The Building Blocks of Power Sector Security for Utilities Across the Globe
Cyberattacks on the power sector can impact utilities everywhere—with consequences that range from the cost of ransomware to damaged physical assets that come with the price of repair or replacement. But luckily, there are many guides, standards, and frameworks that can help power-sector organizations improve their cybersecurity, including one approach called the Power Sector Cybersecurity Building Blocks.
To help electric utilities better understand what a full cybersecurity program looks like, the National Renewable Energy Laboratory (NREL) partnered with the U.S. Agency for International Development (USAID) in support of the Resilient Energy Platform, providing assistance to a variety of stakeholders to improve security for the electrical grid. The project grew out of USAID and NREL’s discussions with utilities around the world, as well as past cybersecurity assessments performed by NREL on dozens of utilities and government agencies, with a focus on cybersecurity challenges faced by small and under-resourced utilities.
“Our goal with the building blocks project was to provide accessible guidance to small and under-resourced utilities, specifically those in the Caribbean,” said Maurice Martin, senior cybersecurity researcher at NREL. “We had already done some work looking at cybersecurity challenges faced by smaller utilities in the United States, going all the way back to 2017. This was a chance to build on that work to address the needs of others by partnering with USAID.”
As part of the building blocks project, the USAID-NREL team held an ongoing webinar series, now being led by Deloitte, with the Caribbean Electric Utility Services Corporation (CARILEC). The series offers a deep dive into the many issues utilities face when building a balanced cybersecurity plan to thwart attacks, minimize impacts, and recover quickly after an incident. The series with Caribbean partners launched in June 2020 and has resulted in expanded stakeholder engagement throughout the region, as well as worldwide viewership. Because the basic principles of the USAID-NREL building blocks framework can be applied anywhere, the global reach and impact of the series provide utilities across the globe with decision-making tools to significantly improve organizational cybersecurity.
Part of the webinar’s success can be attributed to the strong level of trust built between the USAID-NREL team and the local stakeholder network in the Caribbean.
“Communities aren’t going to just open their doors to outside perspectives and share information on their own cybersecurity challenges without having that trust and established recognition as an expert and partner,” said Tami Reynolds, NREL cybersecurity project lead. “Through expanded regional participation—and inviting local experts to join as speakers—we were able to really make the information relatable to viewers and earn their trust.”
Common security challenges for Caribbean utilities include having the staff and resources to support a robust cyber program and to handle incidents like ransomware attacks, which are occurring more frequently for small utilities.
The topics covered by the series focused on various aspects of the building blocks framework, such as organizational security policy, governance, awareness training, and incident response. As outlined in a report on the project, the idea behind the building blocks framework is that each “block” defines a cluster of related activities within a balanced cybersecurity program, with references and resources for each area. Because the building blocks correspond to activities, staff time and resources must be allocated to them, just like time and resources would be allocated to noncyber activities, such as accounting. The guidance is designed to support a variety of stakeholders that demonstrate various levels of cybersecurity maturity.
“NREL brings a comprehensive yet simplified framework to power utilities for implementing and maturing cybersecurity,” said Edward Millington, managing director of CariSec Global Inc., a Caribbean-based company that provides cybersecurity and information technology services and consulting. “NREL’s framework will help power utilities build risk-based information security programs, reduce attack surfaces, and improve awareness of cyber threat activities. NREL also understands how to bridge the cultural and social gap in the delivery of its message through regional collaboration with cybersecurity experts. We are therefore happy to have worked with NREL and look forward to future opportunities on such projects.”
In addition to the series, NREL provided technical assistance to partners in the Caribbean, including access to cybersecurity assessment tools and developing road maps to success.
Having achieved global viewership, the USAID-NREL partnership will continue with follow-on work, first by presenting the building blocks framework to power sector organizations in India. The team hopes to see even more opportunities for continued work, through webinars, assessments, and technical support that can help other utilities build robust, balanced programs in cybersecurity.
Learn more about the USAID-NREL Power Sector Cybersecurity Building Blocks project, and register for the upcoming Caribbean Energy Sector Cybersecurity Forum, which will be held virtually on May 10–11, 2022. The forum will feature a virtual booth for the USAID-NREL partnership and an NREL-hosted panel. The event is open to anyone who would like to join.