It’s not easy to protect something you don’t know you have. And yet, many power utilities have been attempting to do just that for years.

The fact is, it’s not unusual for utilities to be unaware of potential risks to their generation, transmission and distribution networks. Old systems that have been deactivated, for example, might still reside on a network and be vulnerable to exploitation.

Unidentified traffic, from sources ranging from disgruntled employees to nation-states, may be lurking, looking for opportunities to take control of and wreak havoc on the grid.

What utilities don’t know about their networks, in other words, can hurt them. That’s why the key to effective cybersecurity planning is visibility.

Visibility means knowing what is normally present on a network so you can recognize when an anomaly occurs. Once a utility takes a deep dive to identify its assets and the traffic that should be accessing them, it becomes easier to design cybersecurity measures that help protect, detect and respond to weaknesses and threats.
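As an added illustration (not part of the original article), the sketch below compares observed network flows against an asset inventory and a baseline of expected traffic, flagging hosts missing from the inventory, deactivated systems that are still communicating, and unexpected flows between known assets. The addresses, asset names, ports and function names are constructed assumptions.

```python
# Constructed sample data: asset names, addresses and ports are illustrative assumptions.
INVENTORY = {
    "10.10.1.5": {"name": "scada-hmi-01", "status": "active"},
    "10.10.1.20": {"name": "rtu-substation-a", "status": "active"},
    "10.10.1.40": {"name": "historian-old", "status": "decommissioned"},
}
# Baseline of traffic that should be present: (source, destination, destination port).
BASELINE = {
    ("10.10.1.5", "10.10.1.20", 20000),  # HMI polling the RTU over DNP3
}
# Constructed flow records, as a network sensor or flow collector might report them.
OBSERVED = [
    ("10.10.1.5", "10.10.1.20", 20000),   # matches the baseline
    ("10.10.1.40", "10.10.1.20", 20000),  # deactivated system still on the network
    ("10.10.1.99", "10.10.1.20", 502),    # source is not in the inventory at all
    ("10.10.1.5", "10.10.1.20", 22),      # known assets, but not an expected service
]

def classify_flow(flow, inventory, baseline):
    """Return a list of findings for one flow; an empty list means it is expected."""
    src, dst, _port = flow
    findings = []
    for ip in (src, dst):
        asset = inventory.get(ip)
        if asset is None:
            findings.append(f"unknown-asset:{ip}")
        elif asset["status"] != "active":
            findings.append(f"decommissioned-asset:{ip}")
    # Only judge the flow itself once both endpoints are known, active assets.
    if not findings and flow not in baseline:
        findings.append("unexpected-flow")
    return findings

def review(observed, inventory, baseline):
    """Map each anomalous flow to its findings; expected flows are omitted."""
    report = {}
    for flow in observed:
        findings = classify_flow(flow, inventory, baseline)
        if findings:
            report[flow] = findings
    return report

if __name__ == "__main__":
    for flow, findings in review(OBSERVED, INVENTORY, BASELINE).items():
        print(flow, "->", ", ".join(findings))
```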

A Two-Pronged Approach

To be effective, a power utility’s security measures should include both vulnerability assessment and monitoring tools, each of which plays a distinct role in minimizing the risk of a breach.

Vulnerability assessments shine a light onto potential problems in a network or device at a specific moment in time. These assessments can take two forms. Most common are passive vulnerability assessments, paper-based tests that analyze how a system is configured and review its outputs against benchmarks.

Active vulnerability assessments involve sophisticated software that scans a device or network, looking for weaknesses that could result in a security breach. Active vulnerability assessments carry more risk than passive ones because they have the potential to negatively impact a system. But they also provide a broader picture of system vulnerability.

Because conditions constantly change, it takes more than a periodic vulnerability assessment to protect the grid. It also requires continuous monitoring of system behavior, so a utility can be alerted if an abnormality occurs.

Security information and event management (SIEM) software provides real-time insights into who is on a network and what they are doing. Intrusion prevention systems (IPS) complement SIEM by monitoring network or system activities, looking for patterns of behavior or anomalies that suggest malicious intent.

Deciding which of these security tools to implement depends on the device or network’s criticality to the grid and the potential risks it poses. That’s why asset identification is the first step toward cybersecurity.

John Biasi is a solution architect in the Governance, Risk, Cybersecurity and Compliance Group at Burns & McDonnell. He is also an adjunct professor at the Oklahoma State University Institute of Technology. His primary focus is on protecting critical infrastructure through risk management in the context of cybersecurity and regulatory compliance. He has extensive experience directing a broad range of IT security initiatives in planning, analysis and implementation of solutions, and he has hands-on experience leading all aspects of network design on high-profile projects. He is an active participant in the NERC Security Integration and Technology Enablement Subcommittee (SITES), Smart Electric Power Alliance (SEPA) and the Utilities Technology Council (UTC), focusing on grid modernization cybersecurity and compliance. John has a bachelor's degree in information technology and a Master of Business Administration in cybersecurity management from Excelsior University.