Examining key similarities between operating a power grid and a SOC

by Fernando Guerrero B., OT Security Expert


Electricity is the primary enabler of most businesses, and therefore the foundation of global development.

The power sector forms part of every country’s infrastructure. When its functionality is endangered, the consequences to society can be serious and even catastrophic.

The sector’s value chain includes the generation, transmission and distribution of electrical energy, and is supported by regulators and government authorities. At each stage of the value chain, a team operates the electro-mechanical equipment involved with the support of diverse technologies (e.g. systems, networks, electronic devices).

Each stage is subject to a whole host of risks (e.g. physical, natural, technological and human error). Moreover, the number of threats, their likelihood and their impact on the integrated power system multiply as new elements like Smart Grids and IIoT devices are implemented.

This increasingly interconnected and complex environment has led governments and regulators to define and pass requirements by which companies in the power sector must abide. There are several cyber security standards, norms and technical requirements for this industry, such as the NIS Directive in Europe and NERC-CIP in the USA. Nowadays, electricity companies are more aware of the need to understand cyber risks, and are starting to take action to protect their infrastructure in order to avoid service outages and financial penalties.

The Operational Analogy

Every electricity company has an Energy Operations Centre where the electrical system is orchestrated in real time. These centres, which can be local, regional or national, are operated 24 hours a day, 365 days a year by specialists working in shifts. The specialists are able to supervise normal operations, as well as maintenance and response to all kinds of incidents in the electrical infrastructure.

These specialists are responsible for ensuring that electricity flow and distribution is uninterrupted, and for avoiding blackouts in the event of a failure or shutdown. The specialists (often called operators) understand the way the power system works and how it reacts to certain conditions, as well as the architecture of the power network and the locations and devices that are part of it. Most importantly, they know how to respond when there is an issue on the grid. This is why the operators in the Energy Operations Centres are crucial for ensuring uninterrupted electric service delivery.

The need for a specialist team to monitor the health of infrastructure


As with energy operations, in cyber security there is also a need for a specialist team to monitor the health of the infrastructure, in a Security Operations Centre (SOC). A SOC consists of a team of professionals who understand the business (its entire value chain) and have specific knowledge of Industrial Control Systems (ICS) or Operational Technology (OT). Their role is to effectively protect those critical systems.

In addition, the SOC ensures that security devices remain operational, which requires security patches to be installed and kept up to date. The team also looks for any anomalies within the network.

The SOC team monitors an entire industrial network from a cyber security point of view on a permanent basis, similar to an Energy Operations Centre. The SOC is in charge of handling security incidents based on well-established protocols, which can vary depending on the needs of the organisation and the criticality of the incident. For example, responding to a problem in a nuclear power plant is not the same as in a wind generation plant, because each environment is unique. Also, the potential consequences of a failure in the former could be of a much greater proportion.

In the case of a power failure caused by a cyber security incident, the SOC team performs forensic analysis, which requires detailed knowledge of the elements that constitute the industrial network. This analysis makes it possible to determine the source of the problem and prevent it from recurring.

Both energy and cyber security operations teams have their own scope of work, technical knowledge and tools. However, they always complement each other. For instance, the technical knowledge of an asset operator may be required in order to understand the abnormal behaviour of devices (e.g. due to a zero-day attack), to perform forensic analysis, and to implement solutions within the network (e.g. patching field devices). This is also true the other way around: energy operators may profit from timely SOC alerts to prevent a small problem from spreading or escalating to the whole power grid.

The consequences of blackouts

Every failure in a network has administrative, economic and social repercussions. Several hours without energy during winter would cause significant monetary losses and severe issues for citizens. Imagine what would happen if the population suddenly did not have access to banks, transit networks or health systems. These types of failures can be caused by natural, technical or human error, and are handled by electrical operations personnel. Mishandling such incidents can lead to a chain reaction, further blackouts and even physical damage.

Any negative impact to this infrastructure can severely impact a nation’s economy and its ability to defend itself.

The need for regulations to guarantee the service availability

Due to this and other technical reasons, each country has its own regulations to guarantee the availability of electricity. These have evolved into a more “integrated” regulatory environment during the last decade. For example, the NERC standards are a set of requirements that aim to standardise the way the electricity infrastructure is maintained, operated, distributed and protected across North America. The European Union is also heading in the same direction with the introduction of the “Directive on common rules for the internal market for electricity (EU) 2019/944”, the “Regulation on the internal market for electricity (EU) 2019/943” and the “Regulation on risk preparedness in the electricity sector (EU) 2019/941”. Both the American and European regulations take into account the need to protect an internationally interconnected supply chain, which essentially means that they acknowledge the interoperability of all systems and their interdependence.

These regulations and standards acknowledge the threat posed by cyber-attacks orchestrated against critical infrastructure, specialised computer viruses, malware and other types of cyber-threats. Various regulatory subsets and other norms worldwide outline the ideal cyber security architecture, requirements and guidelines for the protection of companies and critical assets in the electricity sector. Some of them are recommended (e.g. IEC 62443, ISO 27019, etc.) and others are mandatory (e.g. KRITIS, BSI, NIS Directive, NERC-CIP, NERC-EOP, NISTIR 7628, etc.).

Fernando Guerrero B., OT Security Expert


“In 2015 more than 200,000 Ukrainian citizens were left without electricity due to a cyber-attack targeting industrial control systems at three national energy companies. Similarly, several other attacks have been performed on utilities around the world in the past decade using phishing techniques and malware (Stuxnet, Duqu, Dragonfly, among many others). These have impacted not only the confidentiality of proprietary information (e.g. project files and network topologies), but the availability of power systems by causing centrifuges to spin out of control. All these examples show that it is very important to work on implementing prevention, protection and response measures in the sector. The adequacy of these protections must be reflected in capabilities, which should be periodically evaluated and improved.”

The inclusion of any cyber security control in the industrial network or across the electricity value chain should not affect the ultra-high availability required for service delivery. When installing, updating and protecting infrastructure, each element must meet the technical specifications that guarantee operability, confidentiality and integrity, since any delay in the transmission of information can result in failures in the power system.

The risk of hyper-connectivity

Economic growth, increased population density and industrial development have spurred on the growth of electrical infrastructure worldwide. There has also been growth in the interdependence between electrical infrastructure and other industries, e.g. telecommunications, gas, water, logistics, transport and health. This hyper-connectivity means the day-to-day cyber security risk for any of these industries has increased exponentially. All it takes is for one element of a supply chain to become infected to cause a domino effect, spreading regionally, nationally and even continentally.

The power sector deals with a heterogeneous environment with regard to technology. Devices can last for several decades without being updated, whilst at the same time new, fully-tested devices are installed with the latest security patches. If attackers manage to find an old device, without updates and with known vulnerabilities, they could take control of it. If this device turns out to be critical to the value chain, a blackout could be merely clicks away.

Moving forward

Overall, it’s clear that there are obvious similarities between the operation of a power grid and electricity supply chain and the running of a SOC. Both deal with a complex infrastructure, and there can be serious consequences when an issue arises.

Within the power sector, it’s also clear that having a SOC adds a good layer of protection to business processes. However, there are also other safeguards from the security-in-depth approach that all companies should consider implementing. Each layer of cyber security that is added to the infrastructure and to the business overall needs to be included as part of a well-established strategy that is aligned to regulatory requirements and supported by a risk management approach. This approach should take into account the criticality that each asset has for the business and for service delivery.

Airbus CyberSecurity provides several services, which cover all elements of the cyber security life cycle. Our services help you establish, manage, operate and improve your organisation’s cyber security for IT and OT platforms.

As part of our ‘security-in-depth’ offering, we provide real-time monitoring of customers’ industrial networks through our SOC 4.0. This ensures high levels of protection for an organisation’s most critical assets, as well as increasing its cyber security capabilities. To learn more about this service, download the whitepaper on SOC 4.0.
