It is exactly three years since the notorious attack on Ukraine's power grid. It was unprecedented, highly sophisticated and sent shockwaves around the international community. Now, as the grid edge becomes more dynamic and the data layer grows, cyber security is in the spotlight once again. We discussed the complexity and cost of cyber security with Roberto Bayetti, Director of Information Security, QA, Model Management and IT Architecture at California ISO.
"We normally have been talking about N Minus One...but with cyber security it could be N Minus Three or N Minus Seven. There could be multiple attacks on the system," says Bayetti.
The problem, as Bayetti points out, is that the expense of N Minus Three is prohibitive (and N Minus Seven unthinkable), so the focus must be on prevention.
According to Bayetti, we are in a "cyber war", yet it's not the individual hackers that keep Bayetti up at night. "What I'm really afraid of is nations."
Proof of concept was the attack on Ukraine.
"They demonstrated it could happen. I want to ensure that we rethink the model."
The rapid cost reduction in sensors and the sheer quantity added to the network creates a potential vulnerability in the grid. "It's unavoidable that we will have more sensors, more equipment, more links and more data exchanges."
"What we are now looking at alot is when our providers send us code, or new information, or updates, we need to look at where the data originates, in transit, and all the way to implementation in our system. It needs to be considered from end to end."
In the IT world, the 'white hat' movement helped harness positive actors. Can that approach be adopted for critical infrastructure?
"We definitely need to exchange the information," Bayetti says, but not to share it outside the industry quite yet.
"What we're trying to do in the US is have an exchange of information that is between the users - one DSO to another, one TSO to another - with Homeland Security or the FBI".
Cyber security costs
As an industry, it could be argued, we don't know half of the complexity that's coming and utilities are trying to get on the front foot. "When we started, we had one guy who was installing antivirus. That was cyber security."
Now, there are 10 in Bayetti's team, with costs of around 15 million dollars per year.
"There are some [utilities] in the US saying they are spending $110 million per year on cyber security," he says.
"As a minimum you need to invest $20 million USD per year," Bayetti concludes.