NOVEMBER 20248IN MY OPINIONBy Julian Kaufmann, Senior Vice President, CAMSTHE GROWING DIGITAL VULNERABILITIES OF THE POWER GENERATION SECTORIntroductionDigitalization and the internet of things (IoT) have increased productivity and improved energy companies' safety and environmental performance, particularly in the power generation sector. (While in college, I worked at a municipal utility that convert edits power plant's pneumatic controls to digital versions. I now am a dinosaur, or at least I am old enough to have seen them roam the earth). Today's power plants are controlled by complex digital systems that monitor and adjust using algorithms and predictive routines. More of our electricity is generated by large solar and wind farms, often not supported by on-site personnel.Meanwhile, as a society, we crucially depend on a reliable electric system. With this dependency, we have become vulnerable to any disturbances in the availability of electric power supply. As we rely more on the electric grid, the power plants that anchor the critical network have increasingly come under attack by bad actors seeking to wreak havoc and extort payments in exchange for returning the affected plant to service. While the importance of our electrical grid has increased, the nature of cyber-attacks has become less sophisticated, less costly to perpetrate, all the while seeking to exploit larger attack surfaces. In response to this situation, the Department of Energy asked Congress for a $201 million budget request to address digital vulnerabilities after multiple cyber-attacks this year. A Tale of Two Networks and Renewable Generation RisksThe two types of networks that support today's power plants are classified as either business or operations. Business networks are networks where everyday productivity and collaboration applications run ­your MS Office, email, internet, etc. These networks are directly connected to the external environment ­ the world wide web. On the other hand, operations networks are internal networks where control systems, for example, those that directly affect the power plant, are managed and run. Ideally, these two systems should be "air-gaped," meaning there are no physical connections between the two. This separation is designed to ensure that any malware or bad actors on the business network can't worm-hole their way into the critical control networks. While these two systems are distinct, they both utilize digital networks and are both vulnerable to attack. Why Bad Actors AttackThe following are some of the reasons and motivations behind attempts to attack our electric grid:State-Sponsored Terrorism ­ Anti-American nations seek to attack the power grid to debilitate the U.S. economy. In our electrically dependent world, any widespread and prolonged power outage would create catastrophic damage ­ to lives and our economy. Given the international attackers' location, and time difference to the U.S., these attackers are often wide Julian Kaufmann
< Page 7 | Page 9 >