Protecting Digital Substations from Cyber Threats: Exclusive Interview with Armando Temporal of CHESF
- March 7, 2019
Companhia Hidroeletrica do Sao Francisco (CHESF) is a hydroelectric power producer in Brazil that serves several cities in the northeast of the country. An electrical engineer with CHESF, Armando Temporal, is set to present at this month's SGTech conference, specifically on his work on cyber security at digital substations and how to protect against such attacks.
As Armando prepares to deliver his presentation, titled "Digital Substation Security: Implementing effective cyber-security solutions into digital substation systems that are effectively integrated into legacy infrastructures and enable the constant monitoring of all critical substation devices," he was kind enough to carve out some time to discuss with Energy Central the topic of cybersecurity and the ever-present nature of digital threats to utilities.
Matt Chester: Thank you so much for sharing with me and our readers a preview of your presentation. At SGTech, you're going to be covering cyber security initiatives, specifically identifying and closing vulnerabilities that open utilities and the grid as a whole to risks. Can you tell me a bit about what the common vulnerabilities are out there today that are putting the grid at risk-- ones that may be discussed more often and any that are less known and flying under the radar?
Armando Temporal: We can look for vulnerabilities among four main asset types: technology, processes, physical environment, and human resource. The most important thing to do first is to identify them, so you can act. Some actions to be performed are low-cost but need sponsorship and hard work, as a cultural change. Usually, people are aware of the subject of security and agree to spend an amount of money on security technology, but they lack actually changing behavior. The growth of IoT (Internet of Things) and such connected devices suggests increasing complexity to the grid and a grade of uncertainty.
MC: Overall, how would you grade the world's electric grids on being adequately prepared for cyber security? Are they passing but with low marks or are they actually failing?
AT: There are two things the grid needs to deal with: legacy systems and who pays for the investment on the grid to be updated. The growth of renewable technology is an opportunity to have new connected devices to be protected, but it is not easy to replace older ones. The technology available is always on track of what is being explored from weak points, and I think the grid is in a middle position in terms of security preparedness.
MC: Regarding closing up the relevant cyber vulnerabilities on the grid, how would you say responsibility lies among different stakeholders? What falls under the purview of the government vs. the utility companies vs. other relevant entities?
AT: There is a shared responsibility on cyber security. The government is responsible for industry regulation and governance, enforcing the combat against cyber crime, with the commitment to be responsible and transparent. Government needs to be seen as a confident partner.
Utility companies must have a compliance policy, invest in tools and technology, implement controls to reduce risk, monitor environment and audit systems. They also need an incident response plan and transparency for the public. It's better to be proactive than reactive.
The community needs to be aware of government actions for the balance of security and privacy, demand transparency from the companies, and contribute in discussions of the subject in the interest of the whole society.
MC: One of the difficulties you're going to be discussing in your presentation is less technical-- the human part of the challenge. How does human behavior impact the overall issues related to grid security? Are there parts of the equation that cannot be automated or replaced with AI, so the human element presents unavoidable challenges?
AT: Human behavior plays an important role for security. One can have advanced technology systems and state-of-the-art devices, but if someone shares a password then everything can be bypassed. Some procedures must be followed by workers, and it represents quite the comfort zone. Clearing a room after a meeting and removing classified documents from the tabletop are examples. It is an educational process. Step by step, technology and AI can replace some issues (a password can be replaced by biometric authentication), but legacy systems need time to be replaced.
MC: Of these human behavior challenges you mention, how do we address them? Are the solutions to human behavior easier or more difficult to address than the technological challenges?
AT: Security must be discussed under the strategic board, and not limited to ITC level. IT governance is crucial, but it is not only a question of high-tech solutions. Communication and education are very important, and it is difficult for IT departments to address those issues alone.
One way is to have the role of a Security Officer at the company, and this role can be viewed as an auditor from the strategic board. Initiatives to deal with security must be sponsored and well-supported from the organizational perspective.
MC: Pulling back to big picture, are there any common misconceptions about cyber security threats to the grid that need clearing up?
AT: I can point to one main misconception I consider of high importance: cyber security threats are not always external, and maybe most of them actually originate internally from a company individual-- whether intentionally or unintentionally. While outsider threats are extensively monitored, insider threats are harder to detect, as workers need access to internal systems with sensitive information. Once the user assumes the IT department has the best tools against the threats, one can compromise a network system even with its own smart or wearable device.
MC: If you could leave those reading this interview with one final thought, whether an important aspect of cyber security that you don't get to discuss enough or something to look forward to in your SGTech presentation, what would it be?
AT: I would say each person reading should simply ask themselves: What are my individual responsibilities, as a worker or even as a citizen, regarding the whole of cyber security?
Interviewer's Note: Armando will be discussing these issues and more during his presentation at SGTech Europe 2019, taking place in Amsterdam from March 26 to March 28. As mentioned, this presentation is titled "Digital Substation Security: Implementing effective cyber-security solutions into digital substation systems that are effectively integrated into legacy infrastructures and enable the constant monitoring of all critical substation devices."