUS is a variety of protocols built on the same field-bus technology bundle and is open and supplier-independent. Users can combine varieties of PROFIBUS protocols with their own software and other requirements, resulting in a unique application profile. With many profiles available, PROFIBUS can suit specific needs.

Ethernet for Control Automation Technology (EtherCAT)45: An open communication protocol used to incorporate the Ethernet into industrial environments.

Modbus46: Modbus is one of the most commonly used communication protocols in industrial applications. This protocol was published in 1979 by Modicon and is currently administrated by the Modbus Organization. There are several variants of Modbus protocols, with two being most common: Modbus RTU and Modbus TCP/IP. It is an open protocol, except Modbus Plus, which is proprietary to Schneider Electric.

IEC 6185047: IEC 61850 is an international standard defining communication protocols to provide communication between different equipment located in a substation, such as protection, control, and measurement equipment, and other intelligent electronic devices at electrical substations. The IEC 61850 standard is applied in many products and is widely used.

Source: Authors.

43 See “Overview of DNP3 Protocol.”
44 “An Introduction to PROFIBUS: Comprehensive Protocol Overview,” Real Time Automation, Inc.
45 “EtherCAT – The Ethernet Fieldbus,” EtherCAT Technology Group.
46 “Modbus FAQ.”
47 “IEC 61850 Power Industry Communications Standard,” automation.com.

4. Overview of the Cyber Threat Landscape

This section provides a brief overview of a number of publicly reported cyberattacks on an energy sector’s infrastructure to shed light on the nature of the growing cyber threats. It is important to note that this list is not inclusive but is limited to events that highlight the existing threats and demonstrate the general trends in cybercrime.

In the past decade, the ICS has become one of the main targets of sophisticated cyberattacks. The year 2010 represented a change in ICS cybersecurity history, when the first publicly known malware, “Stuxnet,” was found at the uranium enrichment plant in Natanz, Iran. Since then, many other, more sophisticated malware and tools have been revealed around the world, some of which were allegedly developed by nation-states as weapons of war.

The following list (table 3) presents the advancement of cyberattacks targeted at ICS, describing their transformation from simple malware to complex attack structures. In addition, the table outlines the possible mitigation measures (see section 5.2 for more details) that could possibly have prevented these cyberattacks.

As the history above shows, the energy sector is targeted due to some unique properties:

» Impact: The energy sector is the backbone of all other industries. Disruption of this sector directly causes disruptions in other critical sectors.
» Broad attack surface: The energy sector’s ICS are extensive and complex, presenting a broad attack surface.
» Difficult to locate the attack: The high complexity and uniqueness of ICS introduce a challenge in detecting and remediating cyberattacks.

From the cyber events the sector has experienced, it is obvious that over the years the technical capabilities of attackers have evolved significantly, as has their willingness to inflict damage. Many say that Stuxnet was a proverbial game changer in understanding the importance and scope of cybersecurity in this sector. That attack demonstrated that the physical world can be compromised through cyber means, as it targeted a specific ICS. The ensuing attacks demonstrated that the attackers’ skill level continued to increase (although examples of simple, unsophisticated attacks with severe results also exist), as well as the frequency and scope of the strikes. The motivation is also evolving, from financial to political. This means that the cyber threat landscape is very dynamic and unpredictable, and developing the ability to detect and recover from a cyberattack is probably the most important lesson to be learned.

The following sections will focus on cybersecurity management to enable defenders (TSOs and DSOs, in this case, but applicable to other market players as well) to take the appropriate actions and develop suitable measures to prevent or reduce cyber threats and their potential effects.

TABLE 3. Evolution of Cyberattacks Against ICS

2010, STUXNET48
Description: Iranian facilities were attacked with the Stuxnet malware. It is believed that the attack was initiated from an employee’s USB drive. The attack used worm-type malware to target specific SCADA devices and to modify PLCs while remaining hidden for years by evading cyber protection tools. The malware used many zero-day exploits and was designed to recognize its targets automatically before attacking them. The malware manipulated the SCADA system’s functionality, specifically targeting PLCs that allow the automation of the electromechanical processes used in Natanz’s plant to control machinery and industrial processes, and caused physical damage to the gas centrifuges used to separate nuclear material.
Mitigation measures that could have helped to prevent the attack: Identity and Access Management; Network Security Management; Personnel Security Management; Monitoring and Situational Awareness; Incident Management.

2011, NIGHT DRAGON49
Description: Attacks were directed at energy companies as well as individuals to acquire proprietary and highly confidential information. Attackers collected information from computer systems, including ICS. The Night Dragon attacks were not technically sophisticated, but they instead demonstrated that primitive techniques, applied by a skillful and persistent adversary, are sufficient to break into energy sector companies. More importantly, the attacks demonstrated that it is possible to compromise an ICS.
Mitigation measures that could have helped to prevent the attack: Monitoring and Situational Awareness; Identity and Access Management; Vulnerability Management; Network Security Management; Incident Management.

2015–16, BLACKENERGY 1&250
Description: In Ukraine, a group of hackers, reportedly sponsored by several nation-states, injected malware into one of the Ukrainian Electric Substation’s company networks. The attack succeeded in overtaking and operating the high-voltage control system, thus cutting a sizable region’s power over a substantial period. The attack was executed by moving from the IT network to the OT network via a remote virtual private network (VPN) connection.
Mitigation measures that could have helped to prevent the attack: Identity and Access Management; Network Security Management; Awareness and Training; Monitoring and Situational Awareness; Incident Management.

2017, TRITON/TRISIS51
Description: The Triton malware was designed to target a specific ICS controller used in some critical infrastructure facilities to initiate immediate shutdown procedures in the event of an emergency. The malware was initially deployed through phishing that targeted the petrochemical facility.
Mitigation measures that could have helped to prevent the attack: Network Security Management; Identity and Access Management; Monitoring and Situational Awareness; Incident Management.

2017, WANNACRY52
Description: This was a global attack that affected at least 100,000 organizations in 150 countries, including energy companies, telecoms, banks, and government entities. The attack targeted ICS computers running the Microsoft Windows Operating System by encrypting data and demanding ransom payments in Bitcoin cryptocurrency. In the industrial field, the attack was on the OT system’s IT side and affected the control server (with the historian), the operator station, and the engineering stations. The outcome was a partial shutdown of the infected facilities due to a lack of access to process data, but it did not affect the assets of Levels 1 and 0 (PLCs and actuators).
Mitigation measures that could have helped to prevent the attack: Identity and Access Management; Change and Configuration Management; Vulnerability Management; Network Security Management; Monitoring and Situational Awareness; Incident Management.

2021, Colonial Pipeline53
Description: The attack took place on the U.S. Colonial Pipeline, one of the biggest oil pipelines in the United States. The pipeline suffered a ransomware attack that forced the energy company to shut down its entire fuel distribution pipeline for 6 days. This ransomware attack was linked to the DarkSide group. DarkSide operators targeted the business side instead of the operational systems, which implies the intent was motivated by money rather than a desire to shut the pipeline down.
Mitigation measures that could have helped to prevent the attack: Identity and Access Management; Network Security Management; Monitoring and Situational Awareness; Incident Management.

Source: Authors, based on publicly available information.

48 M. Holloway, “Stuxnet Worm Attack on Iranian Nuclear Facilities,” Stanford University, July 16, 2015.
49 McAfee, “Global Energy Cyberattacks: ‘Night Dragon,’” White paper, McAfee, February 10, 2011.
50 “Analysis of the Cyber Attack on the Ukrainian Power Grid. Defense Use Case,” Electricity Information Sharing and Analysis Center, March 18, 2016, E-ISAC_SANS_Ukraine_DUC_5.pdf.
51 “Treasury Sanctions Russian Government Research Institution Connected to the Triton Malware,” U.S. Department of the Treasury, October 23, 2020.
52 “WannaCry Ransomware Attack Summary,” Data Protection Report, May 17, 2017.
53 S. Kelly and J.
Resnick-ault, “One Password Allowed Hackers to Disrupt Colonial Pipeline, CEO Tells Senators,” Reuters, June 8, 2021. Strengthening the Cybersecurity of Electricity Grids 29 Str n th nin th C b rs curit of 5. Cybersecurity Management System Strengthening the Cybersecurity of Electricity Grids 30 5. Cybersecurity electric utilities cannot afford to neglect disaster recovery, which means that companies must also Management System establish strong business continuity and disaster recovery plans and practices. There are no one-size- fits-all templates for physical security and disaster There is a broad consensus among experts, indus- recovery, but some recognized international guide- try regulators, and policy makers that TSOs and lines are available (see box 3). DSOs should establish and maintain an enterprise cybersecurity management system (CSMS). A As mentioned in section 2.2, the approach to sys- CSMS provides governance, strategic planning, and tem planning should be revised, meaning that cy- support for an organization’s cybersecurity activi- bersecurity management measures should be ap- ties in a manner that aligns its security objectives plied to the system planning phase from the start. with both its strategic goals and the risks to critical Increasing the integration of renewable energy in infrastructure. the power system requires the appropriate evalu- ation of a system’s capacities and the introduction Though general organizational cybersecurity man- of additional facilities. Since N-1 contingencies are agement should be all inclusive (i.e., covering OT and usually established as a key requirement in system IT), this document focuses on a cybersecurity pro- stability and operation, a risk assessment for new gram for an ICS, as this is the main area of concern. assets is expected to start prior to the technical Operators may find it useful to integrate certain specification and design phases. 
BOX 2. Examples of Physical Deficiencies in Electric Grid
[Photographs: broken fence; poor video surveillance]
Source: World Bank.

BOX 3. Some Physical Security and Disaster Recovery Standards and Guidelines

» NERC CIP-014-2 Standard for Physical Security [54]
This provides guidance to utilities in addressing the protection of key physical assets. CIP-014-2 requires entities to identify and protect the transmission stations and transmission substations (and their associated primary control centers) that, if rendered inoperable or damaged as a result of a physical attack, could result in instability, uncontrolled separation, or cascading within an interconnection.

» NERC Physical Security Guideline for the Electricity Sector [55]
Physical security risks and the effects of those risks should be assessed and planned for in any vulnerability assessment. This guideline focuses on the development of physical security vulnerability assessment practices that come from effective planning and can mitigate the impact of extreme events.

» ISO 22301 [56]
This covers the continuity of business as a whole, considering any type of incident as a potential disruption source (e.g., pandemics, economic crises, natural disasters, etc.) and using plans, policies, and procedures to prevent, respond to, and recover from the disruptions they cause.

» ISO/IEC 27031 [57]
This provides detailed guidance on how to deal with ICT elements to ensure business continuity. It describes the concept and principles of ICT readiness for business continuity and provides a framework of methods and processes to improve an organization’s ICT readiness.

These sources share similar information yet introduce different approaches that do not contradict but actually complement each other on the subject of building a CSMS. Additionally, mappings [58] of the relevant standards, frameworks, or models for easier comparison are widely available.

[54] CIP-014-2 (nerc.com).
[55] NERC, “Physical Security Guideline for the Electricity Sector: Assessments and Resiliency Measures for Extreme Events” (Atlanta, GA: North American Electric Reliability Corporation, 2019), https://www.nerc.com/comm/CIPC_Security_Guidelines_DL/Physical_Security_Guideline_%20Assessments_and_Resiliency_Measures_for_Extreme_Events_June_2019.pdf.
[56] ISO, ISO 22301:2019 - Security and Resilience — Business Continuity Management Systems — Requirements.
[57] ISO, ISO/IEC 27031:2011 - Information technology — Security techniques — Guidelines for information and communication technology readiness for business continuity.
[58] See “Alternative View: Appendix A - Framework Core Informative References,” National Institute of Standards and Technology.

BOX 4. Main Cybersecurity Standards and Guidelines Developed for the Electricity Sector

» IEC 62443 series of standards [59]
The IEC 62443 series was developed to secure industrial automation and control systems throughout their lifecycle. It contains guiding frameworks to improve an organization’s ICS defensive posture effectively.

» ISO/IEC 27001 and ISO/IEC 27019 standards [60]
International Organization for Standardization (ISO)/IEC 27001 is a widely known standard that provides the requirements for an information security management system. In addition, ISO/IEC 27019 offers guidance based on ISO/IEC 27002 [61] applied to process control systems used by the energy utility industry for controlling and monitoring production.

» NIST Cybersecurity Framework [62]
The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) is voluntary guidance based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risks.

BOX 5. Example of a Cybersecurity Assessment Tool

» Cybersecurity Capability Maturity Model [63]
The Cybersecurity Capability Maturity Model (C2M2) is a tool for evaluating and improving cybersecurity. C2M2 helps organizations of all sectors, types, and sizes assess and improve their cybersecurity programs and strengthen their operational resilience.

A CSMS represents the collation of all the interrelated/interacting cybersecurity elements of an organization to ensure that policies, procedures, and objectives can be created, implemented, communicated, and evaluated to guarantee an organization’s overall cybersecurity. A CSMS helps organizations to identify and assess cybersecurity risks and to reduce them most effectively. A CSMS should be a continuously evolving iterative process (figure 6) with at least three fundamental steps reflecting the overall logic:

1. Risk Analysis
2. Addressing Risk
3. CSMS Monitoring and Improvement

The following sections will elaborate on each CSMS implementation step while focusing on practical and widely acknowledged practices and experiences from the field.

[59] “Understanding IEC 62443,” International Electrotechnical Commission, February 26, 2021.
[60] ISO, “ISO/IEC 27001 — Information Security Management,” and “ISO/IEC 27019:2017 - Information Technology — Security Techniques — Information Security Controls for the Energy Utility Industry,” Popular Standards, International Organization for Standardization.
[61] ISO, “ISO/IEC 27002:2013 - Information Technology — Security Techniques — Code of Practice for Information Security Controls,” Popular Standards, International Organization for Standardization.
[62] “Cybersecurity Framework,” National Institute of Standards and Technology.
[63] “Cybersecurity Capability Maturity Model (C2M2),” Office of Cybersecurity, Energy Security, and Emergency Response, U.S. Department of Energy.

FIGURE 6. Life Cycle of an OT Cybersecurity Management System
[Diagram of the three-step cycle]
Risk Analysis: Risk Identification; Risk Assessment.
Addressing the Risk: Identity and Access Management; OT Assets Management; Change and Configuration Management; Vulnerability Management; Third-Party Risk Management; Network Security Management; Personnel Security Management; Awareness and Training; Monitoring and Situational Awareness; Incident Management.
CSMS Improvement: Measure Effectiveness; Conduct Audits; Adjust CSMS.
Source: Authors.
5.1 Risk Analysis

Cyber risks (possibility of harm or loss due to unauthorized access, use, disclosure, disruption, modification, or destruction of IT, OT, or information assets) should be identified and analyzed to address them correctly and with the required scope. It is commonly recommended that a risk assessment be conducted periodically (at least once a year), before and after any significant change to an organization’s structure and processes, after any OT changes, and after any significant cybersecurity incidents during post-incident action (see section 5.2.10.4 for details).

A cybersecurity risk assessment could be conducted according to an organization’s already implemented framework and methodology. However, if an organization does not have these, it is recommended that internationally recognized risk management standards be followed (see box 6) to implement the risk management framework.

Generally, a risk assessment consists of two parts: identification and qualitative or quantitative estimation. Risk identification mainly means a process of finding and characterizing risks, whereas risk estimation is a process of comparing a risk against given risk criteria to determine its significance. Risk assessment consists of calculating a risk’s inherent score based on its likelihood and impact, and its residual score, with an estimation of how current mitigation measures reduce the risk.

As there are several methodologies of risk assessment, for DSOs and TSOs the asset-based methodology is recommended, as the OT and its assets play a significant role in the energy sector and directly impact it. However, it is evident that some OT assets are more critical than others. For example, an electrical substation providing electricity to a population of 100,000 would have a higher criticality and impact if it fails than a substation distributing electricity to 5,000. Likewise, a disrupted ICS network connecting hundreds of devices will have a higher impact than the same scenario in a network connecting only 10.

Considering the above situation, a risk assessment should apply an asset-based methodology so that the OT assets’ criticality would influence the final risk score. An asset-based risk assessment requires organizations to provide an up-to-date and comprehensive OT asset inventory (see section 5.2.2 for details) with at the very least an estimate of each asset’s criticality. During the risk assessment, focus should be paid to the OT’s availability, integrity, and confidentiality, in that order of priority, as risks that impact availability should be scored higher than those that impact integrity.

The risk analysis step is completed by having an exhaustive list of potential cybersecurity risks. Skillful risk analysis provides an organization with a high-level view of its most vulnerable areas. Additional mitigation measures should be planned if the final risk scores do not fit the organization’s risk appetite. [66] Conversely, organizations can avoid implementing heavy (expensive) mitigation measures against risks that are not particularly significant. In the case of significant financial constraints, results of risk analysis shall also be used for the prioritization of investments.

BOX 6. International Standards for Risk Management

» ISO 31000 standard [64]
ISO 31000, Risk management – Guidelines: Provides principles, a framework, and a process for managing risk. It can help organizations increase the likelihood of achieving their objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment.

» ISO/IEC 27005 standard [65]
ISO/IEC 27005, Information technology – Security techniques – Information security risk management: Supports the general concepts specified in ISO/IEC 27001 and is designed to assist the implementation of information security based on a risk management approach.
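The listing below is an added worked example of the asset-based scoring described in section 5.1; it is not part of this report and does not reproduce any particular utility’s method. The five-point likelihood and impact scales, the weights that rank availability above integrity above confidentiality, and the sample risk register (the report’s 100,000 versus 5,000 customer substations) are assumptions made for the illustration; an organization would substitute the scales from its own risk management framework (box 6).

```python
from dataclasses import dataclass

# Ordinal scales assumed for this example; the report prescribes no numeric scale.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}

# Section 5.1 ranks OT availability above integrity above confidentiality, so a
# risk against availability carries the highest weight (the weights are assumed).
CIA_WEIGHT = {"availability": 1.0, "integrity": 0.8, "confidentiality": 0.6}


@dataclass
class Asset:
    name: str
    criticality: int  # 1 (low) to 5 (high), taken from the OT asset inventory (section 5.2.2)


@dataclass
class Risk:
    asset: Asset
    description: str
    likelihood: str          # key of LIKELIHOOD
    impact: int              # 1 (negligible) to 5 (severe) if the risk materialises
    property_hit: str        # key of CIA_WEIGHT: the security property most affected
    mitigation: float = 0.0  # 0..1 share of the risk removed by controls already in place


def inherent_score(risk: Risk) -> float:
    """Score before crediting existing controls: likelihood x impact, scaled by the
    asset's criticality and by the priority of the property the risk affects."""
    return round(LIKELIHOOD[risk.likelihood] * risk.impact
                 * risk.asset.criticality * CIA_WEIGHT[risk.property_hit], 2)


def residual_score(risk: Risk) -> float:
    """Score after crediting the mitigation measures already deployed."""
    return round(inherent_score(risk) * (1.0 - risk.mitigation), 2)


def treatment_plan(risks, appetite: float):
    """Risks whose residual score still exceeds the risk appetite, highest first:
    these need additional mitigation or an explicit investment decision."""
    above = [r for r in risks if residual_score(r) > appetite]
    return sorted(above, key=residual_score, reverse=True)


def sample_register():
    """Constructed register (not real data): two substations of different criticality
    and one small station network, as in the report's own comparison."""
    big = Asset("Substation A (100,000 customers)", criticality=5)
    small = Asset("Substation B (5,000 customers)", criticality=2)
    net = Asset("Station LAN connecting 10 devices", criticality=1)
    return [
        Risk(big, "ransomware on engineering workstation halts control", "possible", 5, "availability", 0.4),
        Risk(small, "ransomware on engineering workstation halts control", "possible", 5, "availability", 0.4),
        Risk(big, "historian data disclosed via remote access", "likely", 2, "confidentiality", 0.5),
        Risk(net, "unauthorised device joins the station LAN", "likely", 3, "integrity", 0.0),
    ]


if __name__ == "__main__":
    for r in treatment_plan(sample_register(), appetite=20):
        print(f"{residual_score(r):>6}  {r.asset.name}: {r.description}")
```

Running the register through `treatment_plan` with an appetite of 20 leaves only the large substation’s availability risk above the line, even though both substations face the identical scenario with the identical controls: the criticality factor is what separates them, which is the point of the asset-based method. Lowering the appetite to 10 pulls the smaller substation and the confidentiality risk into the plan as well, in that order.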
5.2 Addressing the Risk

The organization should address identified and assessed risks to achieve the required defensive posture, with costs and risk reduction in mind. This CSMS step provides a set of well-known and widely used operational and technological cyber risk mitigation measures divided into 10 domains. A short description is provided of the risks, along with the potential impacts in each domain if the mitigation measures are missing or incomplete, as well as generalized recommendations that organizations should follow.

There is no one correct solution to mitigating risks. Thus, risk mitigation is specific to an organization and combines organizational and technological measures from different domains. A number of technical mitigation measures are becoming widely adopted practices and will be discussed in the subsections that follow.

5.2.1 Identity and Access Management

Identity and access management is a fundamental and critical cybersecurity capability. To put it simply (if a bit redundantly), identity and access management ensures that the right people and the right instruments have the right access to the right resources at the right time. [67]

It is considered good practice for an organization to develop and implement a formal identity management (creation, modification, and deletion) process. Additional attention should be paid to privileged and shared identities, as these introduce additional risks. It is recommended that privileged identities be created only after formal acknowledgment/approval by a senior and independent person. Privileged identities for ICS administrative tasks should not be used to perform routine functions. It is also recommended that the use of shared identities be avoided unless it is impossible to do so, and these identities may require compensatory measures to ensure an appropriate level of security. All identities should be registered in a dedicated registry and periodically reviewed.

The organization should also implement an access management (granting, modification, and revocation) process to ensure control of access to ICS assets. Access rights to ICS assets should be granted following the “need-to-know” and “least-privilege” principles. In the case of a job position change, all previously granted access rights should be promptly withdrawn and a new set of required access rights granted. In the event of termination of employment, a contract, or an agreement, access rights should be immediately removed. All granted access rights should be reviewed at least once a year to ensure that users do not possess excessive privileges and that access rights are withdrawn when no longer required. An organization’s employees who are granted privileged access rights should be introduced to their responsibilities and the increased risks and trained accordingly.

The organization should implement a secure remote access solution for the remote operation and support of ICS assets, including SCADA system elements. This became even more critical during the COVID pandemic, which increased the usage of remote work. For the safe implementation of remote access, the communication channel should be encrypted according to best practices and resilient encryption methods. Remote administrative access should be granted only when defined and strong authentication and secure connection solutions are applied. It is recommended that connection to ICS networks be allowed only via jump servers, [68] which should be turned off if not in use (figure 7).

[64] ISO, “ISO 31000 – Risk Management,” Popular Standards, International Organization for Standardization.
[65] ISO, “ISO/IEC 27005:2011 – Information Technology – Security Techniques – Information Security Risk Management,” International Organization for Standardization.
[66] Risk appetite is the level of risk that an organization is willing to accept while pursuing its objectives and before any action is determined to be necessary in order to reduce the risk. See J. Manoukian, “Risk Appetite and Risk Tolerance: What’s the Difference?” Wolters Kluwer, September 29, 2016.
[67] R. Zadeh, “Identity and Access Management (IAM),” Udemy.
[68] “Implementing Secure Administrative Hosts,” Microsoft Docs, July 29, 2021.

FIGURE 7. Example of a Secure Remote Access Solution
[Diagram: a Remote Technician on the Internet and a Technician from the Office on the Level 4 Enterprise Network reach a Jump Server in the Industrial DMZ over a VPN connection (RDP session from the remote host to the JUMP host); from the Jump Server a second RDP session reaches the Local Engineering/Operator Workstation in the Level 2 Control systems.]
Source: Authors.
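The following Python listing is an added example, not part of this report, of the periodic identity and access review that section 5.2.1 calls for. It encodes the rules stated above (privileged identities need an independent senior approval, shared identities need a compensating measure, rights lapse on termination or job change, and every grant is reviewed at least yearly) and runs them over a constructed registry; the identity records, asset names and dates are invented for the illustration, and a real review would read them from the organization’s identity registry and access management system.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

REVIEW_INTERVAL = timedelta(days=365)   # section 5.2.1: review all access rights at least yearly


@dataclass
class Identity:
    user_id: str
    role: str                                   # current job position
    status: str                                 # "active" or "terminated"
    privileged: bool = False
    shared: bool = False
    approved_by: Optional[str] = None           # senior, independent approver (privileged IDs)
    compensating_control: Optional[str] = None  # e.g. session recording (shared IDs)


@dataclass
class Grant:
    user_id: str
    asset: str
    rights: str
    role_at_grant: str      # job position the rights were granted for (need-to-know)
    last_reviewed: date


def review_access(identities: List[Identity], grants: List[Grant], today: date) -> List[Tuple[str, str]]:
    """Return (user_id, finding) pairs for every deviation from the rules of section 5.2.1."""
    by_id = {i.user_id: i for i in identities}
    findings = []
    for ident in identities:
        if ident.privileged and not ident.approved_by:
            findings.append((ident.user_id, "privileged identity created without independent senior approval"))
        if ident.shared and not ident.compensating_control:
            findings.append((ident.user_id, "shared identity without a compensating control"))
    for g in grants:
        ident = by_id.get(g.user_id)
        if ident is None or ident.status == "terminated":
            findings.append((g.user_id, f"remove {g.rights} on {g.asset}: identity terminated or unknown"))
            continue
        if g.role_at_grant != ident.role:
            findings.append((g.user_id, f"{g.rights} on {g.asset} was granted for role "
                                        f"'{g.role_at_grant}', user now '{ident.role}'"))
        if today - g.last_reviewed > REVIEW_INTERVAL:
            findings.append((g.user_id, f"{g.rights} on {g.asset} not reviewed for over a year"))
    return findings


def sample_review() -> List[Tuple[str, str]]:
    """Constructed registry and grant list (not real data)."""
    today = date(2022, 6, 1)
    identities = [
        Identity("alice", "ics-engineer", "active", privileged=True, approved_by="ot-security-manager"),
        Identity("bob", "analyst", "active"),                            # moved from operator to analyst
        Identity("carol", "ics-engineer", "terminated"),
        Identity("svc-hmi", "shared-operator", "active", shared=True),   # shared console login
        Identity("dave", "ics-engineer", "active", privileged=True),     # no approver recorded
    ]
    grants = [
        Grant("alice", "SCADA-SRV-01", "admin", "ics-engineer", today - timedelta(days=100)),
        Grant("bob", "HMI-02", "operate", "operator", today - timedelta(days=30)),
        Grant("carol", "RTU-07", "read", "ics-engineer", today - timedelta(days=400)),
        Grant("svc-hmi", "HMI-02", "operate", "shared-operator", today - timedelta(days=10)),
        Grant("alice", "PLC-01", "program", "ics-engineer", today - timedelta(days=380)),
    ]
    return review_access(identities, grants, today)


if __name__ == "__main__":
    for user, finding in sample_review():
        print(f"{user:8} {finding}")
```

The sample produces five findings: the shared HMI login with no compensating measure, the privileged engineer created without an approver, the analyst still holding operator rights from a previous position, the terminated engineer whose RTU access was never revoked, and a programming right that was last reviewed more than a year ago. Each maps to one sentence of section 5.2.1, which is how an auditor would trace the rule behind each finding.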
Equally important are well-defined and widely communicated physical access procedures. [69] It is highly desirable that organizations deploy a physical access control solution with centralized identities and access rights management and the ability to revoke access rights remotely. An organization’s critical and sensitive areas should be under video surveillance. In addition, logs from the physical access management solution should be forwarded to the security monitoring solution (see section 5.2.9).

5.2.2 Asset Management

The organization should develop and maintain an up-to-date inventory of assets that are important to the delivery of services. This inventory should be comprehensive, containing important information, such as software or protocol version, vendor name, model, physical location, asset owner, criticality, and defined configuration baseline to enable cybersecurity management activities. The configuration of assets should be controlled according to the configuration baseline when it is deployed for the operation.

It is widely agreed that an asset inventory helps organizations to maintain ICS infrastructure and supports other cybersecurity-related processes. It is also essential to conducting risk assessment (section 5.1) and ICS change and configuration management (section 5.2.3) and to supporting the incident management process (section 5.2.10).

FIGURE 8. Example of an Automated Asset Discovery Solution
[Diagram of the segmented network: Internet; Level 4 Enterprise Network (Data Warehouse, DNS Server); Industrial DMZ; Level 3 Engineering/Operations network (Operator Workstation, Historian, Discovery Solution); Level 2 Supervisory network (HMI); Level 1 Control network (PLC, RTU); Level 0 Field network.]
Source: Authors.

[69] These include but are not limited to badges, policies on who can enter the facilities and how, video surveillance of critical areas, and physical intrusion detection systems.

Although developing and maintaining an OT asset inventory is challenging, there are specialized solutions that, through monitoring ICS network traffic, can produce this list. Additionally, these solutions have an additional functionality to generate alerts if new, unauthorized devices appear in ICS networks.

5.2.3 Change and Configuration Management

The organization should apply an OT change and configuration management process to implement ICS changes in the most efficient manner and to minimize the negative impact on the organization’s services and customers when modifications are implemented.

All OT changes should be recorded, tested, assessed, approved, implemented, and verified in a controlled manner. OT change requests should be analyzed to avoid introducing unacceptable vulnerabilities into the operating environment and to identify unauthorized changes. Change control should include the entire asset life cycle, including requirements definition, testing, deployment, and maintenance, as well as retirement from operation. OT changes during emergencies must be handled as swiftly as possible yet also follow procedures that provide adequate safeguards.

5.2.4 Vulnerability Management [70]

As part of its CSMS, the organization should implement a vulnerability management process to address the risks arising from any potential weaknesses. The process should include vulnerability discovery/identification, assessment, and mitigation. Vulnerability discovery should be performed using dedicated tools capable of detecting OT-specific liabilities. In addition, ICS penetration testing should be carried out, preferably by independent testers with sufficient knowledge, skills, and expertise. Vulnerability discovery should be done periodically and in the event of significant change to the OT environment or processes or after important security incidents. [71]

Discovered vulnerabilities should be assessed in terms of criticality, and relevant mitigation measures should be implemented. Vulnerabilities with high impact scores should be mitigated as soon as possible. Vulnerability fixing is commonly achieved by applying patches [72] to vulnerable systems or implementing compensation measures if patching is not applicable or available. In either case, vendors should be required to address discovered vulnerabilities in supplied equipment or software. Patching should be conducted as quickly as possible yet also follow the OT change and configuration management process (see section 5.2.3).

5.2.5 Third-Party Risk Management

Third-party risk management, also often described as supply chain management, refers to management of OT acquisition, development, and maintenance processes aimed at mitigating the risks arising from third parties. Besides functional and non-functional OT requirements, security requirements and baselines should be clearly defined, and vendor responsibilities for meeting these requirements are usually included in contracts (or should be). Each and every such contract should be reviewed and approved by the organization’s security personnel (or department) before signing.

During contract negotiations, it is recommended that independent testing, a code review, and scans for vulnerabilities be requested from a vendor to demonstrate that the vendor has followed a secure software development process before deployment. [73] Organizations may find it useful to receive such evidence periodically throughout the contract’s duration.

[70] Vulnerability management is generally defined as the process of identifying, categorizing, prioritizing, and resolving vulnerabilities in operating systems, enterprise applications (whether in the cloud or on-premises), browsers, and end-user applications. An ongoing process, vulnerability management seeks to continually identify vulnerabilities that can be remediated through the patching and configuration of security settings. See N. Cavalancia, “What is Vulnerability Management: Vulnerability Management Explained,” AT&T Cybersecurity, July 2, 2020.
[71] See “Vulnerability – Glossary” and “Penetration Testing – Glossary,” Computer Security Resource Center, National Institute of Standards and Technology.
[72] “Patch – Glossary,” Computer Security Resource Center, National Institute of Standards and Technology.
[73] “Test – Glossary” and “Security-Oriented Code Review – Glossary,” Computer Security Resource Center, National Institute of Standards and Technology.
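The Python listing below is an added example (not from this report or from any asset discovery product) that ties section 5.2.2 to section 5.2.3: an inventory record carrying the attributes the text lists, including criticality and a configuration baseline; the unauthorized-device alert that passive discovery solutions raise when an address not in the inventory appears on the ICS network; and a baseline check that accepts a changed configuration only when an approved change record exists for exactly that new configuration. The asset identifiers, addresses, configuration texts and change numbers are constructed for the illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class InventoryEntry:
    asset_id: str
    ip: str
    vendor: str
    model: str
    firmware: str
    location: str
    owner: str
    criticality: int        # 1..5, feeds the asset-based risk analysis of section 5.1
    baseline_sha256: str    # hash of the approved configuration (the configuration baseline)


@dataclass
class ChangeRecord:
    change_id: str
    asset_id: str
    new_sha256: str         # hash of the configuration the change introduces
    approved: bool          # recorded, tested, assessed and approved before implementation


def config_hash(config_text: str) -> str:
    return hashlib.sha256(config_text.encode("utf-8")).hexdigest()


def unknown_devices(inventory: List[InventoryEntry], observed_ips: List[str]) -> List[str]:
    """Addresses seen talking on the ICS network that the inventory does not know about."""
    known = {e.ip for e in inventory}
    return sorted(set(observed_ips) - known)


def configuration_drift(inventory: List[InventoryEntry], running_configs: Dict[str, str],
                        changes: List[ChangeRecord]) -> List[Tuple[str, int, str]]:
    """Assets whose running configuration differs from the baseline without an approved
    change record for that exact configuration, highest criticality first."""
    alerts = []
    for entry in inventory:
        cfg = running_configs.get(entry.asset_id)
        if cfg is None:
            alerts.append((entry.asset_id, entry.criticality, "no running configuration collected"))
            continue
        actual = config_hash(cfg)
        if actual == entry.baseline_sha256:
            continue
        approved = any(c.asset_id == entry.asset_id and c.new_sha256 == actual and c.approved
                       for c in changes)
        if not approved:
            alerts.append((entry.asset_id, entry.criticality,
                           "configuration differs from baseline without an approved change"))
    return sorted(alerts, key=lambda a: -a[1])


def sample_checks():
    """Constructed inventory, passive observation and change log (not real data)."""
    inventory = [
        InventoryEntry("PLC-01", "10.10.1.11", "VendorX", "M340", "2.7", "Substation A", "ot-eng", 5,
                       config_hash("PLC-01 ladder v1")),
        InventoryEntry("RTU-07", "10.10.1.27", "VendorY", "R500", "1.3", "Substation B", "ot-eng", 3,
                       config_hash("RTU-07 points v3")),
        InventoryEntry("HMI-02", "10.10.2.5", "VendorZ", "Panel", "4.0", "Control room", "ops", 2,
                       config_hash("HMI-02 screens v2")),
    ]
    # addresses a passive discovery sensor would report over one interval
    observed = ["10.10.1.11", "10.10.1.27", "10.10.2.5", "10.10.2.99", "10.10.1.11"]
    running = {"PLC-01": "PLC-01 ladder v2",      # changed, no change record
               "RTU-07": "RTU-07 points v4",      # changed under CHG-1042
               "HMI-02": "HMI-02 screens v2"}     # unchanged
    changes = [ChangeRecord("CHG-1042", "RTU-07", config_hash("RTU-07 points v4"), approved=True)]
    return unknown_devices(inventory, observed), configuration_drift(inventory, running, changes)


if __name__ == "__main__":
    new, drift = sample_checks()
    print("unknown devices:", new)
    print("unapproved drift:", drift)
```

On the sample the sensor reports one address the inventory has never seen, and of the two assets whose configuration moved off the baseline only the PLC is alerted, because the RTU change is covered by an approved record. Ordering alerts by criticality lets the team apply the section 5.2.4 rule of treating high-impact findings first.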
FIGURE 9. Example of an Activity Monitoring and Registration Solution
[Diagram: a Support Technician connects over a VPN to the Jump Server in the Industrial DMZ (RDP session from the remote host to the JUMP host), then by a second RDP session from the JUMP host to the Local Engineering/Operator Workstation in the Level 2 Control systems; activity data from both sessions flow to an Activity Monitoring Solution on the Level 4 Enterprise Network.]
Source: Authors.

It is a good practice to apply preventive measures to mitigate the risks of unintentional alteration or intentional manipulation of the ICS during its or its elements’ development and deployment.

To further mitigate the risks from the vendor during the provision of remote support, it is recommended that a solution be deployed for monitoring and recording remote support activity (see figure 9). Besides the capability to record keystrokes and record video sessions, some solutions have built-in anomaly detection algorithms. These solutions would also be useful in monitoring activities in the network during the usual remote work sessions.

5.2.6 Network Security Management

The cornerstone of an organization’s network security management is building and maintaining ICS networks that are secure by design. Secure by design implies that OT networks should be segregated into meaningful zones and segments defined by network purpose and function (figure 10).

In OT networks of high criticality, physical segregation is highly recommended or should at least be considered, though logical segregation should be ensured by firewalls in all instances (figure 11).
FIGURE 10. Reference Architecture Alignment with an Example Segmented Architecture
[Diagram aligning the Generic Electric Utility Architecture (Levels 4 to 0) with a Network Segregation Architecture: Enterprise Zone (EZ) behind the EZ Firewall, with Enterprise Office Workstations, Data Warehouse, Update/Patch Management and Router at Level 4; Industrial Demilitarized Zone (DMZ) behind the DMZ Firewall, with Update/Patch Management, Jump Server, Data Exchange Server, DMZ Database and Router; Energy Supply Zone (ESZ) behind the ESZ Firewall, with Domain Controller, SCADA Server, Engineering/Operator Workstation and Historian at Level 3, a Gateway at Level 2, PLC, RTU, Controller and Field Gateway at Level 1, and Field I/O Devices at Level 0.]
Source: Authors based on IEC 62443-2-1.

FIGURE 11. Reference SCADA Architecture Alignment
[Diagram aligning the Generic Electric Utility Architecture with a SCADA Network Segregation Architecture: Enterprise Zone (EZ) at Level 4; Industrial Demilitarized Zone (DMZ); Primary Control Center and Secondary Control Center at Level 3; a SCADA Wide Area Network (Fibre / Cable / LTE / Satellite) linking Levels 2, 1 and 0; Field I/O Devices in separate Station A, Station B, Station C and Station D Zones.]
Source: Authors based on IEC 62443-2-1.

Any change in the configuration of the firewall should strictly follow the organization’s OT configuration and change management process (5.2.3), and its security personnel (or department) should approve all changes. In addition, it is recommended that the firewall configuration be periodically audited. It is also good practice to set up a firewall by initially blocking all traffic in the firewall and afterward whitelisting only allowed traffic per each port and IP address.

An organization should apply strict network access control [74] to OT networks. Workstations and other devices should be checked for security compliance first, and permission to join the ICS should be granted only if compliance testing has been carried out and passed. Direct connection to ICS networks should be strictly forbidden and allowed only through routing the connections via the IDMZ, which should host dedicated support or remote management.

5.2.7 Personnel Security Management

To mitigate risks related to insider threats, organizations should establish a personnel security management process. Insider threats are considered among the most dangerous and the most likely, as the worst damage is often caused by people who have been granted appropriate rights by the organization (intentionally or not).

It is recommended that background screening be conducted of candidates for staff positions before employment to the extent allowed by relevant national legislation. Additionally, it is advised that background screening of the people who occupy the organization’s most critical posts (in operation and management of the ICS), such as ICS administrators, engineers who are granted privileged [75] access rights, or senior managers, be routinely carried out.

5.2.8 Awareness and Training

Organizations should establish and maintain policies and procedures to create and uphold a culture of cybersecurity overall through an organization’s awareness program and specifically for the specialized staff dealing with the CSMS. A well-developed cybersecurity culture enables organizations to prevent a substantial number of incidents, as very often well-trained employees are able to recognize and alert the relevant departments of any significant incidents at a very early stage.

Awareness programs for a broader audience should cover topics related to phishing attacks, incident reporting, remote working, secure decision making in daily work, and other relevant topics connected to the cyber threat landscape. This awareness program should be periodically updated to include the latest relevant information on emerging cybersecurity threats, attack analyses, and reports on how these could be detected and mitigated.

As a matter of routine, an organization should educate and train certain CSMS stakeholders, such as its cybersecurity incident response team (CSIRT) [76] (see section 5.2.10.1) and ICS owners, on their duties, responsibilities, and actions in the performance of cybersecurity-related tasks.

Last but not least, cybersecurity simulation trainings (specific to OT assets) may periodically be performed. This is a way to accurately replicate the existing environment and to test how an organization responds to simulated cyberattacks. Training effectively helps to prepare against potential attacks in realistic scenarios. Simulation exercises make it possible to practice cybersecurity skills, test personnel abilities, and identify gaps to improve readiness to defend against threats.

[74] “Network Access Control (NAC) – Glossary,” Computer Security Resource Center, National Institute of Standards and Technology.
[75] “Privileged User – Glossary,” Computer Security Resource Center, National Institute of Standards and Technology.
[76] ENISA, “How to Set up CSIRT and SOC,” European Union Agency for Cybersecurity, December 2020.
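As an added example for section 5.2.6 (not part of this report and not a configuration of any particular firewall product), the Python listing below models the zone-and-conduit policy of figures 10 and 11 as a default-deny allow-list: traffic between zones is dropped unless the source zone, destination zone, protocol and port appear on the list, and the only host permitted to initiate sessions into the control zone is the jump server of figure 7. The address ranges, the conduits and the sample flows are assumptions constructed for the illustration; the audit function at the end flags any conduit that would let the enterprise zone reach the control zone without passing the IDMZ.

```python
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Zones follow figure 10; the address plan is constructed for this example.
ZONES = {
    "enterprise": ip_network("10.1.0.0/16"),   # Level 4, Enterprise Zone
    "idmz": ip_network("10.2.0.0/24"),         # Industrial DMZ
    "control": ip_network("10.10.0.0/16"),     # Energy Supply Zone, Levels 3 to 1
}
JUMP_SERVERS = {ip_address("10.2.0.10")}       # figure 7: the only RDP source into control

# Allow-list of inter-zone conduits: (src zone, dst zone, protocol, dst port).
# Everything not listed is dropped: block all first, then whitelist per port and address.
ALLOWED_CONDUITS = {
    ("enterprise", "idmz", "tcp", 443),    # VPN/portal into the IDMZ
    ("idmz", "control", "tcp", 3389),      # RDP from the jump server to workstations
    ("control", "idmz", "tcp", 5432),      # historian pushing data to the DMZ database
}


def zone_of(ip: str) -> Optional[str]:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def decide(src: str, dst: str, proto: str, port: int) -> str:
    """Firewall verdict for one flow under the default-deny policy."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "drop"                       # address outside every defined zone (e.g. Internet)
    if src_zone == dst_zone:
        return "allow"                      # intra-zone traffic is not mediated by this firewall
    if (src_zone, dst_zone, proto, port) not in ALLOWED_CONDUITS:
        return "drop"
    if dst_zone == "control" and ip_address(src) not in JUMP_SERVERS:
        return "drop"                       # only the jump host may initiate into control
    return "allow"


def direct_enterprise_to_control(conduits) -> List[Tuple]:
    """Audit check for the rule that connections reach the ICS only via the IDMZ."""
    return [c for c in conduits if c[0] == "enterprise" and c[1] == "control"]


def sample_flows() -> List[Tuple[str, str, str, int, str]]:
    """Constructed traffic for a policy audit; the last element is the verdict."""
    flows = [
        ("10.1.5.3", "10.2.0.10", "tcp", 443),      # office technician -> VPN in the IDMZ
        ("10.2.0.10", "10.10.2.5", "tcp", 3389),    # jump server -> engineering workstation
        ("10.2.0.11", "10.10.2.5", "tcp", 3389),    # another IDMZ host tries RDP into control
        ("10.1.5.3", "10.10.1.11", "tcp", 502),     # office host straight to a PLC
        ("10.10.3.20", "10.2.0.40", "tcp", 5432),   # historian -> DMZ database
        ("203.0.113.7", "10.10.1.11", "tcp", 502),  # Internet address to a PLC
    ]
    return [(s, d, p, port, decide(s, d, p, port)) for s, d, p, port in flows]


if __name__ == "__main__":
    for flow in sample_flows():
        print(flow)
    print("conduits bypassing the IDMZ:", direct_enterprise_to_control(ALLOWED_CONDUITS))
```

Only three of the six sample flows are allowed: the technician into the IDMZ, the jump server into the control zone, and the historian out to the DMZ database. The same policy model can be rerun after every firewall change approved under section 5.2.3, so that the periodic audit the text recommends compares the running rule set against the documented conduits rather than against memory.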
This kind of system allows an organization to set up monitoring, Even though the above list of activities may seem correlation, detection, and incident alert capability. long, by maintaining an up-to-date and high-qual- To be effective, the SIEM system should be provid- ity OT asset inventory (see section 5.2.2) the scope ed with various data from within the organization, of such awareness capabilities could be limited to such as (figure 12): the OT assets in operation as opposed to the mon- itoring of the entire universe of ICS-related events. » Logs from ICS networking devices, ICS workstations, and servers 5.2.10 Incident Management » Logs from ICS applications (if available) Regardless of the thorough preparation and the » Logs with meaningful data on activities per- well-designed and implemented cybersecurity op- formed by identities and all activities performed erational and technological measures, cyber inci- by privileged identities dents will still likely occur (though to much lesser » Logs from physical security systems extent) for a variety of reasons. For instance, secu- rity controls and solutions can be overwhelmed or » Logs from ICS performance and capacity passed through by advanced hacking techniques or monitoring data human errors. However, there is a almost certainly » Raw ICS network traffic77 from meaningful a guarantee that cybersecurity incidents will occur network points with potentially devastating effects in an organiza- tion that does not take cybersecurity seriously. The above list is not exhaustive, yet the more data Incident response is yet another process that needs provided, the more the monitoring and threat de- to be implemented as part of the CSMS. The objec- tection capability system (and through it the orga- tive of the incident management process is to de- nization) achieves. 
A recommended SIEM solution tect events as early as possible, to respond swiftly should include OT-related threat detection and ICS and effectively, and to avoid/mitigate severe con- communication protocol analysis capabilities (see sequences and especially such events as business table 2). service disruptions. The incident response process should also include a post-incident phase when the Aside from SIEM, organizations should seek to de- organization tries to understand why it occurred velop global situational awareness capabilities and and seeks to identify if any corrections to existing establish a monitoring process for global threats. It processes are required, including the implementa- is recommended that OT-specific cyber threat in- tion of new measures to prevent similar incidents in telligence sources be followed, such as ICS-CERT,78 the future. SHODAN.IO,79 ICS-ISAC,80 and other leading cyber- security research companies. Equally important, it The design and implementation of the organiza- is recommended that national-level resources be tion’s cybersecurity incident management process used for information sharing on and handling of on- will depend on such parameters as the scale and going cyberattacks, if available (usually from the 77 “Network Traffic – Glossary,” Computer Security Resource Center, National Institute of Standards and Technology. 78 The Industrial Control Systems Cyber Emergency Response Team. 79 Shodan.io, “Search Engine for Internet-Connected Devices,” https://duion.com/links/shodanio-search-engine-internet-connected-de- vices. 80 Industrial Control System Information Sharing and Analysis Center, https://icsisac.wordpress.com/. Strengthening the Cybersecurity of Electricity Grids 42 FIGURE 12. 
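The correlation capability that section 5.2.9 asks of a SIEM, as an added example that is not code from the report or its authors: it feeds constructed identity, physical-security and ICS network-device log lines through three rules scoped by a constructed OT asset inventory, so a privileged login is judged against the user’s badge record or IDMZ session, and a connection into the ICS network is judged against the inventory and the IDMZ jump host. Every host name, user, site and the key=value log format are assumptions of the example.

```python
"""Added example: SIEM-style correlation of the OT log sources named in section 5.2.9.

Not code from the report. All hosts, users, sites, and the key=value log format
are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed OT asset inventory (cf. section 5.2.2): asset -> site where it is installed.
# Correlation is scoped to these assets, as the section recommends.
OT_ASSETS = {
    "eng-ws-01": "control-centre",
    "hmi-02": "substation-north",
    "plc-17": "substation-north",
}
IDMZ_JUMP_HOST = "idmz-jump-01"       # the only sanctioned path into the ICS networks
PRESENCE_WINDOW = timedelta(hours=8)  # how long a badge entry counts as "on site"


@dataclass
class Event:
    ts: datetime
    src: str     # log source: identity | physical | netdev
    user: str
    asset: str   # OT asset, or the site name for physical-security events
    peer: str    # remote host, for netdev connection events
    action: str


def parse_line(line: str) -> Event:
    """Parse one constructed 'key=value' log line into an Event."""
    f = dict(kv.split("=", 1) for kv in line.split())
    return Event(datetime.fromisoformat(f["ts"]), f["src"], f.get("user", "-"),
                 f.get("asset", "-"), f.get("peer", "-"), f["action"])


def correlate(events):
    """Run three correlation rules over the events in time order; return alerts."""
    alerts = []
    last_badge = {}       # (user, site) -> time of the user's last badge-in at that site
    remote_users = set()  # users who entered through the IDMZ jump host
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.src == "physical" and e.action == "badge-in":
            last_badge[(e.user, e.asset)] = e.ts
        elif e.src == "identity" and e.action == "login" and e.asset == IDMZ_JUMP_HOST:
            remote_users.add(e.user)
        elif e.src == "identity" and e.action == "priv-login":
            site = OT_ASSETS.get(e.asset)
            if site is None:
                # Rule 1: privileged activity on a device the OT inventory does not know.
                alerts.append({"ts": e.ts, "rule": "asset-not-in-inventory", "subject": e.asset})
                continue
            seen = last_badge.get((e.user, site))
            on_site = seen is not None and e.ts - seen <= PRESENCE_WINDOW
            if not on_site and e.user not in remote_users:
                # Rule 2: privileged session with neither a badge record at the asset's
                # site nor an IDMZ session (identity log correlated with physical security).
                alerts.append({"ts": e.ts, "rule": "priv-login-without-presence", "subject": e.user})
        elif e.src == "netdev" and e.action == "conn":
            if e.peer not in OT_ASSETS and e.peer != IDMZ_JUMP_HOST:
                # Rule 3: a connection into the ICS network from a host that is neither an
                # inventoried OT asset nor the IDMZ jump host, i.e. a direct connection.
                alerts.append({"ts": e.ts, "rule": "direct-ics-connection", "subject": e.peer})
    return alerts


def run(lines):
    """Parse and correlate a batch of log lines."""
    return correlate(parse_line(ln) for ln in lines if ln.strip())


# Constructed sample feed: one morning of identity, physical-security and
# ICS network-device events. Only bob, laptop-ext-9 and hist-99 should alert.
SAMPLE_LOG = [
    "ts=2022-03-01T08:02:00 src=physical user=alice asset=control-centre action=badge-in",
    "ts=2022-03-01T08:15:00 src=identity user=alice asset=eng-ws-01 action=priv-login",
    "ts=2022-03-01T09:00:00 src=identity user=bob asset=hmi-02 action=priv-login",
    "ts=2022-03-01T09:30:00 src=identity user=carol asset=idmz-jump-01 action=login",
    "ts=2022-03-01T09:35:00 src=identity user=carol asset=plc-17 action=priv-login",
    "ts=2022-03-01T10:00:00 src=netdev asset=plc-17 peer=eng-ws-01 action=conn",
    "ts=2022-03-01T10:05:00 src=netdev asset=plc-17 peer=laptop-ext-9 action=conn",
    "ts=2022-03-01T10:10:00 src=identity user=dave asset=hist-99 action=priv-login",
]

if __name__ == "__main__":
    for a in run(SAMPLE_LOG):
        print(a["ts"].isoformat(), a["rule"], a["subject"])
```

Because the rules consult the inventory and the physical-security feed, the same privileged login is benign for an on-site engineer and an alert for an account with no presence record, which is the kind of context a log from a single source cannot give.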
FIGURE 12. Example of SIEM Data Feed Architecture (figure not reproduced). Layers shown: Level 4 Enterprise network (Data warehouse, DNS, Identity and Access Management, SIEM server); Industrial DMZ (Network scanner); Level 3 Engineering/Operations network (Operator workstation, Historian, Network scanner); Level 2 Supervisory network (HMI); Level 1 Control network (PLC, RTU); Level 0 Field network. Legend: Network connection, Mirrored network traffic, Logs. Source: Authors.

However, it is widely recommended that recognized international standards, best practices, and guidelines be followed that set up those processes (see box 7). Based on these sources, effective incident management (figure 13) should include at least the following stages:

1. Prevention and preparation
2. Detection and reporting
3. Response, mitigation, and recovery
4. Post-incident activity

The incident management process should be cyclic. The output of the post-incident stage should be considered, as well as corrective actions that should help to avoid a similar incident in the future. The following section will briefly review the main elements of appropriate incident management.

FIGURE 13. Generic Cybersecurity Incident Management Process (figure not reproduced). Cycle shown: Preparation & Prevention; Monitoring & Detection; Response, Mitigation, & Recovery; Post-incident Activity (Lessons Learned). Source: Authors.

BOX 7. Standards, Best Practices, and Guidelines for Incident Management

» ISO/IEC 27035-1 [81]
The ISO/IEC 27035-1 standard presents basic concepts and phases of information security incident management. It combines these concepts with principles in a structured approach to detecting, reporting, assessing, and responding to incidents and applying lessons learned.

» European Union Agency for Cybersecurity (ENISA) Good Practice Guide for Incident Management [82]
The Good Practice Guide for Incident Management describes good practices and provides practical information and guidelines for managing network and information security incidents, with an emphasis on incident handling.

» NIST Computer Security Incident Handling Guide [83]
The NIST Computer Security Incident Handling Guide assists organizations in establishing incident response capabilities and in handling incidents efficiently and effectively. It provides guidelines for managing security breaches, particularly for analyzing incident-related data and determining the appropriate response to each event.

5.2.10.1 Prevention and Preparation

The primary objective of incident management is to avoid incidents or significantly reduce their likelihood. To achieve this, identified organizational and technological measures, such as those outlined in section 5.2, should be implemented.

However, an organization’s cyber defense capability should continuously be improved (figure 14) through these essential elements:

» People. Establish a CSIRT [84] by bringing together skilled personnel or recruiting, training, and certifying staff as needed. The skills of CSIRT staff should be continuously improved.

[81] ISO, “ISO/IEC 27035-1:2016 - Information Technology — Security Techniques — Information Security Incident Management — Part 1: Principles of Incident Management,” International Organization for Standardization.
[82] ENISA, “Good Practice Guide for Incident Management,” European Union Agency for Cybersecurity, December 2010.
[83] “SP 800-61 Rev. 2, Computer Security Incident Handling Guide,” Computer Security Resource Center, National Institute of Standards and Technology.
[84] ENISA, “How to Set up CSIRT and SOC.”

FIGURE 14. Cyber Defense Capability (figure not reproduced). Elements shown: Skilled people, Tools, Procedures, Resources. Source: Authors.

» Tools. Provide the CSIRT with the required tools to ensure the continuous monitoring and detection of cyber incidents. Additionally, the CSIRT should be provided with tools capable of detecting OT-specific threats.

» Procedures. Define sound and effective incident management procedures for the CSIRT to act quickly from incident detection to resolution. These procedures should include clear criteria for incident evaluation, prioritization, and escalation. Procedures and workflows should be periodically reviewed, tested, and improved.

» Resources. A CSIRT should be supplied with all possible useful information for incident management. A complete ICS assets inventory (5.2.2), ICS network topology diagrams, ICS stakeholder contact lists, and emergency contacts of external parties available for incident-management support should always be available and periodically updated.

Some or all cyber defense capability elements can also be acquired and covered by external service providers.

5.2.10.2 Detection and Reporting

The incident should be detected and reported as early as possible. Incidents are usually reported by the organization’s employees and dedicated security solutions (figure 14).

In particular, an organization’s employees should be capable of recognizing incidents and aware of how to promptly raise warnings of suspicious activity or a data breach. Through awareness training employees can learn how to detect and report security concerns. It is vital to grow and maintain awareness and responsible reporting as part of the organizational culture.

At the same time, all other incident reporting channels, such as email, phone calls, or walk-in reports, should be acceptable to avoid the loss of vital notification that can prevent a timely response to the incident. The organization should define and promote a “one window” channel for incident reporting to simplify the process.
The exchange of cybersecurity incident information throughout the organization is a successful way to mitigate similar incidents in the future. Organizations should also seek the means for cooperation within the industry nationally, regionally, and globally through mutual knowledge exchange that includes case studies, forums, and regular meetings.

It is highly recommended that an incident management solution be deployed and used that is capable of receiving incident reports from all possible sources.

FIGURE 15. Incident Reporters (figure not reproduced). Reporters shown: Employees and Security systems, both leading to Incident reported. Source: Authors.

5.2.10.3 Response, Mitigation, and Recovery

This stage is essential to setting up an organization’s response to the incident and organizing the recovery. It is important to verify, evaluate, and classify all received incident reports in order to determine whether they contain credible information about an actual incident and to prioritize an incident for further management.

Some reported incidents could be classified as “not incidents” if reported by mistake. Some suspicious activities, for example, probing by an ICS publicly connected network device, could be ignored under certain conditions, as allocating resources to each and every reported event is nearly impossible and not required. Considering that ICS-targeted cyberattacks are often highly sophisticated, organizations may not have the capacity to address them and may wish to seek external incident management support from national cyber defense authorities or commercial companies that specialize in OT cyber defense (as was done in the majority of the cases described in section 4).

5.2.10.4 Post-Incident Activity

Post-incident activity is the final stage before the incident management process can be closed. It is critical to understand the incident’s root cause and how well the organization responded to and recovered from it. In addition, this exercise provides a vital opportunity to identify any deficits in current organizational and technological security policies, the short-term corrective and compensating actions taken, and the long-term measures planned. Therefore, it is essential to document the incident properly for advanced incident analysis and problem management purposes. At this stage, ICS vendors should be notified if any new ICS vulnerabilities have been revealed.

It is highly recommended that incident reports and indications of compromise be shared with other organizations within the industry and the cybersecurity community more widely to contribute to globally shared cybersecurity resilience.

5.3 CSMS Improvement

The improvement step focuses on the need for the CSMS to effectively address internal and external threats, the latest vulnerabilities, changes in risk tolerance, and legal requirements. During this step, the organization should examine whether identified cybersecurity risks are adequately managed and risk mitigation measures are sufficient. In the case of discrepancies, the CSMS should be adjusted to meet the organization’s cybersecurity strategic goals and expectations. In addition, the organization should consider conducting an external audit of the CSMS to guarantee that its design and implementation follow international standards and best practices and guidelines. Organizations should review and improve their CSMS on an annual basis or in the event of significant organizational changes.

In sum, the CSMS implements a holistic approach to cybersecurity, helping to protect the OT and the entire organization from OT-specific risks and other more common threats, such as poorly informed staff or ineffective procedures. Constantly adapting to changes inside and outside an organization, a CSMS reduces the threat of continually evolving risks. Therefore, implementing and maintaining a CSMS could significantly increase an organization’s resilience to cyberattacks.

5.4 CSMS within an Organization

As has already been mentioned, a positive cybersecurity culture, appropriate investment, and effective cybersecurity management could lead to the optimal situation. It should be clearly understood that the role of cybersecurity is to promote an organization’s objectives and guarantee the continuity of its functions, rather than just be another cost center. Therefore, the importance of cybersecurity should be reflected in the organizational structure. TSOs and DSOs should consider having a Chief Information Security Officer (CISO) and a supporting team or department to ensure successful implementation of CSMS in an organization. It is also recommended that there be an organizational structure in which the CISO reports directly to an organization’s board to reflect the importance of cybersecurity, especially in critical infrastructure. [85]

Additionally, it must be noted that the importance of cybersecurity should be well acknowledged in the whole ecosystem, which should include both internal (CEO, board, CISO, other employees) and external partners (vendors, other TSOs and DSOs, regulators). Partnerships and partnership mechanisms, such as reporting, sharing information, and so forth, to leverage skills and experience within the ecosystem may play a crucial role in ensuring the stability of the electric power system.

[85] FTSE 350 boards don’t understand cyber security, says government - Transform Finance.

6. Conclusions

Cybersecurity in ICS has become a critical factor in the successful continuity of many industrial companies. Understanding, evaluating, and preparing for cyber incidents enables uninterrupted business flow, increases safety, and supports reliability. This is extremely relevant to TSO and DSO activities. A secure and reliable electric grid system is at the very heart of every economy. In addition, there is often significant interconnectivity with and interdependence among TSOs and DSOs from neighboring countries. The connection of grids between countries adds even more complexity due to the different approaches, standards, and regulations. In view of the vast potential damage, the ICS of TSOs and DSOs are very attractive to cyber attackers.

The speed with which digital technologies are entering the world of the energy sector is impressive. Equally impressive are the benefits that come with these new technologies, ranging from economic advantages and reduced service costs to the environmental good of introducing more green energy into the system. However, the benefits of this technological breakthrough make the network vulnerable to cyberattacks that can potentially compromise the entire system. This means that TSOs and DSOs must prepare the systems, personnel, and procedures to protect their organizations from such attacks.

Power grids are critical infrastructure that require not a random but rather a holistic approach to cybersecurity management to ensure the maximum security and availability of electricity. Adequate protection of the electricity sector requires a systematic, continuous process of cybersecurity management. The fundamental activities of the process involve the establishment of a cybersecurity program, the assessment and treatment of risks, and the regular evaluation, monitoring, and improvement of cybersecurity within an organization. These activities should progress cyclically. Although ideally general organizational cybersecurity management should be an all-inclusive (i.e., covering OT and IT) component of a general risk management program (one that also includes traditional physical security, business continuity, and disaster recovery), running a dedicated cybersecurity program for an ICS in the case of TSOs and DSOs makes sense, as ICS are increasingly becoming a target for cyberattacks.

As cybersecurity management is still an evolving concept, energy and other utility organizations can apply several reasonably simple, cost-effective, and easy-to-understand best practices. Following recognized international standards and tools, leading to a comprehensive understanding of what needs to be addressed and how, may be a good starting point. Furthermore, taking into account the financial, regulatory, and legal constraints involved, a phased approach to cybersecurity strengthening for TSOs and DSOs in developing countries may be the only way to proceed.

In addition, a few other points are important:

» The prioritization of cybersecurity at different levels (internally, nationally, and internationally) and communication with all stakeholders. It is important to understand the problematic and critical significance of cybersecurity not only for infrastructure owners, but also for policy makers and governments. The effective prevention of potential threats to the electricity system or any other critical infrastructure should be a priority. Cybersecurity issues must thus be seen as one of the most important political and technological topics on any government’s agenda. Governments need to increase their awareness of risk prevention and response and adopt innovative policies. They also need to build effective partnerships with infrastructure owners and operators to define a shared security vision and establish mutually agreed protection and recovery measures. Cyber risks and threats, along with the ways to defend against them, also need to be broadly communicated and discussed with all the relevant stakeholders. This level of awareness, together with the dynamic exchange of cybersecurity information and continuous education on the topic, may be critical factors in this fierce cyber war.

» Legal frameworks in developing countries are often fragmented and lacking clear provisions related to the security requirements (including cybersecurity) of critical infrastructure and essential services. Countries may consider comparing and aligning their national legislation with international best practices (see Annex 2), as legislative certainty is not only a key to better national and international cooperation against cybercrime, it also enables stakeholders to contribute to enhancing the cyber resilience of a given sector or economy as a whole.

» In the context of the current growth of cyber activities across the globe, there is still a growing need for i) strong cyber capacity building, ii) a better grasp of how to implement cyber capacities in practice (for all involved, including market players, regulators, and policy makers), and iii) a better understanding that cybersecurity measures, especially for critical infrastructure owners, are a necessity, an understanding that should be reflected in regulatory measures that allow for some flexibility in cost accounting, depreciation terms, and other important elements.

» International cooperation. TSOs and DSOs from different countries should exchange knowledge to learn from each other and prepare joint and synchronized actions during a cyber crisis. Joint efforts nationally and internationally, as well as appropriate prevention and an aggressive defense, could be a major deterrent to cybercrime.

» As TSOs and DSOs represent very interconnected structures, the different cybersecurity standards applied by different entities may put in danger the whole system nationally and/or internationally. Grid and distribution codes [86] and their revision may be used as a primary instrument to capture cybersecurity requirements for grid connectivity and operations. They may also be used to unify the cybersecurity standards applied by operators.
An example is the Network Code on Cybersecurity. In February 2020, the European Commission set up a drafting team of relevant stakeholders to set European standards for the cybersecurity of cross-border electricity flows. The Network Code includes rules on cyber risk assessment, common minimum requirements, monitoring, reporting, and crisis management. [87]

[86] The grid code, also known as the transmission code in some countries, is the set of rules a TSO uses to define conditions for accessing the electricity grid. In some countries, a DSO sets the rules for the electricity grid at the low-voltage or distribution level separately in the distribution code.
[87] Cybersecurity (entsoe.eu).

Annex 1. Summary of IT and OT System Differences

Security goals and main focus
IT: Confidentiality, integrity, availability of information; server and endpoint security.
OT: Safety, operability, continuity of the physical process, control device, and process stability/reliability.

Performance requirements
IT: Non-real time. Response must be consistent. High throughput is demanded. High delay and jitter may be acceptable. Less critical emergency interaction. Tightly restricted access control can be implemented to the degree necessary for security.
OT: Real time. Response is time-critical. Modest throughput is acceptable. High delay and/or jitter is not acceptable. Response to human and other emergency interaction is critical. Access to industrial control system (ICS) should be strictly controlled but not hamper or interfere with human-machine interface.

Availability
IT: Delays are acceptable (95–99%). Responses such as rebooting are acceptable. Availability deficiencies can often be tolerated, depending on the system’s operational requirements.
OT: Continuous operations (99.9–99.999%). Responses such as rebooting may not be acceptable because of process availability requirements. Availability requirements may necessitate redundant systems. Outages must be planned and scheduled days/weeks in advance. High availability requires exhaustive pre-deployment testing.

Risk management requirements
IT: Manage data. Data confidentiality and integrity are most important. Fault tolerance is less important, and momentary downtime is not a major risk. Major risk impact is delay of business operations. Focus on threat mitigation.
OT: Control physical world. Human safety is paramount, followed by protection of the process. Fault tolerance is essential, and even momentary downtime may not be acceptable. Major risk impacts are regulatory non-compliance, environmental impacts, and loss of life, equipment, or production.

Change management
IT: Regular maintenance. Software changes are applied in a timely fashion in the presence of good security policy and procedures. The procedures are often automated.
OT: Highly managed and complex. Software changes must be thoroughly tested and deployed incrementally throughout to ensure that the integrity of the control system is maintained. The outages often must be planned and scheduled days/weeks in advance. ICS may use operating systems that are no longer supported.

Authentication
IT: Often centrally managed user accounts, two-factor authentication.
OT: Often local to each device, may be very basic.

System operation
IT: Systems are designed for use with typical operating systems. Upgrades are straightforward with the availability of automated deployment tools.
OT: Differing and possibly proprietary operating systems, often without security capabilities built in. Software changes must be carefully made, usually by software vendors, because of the specialized control algorithms and perhaps modified hardware and software involved.

Problem response
IT: Reboot.
OT: Fault tolerance, online repair.

Scanning and patching
IT: Regularly scheduled.
OT: Rare, unscheduled, and complex.

Anti-virus
IT: Common, widely used.
OT: Uncommon, difficult to deploy effectively.

Communications
IT: Standard communication protocols. Primarily wired networks with some localized wireless capabilities. Typical IT networking practices.
OT: Many proprietary and standard communication protocols. Several types of communications media used, including dedicated wire and wireless (radio and satellite). Networks are complex and sometimes require the expertise of control engineers.

Component lifetime
IT: 3 to 5 years.
OT: Up to 20 years.

Managed support
IT: Allow for diversified support styles, diversity of vendors.
OT: Service support is usually via a single vendor.

Resource constraints
IT: Systems are specified with enough resources to support the addition of third-party applications such as security solutions.
OT: Systems are designed to support the intended industrial process and may not have enough memory and computing resources to support the addition of security capabilities.

Component location, physical security
IT: Components are usually local and easy to access. Components are mostly concentrated in a central area that is not accessible to the public and is protected against physical tampering.
OT: Components are widely dispersed, some in publicly accessible areas that may be subject to physical tampering. Some can also be isolated, remote, and require extensive physical effort to gain access to.

Source: Authors, based on NIST, “Guide to Industrial Control Systems (ICS) Security” (Gaithersburg, MD: National Institute of Standards and Technology, 2015); and “Trends and Challenges Shaping the Security Look of OT and IoT Systems,” ActiveCyber, October 4, 2021.

Annex 2. Cybersecurity of Energy Infrastructure in the European Union, United States, and Australia: Relevant Policy and Legislation Overview

European Union

2008, Council Directive 2008/114/EC: Council Directive 2008/114/EC of December 8, 2008, on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection is the main EU legislation for the protection of critical infrastructure in the energy and transport sectors. It establishes procedures for identifying and designating European critical infrastructures and introduces a common approach to assessing their protection and the need to improve it.

2013, EU Cyber Security Strategy: The EU Cyber Security Strategy issued in February 2013 outlines the EU’s vision for building cybersecurity capabilities. It has three aims: first, to strengthen the security and resilience of networks and information security systems; second, to prevent and fight cybercrime; and third, to establish a more coherent cybersecurity policy across Europe.

2016, Directive (EU) 2016/1148: The EU’s Directive on Security of Network and Information Systems (NIS Directive) forms the basis for the current EU cybersecurity regime.
It requires the designation of competent national authorities to monitor the application of the Directive, the creation of cybersecurity incident response teams, and the adoption of national cybersecurity strategies in all EU member states. It also obligates essential and digital service providers to take the appropriate security measures and to notify the relevant national authorities about serious incidents.

2019, Regulation (EU) 2019/881: Regulation (EU) 2019/881 of the European Parliament and of the Council of April 17, 2019, implements the EU Cybersecurity Act, which equips the EU with further legislation on the certification of cybersecurity products and services and also reinforces the mandate of the EU Agency for Cybersecurity (ENISA). It aims to strengthen the EU’s response to cyberattacks, improve cyber resilience, and increase trust in the digital single market.

2019, Recommendation (EU) 2019/553: In April 2019, the European Commission issued a recommendation on energy cybersecurity that contains guidelines that member states and key stakeholders (particularly energy grid operators) should take into account when making decisions on infrastructure. These measures include carrying out cybersecurity risk analysis and preparedness, in particular for legacy systems, updating software and hardware, and establishing an automated monitoring capability for security events in legacy environments.

2019, Regulation (EU) 2019/941: The Electricity Risk Preparedness Regulation focuses on crisis prevention and crisis management in the electricity sector. It foresees the development of common methods to assess cyber risks, including risks of cyberattacks, common rules for managing crisis situations, and a common framework for better evaluation and monitoring of electricity supply security.
June 2019 | Evaluation of the Critical Infrastructure Directive (2008) | In June 2019, the European Commission published an evaluation of the Critical Infrastructure Directive (2008) that determined that its relevance had diminished in the light of evolving challenges brought about by technological, economic, social, political, and environmental developments. It concluded that the Directive had been partially effective but had failed to establish a common approach to the assessment of critical infrastructure protection measures. Options identified for a future review of the Directive include a more systems-focused approach and better alignment with other relevant EU legislation.

2020 | EU Cybersecurity Strategy for the Digital Decade | The European Commission presented a new EU Cybersecurity Strategy at the end of 2020. It covers the security of essential services, such as hospitals, energy grids, and railways, as well as the security of the ever-increasing number of connected objects in homes, offices, and factories. The Strategy focuses on building collective capabilities to respond to major cyberattacks and on working with partners around the world to ensure international security and stability in cyberspace. It outlines how a Joint Cyber Unit can ensure the most effective response to cyber threats using the collective resources and expertise available to the EU and member states.

2020 | Revision of the NIS Directive (2016) / Proposal for a NIS2 Directive | The NIS Directive of 2016 was reviewed at the end of 2020. As a result of the review, the European Commission presented a proposal for a directive on measures for a high common level of cybersecurity across the EU (the NIS2 Directive) on December 16, 2020. The proposal aims to improve the resilience and incident response capacities of public and private entities and owners of critical infrastructure. It categorizes entities as “essential” or “important” based on the criticality of their services and lays down differentiated cybersecurity risk management and reporting obligations for each category. The proposal also introduces greater legal harmonization across the EU.

2020 | Proposal for a new Directive on the resilience of critical entities | The European Commission adopted a proposal for a new directive on the resilience of critical entities that expands both the scope and depth of the 2008 European Critical Infrastructure Directive. Ten sectors would be covered: energy, transport, banking, financial markets, health, drinking water, wastewater, digital infrastructure, public administration, and space. Under the proposed directive, each member state would adopt a national strategy for ensuring the resilience of critical entities and carry out regular risk assessments.

2021 | Draft Network Code on Cybersecurity (NCCS) | The Network Code on Cybersecurity aims to set a European standard for the cybersecurity of cross-border electricity flows. It includes rules on cyber risk assessments, common minimum requirements, cybersecurity certification of products and services, monitoring, reporting, and crisis management.

Source: Authors based on publicly available information.

United States

2005 | Energy Policy Act | This is probably the first significant piece of legislation adopted in the United States to address the growing challenge of cybersecurity in the energy sector. The act granted the Federal Energy Regulatory Commission (FERC) the power to certify an Electric Reliability Organization (ERO) to develop and enforce mandatory reliability standards for the bulk-power system.

2006 | North American Electric Reliability Corporation | The North American Electric Reliability Corporation (NERC) was designated as the ERO for the United States, and recognized in several Canadian provinces, in 2006. NERC is responsible for developing the Critical Infrastructure Protection (CIP) standards, which are submitted to FERC for approval. Of the 12 CIP standards currently subject to enforcement, 11 address cybersecurity and one addresses the physical security of the grid.88

2013 | Executive Order 13636, Improving Critical Infrastructure Cybersecurity, and Presidential Policy Directive 21 (PPD-21), Critical Infrastructure Security and Resilience | Executive Order 13636 and PPD-21, both issued in 2013, reinforce the need for holistic thinking about security and risk management. They direct federal agencies to develop, and to incentivize participation in, a technology-neutral cybersecurity framework, and to increase the volume, timeliness, and quality of the cyber threat information they share with the private sector.

2014 | Cybersecurity Enhancement Act | The Cybersecurity Enhancement Act of 2014 updated the role of NIST to include identifying and developing cybersecurity risk frameworks for voluntary use by critical infrastructure owners and operators. NIST must identify “a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls that may be voluntarily adopted by owners and operators of critical infrastructure to help them identify, assess, and manage cyber risks.”

2014 | NIST Framework for Improving Critical Infrastructure Cybersecurity | NIST released the voluntary Framework for Improving Critical Infrastructure Cybersecurity in February 2014 to provide a common language that organizations can use to assess and manage cybersecurity risk. The Framework recommends risk management processes that enable organizations to inform and prioritize cybersecurity decisions based on business needs, without imposing additional regulatory requirements. Version 1.0 was published in 2014; a draft revision was issued in 2017 and version 1.1 was released in 2018.

2017 | Executive Order 13800: Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure | Executive Order 13800 aims to improve the nation’s cyber posture and capabilities in the face of intensifying cybersecurity threats. The order focuses federal efforts on modernizing federal information technology infrastructure, working with state and local government and private sector partners to more fully secure critical infrastructure, and collaborating with foreign allies. The work undertaken to implement EO 13800 reflects the strong cooperation across the federal government and with industry partners to safeguard critical infrastructure and reduce national cybersecurity risk.

2018 | Cybersecurity and Infrastructure Security Agency Act | The Cybersecurity and Infrastructure Security Agency Act of 2018 was signed by the president to create the Cybersecurity and Infrastructure Security Agency (CISA) under the Department of Homeland Security. The Agency leads the national effort to understand, manage, and reduce risk to the country’s cyber and physical infrastructure.

2018 | Establishment of the Office of Cybersecurity, Energy Security, and Emergency Response | The Office of Cybersecurity, Energy Security, and Emergency Response (CESER) at the U.S. Department of Energy (DOE) was established in 2018. Its creation aims to elevate the DOE’s focus on energy infrastructure protection and to enable more coordinated preparedness for, and response to, natural and man-made threats.

2020 | Executive Order 13920: Securing the United States Bulk-Power System | Executive Order 13920 (May 2020) directs the Secretary of Energy to work with other federal agencies to ensure that the acquisition of bulk-power system electric equipment is in line with national security requirements. The bulk-power system comprises the facilities and control systems necessary for operating an interconnected electric energy transmission network and the electric energy from generation facilities needed to maintain transmission system reliability.

Ongoing | Cyber Sense Act of 2021 | The act would direct the DOE to establish a voluntary program to test the cybersecurity of products and technologies intended for use in the nation’s bulk-power system.

Ongoing | Enhancing State Energy Security Planning and Emergency Preparedness Act of 2021 | The act would authorize the DOE to provide financial assistance to states to develop or revise their State Energy Security Plans. It also specifies the contents of a State Energy Security Plan, including the need for coordination and joint exercises with industry and federal stakeholders. Finally, it would authorize the DOE to spend US$90 million annually in FY2022–26 on financial and technical assistance to states as they develop and update their plans.

Ongoing | Enhancing Grid Security through Public-Private Partnerships Act | The act would direct the DOE to implement a program to facilitate and encourage public-private partnerships in order to address and mitigate the physical security and cybersecurity risks of electric utilities.

88 “CIP Standards,” North American Electric Reliability Corporation.
Ongoing | Energy Emergency Leadership Act | The act would create a new DOE Assistant Secretary position with jurisdiction over all energy emergency and security functions related to energy supply, infrastructure, and cybersecurity.

Source: Authors based on publicly available information.

Australia

2014 | Establishment of the Australian Cyber Security Centre | The Australian Cyber Security Centre (ACSC) was established in 2014, and Joint Cyber Security Centres were subsequently positioned in state capitals around the country. The ACSC is a hub for private and public sector collaboration and information sharing on cybersecurity to prevent and combat threats and minimize harm to citizens. It provides advice and assistance across the whole economy, including to critical infrastructure and systems of national interest, federal, state, and local governments, small and medium-sized businesses, academia, and not-for-profit organizations. The ACSC oversees a nationwide program of cyber resilience and response activities for the electricity industry and for government agencies with an energy and/or cybersecurity role, including information exchange and training activities.

2017 | Critical Infrastructure Centre | The Critical Infrastructure Centre was established in January 2017 to safeguard Australia’s critical infrastructure. The Centre, located within the Department of Home Affairs, works across all levels of government and with owners and operators to identify and manage risks to Australia’s critical infrastructure. It brings together expertise and capacity from across the government to manage the increasingly complex national security risks of sabotage, espionage, and coercion in sectors such as telecommunications, electricity, gas, water, and ports.89

2018 | Security of Critical Infrastructure Act | The Security of Critical Infrastructure Act 2018 seeks to manage complex and evolving national security risks. It contains a range of powers, functions, and obligations that apply only to specific critical infrastructure assets in the electricity, gas, water, and port sectors; approximately 200 assets in these sectors are covered.

2018 | Australian Energy Sector Cyber Security Framework (AESCSF)90 | The Australian Energy Regulator and the Australian Energy Market Operator, together with energy providers, have developed the AESCSF. It combines industry good practice from a range of trusted sources, such as the U.S. DOE’s Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) and the NIST Cybersecurity Framework (CSF), with controls from ISO/IEC 27001, NIST SP 800-53, and the Control Objectives for Information and Related Technologies (COBIT). It builds on the ACSC’s Essential Eight Strategies to Mitigate Cyber Security Incidents and the Australian Privacy Principles.

2021 | Establishment of the Cyber and Infrastructure Security Centre | On September 1, 2021, the Cyber and Infrastructure Security Centre was established within the Department of Home Affairs. It aims to deliver a best-practice, industry-focused, active, and engaged regulatory and partnership function that works with industry to protect Australia’s critical infrastructure. The Centre drives an all-hazards regime of critical infrastructure protection, enabled by a stronger focus on cybersecurity.

Ongoing | Security Legislation Amendment (Critical Infrastructure) Bill 2020 | On December 10, 2020, the Minister for Home Affairs introduced the Security Legislation Amendment (Critical Infrastructure) Bill 2020 to Parliament. The bill would amend the Security of Critical Infrastructure Act 2018, expanding both its coverage beyond the four original sectors (electricity, gas, water, and ports) and the substance of the regulatory obligations on private owners and operators of critical infrastructure assets. In addition, it proposes to confer on government an extraordinary power of intervention in response to cybersecurity incidents affecting critical infrastructure assets.

Source: Authors based on publicly available information.

89 “Critical Infrastructure Resilience,” Department of Home Affairs, Canberra.
90 “Cyber Security for the Australian Energy Sector,” Huntsman, June 29, 2020.

Annex 3. A Comparative Summary of Relevant Standards

The annex compares the standards listed below according to which of the following security areas each one covers.

Security areas compared: communications and operations management; systems development and maintenance; risk assessment and vulnerabilities; physical and environmental security; certification procedures and audit; business continuity management; asset classification and control; industrial control systems (ICS); organizational security; incident management; personnel security; security policy; access control; compliance.

Standards compared: ISO/IEC 27001; ISO/IEC 27002; ISO/IEC 27005; ISO/IEC 27006; ISO/IEC 27019; ISO/IEC 27035-1; ISO/IEC 24762; ISO 31000; ISO 19011; ISA/IEC 62443; MAGERIT; NIST SP 800-27; NIST SP 800-30; NIST SP 800-34; NIST SP 800-53; NIST SP 800-61; NIST SP 800-64; NIST SP 800-100; ISO/IEC 15408; ISO/IEC 19791.

Source: Authors, based on C. Alcaraz, G. Fernandez, and F. Carvajal, “Security Aspects of SCADA and DCS Environments,” in Critical Infrastructure Protection: Information Infrastructure Models, Analysis, and Defense, LNCS 7130 (Heidelberg: Springer-Verlag, 2012), 120–149.