
Utility Cybersecurity: How To Mitigate Potential Cyberattacks

By Lauren Corley

The energy landscape is rapidly evolving with the proliferation of distributed energy resources (DERs) and the aggregation of these assets into demand flexibility programs like demand response, EV charging, and virtual power plants (VPPs). While these innovations promise a cleaner, more flexible grid, they also expand the digital attack surface, demanding heightened vigilance. The nature of cyber threats targeting vital infrastructure is constantly evolving, with adversaries continually refining their strategies and tactics.

Utilities are a target for both physical and cyber attacks by nation-state actors, organized crime, and even hacktivists, and each group has its own reasons for destabilizing the grid. Nation-state actors pursue espionage, political influence, and sabotage, whereas organized crime pursues financial gain through ransomware and data theft. So, how can utility cybersecurity mitigate these risks?

Implementing Access Controls

Part of cybersecurity for utilities includes controlling personnel access. Specifically, this speaks to the cybersecurity framework of role-based access control (RBAC). The premise behind RBAC is to assign permissions to personnel based on their job within the organization.

Virtual Peaker strengthens our security posture by integrating advanced authentication factors (MFA, PINs, fingerprints, and IP address-based restrictions) with our identity provider (IdP) to enhance our identity and access management (IAM) framework. Additionally, our IAM framework includes user audits, identity lifecycle management, and permission reviews. These are widely known practices within the cybersecurity industry: RBAC, authentication factors, user lifecycle management, and user audits are all methods and tools within the larger framework of IAM.

The IAM framework is a critical pillar within the cybersecurity industry because it determines which individuals and groups can access which resources within an organization. Furthermore, it allows organizations to keep their information confidential. As the traditional network perimeter dissolves with cloud computing, mobile devices, and IoT (Internet of Things), it is key to use identity to define the network perimeter.

To further assist with securing systems, adopt a Zero Trust security model. This model ensures that every user, device, and application that tries to access a resource is authenticated, authorized, and continuously validated. Zero trust means no trust, whether the request comes from inside or outside the network; no exceptions based on assumptions are permitted.

Multi-Factor Authentication

Multi-factor authentication (MFA) builds upon user roles by offering more layers of protection to individual users. Why is that important? Even once roles are assigned, additional authentication factors are needed because of attacks such as credential stuffing and brute force attacks. These attacks target the user’s login credentials to gain unauthorized access to a device, network, or application (endpoint). MFA becomes more pertinent as sign-in techniques such as federation (sign-in delegated to a third-party identity provider) become more widely adopted within an organization.

Cybersecurity Audits & Vulnerability Assessments

An organization must be ready and capable of identifying, protecting, responding to, and recovering from a cyber threat, which speaks to the organization’s security posture. Utility cybersecurity audits are key for an organization as they provide insight into the alignment of the policy and tools used to define the security posture. Furthermore, it gives the organization insight as to where to make specific adjustments and corrections to existing procedures, which ensures that policies are kept. It is key to know that policies define the security standard, and procedures detail the activities required to maintain the standard. The cybersecurity audit assures that policies and procedures are aligned with each other, which enables the organization to have a strong security posture.


Utility cybersecurity audits can vary from mandatory regulations to best practices, both of which are used to confirm the security posture of an organization and demonstrate due diligence. Regulatory audits can include compliance audits that ensure industry standards are maintained. Vulnerability assessments are another audit type; they detect weaknesses in systems, networks, and applications, using scanning tools to find misconfigurations, default credentials, and unpatched software. User audits identify and remove unnecessary elevated privileges, detect unauthorized access, and enforce least privilege to limit insider threats.
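The user audits and permission reviews described above and in the IAM section can be scripted. The following is an added example, not Virtual Peaker code; the role catalogue, job-to-role mapping, user list and sign-in dates are all constructed here, and the 90-day staleness threshold is an assumed policy value. It flags elevated roles that the holder's job does not justify, roles outside the catalogue, and accounts with no recent sign-in.

```python
from datetime import datetime, timedelta

# Constructed role catalogue: the permissions each RBAC role grants.
ROLE_PERMISSIONS = {
    "operator": {"read:telemetry", "dispatch:der"},
    "analyst": {"read:telemetry", "read:reports"},
    "admin": {"read:telemetry", "dispatch:der", "manage:users", "manage:keys"},
}
# Permissions the audit treats as elevated.
ELEVATED = {"manage:users", "manage:keys"}
# Constructed mapping from job title to the single role that job justifies.
ROLE_FOR_JOB = {"Grid Operator": "operator", "Data Analyst": "analyst", "IT Security": "admin"}

def audit_users(users, last_sign_in, now, stale_days=90):
    """Return (username, finding) tuples for least-privilege violations.

    users: list of {"name", "job", "roles"}; last_sign_in: name -> datetime.
    """
    findings = []
    for user in users:
        justified = ROLE_FOR_JOB.get(user["job"])
        for role in user["roles"]:
            if role not in ROLE_PERMISSIONS:
                findings.append((user["name"], f"unknown role '{role}'"))
            elif role != justified and ROLE_PERMISSIONS[role] & ELEVATED:
                findings.append((user["name"], f"elevated role '{role}' not justified by job '{user['job']}'"))
        seen = last_sign_in.get(user["name"])
        if seen is None or now - seen > timedelta(days=stale_days):
            findings.append((user["name"], f"no sign-in in {stale_days} days; disable or remove"))
    return findings

# Constructed sample data.
USERS = [
    {"name": "alice", "job": "Grid Operator", "roles": ["operator"]},
    {"name": "bob", "job": "Data Analyst", "roles": ["analyst", "admin"]},     # over-privileged
    {"name": "carol", "job": "IT Security", "roles": ["admin"]},
    {"name": "dave", "job": "Grid Operator", "roles": ["operator", "legacy"]},  # stale, unknown role
]
NOW = datetime(2024, 6, 1)
LAST_SIGN_IN = {
    "alice": NOW - timedelta(days=2),
    "bob": NOW - timedelta(days=10),
    "carol": NOW - timedelta(days=30),
    "dave": NOW - timedelta(days=200),
}

if __name__ == "__main__":
    for name, finding in audit_users(USERS, LAST_SIGN_IN, NOW):
        print(f"{name}: {finding}")
```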

Penetration Testing

Penetration testing (pen test) involves a legally consenting organization, with a binding document, undergoing a simulated attack by a hired third-party ethical hacker. These simulated attacks can vary in the level of knowledge that an attacker would have about the organization. This level of knowledge determines the type of penetration test. For instance, an attacker who knows nothing about the organization would be a black box test. Black box testing also indicates that this attack is external to the organization. However, white box testing simulates an attack coming from an insider threat, as the attacker has full knowledge of the organization.

An additional pen test type is gray box testing, where the attacker has partial knowledge of the organization. Results from a pen test identify the breaches an organization could experience if the exploited vulnerabilities go unremedied. Conducting pen tests helps IT security teams strengthen an organization’s security posture and gain further insight into the attack surface.

Are You Assessing Your Vendor’s Cybersecurity?

The attack surface in utility cybersecurity is the sum of all entry points where an attacker could gain unauthorized access to an organization’s digital or physical resources by exploiting a vulnerability. Physical resources in utility cybersecurity can include buildings, hardware (laptops, workstations, servers), mobile devices, USB drives, network infrastructure (routers, switches, cabling, wiring), and IoT (Internet of Things) devices such as distributed energy resources (DERs), which include solar, battery energy storage systems (BESS), electric vehicles (EVs) and EVSE chargers, and smart home devices like thermostats and water heaters.

These physical resources can be exploited if a vendor is compromised and ships devices with embedded malware. When an organization’s vendor is compromised in this way, the result is known as a supply chain attack. Thus, the supply chain is part of the attack surface that IT security teams must protect, and they must set and abide by policies for purchasing the physical devices used in network infrastructure as well as IoT and endpoint devices.

Types of policies an IT security team would implement include:

  • Vendor security questionnaires
  • Vendor contractual agreements for audits
  • Continuous monitoring to demonstrate due diligence

Also, an IT security team may create an approved vendor list and a software bill of materials, which help verify the integrity of purchased software and hardware.
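One way to act on an approved vendor list and a software bill of materials at delivery time, as an added example rather than Virtual Peaker's own process: every component declared in the SBOM must come from an approved supplier and hash to the declared value, and nothing undeclared may be deployed. The vendor names, SBOM entries, declared hashes and received artifact bytes are all constructed here; real SBOMs (SPDX, CycloneDX) carry the same supplier and hash fields in a richer schema.

```python
import hashlib

# Constructed approved vendor list maintained by the IT security team.
APPROVED_VENDORS = {"Example Meter Co", "Example Inverter Inc"}

# Constructed SBOM fragment: the supplier's declared hash for each component.
# The hashes are computed here from the expected "good" bytes to stand in for
# values a real SBOM would carry.
SBOM = [
    {"name": "meter-firmware", "version": "2.1.0", "supplier": "Example Meter Co",
     "sha256": hashlib.sha256(b"meter firmware image v2.1.0").hexdigest()},
    {"name": "inverter-agent", "version": "5.4.2", "supplier": "Example Inverter Inc",
     "sha256": hashlib.sha256(b"inverter agent v5.4.2").hexdigest()},
    {"name": "telemetry-lib", "version": "0.9", "supplier": "Unknown Reseller LLC",
     "sha256": hashlib.sha256(b"telemetry lib 0.9").hexdigest()},
]

# Constructed artifacts as actually received (name -> bytes). The inverter agent
# differs from what the SBOM declares, simulating a substituted or tampered build.
RECEIVED = {
    "meter-firmware": b"meter firmware image v2.1.0",
    "inverter-agent": b"inverter agent v5.4.2 (modified)",
    "telemetry-lib": b"telemetry lib 0.9",
}

def verify_delivery(sbom, received, approved_vendors):
    """Return (component, problem) tuples; an empty list means the delivery may proceed."""
    problems = []
    for entry in sbom:
        name = entry["name"]
        if entry["supplier"] not in approved_vendors:
            problems.append((name, f"supplier '{entry['supplier']}' not on approved vendor list"))
        data = received.get(name)
        if data is None:
            problems.append((name, "declared in SBOM but not delivered"))
            continue
        if hashlib.sha256(data).hexdigest() != entry["sha256"]:
            problems.append((name, "hash mismatch: artifact differs from SBOM entry"))
    # Anything delivered that the SBOM does not account for is also a finding.
    for name in received.keys() - {e["name"] for e in sbom}:
        problems.append((name, "delivered but absent from SBOM"))
    return problems

if __name__ == "__main__":
    for component, problem in verify_delivery(SBOM, RECEIVED, APPROVED_VENDORS):
        print(f"{component}: {problem}")
```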

As a SaaS company, Virtual Peaker is both a vendor and a customer. As a vendor, utility companies can require us to meet NERC CIP regulatory requirements as they relate to grid reliability, ensuring our software does not cause issues within their grid. As a DERMS vendor that manages DERs, Virtual Peaker can also be required to provide SOC 2 audits to verify our controls as they relate to availability, processing integrity, confidentiality, and privacy. Since data is sent between Virtual Peaker’s Shift Grid-Edge DERMS infrastructure and the utility’s, there is a requirement that transmitted data be encrypted.

As a customer purchasing software and hardware for our platform, we look for contractual agreements that ensure privacy and confidentiality to protect the company’s intellectual property. If using cloud platforms, we carefully review service level agreements (SLAs), which confirm uptime guarantees, performance metrics, and support response times should any issues occur. Policies regarding vendor management help prevent the possibility of a supply chain attack.

Security Awareness Training

The attack surface is not just composed of machines, networks, and software. There is also a social component known as users. Although users are a part of the attack surface, IT security teams reduce their threat level by empowering users with security awareness training.

By providing security awareness training to users, we allow them to become our first line of defense in protecting digital, intellectual, and physical assets. The task of protecting cyber assets is not just a silo mission for IT security; it includes collaboration with end users and stakeholders. Depending on the size of the organization and the IT security team, end-user collaboration for cybersecurity efforts becomes mandatory.


Such training includes simulated phishing campaigns, tabletop exercises, brown bag informational lunches, and interactive user training. Furthermore, the collaboration of utility cybersecurity efforts with end users does not just stop at training—it also includes establishing and encouraging a culture of awareness and protection. This is how the end user becomes a cyber asset and not just another liability.

Response Plan

The best course of action is to follow the incident response lifecycle, which includes:

  • Preparation – This includes planning for possible attacks, the identification of key stakeholders to notify concerning communication planning, the configuration of SIEM tools, and establishing a reporting structure in the event of an incident
  • Identification – Confirm and verify that the security incident is real. The collection of evidence by analyzing logs and determining the impact on the organization
  • Containment – Isolate the issue so that it cannot cause additional damage. Isolation measures include disconnecting networks, disabling compromised accounts, moving compromised devices to a quarantine VLAN (virtual local area network), blocking compromised IP addresses with a firewall, resetting passwords, revoking and regenerating API keys and tokens, shutting down applications, filtering email, adding web proxies to block command and control (C2) communication to zombie machines, and even data freezing (snapshots of the current state of data)
  • Eradication – This is the resolution of the issue. Activities can include account deletion or revocation, patch installation, malware removal, configuration hardening (closing open ports), code fixes, and cleaning system logs
  • Recovery – This is restoring the system and its data to the state before the incident occurred. Activities include system recovery from the most recent backups, verifying the installation of patches and configuration changes in the production environment, and restarting systems.
  • Post Incident Activity – This is all about lessons learned. It is a review of all the activities that took place during incident response, as well as a review of the root cause analysis. This allows security teams to improve their security posture and incident response activities for future reference. Activities include the documentation of events, updating policies and procedures, configuration changes to SIEM systems for better detection, and the creation/update of training documentation.

Conclusion

Despite rapid technological advancements and the increasing sophistication of cyberattacks, defending these critical systems within the renewable resource energy industry remains fundamentally rooted in core cybersecurity practices. A layered defense-in-depth approach is paramount, ensuring that if one control fails, others are there to prevent compromise. Central to this strategy is stringent identity and access management (IAM), which governs who can access what within these complex environments. Complementary practices like proactive threat hunting and continuous monitoring are essential to detect stealthy intrusions that bypass initial defenses. Furthermore, robust supply chain security is non-negotiable, given the interconnected nature of DER components and vendors.


About The Author

With time well spent as a business analyst, Lauren brings a unique blend of analytical rigor and strategic thinking to the cybersecurity realm. Her journey into IT started with a master’s degree in information systems, followed by a Security+ certification, which allowed her to make a career transition into cybersecurity. Beyond the digital landscape, she finds balance and inspiration in exploring nature through hikes, fueled by a deep-seated passion for making the world—both online and offline—a safer place for all.
