Authors: James Fenstermaker, GDS Associates & Darrell Rinehart, CI-Discern
One notable example of cybersecurity by design comes from a large investor-owned utility that partnered with CI-Discern to develop a cyber-enabled substation automation system modeled in their lab. While not a full digital twin, this system provided a safe yet highly representative environment for evaluating cybersecurity measures. The utility was able to test both brownfield and greenfield deployments of substation automation systems, assessing the impact of virtualization, networking, and cybersecurity enhancements on production systems.
“In one specific case, the utility identified issues with vendor equipment operating on redundant network rails,” explained Darrell Rinehart, Manager of Vulnerability Management Consulting at CI-Discern. “By leveraging the offline system, the utility worked closely with the vendor to troubleshoot and resolve firmware bugs, ultimately improving the reliability and security of the technology stack. This proactive approach highlights the importance of integrating cybersecurity into utility planning and operations from the ground up.”
Similarly, GDS Associates conducted a comprehensive risk assessment for an electric utility, evaluating vulnerabilities across IT, operational technology (OT), and physical security systems. Using the Cyber Security Evaluation Tool (CSET) developed by the Department of Homeland Security (DHS), GDS assessed the utility’s security posture and determined its Security Assurance Level (SAL). This process involved benchmarking the organization’s risk posture against 277 controls across 18 categories, including system integrity, risk assessment, incident response, and personnel security.
“Through this assessment, we were able to identify the organization’s strengths and weaknesses, as well as provide actionable recommendations to improve their cybersecurity posture,” said James Fenstermaker, Project Manager for NERC CIP Compliance at GDS Associates. “The findings not only helped the utility address immediate vulnerabilities but also laid the groundwork for a more resilient and secure infrastructure moving forward.”
The integration of cybersecurity into utility planning and operations is a cornerstone of building cyber resiliency. Utilities must prioritize cybersecurity as a fundamental aspect of their infrastructure, rather than treating it as an afterthought. This requires a shift in mindset, where cybersecurity is embedded into the design and implementation of systems from the outset.
For example, separating the control plane and data plane within utility networks is a critical step toward enhancing security. Historically, legacy equipment has posed challenges for segmentation, often lacking the necessary controls for identity and access management (IAM). However, newer equipment and advanced network capabilities enable utilities to implement zero-trust initiatives, protect management interfaces, and extend cybersecurity controls into field networks without compromising operations. These measures reduce the attack surface and improve the overall resiliency of the power grid.
Based on their extensive experience, CI-Discern and GDS Associates offer the following recommendations for utility providers seeking to enhance their cyber resiliency:
A comprehensive asset management and inventory system is the foundation of a robust cybersecurity program. Utilities must identify and classify critical assets to understand the scope of their cybersecurity needs. This data serves as the basis for risk assessments, vulnerability management, and resource allocation.
Effective detection and monitoring systems are essential for identifying early signs of malicious activity. These systems enable cybersecurity and operational staff to respond quickly to unexpected actions and behaviors, minimizing the impact of potential incidents. Additionally, logs generated by monitoring systems are invaluable for forensic analysis, incident response, and recovery efforts.
“Effective detection and monitoring capabilities are critical to operations,” emphasized Darrell Rinehart. “Some vulnerabilities cannot be remediated in a timely manner due to operational concerns. While preventative controls help manage exposure, they are not perfect. Early detection allows utilities to respond quickly to malicious activity, reducing the potential impact of an incident.”
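The detection-and-monitoring point above can be made concrete with a small baseline-deviation detector. The following is an added example written for this article, not code from CI-Discern, GDS Associates or the utility described; the syslog-like log format, the device names, the management subnet and the maintenance window are all assumptions, and the log lines are constructed. It flags three kinds of "unexpected actions and behaviors" that operational and security staff would want surfaced early: logins to field devices from outside the management network, a streak of failed logins, and configuration changes outside the scheduled maintenance window.

```python
"""Baseline-deviation detection over constructed substation device logs.

Added example for this article, not code from CI-Discern or GDS Associates.
The log format, device names, management subnet and maintenance window are
assumptions chosen for illustration.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime, time

# Constructed sample log lines in an assumed syslog-like key=value format.
SAMPLE_LOGS = """\
2024-03-12T02:14:05 relay-07 auth: login user=engineer src=10.20.1.15 result=success
2024-03-12T02:15:41 relay-07 config: setting changed name=protection_curve user=engineer
2024-03-12T10:03:10 rtu-03 auth: login user=admin src=172.16.44.9 result=failure
2024-03-12T10:03:14 rtu-03 auth: login user=admin src=172.16.44.9 result=failure
2024-03-12T10:03:19 rtu-03 auth: login user=admin src=172.16.44.9 result=failure
2024-03-12T10:03:25 rtu-03 auth: login user=admin src=172.16.44.9 result=success
2024-03-12T10:04:02 rtu-03 config: setting changed name=remote_control user=admin
2024-03-12T11:30:00 relay-07 auth: login user=engineer src=10.20.1.15 result=success
"""

# Assumed operational baseline: administrative logins come only from the
# management subnet, and configuration changes happen only inside the
# scheduled maintenance window.
MGMT_NET = ipaddress.ip_network("10.20.1.0/24")
MAINT_WINDOW = (time(1, 0), time(4, 0))  # 01:00 to 04:00, device local time
FAILED_LOGIN_THRESHOLD = 3

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<facility>\w+): (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one log line into a dict; key=value pairs are lifted to the top level."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    event.update(KV_RE.findall(event["msg"]))
    return event


def in_maintenance_window(ts):
    start, end = MAINT_WINDOW
    return start <= ts.time() < end


def detect(lines):
    """Return (timestamp, host, finding) tuples for deviations from the baseline."""
    findings = []
    failures = Counter()      # consecutive failed logins per (host, user)
    reported_sources = set()  # (host, src) pairs already flagged, to limit noise
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        host, ts = ev["host"], ev["ts"]
        if ev["facility"] == "auth":
            src = ipaddress.ip_address(ev["src"])
            if src not in MGMT_NET and (host, src) not in reported_sources:
                reported_sources.add((host, src))
                findings.append((ts, host, f"login from outside management network: {src}"))
            key = (host, ev["user"])
            if ev["result"] == "failure":
                failures[key] += 1
                if failures[key] == FAILED_LOGIN_THRESHOLD:
                    findings.append((ts, host, f"{FAILED_LOGIN_THRESHOLD} consecutive failed logins for user {ev['user']}"))
            else:
                failures.pop(key, None)  # a successful login ends the streak
        elif ev["facility"] == "config" and not in_maintenance_window(ts):
            findings.append((ts, host, f"configuration change outside maintenance window: {ev['name']}"))
    return findings


def run_sample():
    """Run the detector over the constructed sample and return its findings."""
    return detect(SAMPLE_LOGS.splitlines())


if __name__ == "__main__":
    for ts, host, finding in run_sample():
        print(f"{ts.isoformat()} {host}: {finding}")
```

On the constructed sample the relay-07 activity is silent because it matches the baseline, while rtu-03 produces three findings: a login source outside the management network, three failed logins for the same account, and a configuration change at mid-morning. The same findings, kept with their timestamps and hosts, are the records a forensic or incident-response effort would later rely on.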
With limited resources, utilities must strategically prioritize their cybersecurity investments to address the most critical risks. Safety and availability are paramount for operations staff, and risks impacting these areas should be the highest priority. Conducting a comprehensive risk assessment, including an operational impact analysis, can help utilities identify and prioritize their most critical assets and vulnerabilities.
“Prioritization is an enormous opportunity for utilities to focus their limited resources where risk is the greatest,” noted James Fenstermaker. “By measuring and managing the business impact analysis of assets and systems, utilities can address the highest-priority risks. Combining this with vulnerability and threat assessments provides a clear roadmap for cybersecurity investments.”
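The recommendations on asset inventory and on prioritization fit together: the classified inventory supplies the business-impact side, and vulnerability and threat assessments supply the likelihood side. The following is an added example for this article, not the assessment method that CI-Discern or GDS Associates use; the asset inventory, the vulnerability records, the placeholder identifiers and the scoring weights are constructed for illustration. It ranks findings by operational impact (safety weighted above availability, as the text puts it) multiplied by severity, exposure and active-threat status, and attaches the remediation path, including the case from the earlier quote where a vulnerability cannot be remediated promptly and compensating controls plus monitoring are the interim answer.

```python
"""Risk-based prioritization combining business impact with vulnerability and
threat data.

Added example for this article; it is not the assessment method CI-Discern or
GDS Associates use. The asset inventory, vulnerability records, weights and
placeholder ids are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One entry in the asset inventory, classified by operational impact."""
    name: str
    asset_class: str           # e.g. protection, scada, corporate
    safety_impact: int         # 1 (none) .. 5 (could endanger personnel or public)
    availability_impact: int   # 1 (none) .. 5 (loss of load / grid reliability)
    zone: str


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    vuln_id: str               # placeholder ids, not real advisories
    severity: int              # 1..10, a CVSS-like base score
    exposed: bool              # reachable from a less-trusted zone
    active_threat: bool        # sector threat intel reports active exploitation
    patchable_now: bool        # remediable without an outage window


@dataclass(frozen=True)
class Priority:
    vuln_id: str
    asset: str
    risk: float
    action: str


ACTION_PATCH = "patch now"
ACTION_COMPENSATE = "compensating controls and monitoring until next maintenance window"

# Constructed inventory and findings.
ASSETS = [
    Asset("relay-07", "protection", safety_impact=5, availability_impact=4, zone="substation"),
    Asset("scada-hmi-01", "scada", safety_impact=3, availability_impact=5, zone="control-center"),
    Asset("billing-db", "corporate", safety_impact=1, availability_impact=2, zone="corporate"),
]
VULNS = [
    Vulnerability("relay-07", "VULN-A", severity=7, exposed=False, active_threat=False, patchable_now=False),
    Vulnerability("scada-hmi-01", "VULN-B", severity=9, exposed=True, active_threat=True, patchable_now=False),
    Vulnerability("billing-db", "VULN-C", severity=10, exposed=True, active_threat=True, patchable_now=True),
    Vulnerability("relay-07", "VULN-D", severity=5, exposed=True, active_threat=True, patchable_now=False),
]


def business_impact(asset):
    """Operational impact on a 1..5 scale; safety is weighted above availability."""
    return 0.6 * asset.safety_impact + 0.4 * asset.availability_impact


def likelihood(v):
    """Severity scaled up when the asset is exposed and when the threat is active."""
    score = v.severity / 10
    if v.exposed:
        score *= 2
    if v.active_threat:
        score *= 2
    return score


def build_plan(assets, vulns):
    """Rank vulnerabilities by impact x likelihood and attach the remediation path."""
    inventory = {a.name: a for a in assets}
    plan = []
    for v in vulns:
        asset = inventory.get(v.asset)
        if asset is None:
            # A finding on an asset missing from the inventory is itself an
            # inventory gap; fail loudly rather than silently dropping it.
            raise KeyError(f"asset {v.asset} not in inventory")
        risk = round(business_impact(asset) * likelihood(v), 2)
        action = ACTION_PATCH if v.patchable_now else ACTION_COMPENSATE
        plan.append(Priority(v.vuln_id, v.asset, risk, action))
    return sorted(plan, key=lambda p: p.risk, reverse=True)


if __name__ == "__main__":
    for p in build_plan(ASSETS, VULNS):
        print(f"{p.risk:6.2f}  {p.asset:14} {p.vuln_id}  {p.action}")
```

The ordering is the point: the corporate database carries the highest raw severity score, yet both OT findings outrank it once safety and availability impact are applied, and the unexposed relay finding with no active threat drops to the bottom of the roadmap.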
Adopting a threat-centric model is another effective strategy for prioritization. Utilities should stay informed about the evolving cyber threat landscape, particularly threats specific to the energy sector. Collaborations with organizations such as the Department of Energy (DoE), Cybersecurity and Infrastructure Security Agency (CISA), and Electricity Information Sharing and Analysis Center (E-ISAC) can provide valuable insights into emerging threats and best practices.
The experiences of CI-Discern and GDS Associates underscore the importance of a proactive and collaborative approach to cybersecurity in the utility sector. By integrating cybersecurity into planning and operations, utilities can build systems that are resilient to evolving threats. Case studies demonstrate the value of testing and refining systems in controlled environments, while comprehensive risk assessments provide a roadmap for prioritizing investments and improving security posture.
As the utility sector continues to evolve, fostering a culture of cybersecurity awareness and investing in automated tools will be critical. By equipping employees with the knowledge and skills to identify and respond to threats, utilities can address the human factor—the weakest link in cybersecurity. Automation, meanwhile, can enhance efficiency and enable real-time threat detection, freeing up resources for strategic initiatives.
In conclusion, cyber resiliency is not a one-time achievement but an ongoing process. By adopting a proactive risk management framework, prioritizing investments based on critical risks, and fostering collaboration across the industry, utilities can ensure the security and reliability of their systems in the face of ever-changing threats. The lessons learned from real-world projects by CI-Discern and GDS Associates provide a valuable blueprint for utilities striving to enhance their cybersecurity posture and protect critical infrastructure.
For questions or to discuss further, reach out to the GDS Energy Reliability & Security Team and let us know how we can help.