IPERC’s GridMaster® Microgrid Control System and Cyber Security Services for Operators, Utilities and Integrators
The MITRE Corporation has just delivered its “Deliver Uncompromised” report, which addresses a holistic approach to Department of Defense (DoD) Supply Chain Management. In the report, a recommended course of action is to make security “the ‘4th pillar’ of DoD acquisition planning equal in emphasis to cost, schedule and performance.” This certainly holds true in microgrid acquisitions and is not specific to the government and DoD but applies to commercial and private microgrid deployments as well.
While reading through the report, I found myself nodding at several supporting points that addressed the importance of cyber security. I reflected upon what it takes to deliver secure, resilient microgrids and considered the role IPERC plays in cyber security, resiliency, and risk management as a microgrid control system provider. We wear several hats through microgrid project phases from proposal and design through commissioning, authorization and continuous monitoring. These hats include microgrid system design, controls integration, customer organizational risk management, microgrid control commissioning and testing, and of course technical cyber security mitigations and capabilities.
Microgrids are a “system of systems.” Though microgrid components such as renewables or controllers may be configured securely and offer security features, Prime Integrators need support in ensuring that the comprehensive system is secured, risk is reduced as much as possible, and the interconnected, multi-vendor system is resilient. The control system is the “brains” of the microgrid that connects to, monitors, and controls the other components.
IPERC leverages its role as the controls provider to develop a holistic microgrid security plan, working in tandem with customer security teams, component vendors and the Integrator. We design, implement, assess and document cyber security and risk management using the required formats and standards (e.g., DoD Risk Management Framework, NIST, NERC CIP). We also provide security package development and submission support through the entire approval chain, on-site support of third-party assessments, and mitigation of any findings (i.e., Plan of Action & Milestone items).
Our experience in authorizing GridMaster® enables us to cover security skill gaps of microgrid endpoint vendors. Included in this is Integrator and Vendor support in Supply Chain Risk Management compliance (i.e., DFARS 252.204-7012, NIST 800-171) through self-assessment and reporting of supplier organizational security practices. Our cyber security and risk management services fully support the Integrator’s focus on the other three pillars of cost, schedule, and performance.
Organizational Risk Management
Microgrid customers, especially in the federal space, often do not have existing organizational security policies and procedures that apply to their systems. Standard IT security policies do not extend to energy and other “industrial” systems, and often don’t translate to these environments. IT personnel may administer network devices in the control system environment, but don’t typically manage SCADA, controllers, HMIs, etc. IPERC assists microgrid owners in the development of these important security policies and procedures.
Therefore, there is only one set of organizational policies to provide necessary security at this level for the microgrid and any other systems in the customer’s area of responsibility. This includes security controls such as personnel and physical security. We help draft agreements with IT staff or other external parties that participate in system security processes. It is paramount to ensure that there are processes in place. System owners must understand what they need to do and when to do it to maintain the system’s security posture and guarantee successful security assessments. These efforts also feed into our support of the Prime Integrator to remove the lack of organizational security policies and procedures as an obstacle to system authorization. Customers realize many benefits from our Integrator Support described above.
I would be remiss not to point out the technical security capabilities of microgrid control systems. At IPERC, we have always labored under the idea that security should be integrated into a system at its inception. GridMaster® Intelligent Power Controllers (IPCs) come with strong host-based security so that if or when the network is breached, the control system is resilient to attacks. This security includes network traffic whitelisting, FIPS-approved encryption of control communications, role-based access control, and more.
We have applied DoD security configuration guidelines to all our components, thereby ensuring “defense-in-depth.” We can send security audit logs to the customer’s log server or provide a log server for this collection. We perform network and security design of the microgrid communications and include technical configuration as a component of owner/operator training.
There are many complexities with microgrid deployments. Cyber security and risk management doesn’t have to be one of them.