A Holistic Approach to OT Cybersecurity in Renewable Energy Projects

Had a productive time representing SEL Inc at a recent solution validation meeting for a utility-scale renewable energy generation project. While it was great to see innovative ideas being presented on OT Cybersecurity, a few areas for improvement were identified.

First, the operator of the generation site should develop and implement an overall risk management strategy that includes an OT cybersecurity risk strategy. This strategy can be divided into three categories based on methodology:

  1. Maturity Model Methodology: Provides the operator with a method to assess the degree of an organization’s alignment with best practices in the structure and operation of the organization and its IT and OT systems. (Hint: AESCSF, ES-C2M2)
  2. Control-Based Methodology: Addresses the technical aspects related to the configuration of IT and OT systems and protective hardware and software. (Hint: NIST CSF)
  3. Compliance Methodology: Focuses on specific mandatory requirements. (Hint: NERC CIP, IEC 62443)

Second, the operator’s enterprise architecture should be included as one component of a risk assessment package. The architecture identifies, for example, the hardware, software, applications, internal and external stakeholders (AEMO, TNSP), other generation sites owned by the operator, vendors, contractors, and data included in the system.

An architecture framework methodology should be defined at the enterprise level to ensure consistency of the architectures developed throughout the organization. Typically, an enterprise architecture does not address cybersecurity specifically, such as the overall attack surface, attack vectors, potential vulnerabilities, and applicable response strategies. Cybersecurity is documented in policies and procedures defined at the organization level. At the system level (generation site), these policies and procedures should be tailored and specifications developed.

The challenge is to develop a security architecture methodology that augments, rather than replaces, current enterprise architecture methodologies and is useful to the operator. The resulting security architecture should document the baseline architecture, the target architecture, and the transition approach. At a minimum, a security architecture includes:

  1. A diagram displaying the physical devices and communication links between the devices. The source could be the enterprise architecture diagram. Applicable standards should be included.
  2. Identification of the access points to various devices. These access points can be used by an attacker, including an insider, to initiate intrusion into the system.
  3. Identification of potential vulnerabilities that may be exploited by an attacker.
  4. Specification of response strategies to potential system compromises. The response strategy may include the selection and implementation of cybersecurity technical controls. Applicable standards should be included.

Finally, based on a risk assessment strategy, the systems should be prioritized and the security objectives of confidentiality, integrity, and availability specified for each system. A security architecture should address the requirements and potential risks for each system that is implemented in a specific operational environment. The security architecture should also identify where to apply security controls and applicable standards/guidelines. A security architecture should be overlaid on an existing system/enterprise architecture that may include, for example, the various devices, communications links, communications protocols, operating systems, applications, and data. The security architecture should augment the existing architecture and include the attack vectors, potential vulnerabilities, and mitigation strategies. Output from a cyber kill chain analysis can be used in developing the target security architecture.

The development of a security architecture should be one component of an overall cybersecurity risk management strategy and should facilitate the objectives to manage exposure to business risk. The security architecture may be used as input to evaluate the likelihood and impacts of security threats and vulnerabilities. A security architecture can be developed for the current system and for the target system. These security architectures can then be used to:

  • Identify cybersecurity gaps and mitigation strategies to address these gaps,
  • Perform a cyber kill chain analysis,
  • Assess the operational implementation,
  • Ensure that the overall cybersecurity risk management strategy is mirrored in the mitigation strategies,
  • Assist in the analysis of new threats, technologies, and vulnerabilities.

The resulting OT security architecture diagram will be one component of the cybersecurity risk assessment package that supports a comprehensive cybersecurity risk strategy.
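
As an added illustration (not part of the original article), the four minimum elements of a security architecture listed above can be kept as a machine-readable overlay on the architecture diagram, so that gap identification and the baseline-to-target transition become repeatable checks. The device names, access points, findings and response strategies below are constructed sample data, and the class and function names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class AccessPoint:
    device: str                      # device in the architecture diagram
    name: str                        # how the device can be reached
    vulns: dict = field(default_factory=dict)  # vulnerability -> response (None = unspecified)

@dataclass
class SecurityArchitecture:
    devices: dict                    # device -> priority from the risk assessment (1 = highest)
    links: list                      # (device_a, device_b, protocol)
    access_points: list

    def dangling(self):
        """Overlay entries that reference devices missing from the diagram."""
        refs = {ap.device for ap in self.access_points}
        refs |= {d for a, b, _ in self.links for d in (a, b)}
        return sorted(refs - set(self.devices))

    def responses(self):
        """Map (device, access point, vulnerability) to its response strategy."""
        return {(ap.device, ap.name, v): r
                for ap in self.access_points for v, r in ap.vulns.items()}

    def gaps(self):
        """Vulnerabilities with no response strategy, highest-priority device first."""
        open_items = [k for k, r in self.responses().items() if r is None]
        return sorted(open_items, key=lambda k: (self.devices.get(k[0], 99), k))

def transition(baseline, target):
    """Responses the target specifies that the baseline lacks or does differently."""
    have = baseline.responses()
    return {k: r for k, r in target.responses().items() if r and have.get(k) != r}

# Constructed sample site; device names and findings are illustrative only.
DEVICES = {"plant-controller": 1, "inverter-gateway": 2, "eng-workstation": 3}
LINKS = [("plant-controller", "inverter-gateway", "Modbus TCP"),
         ("eng-workstation", "plant-controller", "SSH")]
BASELINE = SecurityArchitecture(DEVICES, LINKS, [
    AccessPoint("plant-controller", "vendor remote access", {"shared account": None}),
    AccessPoint("inverter-gateway", "Modbus TCP port", {"unauthenticated writes": None}),
    AccessPoint("eng-workstation", "USB port", {"removable media": "port lockdown"}),
])
TARGET = SecurityArchitecture(DEVICES, LINKS, [
    AccessPoint("plant-controller", "vendor remote access", {"shared account": "per-user MFA"}),
    AccessPoint("inverter-gateway", "Modbus TCP port", {"unauthenticated writes": "zone firewall"}),
    AccessPoint("eng-workstation", "USB port", {"removable media": "port lockdown"}),
])
```

`BASELINE.gaps()` lists the open items in risk-priority order, and `transition(BASELINE, TARGET)` yields the controls that make up the transition approach.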

Conclusion: any OT solution provided without the aforementioned steps as a foundation will be devoid of substance and will cost the project and organization more in the long run. Remember, security can’t be bolted on; it must be integrated into the entire engineering process and must account for the unique circumstances of your organization and of the particular project.
