DNV has published new guidelines for power transmission and distribution operators and equipment manufacturers on cybersecurity.
This guidance – DNV Recommended Practice DNV-RP-0575 – details 45 risk-reducing measures to improve the cybersecurity of protection devices and digital technologies in power system substations.
It comes as national power grids become increasingly network controlled, which brings greater control and efficiency to transmission and distribution systems but also exposes infrastructure to new cyber threats.
DNV made reference to the 2015 attack on a series of Ukraine’s power grid systems, which left a quarter of a million people without power. Indeed, by 2019, over half of utilities had encountered a cyberattack, according to research by Siemens and the Ponemon Institute.
In 2019, Siemens partnered with US-based cybersecurity firm Fortinet to develop a security solution for operational technology networks, with substations as one intended use.
The measures outlined in the DNV Recommended Practice cover people, processes and technology, and apply to organisations involved in operating, managing and securing protection devices and the digital technologies in substations.
They are based on a comprehensive review of current EU and US legislation and a range of applicable standards and guidelines on cybersecurity of operational technologies.
The publication of the Recommended Practice follows a joint research programme between DNV and Nordic transmission system operators Fingrid, Statnett SF and Svenska Kraftnät.
Trond Solberg, managing director of cybersecurity at DNV, said that threats to the cybersecurity of power grid substations are becoming more common, complex and creative.
“However, there is a lack of best practice guidance on how operators, manufacturers and regulatory authorities can build an effective force of defence. DNV’s new Recommended Practice helps to fill that gap,” he said.
However, cybersecurity guidance has been developed by the Energy Networks Association in collaboration with the Department for Business, Energy and Industrial Strategy and the National Cyber Security Centre.
Energy companies hit by cyberattacks in recent years include People’s Energy, which has since gone bust, npower, European energy giant Energias de Portugal and Elexon.