You need an account to access this content
Create a free account and get access to all downloads and more!
As the world becomes increasingly digitized, so too does the power generation industry. The power generation industry is becoming more and more ‘online’ as consumers demand more from their power generation suppliers. Historically power was generated, supplied, and used in a relatively simple, (and one-way), fashion. Systems were constructed as isolated solutions, or were at least ‘air-gapped’ from the internet. These systems were guarded by what’s been called a ‘security by obscurity’ system – meaning they weren’t vulnerable because they weren’t seen.
However, with increasingly sophisticated consumers, ‘smart grid’ programs such as demand response and spot price dispatch, and even something as simple as online billing, the need for connectedness, and the need for data is what is now driving the power generation industry. This data requires remote access and along with remote access comes cyber security vulnerability.
Along with the increasing connectedness and the progressively data driven power generation industry come expanding vulnerabilities in power generation systems. Criminals, politically motivated (or even state sponsored) hackers, and cyberterrorists are increasingly targeting power generation infrastructure due to the vulnerable nature of power generation systems, and the severe impact loss of power has to our way of life. Whether it be due to insecure IT systems, outdated or poorly maintained equipment, or even the assumed ‘security by obscurity’ principle mentioned earlier, power generation systems are susceptible to intrusion.
One such event took place on December 23rd, 2015. There was a cyber-attack on three power companies in Ukraine. This was a revolutionary event for the power generation industry as it was the first known cyber attack on an electricity grid’s operations. This cyber-attack left more than 225,000 customers without power for over six hours. But more importantly, the attack disrupted SCADA systems within the power companies, which in some cases took over a year to fix.
Systems are getting smarter, but so are cyber-attackers, which means power generation operators need to keep up to date with the latest in security to ensure that their systems are not compromised.
When cyber-security is mentioned, it is usually thought of as an IT problem involving servers, network communications, and mobile devices. These systems are updated regularly and have vulnerabilities patched. However, as with the Ukraine attack, it is increasingly the OT, or operational technology that is the main vulnerability in power systems ready for exploitation by hackers. Operational technology in power generation includes any of the systems used to manage, monitor, control and transmit power. These OT systems are usually made up of older devices that are complicated and expensive to replace, or legacy systems which have been in place for 10-20 years. These legacy systems, in combination with IT hacks, can lead to power generation systems becoming vulnerable to attacks.
Providing cyber-security for industrial control systems present several unique challenges, including:
This is in addition to the usual IT cybersecurity vulnerabilities – including the biggest weakness of all: human users. A company can build secure IT and OT infrastructure, but it will still be vulnerable due to the staff tasked with using, monitoring and maintaining the system. Something as simple as clicking on a link in a malicious email can let hackers infiltrate a system and load malware into it – which is what happened in the Ukraine example.
The ISA-62443-1-2009 Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program2 recommends any business with OT systems focus on four key areas when evaluating OT systems for security vulnerabilities.
What are the possible negative outcomes in a cyber-attack to your organisation?
In a power generation organisation, the negative outcomes are clear – loss of power for customers. Then there are the negative outcomes for your customers, which may lead to legal action or more.
What is the threat environment in which your organisation operates?
Power stations and other power infrastructure sites are increasingly becoming targets for hackers because of the potential damage loss of power can cause. Not just to the power station itself, but to hospitals, datacentres, traffic control and other essential services that they can take of the grid and exploit in a coordinated attack.
What is the cost of recovery from a cyberattack? How long would it take?
In the Ukraine example, power was restored within a matter of hours. However, it took almost a year to ensure the security of their network again. It is not just the issue of getting the power restored that is important in recovery from a cyber-attack in power generation. There is also the reputational harm to the organisation to be considered.
What is the cost for OT upgrades and cybersecurity protocols?
The cost to upgrade or replace OT equipment can be high, but on the other hand, the cost of repairing systems and reputations after a cyber-attack is much higher.
ComAp designs and manufactures OT equipment for the power generation industry. The remote monitoring of ComAp products allows our customers to save time, save money, and provides reliable data for making crucial business decisions. However, these advantages require our products to be connected to the internet. Security has always been a focus at ComAp, so our customers can rest assured ComAp always has and always will take the security of customers data and equipment seriously.
When we are developing products at ComAp, we adhere to the principle of ‘Security by Design’. Security by design means that when we begin a new product development process, we start with the question “what are the requirements for cyber-security?”
As part of this process, we have developed five essential criteria for security:
We update firmware for our products for various reasons, including updating to any new security protocols, to add new features or to fix any bugs that may have been identified.
We recommend all our customers to update their controllers’ firmware to the latest version as soon as practical for their application. The software updates are available on the products’ pages on our website. Installing the new firmware is easy, and our technical support department can provide any assistance you might need.
All ComAp controllers have a default password. This default password should be changed immediately upon installation of the controller. Do not choose a password that is easily guessed. If you need help changing the default password, consult the product manual or contact ComAp’s technical support department.
We recommend to use multiple accounts and give users minimum levels of access needed to perform his/her job functions. Individual login credentials also ensure that any actions or changes made while a user is logged in can be recorded and monitored.
Contact your local ComAp representative to see how ComAp products and services can help you maintain your power generation securely, whilst also giving you the flexibility to monitor and manage your equipment via the internet.