Operations
This is the final post in a three-part series about the cybersecurity deployment process for renewable installations. In the previous posts, we discussed the initial design and development phase and the implementation and construction. In this post, we will discuss the operations phase.
Simply designing and installing a robust cybersecurity program isn’t enough to safeguard any business. The operations phase covers both the recurring activities required to keep the system operating and how to maneuver through dynamic events.
CyberSec Awareness
Most users of the systems at a renewable facility are focused on their own job responsibilities. Whether those are operational or administrative, they probably don’t have a strong awareness of cybersecurity issues.
Everyone who comes into contact with the system needs training and regular reminders about security best practices and potential threats. Cybersecurity training is even required by some regulators and insurers.
Lifecycle Management
This is a critical set of processes for keeping equipment secure and operational throughout its useful life. It includes tracking assets (hardware and software), monitoring for new information about assets, budgeting for replacements and spares, and disposing of unneeded assets securely and responsibly.
Change Control
Once you implement security controls, change control can help keep them working the way they were designed. This is the process of documenting, approving, and performing modifications to managed assets. By thoroughly reviewing, approving, and documenting all changes, you can ensure your system remains up to date and working at the highest quality possible.
Insider Threats
Not all risks originate from outside the organization. Employees, contractors, and other trusted sources can intentionally or unintentionally introduce vulnerabilities or damage equipment. Change controls, separation of duties, least privilege, log reviews, and proactive transient cyber asset and removable media management programs can limit the risk of these insider threats.
On-Site & Remote Rules
There should be strict rules for access and connection to the network. On-site employees should be required to digitally “sign in” to the system, with even more precautions in place for energized equipment. A VPN should be used for remote system access, with adherence to strict guidelines.
Pitfalls
Here are just a few common issues that contribute to operational security breakdowns.
- Loss of Controls — Establishing controls requires a lot of time and effort. When processes are neglected and controls are lost, re-establishing them can be challenging.
- Avoid Freelancing — It’s important to avoid making temporary fixes to the system or unilateral changes in interconnected environments.
- Coordination is Key — Users and partners need to be aligned on all new policies so everyone is working toward the same goals. When changes are made, planning and coordinating these together is vital.
Core Principles
The core principles we follow during the operations management phase of deployment include the following.
- Manage to Control — Cybersecurity risks can only be effectively controlled through proper management. This begins with a comprehensive plan and continues through construction. However, operations is an ongoing process.
- Communicate Consistently — Consistent communication is essential to ensure the best possible results. For example, what employees and others learn through training must remain consistent with policies.
- Engage all Stakeholders — Everyone plays a role in ongoing cybersecurity success, particularly in the renewable energy industry. All stakeholders should be engaged in this process.
Complying with NERC standards is a significant undertaking for renewable facilities that fall within the established threshold. Failure to comply with NERC-CIP standards can lead to severe penalties for your business.
Radian Generation can help you manage your renewable energy assets and ensure that your business complies with NERC requirements. NERC’s thresholds are changing, and your business could be affected. If you’re unsure of whether or not your business will fall into the expanding umbrella, reach out to us. We will help you figure it out!