We live in a time when much of the workforce saw the rise of the internet, and since then, we have continued to learn about the benefits and threats of online connectivity. Prior to the internet and microelectronics, the electric industry saw nearly half a decade of consistency in development and protection. Our workforce became filled with engineers who mastered their trade and gained decades of experience, yet as the end of their careers approaches, a wave of industry advancements such as microgrids, the Internet of Things (IoT), and cloud computing are revolutionizing the industry. As junior engineers enter the workforce, they are eager to design and implement cutting-edge technology. However, the experience of senior engineers does not align with these new technologies or risks.
The old adage of “if it ain't broke, don't fix it” might come to mind. However, the economic and environmental forces won't be ignored. Today we enjoy the luxuries of instant entertainment via Netflix, money transfers via Venmo, and flexible transportation with companies like Uber. None of these industries would be as socially impactful if they had not embraced a revolution of how service is delivered to customers. Each of these industries also experienced the growing pains of mistakes, such as shared accounts, fraudulent money transfers, and the use of “Greyball” software to avoid jurisdiction regulations. Critical infrastructure, such as electricity, has a much greater potential social impact from cybersecurity risks, so what does that mean for the industry?
Energy policies from over a decade ago stressed the importance of leading through innovation, energy, and security. Former President Obama stated that “nations everywhere are racing to develop new ways to produce and use energy, and the nation that wins this competition will be the nation that leads the global economy.” The Department of Energy led this effort for the United States by developing a large budget to strategically advance these initiatives. We have seen growth in renewable energy deployments, modernization of substation protection equipment, integration of smart grid software, deployment of smart metering systems, and massive advancements in communication infrastructure, to name a few industry changes. For many utilities, these changes were implemented faster than workforce skills developed, resulting in some technical gaps.
While attending a recent tradeshow, I spoke with a university professor about courses they are teaching in artificial intelligence, electric vehicles, and power system protection. I wasn’t too surprised to learn that due to the rate at which information is evolving, only power system protection still uses a traditional textbook. The pandemic also accelerated the capabilities of digital learning. Our next generation of engineers has already survived learning how to apply the perfect Instagram filter, how to utilize VPNs to unlock IPTV, and how to avoid doxxing with better cyber hygiene, and they expect connectivity from anywhere.
Cloud computing, virtualization, centralized protection, and artificial intelligence are knocking at our doors with possibilities for more economical and reliable delivery of electricity. This guarantees our industry will be exciting and full of learning opportunities for decades to come. Cybersecurity will be linked with everything we do and will enable acceleration of the adoption of emerging technology if we design purpose-built solutions and remember the consequences that are at stake. The sandbox was many of our original playground and now represents the fully contained environment that we complete tasks in. As we explore trust or the lack thereof, we gain a better understanding of the cyber-physical attack surface.
I like the philosophy of trust but verify. As a society, we are becoming more comfortable with these layers of trust. For example, when you buy a Tesla with full self-driving capability, you must achieve a safety score of 98 before you are allowed to use this feature; when you lose your phone, you might have to wait ten days to reconnect service to avoid SIM-swapping scams; when you transfer money to a financial account, the financial institution might require microdeposit verification. (Beware of scams.) What might this look like for the electric industry? Will we see a waiting period before transient cyber assets can connect to operational technology (OT) networks? Will radio frequency (RF) signatures become another form of hardware integrity checks? Will augmented reality be used to verify authentication techniques? If young hackers are willing to lead phishing attacks, develop malware, utilize botnets, and create credential-stealing fake websites to get Robux (fake money) for a game called Roblox, I believe our primary focus for the next wave of advancements should be cybersecurity-related.
Contribute to the conversation
We want to hear from you. Send us your questions, thoughts on ICS and OT cybersecurity, and ideas for what we should discuss next.
Discover why it’s critical to understand the cybersecurity context that industrial control system (ICS) devices exist within.