The District Energy St. Paul control room. Cybersecurity should not stop at the plant floor.
Industrial control systems are often more vulnerable than IT systems once a physical or virtual
barrier is passed. The plant staff plays an important role in helping to enforce policy and report
Courtesy Ever-Green Energy. Photo Dean Riggott Photography.
ality. This allows users to spend less time
signing in to applications and reduces
the number of passwords they need.
From the security perspective, it can also
enable better audit logging and control
of those applications.
In shaping an approach to cybersecurity, decision makers will also need to
consider the unique challenges of managing security for a district energy system
versus another type of utility or business.
In addition, within the industry, there is a
wide range of ownership and operational
models that affect cybersecurity planning.
For example, systems that serve a college
or university campus are likely to function
under the hierarchy of that organization’s
security policies; yet operators of those
systems must also identify and advocate
for customized protocols for the plant and
controls that may not be applicable elsewhere in campus functions.
Not all district energy systems are
managing private or public customer data,
but those that do may find widely varying
expectations among their customers
about how their data is handled – which
could create challenges with metering or
providing greater access to energy usage
information. This is particularly relevant
as demand for information and connectivity is significantly increasing.
Regulatory governance may also
come into play as a variable affecting any
given system’s cybersecurity program,
with differing expectations in each state
for regulated or unregulated utilities. The
scale of a district energy system’s operations is another factor: A system with five
buildings versus 500 needs to be able to
minimize risk without making cybersecurity its number one budget line item. This
will obviously depend on the complexity
of the system and campus building programming. The demands of a hospital or
research facility carry different risks than
a standard urban center with multifamily
residential and office buildings.
OT VERSUS IT
It is all too common to focus on the
information technology side of cybersecurity efforts (email, Internet, business
systems) and miss the opportunity to
shore up operational technology, including industrial control systems (ICS). There
are a number of reasons for this. First,
many companies believe that their ICS
networks are separate from the Internet.
They are likely not: A recent report from
CyberX (Global ICS & IIoT Risk Report) indicated that 30 percent of ICS systems it
audited had Internet access. Even if there
is no Internet access to those critical ICS
systems, there are likely valid business
needs to get data in and out of the control
systems, like utilizing real-time pricing
information or sending performance data
to an enterprise historian. Second, the IT
staff is usually focused on protecting confidentiality, which can result in reduced
access. The OT staff, such as your ICS staff
and vendors, usually want more system
access and availability, often at the expense of keeping things more secure.
It is also common for the IT and OT
staff to be different personnel, to have
limited interaction and to lack full
understanding of each other’s functional
systems. It is critically important to
consider the differing requirements of your
ICS system when developing a
cybersecurity program. You may need to
involve your vendors in that process and
conduct security cross-training for IT
and OT staff, which will be a necessity as
things become more connected.
BUILDING EVER-GREEN’S PROGRAM
Building a cybersecurity program for
Ever-Green Energy systems has required
careful consideration of all the program
components noted above. Those components have changed over the years as
cybersecurity threats have evolved and
the business has grown. Ten years ago,
Ever-Green was managing two systems of
quite different scale – the nonprofit utility
District Energy St. Paul with 200 customer
buildings, plus the system serving the
St. Paul Port Authority’s Energy Park development with 28 connected buildings.
At that time, the company’s cybersecurity
focus was primarily on such IT security
basics as network permissions, antivirus
software and firewalls.
Around four years ago, however, lacking a formal cybersecurity program, and
with cyberattacks becoming more challenging for all businesses, Ever-Green recognized the need to institute a broader
cybersecurity framework. An IT security audit had been completed, which
returned a laundry list of measures that
could be taken to protect the company’s