15 Years, Continuing Journey Securing, and Managing Edge Devices
This presentation details the journey a mid-size utility in the US has taken over the last two decades to secure the OT devices used to monitor and control its electric grids. For US electric utilities, this journey began with the North American Electric Reliability Corporation (NERC) 1200 Cyber Security (Urgent Action) standard published in 2003. The Federal Energy Regulatory Commission (FERC) formally approved updated NERC CIP regulations in 2008 that imposed mandatory critical infrastructure regulations on US bulk transmission electric utilities.
This utility promptly implemented its initial Substation Electronic Security Solution (SESS) in 2008 to support compliance with these regulations. The solution provided secure remote access to substation OT devices and supported automated collection of power system fault file data from the grid protection relays.
The paper will detail how this solution was continuously enhanced to meet ever-evolving NERC CIP regulations. These enhancements included support for OT Device Password Management, Configuration Management, and Baseline Monitoring, as well as the provision of additional non-SCADA data from the large variety of OT grid monitoring and control devices.
Most recently, the solution was expanded beyond what NERC CIP mandates to provide cyber security for the explosive growth of new OT devices this utility will be deploying as part of its Advanced Grid Intelligence and Security (AGIS) program. This effort is part of the utility Distribution's ambitious Grid Modernization initiative. The AGIS program will expand the device count to four times larger than the current transmission system installation. This utility also plans to deploy the solution to secure other corporate business units, such as Supply Wind Generation collector substations and Gas Transmission critical infrastructure.
Most other critical infrastructure industries are in earlier stages of their OT cybersecurity efforts, and this paper will provide lessons learned, best practices, and the various returns on investment realized from the utility's efforts over the last 20 years.