The IEC Systems Committee on Smart Energy has published a new Technology Report on best practices for protecting the electric grid against cyber attacks. "Cyber security and resilience guidelines for the smart energy operational environment" is the work of a group of top international experts brought together by the IEC Systems Committee on Smart Energy. Frances Cleveland, who leads the group, presented the report at the recent IEC General Meeting in Shanghai.
The IEC advocates a holistic approach to building cyber resilience, combining best practices with testing and certification. A holistic approach incorporates not only technology and processes, but also and especially people. “People going about their normal operational duties are the biggest threat,” says IEC cyber security expert Frances Cleveland.
“It’s important to realize that even when you have cyber security implemented and training, you still have to worry about the insider and in particular, the disgruntled employee. She or he has knowledge of the company, passwords and critical power system processes.”
The new IEC Technology Report outlines five critical concepts for addressing cyber security. They are: resilience; security by design; the fundamental importance of understanding the difference between information technology (IT) and operational technology (OT); risk assessment, risk mitigation, and continuous update of processes; and the role of international standards.
Protecting our critical infrastructure is essential. Such is our reliance on the efficient and continuous supply of power that any loss of electricity would carry heavy implications for a wide range of vital services. The new IEC report advocates using a risk-based systems approach based on best practices, as well as the ability to demonstrate the effective and efficient implementation of the security measures.
This means combining the right international standards with conformity assessment to assess the components of the system, the competencies of the people designing, operating and maintaining it, and the processes and procedures used to run it. In a world where cyber threats are becoming increasingly common, being able to apply a specific set of international standards combined with a dedicated and worldwide certification programme is a proven and highly effective approach to ensuring long-term cyber resilience.
It may appear as the third concept in the report, but the fundamental advice, which arguably underpins everything else, is that in order to be effective, security measures must encompass both IT and OT — information and operational technologies. Cleveland puts it more succinctly: “Cyber is very tightly intertwined with engineering. They shouldn’t be viewed as separate.”
You can download "Cyber security and resilience guidelines for the smart energy operational environment" here.