PTI Local Government Energy Assurance Guidelines - Metropolitan ...
PTI Local Government Energy Assurance Guidelines - Metropolitan ...
PTI Local Government Energy Assurance Guidelines - Metropolitan ...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Direct Threats<br />
The most obvious cyber security risks to an energy distribution system are those that, if not mitigated, could result<br />
in an inability to meet customers’ demand for energy. For example, threats to electricity generation have recently<br />
been in the headlines, with new details about the Stuxnet virus coming out regularly. The Stuxnet virus was reported<br />
to have an impact on Siemens control systems and process equipment, which are used in some U.S. electricity<br />
generation infrastructure.<br />
In addition to generation capacity, the transmission and distribution system that routes power from the generator<br />
to the users is potentially vulnerable to cyber attack. Misrouting of power, spoofed reports of power problems, and<br />
other malicious attacks could result in inducing power outages where the system was actually performing properly.<br />
In a worst-case scenario, such an event could trigger a cascading failure where one outage results in a power surge<br />
that triggers a larger outage.<br />
Finally, outages can be triggered directly at customer facilities. In some instances, these outages may be triggered<br />
if vulnerabilities in remote management tools are exploited. This is worth additional consideration in areas where<br />
smart grid technologies are being rolled out. Some early metering technologies have demonstrated vulnerabilities to<br />
computer viruses. While significant resources are being directed to mitigating these direct threats, the possibility of<br />
an outage being triggered at one or more customer facilities due to a cyber security weakness exists, and each direct<br />
threat is worthy of consideration as part of the energy assurance planning process.<br />
Ancillary Threats<br />
While not as immediate in their impacts as the direct threats, ancillary threats are of critical concern. Examples of<br />
ancillary threats include data breaches whereby unauthorized users gain access to personal or other confidential<br />
information, which may include billing and account information or even meter data. Protecting all of these types of<br />
data is essential for maintaining customer confidence in the power distribution system. In recent years, several States<br />
have devised stringent requirements for protecting customer information and for providing notifications of security<br />
breaches.<br />
Mitigating Cyber Security Threats<br />
There are a number of protocols and techniques for mitigating cyber security threats that may be appropriate to adopt<br />
and address in an EAP, many of which are already common in the information technology industry. The first step is<br />
to understand the vulnerabilities. In many cases it may be possible to develop a better understanding of the specific<br />
vulnerabilities a community faces through dialogue with the local energy service provider.<br />
Once threats are identified, some common methods of mitigating them include:<br />
■ ■ Instituting access control policies: Restricting access to key terminals, files, and networks to individuals who<br />
have the training and the need to work with those resources.<br />
■ ■ Adopting security protocols: In some cases, failure to use industry-standard antivirus software and failure to<br />
install security patches and upgrades have resulted in severe consequences.<br />
■ ■ Monitoring systems: Constant monitoring of system usage and assessing abnormal usage patterns on<br />
systems can help identify vulnerabilities and attacks before major problems occur.<br />
<strong>Local</strong> <strong>Government</strong> <strong>Energy</strong> <strong>Assurance</strong> <strong>Guidelines</strong> – Version 2.0 | 27