This is the fourth article in a Microgrid Knowledge series that explores why we need to focus on microgrid cybersecurity and how to create a cybersecure microgrid while also protecting the macrogrid.
Download the full report.
Cybersecurity should be a prime consideration at the outset of microgrid design. If a microgrid is being installed for resilience, it doesn’t make sense for it to increase the vulnerability of its customers or the main grid.
In comparison with the centralized model widely used for primary power grids, microgrids use a distributed architecture with multiple systems that communicate with each other. This distributed architecture innately includes power redundancy and resiliency. The microgrid controls also provide a basic level of security because they are distributed, with no single point of failure that could result in the loss of the entire system. As discussed, advanced microgrids are able to compensate for loss of one or more control points.
An advanced microgrid design includes switchgear, generation sources, energy storage, and other equipment that communicates seamlessly using a supervisory software control system. The controller is the brain and nervous system of a microgrid. Its software gathers a wealth of data from microgrid participants and makes and communicates operational and safety decisions for the microgrid and communicates instructions to its connected assets. The controller also coordinates and manages its resources and relationship with the central grid to operate at maximum efficiency at all times.
While a microgrid’s diverse resources increase its resilience, the complex control and communication systems required to coordinate the equipment also have the potential to increase its vulnerability – if proper cybersecurity is not implemented. For true resilience, cybersecurity protections must be built into the microgrid from its inception.
Resiliency through the cybersecure microgrid
“True microgrid cybersecurity requires that there is no single point of failure in the system, as there is in centralized architecture. Resiliency is provided by failover of the ‘master’ from one distributed controller to another. Putting intelligence and processing power at the endpoints allows localized communications and control which means a smaller network footprint that can be secured and monitored,” said Erik Svanholm, CEO of IPERC, a subsidiary of S&C Electric, which offers a cybersecure microgrid controller, the GridMaster Microgrid Control System.
Svanholm describes a “Defense in Depth” (DiD) approach, which calls for the use of a large number of security countermeasures, all working together in a layered, coherent way to protect against every imaginable form of cyberattack while allowing legitimate microgrid communications and datahandling activity to proceed unimpeded.
The first line of defense occurs at the perimeter of the microgrid, with the objective of keeping attackers out altogether. Here, a useful start might be something simple, such as sensors that log and alert if microgrid assets have been physically tampered with. Firewalls and intrusion-detection systems also seek to keep intruders out and identify attempts (and successes) to penetrate the network perimeter. Hardware hardening, in the form of removing unnecessary software and services, and disabling unneeded communications and data ports (particularly USB ports) on the computers hosting the control software, adds another, host-based layer of “perimeter” security.
[clickToTweet tweet=”Cybersecurity should be a prime consideration at the outset of microgrid design. #microgrids” quote=”Cybersecurity should be a prime consideration at the outset of microgrid design. #microgrids”]
This is where security stops for most legacy industrial control systems and many contemporary microgrid control systems. If attackers penetrate the network perimeter shell, they gain access to easily legible, exposed data streams and archives, and can design and deploy devastating malicious code.
Standard energy industry protocols were not written with cybersecurity in mind, so the vast majority of them send data in the clear. Many more layers of defense must be built into the system so all is not lost if the network perimeter is breached. And if those security measures weren’t included in the original control code’s DNA, it is almost impossible to add them later without significant reengineering of software and testing of interoperability with microgrid participants, including utility systems. This gives operators of large, expensive industrial control systems an unpleasant choice: They can apply modern external protections to exposed older software and hope they are never breached – a low-cost, high-risk solution — or replace the entire control system with a newer, much more secure product.
In contrast, attackers who succeed in penetrating sophisticated control systems using a DiD approach are met with a variety of integrated defenses to keep them from doing harm even while they are inside.
Operating systems, software, and firmware are hardened by disabling or removing code, protocols, and services that aren’t specifically required to operate the microgrid. Stored data and communications among microgrid components are encrypted so intruders can’t read, intercept, or manipulate the control traffic, configuration files, and archives.
Whitelisting is a security protocol where only pre-approved devices are allowed system access. And even if a new device appears on a DiD-protected microgrid network and passes the whitelist test, the software still executes a series of authentication exercises to validate that any device trying to communicate on the microgrid is a legitimate participant.
A cybersecure microgrid also enables monitoring of internal communications and system processes to identify abnormal events during operations. This includes real-time alerts and the creation of security audit logs for operator awareness of the system’s security posture, its level of availability, and potential anomalies, all without affecting the microgrid’s operation. Those alerts and audit logs can also be incorporated into a utility’s Security In
Microgrid connections to the utility grid require additional secure gateways, or de-militarized zones (DMZs), and firewalls dedicated to securing that connection point. Where feasible, unidirectional gateways (e.g., data diodes) can be used where bidirectional communications aren’t necessary. Direct connections between a microgrid and the utility or to the Internet should never be used.
No shortcut to cybersecurity
All of these methods are just examples of dozens of countermeasures used in DiD-based control systems to establish strong cybersecurity for advanced microgrids. Most of the defensive approaches used are well-known in security circles and are widely used for many applications. But deploying so many protections simultaneously, and coherently, so the system is all but airtight except for the precise data movements needed for the microgrid to function, is extremely difficult to achieve and takes years of software and hardware development.
“A significant challenge for utilities is that many do not have budget lines specifically for cybersecurity. So they naturally tend toward the pragmatic approach ‘if it ain’t broke, don’t fix it’. They are managing systems that are intended to remain in place for decades, not years. So they require a cyber solution that can be integrated into a new system, yet be interoperable with legacy assets,” said David Chiesa, senior director of global business development at S&C Electric.
It’s important for utilities – and others – to be aware that the business case differs for cybersecurity, and for microgrids themselves, from the standard energy infrastructure they procure.
“The cost of ensuring cybersecurity should be viewed as a form of insurance. Just as microgrids protect against disruptions to the utility grid, cybersecurity is insurance for the safe, secure, and reliable operation of microgrids,” Chiesa said. “Having robust cybersecurity systems will pave the way for the proliferation of microgrids that enhance and strengthen the grid in the face of hazards, both natural and man-made.”
Today’s cybersecure microgrid emerged out of years of work by the military. In the next chapter, we interview one of the key figures behind their development.
Over the next few weeks, the Microgrid Knowledge Special Report series on creating a cybersecure microgrid will cover the following topics:
- Microgrid Cybersecurity: Fighting Asymmetrical Warfare
-
First Cybersecure Microgrid Controller Installed by Midwestern Utility
The full report, “Microgrid Cybersecurity: Protecting and Building the Grid of the Future,” is downloadable free of charge courtesy of S&C Electric.
