How to successfully implement cybersecurity into critical power system 

In this episode, OMICRON cybersecurity experts Thomas Friedel and Eugenio Carvalheira discuss the importance of cybersecurity in the digital transformation and how it plays a critical role in power system infrastructures. 
Some governments, such as in Germany, have introduced laws which require all companies with critical infrastructures to fulfil a certain level of cybersecurity for their equipment and facilities. Other governments handle this topic differently. However, one thing is for certain: There are increasing risks of cyberattacks on critical power system infrastructures throughout the world which can have dangerous repercussions. 
Thomas and Eugenio describe recent cybersecurity directives in Europe and North America and their implications for power system organizations around the world. They also discuss the challenges these organizations face in successfully implementing cybersecurity into their infrastructures and offer tips to meet these challenges.   
Lastly, they describe how OMICRON is involved with cybersecurity and which solutions it offers to the power industry to deal with the growing threat of cyberattacks.

Podcast Episode 2, OMICRON

“Power system organizations should involve OT experts more during the process of selecting cyber security solutions.”

Thomas Friedel

Cyber Security Expert, OMICRON

Here are some key topics from this episode:

Cybersecurity in the Power Industry: Here Thomas and Eugenio discuss the importance of cybersecurity in the power industry in addressing cyber threats. They cover their experiences, the impact of regulations, and initiatives to enhance cybersecurity.

Government Regulations and Initiatives: They explore government regulations and initiatives related to cybersecurity, both in Germany and the United States. They mention the ITSiG 2.0 law in Germany and the Industrial Control Systems (ICS) Cybersecurity initiative in the US.

Challenges Faced by Power Plants and Substations: They highlight the challenges faced by power plants and substations when improving their cybersecurity, such as compliance with regulations, collaboration between IT and OT teams, and managing false alarms.

OMICRON's Contribution to Cybersecurity: Here they mention how OMICRON is contributing to improving cybersecurity in the power industry, including its StationGuard product, support for identifying risks, and product security measures. They also mention OMICRON's webinars and online courses for educating professionals in the field.

Scott: Hello Everyone! In this episode of Energy Talks, we will present Part 3 of our miniseries called Digital Transformation in the Power Industry. Together with my guests in this episode, we will discuss the importance of cyber security in the digital transformation and how it plays a critical role in power system infrastructures.
We will address why it is important to implement cyber security now in your facilities, power plants and substations. Some governments, such as in Germany, have introduced laws which require all companies with critical infrastructures to fulfil a certain level of cyber security for their equipment and facilities.

Other governments handle this topic differently. However, one thing is for certain: There are increasing dangers of cyber attacks on critical infrastructures throughout the world, which can have dangerous repercussions. We will also discuss what OMICRON is doing in the area of cyber security and which solutions it offers to the power industry to deal with the growing threat of cyber attacks. Joining me in this episode to discuss these points is first of all Thomas Friedel.

Thomas joined OMICRON in 2020. Prior to that he worked for several technology companies in the areas of networking and cyber security. He currently works in the Power Utility Communication Unit at OMICRON and is responsible for supporting cyber security related projects with customers around the world. Thomas is based in Germany.

Scott: Hello Thomas – welcome to Energy Talks!
Thomas: Hello. 

Scott: Also joining me is Eugenio Carvalheira. Eugenio joined OMICRON in 2008 and is based in Houston, Texas. In his current role as Engineering Manager at OMICRON, Eugenio leads the Application Engineering team in North America. His areas of expertise include power systems protection & control, digital substations, and cyber security. Thank you for joining us Eugenio!

Scott: How are each of you involved in the topic of cyber security? What is your experience in this field? Thomas, let me start with you.
Thomas: For over 20 years I have been working in the field of networking/cybersecurity, supporting large enterprises. During the last 4 years I have focused solely on the field of OT (operational technology) security, and on the area of utilities in particular. At OMICRON, the product I’m focusing on is StationGuard, which is an IDS (Intrusion Detection System) tailor-made for utilities and the energy industry.
Scott: Eugenio, what is your experience in the area of cyber security?
Eugenio: My background is as a Protection & Control Engineer for substations and power plants. For 15+ years I have been very involved in substation communication and automation topics, especially with topics related to implementation and testing of IEC 61850 digital substations. You can imagine that nowadays you cannot talk about digital substations without talking about cybersecurity. Utilities starting their journey into this new technology will, at some point, raise concerns and questions… many times they will fear they will not be able to be compliant with cybersecurity regulations. So, the best way for us to overcome their fear is by educating them, discussing threats and measures, and making them aware of the opportunities this technology can bring, increasing visibility for example.
At OMICRON, same as Thomas, our IDS solution is one of the products I am focused on. From an industry standpoint, I am an active member of many working groups of the PSCC (Power System Communications and Cybersecurity) Committee.

"Improving cyber resilience should be a topic for all countries, as we are not living on an island, and due to the interconnection of large transmission providers an incident in one European country may more or less immediately impact others."

Scott: Thomas, the German government has been pro-active in regulating the cyber security of companies in the critical infrastructure. Could you describe what is being done in Germany, and do you agree with the steps taken?
Thomas: The bill passed last year (ITSiG 2.0) is already the second version in a short time (in terms of how laws typically are changed). This clearly shows that the dynamics in cyber security, and in particular the increasing risk that major, important industries are exposed to, need to be responded to faster, as otherwise it may have a bad impact on the whole community/society. In general this law covers and sharpened a couple of things, like:
a) Focusing on critical infrastructure providers like utilities and how they should empower their IT/OT to make them more resilient against ever-improving attackers, in particular so-called state-sponsored ones like the Russian government-controlled hackers, or crime organizations which simply consider hacking as a business to earn money from (ransomware …).
b) Make it mandatory for those critical infrastructure providers to have capable solutions like Intrusion Detection Systems (IDS) to be able to detect possible attacks early enough and remediate quickly.
Apply penalties if companies don’t do this.
c) Having more resources assigned to the agency (BSI) to support this process much better, as well as to collect centralized information about attacks that have happened, to warn/advise as many companies as possible as early as possible.
Personally, I absolutely agree with doing much more in the field of protecting the OT infrastructures of critical infrastructure providers, because if power delivery to larger cities or to large companies producing goods needed for daily life is broken, it will immediately impact all our lives and may cause heavy frictions in society, and we should do everything to avoid this.

Scott: Thomas, what is the general situation in other countries around the world? Should other countries also follow Germany’s lead?
Thomas: Not quite sure if other countries should follow this exactly, but in general, improving cyber resilience should be a topic for all countries, as we are not living on an island, and due to the interconnection of large transmission providers an incident in one European country may more or less immediately impact others.
The European NIS directive is trying to address this and to have a kind of security standard for all European countries. In the ITSiG law in Germany you will find a lot of those recommendations already implemented.
Talk a bit (if time) about Austria/Switzerland…

Scott: Eugenio – what is the situation in North America?
Eugenio: In NA, the North American Electric Reliability Corporation (in short NERC) is the regulatory authority responsible for developing reliability standards and enforcing compliance. All entities connected to the Bulk Electric System (BES) have to comply with the NERC Reliability standards. NERC-CIP is the set of standards for “Critical Infrastructure Protection”. NERC-CIP comprises 13 standards which apply to BES Cyber Assets and Substations depending on their impact level (low, medium or high). Some of the standards are on the governance side of things, setting basic policies and dealing with topics like personnel management, training requirements, and supply chain risk management. And then we have the more technical standards… CIP-002 defines the process of asset identification and classification; CIP-007, for system security, defines requirements for malicious code prevention, deployment of methods to detect incidents and generation of alarms; CIP-008 enforces the need to have an incident response process in place; while CIP-009 brings the need to have a recovery plan when services are affected.

Scott: Thomas, the Corona pandemic as well as the current war between Russia and the Ukraine have impacted all of our lives, not to mention the increasing threat of cyber attacks. Do you think there is a shift in the power system sector towards even more data security and sustainability?
Thomas: Yes, it is clear to see that more and more utilities are accelerating some projects (we can conclude this from more requests for our solutions) to improve.

Scott: Eugenio, how does the US government plan on handling the increasing incidences of cyber attacks, specifically in the power sector?
Eugenio: Cybersecurity has been identified as a critical political and economic risk by the US government. One of the key initiatives was launched in April 2021 by the Biden Administration: the Industrial Control Systems (ICS) Cybersecurity initiative. The initiative had the objective to strengthen the cybersecurity of the critical infrastructure. As part of this initiative, they released a 100-Day Action Plan for the Energy Sector led by the Department of Energy and other agencies. What is interesting is that right after the kick-off of this initiative, in May 2021, we all saw in the news the report of a major cyber attack on Colonial Pipeline, an American oil pipeline company. Following this incident, the government once more further emphasized the importance of this initiative. As part of the 100-day plan, the DOE is seeking to advance technologies, modernize cybersecurity defenses, and encourage owners and operators to implement measures or technology that enhance their cyber visibility, detection, mitigation, and forensic capabilities. It includes concrete milestones over the next 100 days for owners and operators to identify and deploy technologies and systems that enable near real-time situational awareness and response capabilities in critical ICS and operational technology (OT) networks. So, in summary, enhancing the visibility, monitoring and detection capabilities in OT networks was identified as a key measure to improve security. At this point, this is just a recommendation, but at some point it may also become a requirement in CIP standards.

"The utilities should involve OT experts more during the process of selecting Cyber security solutions."

Scott: Eugenio, what are some of the difficulties power plants and substations face when they attempt to improve their cyber security? 
Eugenio: Many of the regulations imposed on the utilities are a big burden to them. Protection & Control engineers have to deal with new processes. Even their commissioning tools like test sets and laptops now become part of this process… they are defined as Transient Cyber Assets (TCAs) and need to be managed. The identification process and patch management are a big burden, just to name a few…
For the small utilities, engineers have limited support from IT departments and face a big lack-of-resources issue. For larger utilities, the IT departments are usually involved. But that’s also where some challenges are faced, when the IT and OT worlds collide. There is a strong need for these 2 groups to work together and learn each other's problems and available solutions. There is a big range of tools from IT that are for sure very interesting and helpful in the process, but there are specific requirements in OT that ask for different solutions.
As we interact with some of our customers, we hear about IDS pilot projects that failed due to a very high number of false alarms they get. So, the utility makes an effort to improve the visibility of their OT network to detect malicious activities, but is then bombarded by alarms. After some time, they get so tired of finding out that most of these alarms are false that they either start neglecting them or simply come to a point where they shut the system down. So, creating a system that gives fewer (or close to zero) false alarms was something we identified as a need for our customers.
Another challenge faced is the level of expertise that is required for the person to be able to analyze and understand the events and alarms. Very skilled IT people are required for many of the cases. So, this brings the need to implement technology that speaks the language of both OT and IT engineers and fosters a better collaboration between them. For a protection engineer, it is important that the events and alarms are strongly related to his application and that the cause can be easily identified.
Sharing information is a big challenge due to CIP requirements.

Scott: Thomas, is there less of a risk from any cyber attacks for smaller utilities?
Thomas: Not at all – the immediate impact might be smaller, but if an attacker is organizing an attack on a lot of smaller utilities in one region at the same time it may have a similar impact.
The challenge for the smaller ones is more that they really don’t have that many IT/OT security resources. Professional MSSPs (Managed Security Service Providers) specialized in OT might be a help to those.

Scott: Thomas, besides the increased cyber security activities associated with the law in Germany, what is happening in Europe? Isn’t there a new EU initiative since last summer?
Thomas: Yes, this is the so-called NIS 2 directive, which is an update of the first version issued in June 2016. It talks about …. I’ll give a couple of key metrics/changes from there.

Scott: How will this directive be enforced or how will utilities be motivated to improve their cybersecurity?
Thomas: It varies from country to country. In Germany, for example, the BSI Agency (explain) outlined rules for testing critical infrastructure providers on whether they comply with the requirements. This will be done by a certified controller. A list of results will be sent back to the BSI and the company gets a timeline to improve where it is not complying. The BSI is also empowered to have them pay a penalty fee. Providers have to re-certify, being tested on a regular basis. Similar processes are implemented in other countries.
At the European level there is also a discussion about linking the penalty fee to the annual revenue of the companies (similar to the GDPR laws).

Scott: What are your tips for organizations in the power industry to include and implement cyber security initiatives into their digital transformations? Thomas, what tips do you have?
Thomas: In general, the utilities should involve OT experts more during the process of selecting Cyber security solutions. Currently it is quite often the case that those tasks are traditionally given to the (Office) IT people, who don’t have that much experience in the field of OT, and in consequence they select solutions OT can’t work with. This causes projects to fail very often.

Scott: Eugenio, do you have any tips for our listeners?
Eugenio: We talked a lot about regulations in this podcast. Of course, utilities have to be worried about complying with these regulatory standards, but a tip is to look at it from a different perspective. Instead of starting from the regulations, they should be thinking about best practices and be open to new technology. Regulations are always behind and will be constantly evolving and changing. For a utility that is just trying to do the minimum to comply, the process will end up being very costly. By following best practices instead, they will be on top of the game and be compliant at the same time. Get involved with organizations such as the IEEE PSCC Committee and share experiences with the industry.
I want also to second what Thomas mentioned about the involvement of the OT engineers in the definition of the solutions to be adopted.

Scott: What is OMICRON doing to help organizations in the power industry improve cyber security around the world?
Thomas: Our cyber security portfolio (StationGuard) had already been developed after a couple of years of research into what specifically is needed in the power industry, which already clearly shows our engagement to improve cyber resilience specifically for that industry. We are also participating in various communities like EE-ISAC (explain) or ACS (explain) to share our experience, but also to learn from customers to optimize our solution. Besides that, we offer consulting and training services to help our customers in designing cyber-secure architectures and also educate them, which ultimately improves their capabilities to stand against the increasing number of attacks tailored for the power industry.

Scott: Eugenio – do you have anything to add?
Eugenio: Thomas has already mentioned how we support cybersecurity in substations with our tailor-made IDS. I also wanted to mention some other ways we support it.

We discussed before that test sets are TCAs that are brought to the substation and are seen as an attack vector. We take cybersecurity seriously throughout the development of our software and hardware products. An example is our MBX and RBX hardware platforms, where we have implemented many cyber security measures to support requirements like system hardening, authenticated firmware updates and disk encryption. These test sets also provide an isolation of the Windows PC from the OT network.

We also support our customers in their process of identifying and clarifying risks imposed by the test sets, as well as by having an established process to handle and disclose product security vulnerabilities. This is handled by a dedicated product security team at OMICRON.

Scott: Thomas, where can our listeners get more information about these available solutions?
Thomas: First, they can go to the OMICRON website or direct to, where they can find a lot of additional materials as well as kind of small “training videos”, or they may want to engage directly with our experts around the globe (we have +25 OE offices and we are present in +130 countries). In addition to that, we are regularly conducting webinars and attending fairs and exhibitions.

Scott: Eugenio – Thomas briefly mentioned this, are there any specific OMICRON webinars or online courses you could recommend where our listeners can learn more about cyber security in the power industry?
Eugenio: Yes, we do offer webinars. Go to Training/Webinars on our website. We have a series of webinars and also some co-hosted with our partners. You can filter by recorded webinars.

Scott: Thomas and Eugenio – thank you very much for your insights and sharing your experiences with implementing cyber security in the power industry!
Thomas and Eugenio: Thank you both again!

Scott: And a big thank you to our audience for listening to this episode of Energy Talks!

We would really like to know what you think about our podcast, and which topics you would like to hear more about in the future. Also, if you have questions about a particular episode for our guest experts, please let us know.

To do this, simply send us an email to podcast at omicron energy dot com. We greatly appreciate your questions and feedback.

OMICRON has several years of experience in power system testing and offers you the matching solution for your application. This includes solutions for cyber security, which were discussed in this episode.

For more information, be sure to visit our website at omicron energy dot com. Here you can also find information about upcoming OMICRON Academy webinars and training courses as well as the latest issue of OMICRON Magazine to keep up to date about the latest in power system testing. 

Please join us to listen to the next episode of Energy Talks.  

Good-bye for now everyone!