The NERC Critical Infrastructure Protection (CIP) standards will soon become required for electric grids. GCUD engineers turned to a consultant and automation vendors such as Emerson Process Management, Austin, Texas, for direction. “We have a consultant to help with CIP, and the consultant wrote a lot of our procedures and guidelines to meet the requirements,” says Jeff Reams, systems engineer for hydro power plants at GCUD. “We also created an internal group of about 20 of us.”
Unlike a lot of plants implementing security, Reams’ team didn’t run into conflicts with its information technology (IT) department. “IT manages our firewalls, but they stayed out of the control side,” says Reams. “We don’t have the typical turf battle. IT does batch processes, and we’re a hydro facility, so we never shut down.”
In past years, plants haven’t worried about cyber security because they didn’t connect to the outside world. New data systems have changed that for most plants. “Our systems are fairly isolated from the outside world, even from corporate systems. We limit access,” says Reams. Even so, software and devices share data, and where data is shared, there is always the possibility of a breech. The cyber security implementation was prompted by NERC’s assessment program. “Our company is going to have a spot audit next month,” says Reams.
Cyber security has become a major issue with electric plants. NERC has launched a number of programs designed to protect the electric grid from Internet-based attacks. Any connection that goes outside the plant—whether it’s Internet connectivity or dedicated connections to corporate offices—leaves the plant vulnerable to cyber attack.
Prompted by new NERC standards, plants are adding or beefing up cyber security. Sometimes, IT is involved in the process, sometimes not. Often, vendors that are familiar with NERC programs implement and run the security programs.
Outside connections
Electric plants have traditionally been isolated from the outside world. But electric plants are now using automation systems that provide data for corporate offices and allow remote monitoring. That means virtually all electric plants are now connected to the outside world. Some plant operators believe they’re still isolated, but that’s not the case, even if they’re only sending production data to their own corporate offices. “People looking at control systems say ‘I don’t have to worry about cyber security because I’m not connected to the Internet,’” says Paul Forney, system architect at Wonderware, an automation software supplier in Lake Forest, Calif. “But they’re connected to the corporate network and it’s connected to the Internet.”
A good portion of new plant connectivity comes from the development of smart grids. “Renewable power needs to be monitored more frequently than traditional power,” says Eric Casteel, manager of security, SCADA and renewable energy development at Emerson Process Management. “You have wind that’s variable, solar that’s variable, and those variables need to be managed frequently. Oversight is deeper and it’s shared with executives, so it’s exposed to the outside world.”
Any time you share data, there is an opening for an attack. Plants are now run by information systems that transfer data from device to software, software to device. So the reality is that virtually all plants are vulnerable to cyber attack. “Anything, any device, any software that communicates over the Internet is a potential target for attack,” says Tyler Williams, chief executive officer, Wurldtech Security Inc., a cyber security firm based in Vancouver, British Columbia, Canada. “Instead of qualifying the potential risk, we look at the components that exist—which are built for reliability, not for security—and we make them more robust so the hacker can’t get in.”
One of the challenges for cyber security is that it’s abstract. The plant is trying to protect itself from something that hasn’t happened. Safety programs are often developed and augmented based on actual accidents. With cyber security, plants are working to protect themselves from events that have not occurred—potential events.
Yet the prevention of cyber attack can be every bit as important as safety precaution. “People need to look at cyber security like safety,” says Ernest Rakaczky, principal security architect at Invensys Process Systems, in Plano, Texas. “You have a safety organization to make sure training goes on and it’s everybody’s responsibility—everyone is looking out for each other. Everyone needs to feel the same ownership of cyber security.”
Many, if not most, electric plants have turned to consultants and vendors to keep up on NERC developments, standards and compliance requirements. Many vendors and consultants have been involved in the development of NERC programs and industry security standards. “End-users are looking for guidance from us,” says Wonderware’s Forney. “The security of a system relies heavily on the system’s deployment. We can make secure software, but we have no control on how it’s deployed in the field. If we’re involved, we can educate people about cyber security.”
Vendors often take a role in cyber security implementation because it’s not enough to build security into the system’s components. If security is not implemented at the plant itself, the vendor cannot ensure that the system is secure. “As a control supplier, we look at what is required for compliance,” says Invensys’ Rakaczky. “We look at any of the requirements that affect the control product and we put together a major program. We try to position our product so it supports all the compliance requirements.”
When it comes to security, the IT department has deep experience. But IT is accustomed to applying security patches at night when the office workers are gone. It doesn’t matter if a desktop is shut down and restarted at night. Uptime is the high value for the plant control system. You can’t arbitrarily shut it down to implement a patch. Yet the IT department typically doesn’t want to leave security entirely to control engineers who may not be familiar with security systems. “I’ve heard horror stories where IT says they’re going to do everything with security,” says Emerson’s Casteel. “The problem is, they have conflicting objectives. In IT, confidentiality is big. With control, it’s availability.”
At many plants, a compromise is worked out by which control and IT join as a team for implementing security. Often, plants bring in a consultant who is familiar with NERC and safety standards. “Some plants are bringing in a consultant to work with control, and bridge the gap with IT,” says Casteel. “Where it’s been most successful is where control still has the responsibility for security, but they work closely with IT.”
Stay on top
Cyber security is not a program that can be turned on and left alone. Much like the security on your personal computer, the plant security systems become obsolete as soon as a new worm hits the street. So cyber security becomes an ongoing program rather than a simple installation. “You have to keep up with the underbelly of the Internet—that includes technical tools and attack methodologies,” says Doug Wylie, Mayfield, Ohio-based business manager, networks, for automation vendor Rockwell Automation Inc. “You’re only one 14-year-old kid away from the system crumbling, if you’re not paying attention.”
Cyber security has become a permanent part of running an electric plant. Connectivity to the outside world is inevitable. The Smart Grid requires shared information across multiple plants and multiple offices. NERC programs and audits are compelling electric plants to demonstrate their ability to withstand cyber attacks. To cope with all of this, plants are bringing together the expertise of consultants, vendors and their IT departments to ensure that they’re well protected.
Subscribe to Automation World's RSS Feeds for Feature Articles
