Before the smartphone, telephones and the telecom business were all about landlines and wires. Despite decades of investment in wire-based business plans, digital technology changed everything within a few years. The core value proposition of telephone companies went from connecting landline to landline calls securely and cost effectively, to delivering secure data on demand to a flood of consumer devices.
A similar revolution is happening in the energy industry. It is affecting everything from charging your car at home to managing intermittent energy sources like wind power to municipal smart meters and commercial energy batteries in office buildings. Each of these innovations call for more sophisticated digital controls. That means that if we want the kind of future sci-fi fans can geek out about, utility companies need to reinvent – and secure – the entire energy ecosystem.
“There are two mega trends that are driving the transformation in the energy industry. The first is digitalization, and the second are the changes in power production and distribution.” That’s according to Leo Simonovich, who leads industrial cybersecurity Siemens Energy, Inc. —a company that has devoted considerable effort to protecting the infrastructure needed to deliver the coming changes.
How megatrends are driving a seismic digital shift in the energy industry
Utilities are using digital tools to shift decades-old business models towards optimization along the entire energy value chain. They are bringing more renewables online, digitally connecting old and new energy assets, and enabling remote operations so that the electric grid functions with internet-like speed, communication and interconnectivity – and less like electrons moving down a one-way street from power plant to consumer.
When we spoke with Simonovich, he wasn’t sugar-coating the magnitude of this shift: some things are going to have to change, and utilities will have to focus on cybersecurity like never before, or risk losing their competitive advantage and customers.
The challenge utilities face is existential in many ways. The grid, and the utility industry responsible for its security, was designed for the old ecosystem where power plants just pushed electrons to its customers. Households, municipalities, and businesses that used to passively consume electricity now interact with grid-edge technologies in more complex relationship. In this model, customers become engaged producers – or prosumers – and a utility’s role is less about providing power and more about safeguarding the networked ecosystem that moves power from where it’s available to where it’s needed.
Why cybersecurity will become the foundation for utilities
While each new technology brings tremendous opportunities for positive change—economic, environmental, and otherwise - each also opens a new potential weakness in the grid’s security. It’s a fact of physics that changes in the grid move as fast as lightning. If operators don’t intervene correctly, a single failure can cascade across the grid. With nearly all energy assets interconnected today, a cyberattack on any piece of the energy industry’s vast infrastructure is an attack on the whole, and that attack surface is growing—rapidly. And this is taking place in a world of flourishing cyber-crime and nation-state-backed bad actors who intentionally target critical infrastructure.
That’s why cybersecurity can no longer be viewed as just a cost of ensuring the flow of electrons from the power plant to consumers. Now it is the foundation that upholds the entire energy ecosystem, and utilities will have to make cybersecurity a core of their business model in order to protect everything touching the grid.
“Utilities will compete on security,” Simonovich said. “They will need to demonstrate that they’ve reduced risk and kept consumers safe. It will need to be measurable, and it will need to be traceable. In other words, cybersecurity now must be viewed as part of any offering that utilities will provide to their customers,” he continued. “It needs to be reflected in the pricing methods.”
How new solutions are turning cybersecurity into a business model for utilities
So how does a utility begin to place cybersecurity at the core of its business while implementing new defenses to protect ever-increasing attack surfaces?
“At its most basic level, utilities are incapable of defending what they can’t see,” said Simonovich. Cybersecurity strategies begins with context and visibility into their operating environment, and can now use an expanding set of tools to monitor that information and get ahead of attackers.
By analogy, visibility is pointing a camera at your front gate, and context is the information you need to understand who’s coming through, when, and why. Both are needed. Visibility ensures cybersecurity teams can see what’s happening across every digitally connected node in the ecosystem. Context provides security professionals with an understanding of a grid’s normal operating environment, so they can better detect anomalies.
But making sense of all this raw intelligence gathered from across the grid remains a core challenge. To truly secure the grid, cyber experts need to analyze and de-code vast amounts of data generated every minute from two sources that were never designed to be looked together. Security professionals need context and visibility into both a company’s information technology (IT) systems and from its physical equipment (collectively known as OT or operating technologies).
Simonovich’s group at Siemens Energy came up with a methodology called Process Security Analytics that helps unify IT and OT data into a unified threat stream by creating a common language between digital and physical assets. Because the grid can be manipulated by both IT and OT commands, “a key stroke on a computer is as powerful as pulling a lever or altering a valve on a physical machine – and vice versa,” explained Simonovich.
Understanding the relationship between physical and digital assets when either one is given a command is “the only way for utilities to know how this new energy system is being manipulated by attackers,” explained Simonovich. With a unified IT and OT threat stream, utilities also gain the opportunity to unleash a powerful new cybersecurity tool: artificial intelligence.
A new security business model built around AI and machine learning
Siemens’ Process Security Analytics presents a breakthrough in applying artificial intelligence (AI) and machine learning to help the utility industry tackle two of its greatest challenges – managing, detecting and responding to threats in real-time and security for edge assets.
With a unified IT and OT threat stream, utilities can now feed data from across the grid into a centralized and standardized format to quickly prioritize alerts and begin appropriate response activities for a range of threat scenarios. These potential threats can be hundreds of miles from one another and seemingly have no correlation, so in this new ecosystem, only the utility will be capable of detecting and acting on these threats. Unified data streams also enable “digital twin” technology that helps analysts understand how the system typically operates to how it’s operating in reality.
“That’s why at Siemens, we’ve created a managed detection response offering to not just provide a full picture of an ever-evolving OT threat landscape, but also a solution that uses AI to create a digital twin. This gives utilities the ability to compare any real-time abnormalities they detect against a digital replica of the system performing correctly,” Simonovich added.
The ability to bring together OT and IT information with artificial intelligence also unlocks the potential to deploy AI analysis in relatively isolated systems. Siemens recent partnership with the AI company SparkCognition lets companies put AI defenders on the spot to secure both aging and edge assets—like meters in the home, pumping stations in a pipeline, or car charging stations on the road. It leapfrogs conventional methods because it’s often impossible to have humans patch or constantly monitor these assets.
Machine learning trained to recognize normal operations can monitor continuously and intervene when anomalies occur – even at sites usually disconnected from internet access. Unlike conventional defenses, AI-based systems predict the outcome of commands, making them effective even if novel threats crop up. That potency will be critical to defending systems with long periods between security updates. “The whole aim is to bring edge assets to a baseline level of security using artificial intelligence—even if they're isolated,” Simonovich said.
The time is ripe for utilities to step out of their comfort zone and into the future
Energy companies are risk averse by necessity. It’s a safety and reliability business, so leaders may be skeptical of AI solutions. But with the combined pressures of the digital revolution, high stakes, and fast-moving consequences attacks, utilities are being forced out of their comfort zones.
Securing the new energy landscape will be the most important challenge facing utilities in the coming years. But there are reasons to be confident. Historically, the electricity sector does a good job of re-inventing itself new technologies and business models arise – today is no different. In the past, utilities competed on safety and reliability, and now must compete on security too.
Today, utilities are increasingly able to arm themselves with an expanding toolkit for visibility, monitoring to proactively defend against the grid’s entire operating environment. This wasn’t the case only a few years ago. If the industry can embrace cybersecurity as its core function, it will both realize new business possibilities and a secure energy future.
Learn more about a new vision for cybersecurity by visiting Siemens Energy.
This story was produced by WIRED Brand Lab for Siemens.
