Cybersecurity for Utilities in a Multi-Vendor World
As microgrids, installed solar, and EVs become more economically feasible and prevalent, the utilities industry must manage the complexity of two-way power flows and distributed generation resources.
By Duncan Greatwood
Utilities are among the growing span of industries impacted by the rise of Internet of Things (IoT) devices and increasingly connected systems. As distributed energy resources (DERs) such as microgrids, installed solar, and EVs become more economically feasible and prevalent, the utilities industry is suddenly grappling with a shift away from a few centralized generation resources and one-way power flows to managing the complexity of two-way power flows and distributed generation resources.
This shift is a significant reason for many grid modernization endeavors, including improved communication between interconnected distribution substations as well as new smart sensors and smart meters that are deployed with legacy assets still in operation. Smart meters, sensors, controllers and applications are not only becoming easier to purchase and integrate into substations and microgrids, they’re also increasingly sourced from many suppliers. Where utilities companies were previously dependent on devices that came from a single vendor, or perhaps a handful of them, operators can now find a wide variety of IoT systems, opening up the market to more vendor offerings than ever before. Many suppliers are also recognizing this trend toward multi-vendor environments, including Ron Sege, the CEO of industrial IoT company Echelon, who noted that “while supporting existing grid equipment and its legacy protocols is a must-have ... there’s a trend toward having a common protocol, and common language, in all devices.”
Growing Vendor Complexity
According to Global Market Insights’ IoT Utilities Forecast Report 2024, the market for IoT devices in utilities is expected to hit $15 billion by 2024 as adoption continues to grow. Many operations now rely on a mix of these newer IoT devices working alongside legacy systems, such as in the case of one investor-owned utility (IOU) that filed a grid modernization plan with six times more connected devices than before across its infrastructure. And while these IoT additions have gone a long way toward increasing efficiency and enabling remote and distributed operations, they’ve also introduced a new problem for maintaining strong cybersecurity standards in utility operations.
While multi-vendor operations may improve some aspects of a utility’s offerings, they also create a more complex grid environment, composed of thousands of networked devices — and their corresponding vendor-specific and device-specific security mechanisms. This growing complexity of interconnected devices across various networks creates a security challenge for the utility because enforcing uniform and effective security policies can be cost prohibitive or even impossible across these various technologies.
The utilities industry already faces a variety of cybersecurity challenges, making up more than 20 percent of cyber incidents, as reported in 2016, according Deloitte’s study, Managing Cyber Risk in the Electric Power Sector. The increase in networked devices only broadens the industry’s risk. Recent Federal Energy Regulatory Commission (FERC) fines against two major IOUs for failing to meet compliance standards highlight how much work there is to be done in terms of securing U.S. national infrastructure.
In the past, utility solutions were primarily composed of single-vendor devices that could rely on vendor-specific security solutions to protect their operations. Companies could standardize security protocols and develop network protections according to that one vendor’s security specifications. However, the challenge of applying consistent security practices across various vendor-specific solutions was often left to the utility. As a result, internal costs prevent many utility companies from fully implementing certain cybersecurity policies.
Instead of maintaining several disjointed solutions and attempting to standardize security mechanisms across a variety of devices, the next generation of distribution technologies requires a distributed and vendor-neutral solution to reduce the cost of securing a more transactive distribution grid and device ecosystem.
Rethinking Traditional Cybersecurity
Relying on individual vendors to provide end-to-end security is no longer realistic in the multi-vendor, multi-network distributed-energy world of utilities operations. With each new connected device added to the network, utilities operations increase their risk of successful cyber attacks and other security threats if their systems aren’t properly protected. Modern cybersecurity solutions need to rethink traditional security architectures to become vendor-neutral, to work across all generations, models, types of devices, and applications, and to support zero-trust interactions needed for multi-party distributed energy implementations.
Some solution providers, such as Xage Security, have approached this with a decentralized enforcement model at the application level. This concept allows for fine-grained policy management for devices, apps and people while reducing the overreliance on network-level resources such as VLANs and firewalls. This new approach also provides a security platform for establishing trust for more advanced functions, including machine-to-machine interactions and distributed intelligence at the grid edge. Xage’s security fabric facilitates a secure environment for communication between devices, people and data, regardless of network connectivity, type, bandwidth, latency, or distance.
Comprehensive security should also be able to operate regardless of vendor or device type, across decades-old legacy devices as well as the newest IoT models. Multi-vendor industrial environments are also multi-generational, and emerging technologies need to address this reality by protecting devices regardless of the device’s built-in security, if any.
Although utilities companies previously depended on vendor-specific solutions and devices’ strict adherence to industry security standards, the current shift to dispersed-yet-connected operations with many vendors and many participants requires an overarching and universal solution that protects even in the event of network or device vulnerabilities. As utilities adopt distributed energy and advanced IoT architectures, the landscape of cyber attacks and external hacks is changing too, and it’s time our solutions to these emerging threats changed accordingly. UP
THE AUTHOR: Duncan Greatwood is CEO of Xage. Most recently, he was an executive at Apple, helping to lead a number of its search-technology projects and products, having previously served as CEO of social media search and analytics leader Topsy Lab (acquired by Apple in 2013). Prior to this, he was founder and CEO of PostPath Inc. (acquired by Cisco in 2008), and held roles in engineering, product marketing, corporate development, and sales at Virata and Madge Networks. Duncan holds a B.A. in mathematics, an M.Sc. in computer science from Oxford University, and an M.B.A. from London Business School.