Digital transformation and cybersecurity


authentication measures – combined with restricted access rights – are vital to ensuring only those with permission can gain access to the system. Authentication and restricted access rights also come into play when third party experts and contractors are needed onsite. Dispersed and distributed renewable energy systems, particularly at scale, need constant monitoring and management to produce utilisation reports, lifetime patch status, recalls and other essential capabilities. Either a lack of automation, or automated systems that are themselves not strongly monitored for suspicious traffic can also present threats. Security solutions that offer extended detection and response and specialist Internet-of-Things (IoT) security functionality can provide protection. While there are multiple vulnerabilities to cyber attack from the technical viewpoint, there are also several “softer” behavioural factors which can equally put systems at risk.


Governance is rarely well established, especially in identity access management (IAM), change management and patch management – and often does not consider security properly. It is vital that there is full accountability and that roles and responsibilities in relation to cyber security are clearly defined. Knowledge sharing and a well-thought-out generational succession plan will also avoid issues around a potentially limited pool of employees with inadequate security experience leading IT systems. Additionally, response plans often do not address cyber events, with the focus more on maintenance and repair (MRO) operations.


Risks to your bottom line

Renewable energy companies can receive significant financial penalties where a cyberattack has not only inconvenienced them but has also had a serious knock-on effect on the electricity grid, and it can be demonstrated that this is due to a lack of cyber security protection. In the UK, for example, operators come under both the NIS Regulations 2018 and the National Security and Investment Act 2021, which carry not only powers of inspection but also monetary penalties of up to £17 million for those contravening regulations. Organisations providing essential services in the European Union (EU) will also soon face considerably tougher cyber security regulation (NIS2.0) for failure and non-compliance, with punitive actions including higher fines, bans on management positions and even a withdrawal of the company’s licence to operate.


In the US, there are several nationwide regulation bodies, including the Federal Trade Commission (FTC), which is responsible for enforcing cybersecurity regulations at the federal level. The Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) also have important roles. The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) plan is a set of standards aimed at regulating, enforcing, monitoring and managing the security of the Bulk Electric System (BES) in North America. In 2021, President Biden also signed an executive order to improve the nation’s cyber security.


What’s next?

Renewables are predicated on high-tech competencies and connectivity, but these operational advances, combined with the inherent risks that a high-growth cycle can bring, mean an increased risk of cyber attacks. The EU has classified the renewables industry as a “critical sector”, yet companies operating in this space are having to ward off new cyber security risks daily. Robust cyber security now needs to be built into the core business strategy, with management teams – including those at board level – ensuring they understand the risks and how to take the vital steps to mitigate the threats.


DOE allocates $45 million to cyber projects


The US Department of Energy (DOE) has allocated $45 million of potential funding to 16 projects to help “protect the nation’s energy sector from cyber attacks.” Managed by DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER), the objectives of the selected projects, which have been selected for award negotiation, are as follows:


Topic area 1 – Automated cyber attack prevention and mitigation

GE Vernova will develop a small form-factor, secure compute platform that will be connected to the operational technology network for natural gas compressor stations, which are important for maintaining proper gas flow to fuel nearly 40% of all electricity generation in the United States.


Topic area 2 – Security and resiliency by design


EPRI (Electric Power Research Institute) will develop an advanced artificial intelligence and data processing capability to detect and respond to cyber security incidents in control system endpoints at the grid edge.

GE Vernova will strengthen the security of communication protocols used in generation, transmission, and distribution and will validate, harden, and standardise a new protocol to replace the non-secure protocol currently in use.


EPRI will research, develop, and demonstrate zero trust architectures for a secure and private 4G LTE and 5G communications network designed to meet the unique needs of electric power systems, primarily focusing on integrating distributed energy resources (DER) and microgrids.


GE Vernova will develop an innovative approach using quantum communication to securely communicate time-sensitive co-ordination messages that are important to the resiliency of the power grid.

Georgia Tech will develop GridLogic, a framework for cyber-physical security of the electricity grid and DERs that will impede cyber attackers and even a malicious insider operator from taking actions that are detrimental to the grid.


Iowa State University of Science and Technology will develop technical solutions to be incorporated within the initial stages of future DER-integrated grid infrastructure development lifecycles for a more resilient operation of critical control functions.


Topic area 3 – Authentication mechanisms for energy delivery systems


EPRI will develop and/or accelerate work on two communications standards to perform centralised management of authentication and authorisation services in a zero-trust architecture.


Texas A&M University will research, develop, and demonstrate a zero-trust authentication mechanism with post-quantum cryptography to reduce the cyber-physical security risks to DER devices and networks.


Kansas State University will address the security vulnerabilities of existing standards by integrating authentication, secret key establishment, and encryption-based secure communication mechanisms with existing standards for reliable authentication and communication between smart grid nodes, inverter gateways, and other grid-edge devices.


Topic area 4 – Automated methods to discover and mitigate vulnerabilities


EPRI will revolutionise vulnerability detection, classification, and exploitability determination techniques within control system software to bolster cybersecurity measures in the energy sector.


Georgia Tech Research Corporation will develop “DerGuard,” a framework utilising artificial intelligence (AI) techniques for automated vulnerability assessment, discovery, and mitigation in DER devices.


New York University will develop an integrated and scalable digital twin for security and code verification. Called “DISCOVER”, it will detect and mitigate vulnerabilities and malware with a focus on ransomware introduced through software/firmware in the power system supply chain.


Topic area 5 – Cybersecurity through advanced software solutions

EPRI will apply digital twins to detect attacks in power generation assets that focus on malicious modification of the operational technology (OT) system.


www.modernpowersystems.com | May 2024 | 29

