Electrical power is so intrinsic to our daily lives that it is easy to take it for granted. But as digitalization accelerates across all sectors and applications, so too does electrification.
You can’t have digital transformation without electrification. When an application is critical, like an industrial control system, the supporting electrical infrastructure automatically becomes mission critical. This, in turn, means cybersecurity measures should be in place to prevent power system disruptions that could impact the uptime of those critical applications.
When defining the responsibility of managing OT cybersecurity, it is first important for an organization to ensure electrical safety and reliability are not an oversight. This means employing personnel or trusted third parties who fully understand electrical safety codes and standards in addition to a facility’s technology, connectivity systems, critical processes, and cybersecurity risks.
In this article, the importance of electrical safety as it relates to OT cybersecurity will be explained by exploring:
- the electrical safety risks of securing OT
- the essential role of qualified workers
- how to safely manage OT cybersecurity.
What are the electrical safety risks of securing OT?
OT networks monitor and ensure the safety of building and facility infrastructure that operates critical processes, including motor controls, power distribution and projection, fire detection systems, and more. When these systems and components are networked for monitoring, data collection and insights, they can form an attack surface from which cybercriminals can gain access.
An IT security professional who has not completed proper training on handling electrical equipment or been through a facility safety briefing does not have the requisite preparation to make informed decisions when it comes to securing these environments.
Unlike today’s cutting-edge IT networks, OT systems often contain a mix of legacy and modern equipment. In the past, OT equipment was simply cut off or “air-gapped” from all communications networks to minimize vulnerability. Today, operational technology needs to be connected to broader communication networks to support more informed, real-time decisions.
This means cybersecurity professionals can be required to open energized electrical enclosures to capture network traffic or update firmware. Interacting with energized equipment is high risk, requiring a thorough understanding of electrical safety codes and standards outlined by the National Fire Protection Association (NFPA) in the following documents:
- NFPA 70 The National Electrical Code (NEC) — provides installation requirements.
- NFPA 70E-2021 — covers the topic of electrical safety in the workplace.
- NFPA 70B — covers electrical equipment maintenance.
NFPA 70E includes requirements for safe work practices to protect personnel by reducing exposure to major electrical hazards, including shock, electrocution, arc flash, and arc blast. These requirements rely on proper installation (in accordance with the NEC) and maintenance (performed in accordance with NFPA 70B).
NFPA 70B also covers critical requirements for safely accessing and evaluating many common OT technologies, such as motor controls, automatic transfer switches, and more. The code provides guidance on topics such as:
- required personal protective equipment
- safety/hazards assessment
- safety instrumented systems
- lock-out tag-out and safe work procedures
- common failure modes for equipment under control.
At Eaton, newcomers to the electrical industry must take (at minimum) a three-week training program and pass multiple live demonstration tests before working on energized equipment under the supervision of a seasoned professional. It typically takes upward of a year of in-person training and support before maintenance professionals are prepared to safely work on or around energized equipment on their own. I believe the same stringent training processes and commitment to electrical safety should apply to professionals tasked with securing OT networks and systems.
This article is part of our monthly Automation Zone column. Read more from our monthly Automation Zone series.
Why are qualified workers so important?
Traditionally, trained cybersecurity personnel are well-versed on the system characteristics of confidentiality, integrity, and availability, but are not trained to operate with electrical safety and system reliability in mind. This challenge goes both ways. For example, electrical engineers aren’t often taking classes on cybersecurity, and cybersecurity personnel aren’t often trained on electrical safety.
Addressing cybersecurity on OT networks requires comprehensive cross-functional consideration and typically is not the responsibility of any single discipline or entity within an organization, resulting in distributed or ambiguous ownership. Specific real-time consideration of the availability, performance, safety, and other needs of the system should be considered. Often, given the embedded nature of components in these networks, typical IT methods, tools, and policies are either not effective or can damage the system. Scanning a system of laptops and workstations with a tool designed for these assets is different than scanning a network of controllers and other embedded devices.
The impact of improper interaction with these systems can range from a device failure or process disruption to random data dumped onto a network. So how do you address safety and cybersecurity for OT systems?
A solution for safely managing OT cybersecurity
There is an essential need to advance safety, reliability, and cybersecurity throughout the entire lifecycle of the facility. The ability to safely assess, interact, and harden the equipment found in critical power systems helps minimize risk to personnel and reduces likelihood of downtime.
For example, a failure in physical processes used to evaluate the cybersecurity of critical power system architecture can result in a direct failure in the critical application. Extreme efforts are made at the design, build, and operational phases to ensure continuous operation and reliability in critical environments. Electrical infrastructure is complex and requires highly qualified personnel to secure it. If an individual is not familiar with the basic principles of electrical safety, accidents are more likely and can result in personal injury and downtime.
Therefore, action items for personnel tasked with the OT cybersecurity of any operation should include the ability to:
- inventory all connected hardware, software and dataflows
- assess facility OT networks and assets to evaluate the attack surface and discover known vulnerabilities and weaknesses
- understand critical processes and how cybersecurity processes could negatively impact uptime
- evaluate the electrical safety codes and requirements associated with lifecycle cybersecurity maintenance to support personnel safety, uptime and compliance.
Together, these tasks require comprehensive knowledge of:
- OT and ICS applications and processes
- electrical safety codes and standards
- electrical reliability and uptime
- industrial network defense
- cybersecurity regulation and guidance
- cybersecurity assessment and vulnerability detection
- defensive technologies and approaches
- lifecycle cybersecurity maintenance.
Cybersecurity risks to connected systems have never been greater, as malicious threat actors look to exploit system vulnerabilities. These vulnerabilities often exist on electrical system assets with the least cybersecurity oversight.
To address these potential vulnerabilities, critical industries require expertise in power systems engineering and cybersecurity. The goal is to safely assess, interact, and secure critical power system networks without risking the safety of personnel or uptime of critical processes. This is complex and requires in-depth training and experience. Sometimes, it is best to bridge this critical knowledge gap by partnering with an experienced third-party organization that understands the risks associated with unique operations. At the end of the day, the most important thing is protecting what matters: your personnel, data, and critical processes.
This story originally appeared in the September 2022 issue of Plant Services. Subscribe to Plant Services here.