Dominion Energy oversees $100 billion in assets sprawled across 16 states. Protecting those assets from a potential cyberattack is a huge undertaking.
“We are living in history,” said Adam Lee, VP and chief security officer at the utility. “The only other time that I lived in sort of a geopolitical shift like we’re experiencing right now is 9/11.”
Lee is the first corporate officer dedicated to cybersecurity in Dominion Energy’s history – perhaps a metaphor for how energy companies have shifted their priorities in recent years.
“The idea of a major cyberattack on the information networks has really emerged as the greatest security risk area for companies like Dominion,” he noted.
Russia’s invasion of Ukraine in February has brought concerns about cybersecurity in energy systems back to the forefront.
The Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA) and other federal partners have recently issued alerts to warn that bad actors have shown the ability to access multiple industrial control devices in power systems. By doing so, they could elevate privileges or disrupt critical devices or functions.
“The majority of our nation’s critical infrastructure is owned and operated by the private sector – and those owners and operators must take urgent steps to harden their environments,” said Eric Goldstein, executive assistant director for Cybersecurity at CISA, in a statement to Power Engineering.
The federal agencies joined in urging energy companies to enforce multifactor authentication protocols for all remote access to these devices, change all passwords consistently, and to use continuous monitoring solutions to log and alert any malicious activity.
“We are not bulletproof, but the sky isn’t falling,” said Massoud Amin, on the state of utility cyber readiness in the U.S.
Amin is a University of Minnesota professor and cybersecurity expert who directed all security-related research and development for North American utilities after 9/11.
“In general, cyber defense is in a reactive mode, not in a proactive mode,” he said. “You’re always trying to protect the last threats, rather than being smart and proactively almost like a chess player scanning the chessboard, identifying what are the areas that can be exploited.”
Amin said increased sophistication of cyberattacks will force utilities to implement artificial intelligence (AI)-based technologies to ward them off. He said that software that can simulate real-world cyberattacks and system failures in a controlled environment will be useful for energy companies.
At Dominion, Lee said the utility already conducts proactive risk assessments at its Cyber Security Operations Center in Richmond, Virginia.
“We run simulations through there, whether it’s penetration testing and trying to identify those vulnerable nodes that we can sort of push and see how we would get in if we were a hostile actor, and then building defenses around us to safeguard them,” he said.
Lee said Dominion has established internal cyber compliance standards that exceed those that are already government-mandated.
“We have solar fields that stretch out between here in the Mojave Desert, and a lot of those are not regulated because they don’t produce enough energy to meet any of the NERC standards,” he said. “So we have laid over those [assets] a set of cybersecurity standards that that reflects your basic NIST standards, but are really looking toward, what does NERC expect of us in our regulated business?”
As Renewable Energy World reported, experts say cybersecurity vulnerabilities exist among distributed energy resources (DERs) and inverter-based resources (IBRs) due in part to the lack of protection standards.
Lee added if any device is put into onto Dominion’s industrial control network, is it required that the company’s cybersecurity analysts have studied and reviewed it.
“One thing that’s a challenge for any large commercial enterprise is properly safeguarding your industrial control systems while not having a negative impact on your business,” he said.
Massoud Amin and former Secretary of Energy Rick Perry will be among those speaking at POWERGEN International’s Leadership Summit session, “Power Challenges Bigger than Texas: Addressing Resource Adequacy, Resiliency and Security in an Uncertain World,” on May 23 in Dallas.
This post appeared first on Power Engineering.