In recent years, the power industry has become more connected than ever, with a delicate grid supporting much of our critical infrastructure. Any disruption could be catastrophic, highlighting the need for organizations to proactively protect their assets from pressing risks, including the surge in cyber attacks. The addition of solar and other renewable energy plants has only heightened these vulnerabilities, as these assets are targets for attackers.
As a result, the North American Electric Reliability Corporation (NERC)’s Critical Infrastructure Protection (CIP) standards now include cybersecurity requirements with hefty consequences for violations. This has made compliance top of mind for chief information security officers (CISOs) and their teams, but implementing good cyber hygiene requires more than baseline compliance—it requires an investment into an industrial cybersecurity program that grants you full visibility and control over your operational technology (OT).
NERC CIP Standards: Cybersecurity is Here to Stay
The old adage “spend a dollar today to save a hundred tomorrow” rings true for compliance. In 2021, NERC CIP enforcement levied 37 compliance penalties totaling $16,786,000, an average of $453,676 per violation. As significant as these fines are, most power producers understand that the violations behind these penalties can incur even higher costs.
Regulations are constantly being updated, and now include cybersecurity controls. What was once required only of medium- or high-risk groups is now commonplace at low-risk levels. To best prepare for imminent regulatory standards and inevitable cyber attacks, organizations should not wait for regulations to dictate what cybersecurity looks like at their facilities; waiting is likely to be more expensive in the long run, whether through penalties or through attackers exploiting the gaps that regulations have not yet covered. Waiting also leaves fleet owners constantly playing catch-up, an unnecessary burden given that regulations are clearly moving toward requiring strong cybersecurity measures.
Staying ahead of requirements also allows organizations to implement controls at a manageable pace, proactively keeping costs down and enabling managers to spend more time assessing and addressing risk.
Moving Beyond Compliance: Adopting Cybersecurity Best Practices
Before adopting an OT cybersecurity program, it is important to understand the difference between compliance and best practices. Although the two can seem interchangeable, internal teams and Managed Security Service Providers (MSSPs) should understand that a cyber risk management program goes beyond compliance to truly manage, monitor, detect and defend an organization against growing cyber threats.
Compliance is a minimum set of rules or actions that a team must follow to conform to a policy or standard. Best practices, by contrast, establish concrete methods and techniques that leadership adopts because they are superior to the alternatives, as proven by their results. Furthermore, best practices are built into an organization as its standard way of operating.
Knowledge is Power: Educating Your Organization from the Top Down
Education about cybersecurity best practices, including procedures, processes and the use of technology solutions, must be consistent at all levels, from the CISO to site operators. Power generation CISOs (or those responsible for compliance within an organization) are beginning to understand the importance of industrial cybersecurity—especially with the rise of cyber attacks and the threat that foreign adversaries pose to the US power grid. Furthermore, boards of directors are becoming actively involved in cybersecurity as it now affects the bottom line.
At a more granular level, operators are now being instructed to complete system inventories, covering both hardware and software, to determine the criticality of those systems. Knowing which systems to protect allows plant operators and managers to prioritize their budget and focus on protecting their most critical assets first. This knowledge empowers CISOs to make cybersecurity a priority and ultimately to implement a strong industrial cybersecurity program that manages cyber risk in the most cost-effective way.
Don’t Fall Behind: The Cybersecurity Curve
It is no longer a question of if your plant will experience a cyber incident, but when. The next step for industrial companies is to proactively prevent operational disruptions that could impact critical infrastructure. As global markets transition toward more renewable energy sources, attackers will look for ways to exploit those resources. This makes cybersecurity a business imperative.
Attackers are aware of, and will turn their attention to, the increasing number of new generation and transmission projects being proposed. Don’t join the list of organizations that fall behind the curve and can’t address vulnerabilities until it’s too late.
When it comes to mitigating cyber risk, where does your facility sit on the spectrum from baseline compliance to established best practice? If your organization needs to move beyond compliance, it’s best to start from the top to implement change and reduce the overall likelihood of cybersecurity gaps that could prove costly to an organization.
Kyle Tobias is a senior cybersecurity assessor with ABS Group. He has over 18 years of OT cybersecurity experience in planning, operations, training and audits in the maritime, energy, banking, finance and telecommunications industries, and has successfully achieved client goals across the globe. Kyle holds a BA from Oglethorpe University and an MS in Cybersecurity from the Georgia Institute of Technology.
The views and opinions expressed in this article are the author’s own, and do not necessarily reflect those held by pv magazine.