Enacting Organisational Action Towards the Goal of Cyber-Resilience

Cybersecurity at the eye of the storm

The Smart Grid is a modern electrical power system designed to integrate advanced technologies, such as renewable energy sources, energy storage systems, and intelligent control systems. These technologies make the Smart Grid more efficient, reliable, and sustainable than traditional power systems, especially considering the scale of the challenge that integrating Distributed Energy Resources (DER) represents.

However, with the increasing use of digital technologies and the Internet of Things (IoT) in the power grid, there is also an increased risk of cyber threats capable of compromising the security and reliability of the grid. The Cyber Priority report published by DNV in 2022 ?asked over 900 industry professionals about the current most pressing concern in the sector, and 71% of the interviewees placed cyberattacks in the number one spot.

Last week, the Smart Grid Forums ’ LinkedIn page featured content related to Smart Grid cybersecurity, highlighting multiple trending topics about development strategies, technological approaches, and other implementation aspects. In this article, I will dive deeper into cybersecurity governance as a key piece of the puzzle that allows greater adaptability and defence.

IT – OT integration challenges

First, it is important to understand that Smart Grid systems are divided into two main areas, information technology (IT) and operational technology (OT). When it comes to the former, operators have already developed effective defence and protection mechanisms to ensure information and data integrity.

On the other hand, operational technology is currently facing a significant challenge since it has evolved rapidly with the adoption of smart grid technologies. Previously, analogue technology meant the infrastructure was naturally armoured against cyberattacks, nevertheless, the recent trend toward digitalisation has removed this protective layer with the introduction of remote-control functions of intelligent electronic devices (IEDs).

A fairly obvious question is why not apply IT cybersecurity approaches to OT systems? The answer is complex, and the most concise way to frame it is: Compatibility.

Let’s recap briefly and not forget that both systems serve different purposes. Information technology is concerned with data communication, and operational technology deals with remote operations and infrastructure control. Therefore transposing IT cybersecurity approaches to OT systems raises some questions about preserving productivity rates.

Effective governance as the key enabler

Another layer of complexity is added when considering the vast plurality of structures within each company. This scenario makes the one-size-fits-all solution virtually unfeasible in the short term. The response to this, at first sight seemingly pessimistic situation, has been spearheaded by strengthening cybersecurity governance strategies.

The American? Cybersecurity and Infrastructure Security Agency or CISA defines cybersecurity governance as a “strategy that integrates with organisational operations and prevents the interruption of activities due to cyber threats or attacks”. In other words, the idea of generating an organisational plan to deal with such situations resides at the core.

DNV’s customer success director, Shaun Reardon has carried out a great deal of work on the topic and addresses the importance of C-level involvement by raising awareness of the relevance and urgency of the issue. This top-down approach can provide the necessary ingredients to create a cohesive structure meant to deal with constantly changing threats and create clear guidelines within the organisation.??

The availability of funds destined for drafting governance strategies would be the first consequence of involving senior executives. The next step entails clear decision-making hierarchies and effective communication channels. The last piece of the puzzle would be to formulate technical strategies capable of cementing reliable management mechanisms. These are crucial in the context of surveillance, reaction and recovery.

Resilience and Collaboration

Summarised, developing effective cybersecurity governance frameworks can only work after defining a process in which people will actively monitor, protect, and address vulnerabilities with the assistance of continuously evolving technologies. A symbiotic system is made of different variables working together towards the same goal.

The growing concern for these types of attacks has elicited strong reactions at the national and international levels. Government entities have emitted guidelines meant to aid private companies in tailoring their strategies. Nevertheless, a crucial part of the process resides in the operator's ability to collaborate. Despite concerns about exposing each other's vulnerabilities, the only way forward is to expand the entire ecosystem of operators.

As a result, the key lies in operators' ability to share experiences and implement progressive solutions as a catalyst for effective personalised cybersecurity governance frameworks.

?References:

Cybersecurity Governance, CISA, 2023

SEC Proposes New Cybersecurity Rules for Public Companies, Security Intelligence, 2022

Survey of Cybersecurity Governance, Threats, and Countermeasures for the Power Grid, Energies, 2022

Risk Management Guidance, National Cyber Security Centre, 2016

The Cyber Priority, DNV, 2022

Cyber threats to critical infrastructure: why collaboration is key, DNV, 2022?