AutoGrid builds enterprise software that enables a smarter distributed energy world. The company’s suite of flexibility management applications allows utilities, electricity retailers, renewable energy project developers, and energy service providers to deliver clean, affordable, and reliable energy by managing networked distributed energy resources (DERs) in real time, at scale through different value streams. AutoGrid has contracted more than 5,000 megawatts of DERs and works with more than 50 leading energy companies around the world, including Schneider Electric, CLP, Shell, CPS Energy, Eneres, and Total.
With the evolution of connected grid assets, technologies and relevant constituents such as AMI (advanced metering infrastructure), DERMS (Distributed Energy Resource Management Systems), PEVs (Plug-in Electric Vehicles), HANs (Home Area Network Gateways), smart EMS (Energy Management System), smart ISO/RTO (Independent System Operators, Regional Transmission Organizations wholesale market), smart DROMS/DRMS (Demand Response Management System), and more, there came a need for aggregation software like AutoGrid Flex.
An interconnected grid system adds new cybersecurity threat vectors and challenges that may impact grid resiliency by introducing risks around data security, availability, and safety, because legacy devices resided in an unconnected environment and relied heavily on physical security controls. Security shortcomings that arise out of transforming from a physical security model to a digital data security model can result in significant threats. This is especially impactful for organizations that rely on the connected grid to monitor critical components.
Cybersecurity for Utilities and Energy Companies
The North American Electric Reliability Corporation (NERC) is a regulatory body that enforces security standards for Critical Infrastructure Protection (CIP) to protect the energy industry from cyber-attacks. AutoGrid often encounters customers who require NERC CIP standards to be met even in a non-BES environment. These customers seek assurances that a vendor’s systems are secure. To solve this problem, AutoGrid decided to get a NERC CIP attestation using a third-party auditor. The attestation gives AutoGrid customers the confidence that the AutoGrid Flex security posture meets their requirements.
Note: Customers operating Bulk Electric Systems (BES) are wholly responsible for ensuring their own compliance with NERC CIP standards. Neither AutoGrid nor AWS constitutes a BES or BES Cyber Asset.
Vendors offering connected grid products face a unique challenge: their products must be interoperable in order to fit in the modern grid ecosystem, with cybersecurity capabilities that align with or exceed existing grid security requirements. Vendors need to make sure that their products do not increase the risk profile of the grid. In other words, the new assets (read: products) added to the grid should not add new attack surfaces such as unauthorized access, insecure configurations, outdated software, unknown vendor back-end access, and unnecessary open ports, and must have security capabilities to protect their systems and the grid.
CISOs and CIOs of generation and transmission entities are always concerned about integration of new external assets to the connected grid without proper verification for NERC CIP security controls readiness. Cybersecurity controls for connected grid assets can be well described by referencing data flow between the grid assets with the Purdue reference architecture for industrial control systems.
| Purdue Level | Connected Grid Asset | Data Flow to Cloud Application |
|---|---|---|
| Level 5: Enterprise Zone | Planning, Asset Management, Engineering, Accounting, etc. | AutoGrid's Flex and DERMS solution processes moderate-risk data in a cloud-based SaaS application on AWS infrastructure and empowers Utilities and Energy Companies with a real-time dashboard for dispatch management, load balancing, availability status, measurement and verification. |
| Level 4: Intranet Zone | Email, Intranet, Collaboration tools, Design Documentation, etc. | |
| Level 3: Manufacturing Zone | Site Operation management, remote access server, transmission and distribution system, etc. | Data ingestion and analysis activities for dispatch management, load balancing, availability status, measurement and verification. |
| Level 2: Manufacturing Zone | SCADA servers, Communication front end, Inter Control Communication Protocol (ICCP), Information Model Manager, etc. | Selective SCADA data is acquired for processing. |
| Level 1: Basic Control Zone | RTU/PLC/Protocol Gateway, Log Servers, Inputs/Outputs (I/Os), etc. | Selective time series data is acquired for processing. |
| Level 0: Process Zone | Meters, protective relays, Wired Inputs/Outputs (I/Os), Intelligent Electronic Devices (IEDs), etc. | Selective process data is acquired for processing. |
It is extremely important for the grid vendors to develop their products with security baked in to ensure no increased risk to the grid. The best way to achieve that is to continuously perform threat modeling on their products keeping both the micro-level attack surface and the macro-level attack surface of the connected grid landscape in context. Threat modeling is a well-known technique in the software development lifecycle to detect and mitigate threats. Such a threat modeling methodology can discover real threats that can be faced by connected grid assets in isolation in addition to the threats that are introduced because of the addition of a new asset from a vendor in the grid ecosystem.
In addition to threat modeling, other phases of a secure product development lifecycle include continuous security assessment (automated and manual) and remediation. Grid vendors also need to use technologies that are reliable, resilient, supported by a large community of users, audited, and certified by various security and compliance agencies.
For Flex, AutoGrid chose AWS as the cloud service provider (CSP). With AWS, AutoGrid has a CSP that meets several global compliance requirements and offers a vast range of services and features that we use to secure Flex and demonstrate security standards. With Amazon VPC, Flex is hosted in a secure logical network, access to which is limited to known and required ports from known IPs using security groups and network access control lists. We use AWS Identity and Access Management (IAM) for fine-grained, API-level control of remote access for administration of cloud assets. The Flex software itself runs on a highly scalable and resilient Kubernetes architecture on Amazon Elastic Kubernetes Service (Amazon EKS) within the protection of an Amazon VPC. All data volumes and data in Amazon Simple Storage Service (Amazon S3) are encrypted with keys managed by the AWS Key Management Service (AWS KMS), which implements FIPS 140-2 compliant modules and uses AWS IAM to control access to keys. For logging and monitoring, Flex uses AWS CloudTrail and Amazon CloudWatch for alarms and notifications that help with incident response. For network intrusion detection, AutoGrid implemented Amazon GuardDuty.
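The following is an added example, not AutoGrid's or AWS's own code: one way to verify the "known and required ports from known IPs" control is to audit security group ingress rules, shown here over constructed data in the shape returned by the EC2 DescribeSecurityGroups API. The allowlisted port, the source network, and the group IDs are assumptions chosen for illustration.

```python
import ipaddress

# Assumed allowlist (constructed): the only port and source network expected.
ALLOWED_PORTS = {443}
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range

# Constructed sample in the DescribeSecurityGroups response shape.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0example1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.16/28"}]}]},
    {"GroupId": "sg-0example2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "203.0.113.5/32"}]}]},
]

def audit_ingress(groups):
    """Return (group_id, reason) for each ingress rule outside the allowlist.

    Rules that reference other security groups (UserIdGroupPairs) are not
    evaluated here and need a separate review.
    """
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "-1":
                # "-1" means every protocol and every port.
                ports_ok = False
            else:
                lo, hi = perm.get("FromPort"), perm.get("ToPort")
                ports_ok = (lo is not None and hi is not None and
                            all(p in ALLOWED_PORTS for p in range(lo, hi + 1)))
            if not ports_ok:
                findings.append((sg["GroupId"],
                                 f"port range not allowlisted ({proto})"))
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                known = any(net.version == a.version and net.subnet_of(a)
                            for a in ALLOWED_SOURCES)
                if not known:
                    findings.append((sg["GroupId"],
                                     f"source {cidr} not a known network"))
    return findings
```
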
At AutoGrid, we practice cybersecurity from the ground up and build our grid products with cybersecurity capabilities and controls baked in. The security challenges mentioned above, as well as the need to demonstrate compliance, are addressed by appropriate security controls implemented by AutoGrid in collaboration with AWS cloud infrastructure. Moreover, these security controls are verified and attested by an independent third-party auditor. We’re making sure that we are setting the example for the connected grid vendor community by taking the lead in cybersecurity practices for the smart grid so that we can deliver clean and safe energy while keeping the grid safe.
At AWS, security is job one and AWS is committed to meeting the needs of the power and utility industry. For more information, read the AWS User Guide to Support Compliance with NERC CIP Standards, and visit AutoGrid or AWS for Power and Utilities.
This blog post was co-authored by Ranjan Banerji.
Ranjan Banerji is a Partner Solutions Architect at AWS focused on the power and utilities vertical. Ranjan has been at AWS for 4 years, first on the Department of Defense (DoD) team helping the branches of the DoD migrate and/or build new systems on AWS while ensuring security and compliance requirements, and now supporting the power and utilities team. Ranjan’s expertise ranges from serverless architecture to security and compliance for regulated industries. Ranjan has over 25 years of experience building and designing systems for the DoD, federal agencies, energy, and financial industry.