Six steps to achieve cyber resilience for electric utilities
Credit: Cisco IoT
A core set of six key principles is recommended to build a cyber-resilient grid infrastructure and overcome the constraints of the modern energy market.
As the world grapples with rising energy demands, the push for renewable energy, and the growing threats of climate change, electric utilities around the globe are rushing to modernise their grid infrastructures.
Building modern control networks is critical to supporting decentralised energy sources, balancing grid loads, and ensuring uninterrupted power delivery to everyone. It isn’t just about keeping the lights on; it’s a matter of public safety and economic resilience.
But as the world connects power substations, distribution automation equipment, and renewable energy facilities together, the attack surface increases, driving up the risk of cyberattacks.
Modernising the grid requires technologies that can not only simplify network operations at scale but also help protect electric utilities from cyber threats and ensure compliance with rigorous cybersecurity regulations, such as NERC CIP in North America and NIS2 in Europe.
For more than 20 years, Cisco has been helping utility companies securely digitise their operations. As we’ve helped so many utilities build their initial grid infrastructures, we have a privileged seat to watch them face new networking constraints and cybersecurity threats.
Through our discussions, we have identified six key steps required to build cyber-resilient power grids.
Step 1: Advanced networking is critical to ensuring grid reliability
Connecting tens of thousands of smart grid systems across both urban and rural areas requires enterprise-grade performance, security and industrial-strength reliability. High-performance ruggedised switches and cellular routers are essential to meet the needs of the geographically dispersed utility network.
To accommodate different types of cellular connectivity across the network, it’s crucial to have the capability to modify WAN interfaces on routers without needing to replace the entire device. This ensures that the routers can adapt as needs and technologies evolve, from private LTE to private 5G and beyond. And as they provide access to the network, routers also need to be firewalls to protect critical utility infrastructure.
Key capabilities include:
- Next-generation firewall (NGFW) with application awareness to filter traffic in real time and identify and control applications.
- Intrusion detection and prevention (IDS/IPS) to identify and block known threats and malicious activities.
- Advanced malware protection to identify and block both known and unknown threats from malicious files.
- URL filtering to block or allow users to access URLs based on allowed or block lists, reputation or web categories.
- DNS security to prevent infected assets from contacting malicious servers.
- Centralised management to unify security policies and simplify securing smart grid equipment at scale.
The specific constraints of grid operations require purpose-built switches and routers offering features such as:
- IEC 61850-3 and IEEE 1613 certification for safe deployment in utility infrastructures.
- DIN-rail and rackmount options with the ability to connect both fibre and copper IEDs.
- High-precision timing source for synchronised operations and grid stability.
- Easily scalable for increasing port density with simpler management.
- Power over Ethernet (PoE) to power assets in space-constricted areas.
Step 2: Know what’s connected to your grid infrastructure
As important as it is to secure outside connections to your grid operations, it is equally necessary to guard against threats from connected assets. One of the biggest challenges is knowing what is connected to the local network and monitoring communication activities.
Regulations often require utilities to have comprehensive visibility into their asset inventory to reduce the attack surface and detect anomalous behaviours.
A continuously updated inventory is also crucial for developing effective security policies. This inventory should include details like device types, vendor information, serial numbers, and software versions. The technology to automate the process of collecting this information is available today. Deep packet inspection (DPI) extracts data from communication flows to avoid the labour-intensive and error-prone nature of manual updates.
However, most visibility solutions require you to install dedicated appliances at every site or to duplicate network traffic and send it to a central appliance for analysis. This can quickly become too costly and complex to deploy and manage. In grid networks, it can be simply impractical: small remote sites sometimes have no space to install additional appliances, and WAN connectivity is often based on costly backhaul networks such as satellite or cellular links.
As you evaluate grid security solutions, be aware of their architectural implications. Embedding visibility capabilities into network equipment is the best option to simplify deployment, make it scalable and enable you to see more. Look for industrial switches and routers with the computing capacity to perform DPI of grid protocols.
Step 3: Adopt a zero-trust strategy
Securing every port of your field networking equipment is key. Zero-trust is an essential security principle in enterprise IT and is also applicable to the realm of connected smart grid equipment. This security approach ensures that no device is granted network access by default, regardless of whether it originates from within or outside an organisation. Every device must undergo verification before connecting to the network.
Access to the smart grid network should be restricted to specific, authorised devices, with all others denied access by default. This strategy effectively prevents unauthorised access and must be integrated into networking equipment to safeguard infrastructure.
In Europe, NIS2 is making zero-trust a key regulatory requirement. Furthermore, zero-trust principles encompass the continuous monitoring of communications to verify trust and isolate compromised equipment.
Step 4: Use network segmentation to reduce risks
Once a device is granted access, utility operators must ensure it communicates only with the necessary resources to perform its functions, reducing the risk if the system is compromised.
Network segmentation plays a crucial role in managing traffic flow between different parts of the network. For instance, it can separate video surveillance systems from power distribution controllers and prevent communications between them.
This approach helps stop malicious traffic from spreading between systems, thereby minimising the impact of a breach.
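The default-deny access of Step 3 and the segmentation of Step 4 can be checked against observed traffic. The following is an added example, not Cisco code or configuration: it audits flows against an inventory and a zone allow-list. The subnets, zone names, device addresses and sample flows are all constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed zones; subnets and names are assumptions for illustration.
ZONES = {
    "control_centre": ip_network("10.20.0.0/24"),
    "power_controllers": ip_network("10.10.1.0/24"),
    "video_surveillance": ip_network("10.10.2.0/24"),
}

# Constructed asset inventory (Step 2): only these devices are verified.
INVENTORY = {"10.20.0.5", "10.10.1.11", "10.10.2.30"}

# Allow-list of (source zone, destination zone, TCP port).
# Anything not listed is denied by default.
ALLOWED = {
    ("control_centre", "power_controllers", 102),    # IEC 61850 MMS
    ("control_centre", "power_controllers", 20000),  # DNP3
}

def zone_of(ip):
    """Map an IP address to its zone name, or None if it is in no zone."""
    addr = ip_address(ip)
    return next((n for n, net in ZONES.items() if addr in net), None)

def audit_flow(src, dst, port):
    """Return 'allow' or a deny reason for one observed flow."""
    if src not in INVENTORY:
        return "deny: source not in inventory"
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "deny: endpoint outside defined zones"
    if (src_zone, dst_zone, port) in ALLOWED:
        return "allow"
    return f"deny: {src_zone} -> {dst_zone}:{port} not permitted"

def violations(flows):
    """Return (flow, reason) for every flow the policy would deny."""
    results = ((f, audit_flow(*f)) for f in flows)
    return [(f, r) for f, r in results if r != "allow"]

# Constructed sample flows: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.20.0.5", "10.10.1.11", 102),     # control centre polling a controller
    ("10.10.2.30", "10.10.1.11", 102),    # camera reaching a controller
    ("10.10.1.99", "10.10.1.11", 20000),  # device missing from the inventory
    ("10.20.0.5", "10.10.1.11", 23),      # known device, unlisted port
]

if __name__ == "__main__":
    for flow, reason in violations(SAMPLE_FLOWS):
        print(flow, reason)
```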
Step 5: Provide secure remote access that is easy to use
Enabling remote access to highly distributed substations, distribution and renewable production sites is key to reducing operational costs and the knock-on effects of outages on service reliability and safety. Gateways installed by vendors or contractors make it very difficult to control who is connecting and what they can access. VPN-based solutions can be quite complex to manage at scale.
Whether operations teams need to grant access to third parties or make it simple for their technicians to manage connected equipment, they need a remote access solution that’s easy to implement and highly secure.
Utility operators are starting to deploy Zero Trust Network Access (ZTNA) solutions to simplify the remote access workflow. Remote users log into a single portal where access policies are defined and enforced for the entire infrastructure, making it easy to control access and define credentials to address emergencies. The portal communicates with routers and switches in the infrastructure to ensure that remote users are only granted access to the equipment they need to configure, not to the entire network.
Step 6: Don’t go it alone, use validated network blueprints
As you are planning to strengthen the security of your utility network, be sure to use reference designs to streamline implementation and unlock the benefits of the latest cybersecurity technologies.
Cisco offers design and implementation guides that are tested and validated for grid security, distribution automation, renewables and substation automation. These validated designs offer proven reliability and reduced deployment risk with their extensive testing – giving you flexibility and scale.
And they are designed and written with security as a networking foundation.
Build a cyber-resilient grid infrastructure
As we have explored in this article, the key steps to building a cyber-resilient grid infrastructure and overcoming the constraints of the modern energy market come down to adhering to a core set of key principles:
- Securely connect your smart grid equipment with high-performance, resilient connectivity, including firewall protection.
- Maintain an up-to-date inventory of all connected devices to monitor your security posture and build granular security policies.
- Implement zero-trust policies to block unverified devices from accessing your network.
- Segment your network to restrict communications between assets and prevent attacks from spreading and disrupting power production and distribution.
- Deploy least-privilege remote access, allowing trusted individuals to connect only to the devices they need to troubleshoot or upgrade.
- Use centralised management for scalable control of security policies across the network.
With our market-leading portfolio of purpose-built networking equipment integrated tightly together with our comprehensive suite of grid security solutions, Cisco is ready to help you build the modern and cyber-resilient grid infrastructure you need. Hear our experts discuss this topic in our upcoming webinar on 10 December at 16h00 GMT.
Check out our latest State of Industrial Networking Report for Utilities and discover key insights into how global utility firms are enhancing security, boosting efficiency, and driving innovation with their industrial networking strategy.
Curious about more details on how Cisco is helping utilities digitise critical infrastructure? Visit our webpage.