Independent energy expert and assurance provider DNV very recently published the “DNV Recommended Practice DNV-RP-0575” containing new guidelines for power system companies planning to improve the cyber security of protection devices and digital technologies. In this backdrop, T&D India got in touch with Trond Solberg, Managing Director, Cyber Security, DNV, to gain insights on the subject of cyber attacks on power grids. Trond asserts that cyber security vulnerabilities will always exist, and it is therefore of paramount importance that grid operators continually work to know what their risk picture looks like. An interview by Venugopal Pillai.
Let us start with a basic question: what could be the far-reaching consequences of a cyber-attack on a power grid, in general?
Such attacks carry the potential of shutting power down for thousands of people, even entire cities, or regions. We have seen this before, during the attack on Ukraine in 2015, and this is something that all states and power networks currently need to be prepared for.
“It is important that power T&D system companies continually work to ensure they know what their risk picture looks like.”
The world is moving to digitalization of the grid. Can we presume that cyber-attacks will always be an inherent threat to the digitalized power grid?
Yes, there will always be cyber security vulnerabilities and risks, no matter how hard we try to protect everything. And if an attack surface is present, there will unfortunately also be cyber criminals to challenge it.
With this in mind, it is important that transmission and distribution system companies continually work to ensure they know what their risk picture looks like. By doing this, it gives them the best chance of eliminating the most severe vulnerabilities to cyber-attacks and prepare properly for the rest. Awareness is key to making informed decisions. We always advise companies to seek professional help with establishing their risk picture.
DNV recently released its “DNV Recommended Practice DNV-RP-0575” to provide guidelines for grid cybersecurity. What was the rationale behind releasing this guide?
Threats to the cyber security of power grid substations are becoming more common, complex and creative. However, there is a lack of best practice guidance on how operators, manufacturers and regulatory authorities can build an effective force of defence. DNV’s new Recommended Practice helps to fill that gap.
Working in partnership with national transmission system operators in Norway, Sweden and Finland, we have outlined 45 practical measures to secure power grid protection devices. We hope to expand this scope in the near future, so that it also covers other parts of the power grid.
“This Recommended Practice started out as a joint R&D project between DNV and the Nordic TSOs.”
Please discuss the role of DNV’s partners to the aforementioned document. We understand that Nordic power grid operators were partners in the study.
In collaboration with industry partners around the world and in many different industries, DNV often facilities, develops and publishes recommended practices, outlining best practice guidelines for technical operations for the benefit of industry at large.
Together, we developed the Recommended Practice, wherein security controls were identified that could have an impact on the security of the protection devices.
To make it easier for the reader to know where to start, it was decided that the measures should be divided by complexity, from cheap and fast controls to the expensive and time-consuming. This will make it possible for all stakeholders in the power grid sector to raise the security of their power grid.
We learn that by 2019, half of the world’s grid operators had experienced a cyber-attack. Please elaborate. What was the broad geographical distribution of these attacks? Did developed nations sustain most of these attacks?
This kind of attack can be used as a political tool, where an attack on the power grid is used when diplomacy fails, but where it’s not yet an armed conflict. The consequences of such attack can be very serious, and with the resources of a nation-state, it will be hard for any grid owner to completely fend it off.
DNV spoke about a major attack on Ukraine’s substations in 2015. What were the immediate consequences? Has Ukraine taken grid cyber-security seriously in the aftermath of the attack? Did DNV offer its services to Ukraine post the attack?
In this then-unprecedented hack, the attackers successfully opened/tripped the breakers via the protection system, which led to a power outage for 230,000 people for 6 hours.
The investigations of the Ukraine attack showed that the power distribution centers that were attacked, had many best practice security measures in place such as well segmented networks. But this was a highly sophisticated attack, planned and carried out over time. Sometimes, even if you are well prepared, if the attacker has enough resources, they are likely to find a way in. Plans for incident response and disaster recovery will determine the final consequences of the attack.
“DNV has cyber experts on all aspects of power grids, spread across the world, from India, to the Netherlands, Norway and the US.”
What is your immediate view on grid security in India, and the subcontinent’s vulnerability to cyberattacks?
Resilience is the key factor. The more resilient an organization can be, the more likely it is that it will be able to handle a serious attack on the grid. Resilience means both being prepared in terms of having measures in place limiting the damage of the attack, but also having plans for incident response and disaster recovery, such that many decisions are already taken, and many cases have been exercised before the moment of crisis.
Please summarize the services offered by DNV in the field of cyber security of power grids. What is DNV’s current involvement with India (in the field of grid cyber security)?
We have cyber experts on all aspects of power grids, spread across the world, from India, to the Netherlands, Norway and the US. DNV has approximately 350 offices in more than 100 countries. Out of the nearly 12,000 people working in DNV, more than 250 work with cyber security in some way.
[To learn more on DNV’s services in cyber security, click here.]
DNV combines specialist knowledge of the power industry with deep engineering expertise and security best practice to keep projects and operations confidently cyber secure.
Our services to the power industry include testing compliance to utility standards, supporting next-generation grid operations and digital substation developments, penetration testing, and security assessment for critical infrastructure, industrial-security strategy developments and certifications.
What has been the early response to DNV-RP-0575? What are your expectations from DNV-RP-0575?
The work has also highlighted the importance of having a shared language when talking about security. It is hard to cooperate and learn from each other if we do not share some common understandings, and this kind of RP helps in creating such common ground.
This RP hopefully also shows that security efforts do not have to be complex and expensive to make a big impact, as security work can often feel overwhelming. If everyone started with such small, quick changes, we would see great improvement in cyber security in general, without thousands of hours and dollars having to be spent
How do you see DNV’s engagement with global grid operators deepening over time, as power grids get increasingly digitalized, complex, and therefore vulnerable to cyber threats?
It is important for operators of all sizes to understand the need for cyber security expertise, and that no one can handle this alone. We see expert help in the early stages of security work as the best investment possible.
Beyond providing cyber security advisory services to the grid sector, DNV will move in the direction of advanced services for security monitoring and response, as well as automated and AI-learning security to cope with an increasingly fast-moving security picture. This will be part of DNV’s offering to grid operators going forward.
