As cyberattacks become more prevalent and sophisticated, EPRI provides training to close the skills gap utilities face in protecting generation assets.
The electric power system is under near-constant attack by cybercriminals. Over the last several years, cyberattacks have resulted in the disablement of remote controls for wind farms and data breaches involving utility customers’ personal and financial information. The number of hacking attempts targeted at the California Independent System Operator (CAISO) number in the millions per day. According to Verizon’s 2023 Data Breach Investigations report, nearly three-quarters of attacks involve a human element in the form of error, stolen security credentials, and social engineering.
While some cyberattacks go unreported, the International Energy Agency (IEA) reports there is an abundance of evidence that attacks have been on a dramatic upswing since 2018. The IEA believes that the increasing number of cyberattacks is due to a combination of factors, including the increased use of digital technologies to manage grids and power plants and the accelerating influx of distributed energy resources (DER) that provide power system entry points that criminals can exploit.
Why Workforce Development Matters
EPRI has also conducted extensive research and collaborated with members and industry stakeholders on identifying cyber vulnerabilities and developing tools to address them. This has included a broad range of activities, including a series of educational and training videos on topics such as the use of artificial intelligence (AI) in electric sector cyber security as well as videos detailing cyber security first principles. EPRI also conducted surveys and research to identify cyber security knowledge gaps training should address.
While improved standards and technologies are critical to protecting the power system from cyber criminals, even the most innovative and impactful solutions will fall short if the industry lacks the trained personnel to detect and respond to attacks. “Cyber security training is such an important topic because of the risk associated with it and because most cyber incidents include some sort of human component,” said Soomin Militello, an EPRI technical leader specializing in cyber security.
The human component of cyber security has many aspects, including staff who unwittingly aid a cyberattack by handing over sensitive information or information technology (IT) or operational technology (OT) access to criminals. “The talent acquisition and development in this space is challenging because you have to find people who know about cyber security as well as the utility industry and the operation of our plants,” Militello said. “Those are very special skills.”
The reality is that virtually all industries are struggling to find cyber security talent. A recent report by ISC2, a member association for cyber security professionals, found that the global workforce of cyber security professionals reached 5.5 million in 2023, an increase of nearly 10 percent over 2022. While the workforce is growing, its expansion is not nearly rapid enough to keep up with demand. According to the ISC2, an additional four million workers are needed to fill open cyber security positions worldwide.
The wide gap between available and well-trained cyber security professionals and the demand for their skills comes at a perilous time. Indeed, 75 percent of cyber security professionals surveyed by ISC2 said the current threat landscape is the most challenging it has been in five years, which is hardly a surprise given the rapid advances made by artificial intelligence (AI). AI could make attacks more difficult to defend against, provide tools to defend against cyberattacks, or some combination of both.
A Holistic Approach to Training Generation Staff
EPRI member companies understand that there are cyber security and talent acquisition challenges. In response, EPRI has developed a holistic set of training courses designed to bolster the skills of staff responsible for generation cyber defenses and to raise awareness of threats across the entire utility workforce.
In many ways, the utility industry starts from a position of understanding the seriousness of cyber security. “Our industry protects its systems rigorously not only because regulations require it but also because it concerns people’s safety and the critical infrastructure,” Militello said. “Cyber security is taken seriously. Workforce development is always challenging because you can have the perfect cyber security program, but it serves little purpose if nobody’s following it.”
Utility-specific training also must consider some unique industry factors, particularly the need to prioritize the availability of electricity. “You really can’t take a power plant offline just because you want to update a system,” Militello said. “All cyber security practices are going to depend on prioritizing availability.”
EPRI’s generation sector cyber security training addresses three areas. They are:
Cyber security staff training: Training courses for utility cyber security staff are designed to provide the specific education and skills necessary to perform their jobs.
This includes specific programs for security analysts who are charged with identifying cyber threats and developing mitigation strategies. Courses also equip network engineers and IT and OT specialists with the knowledge to harden IT and OT infrastructure, hardware, software, and network assets. Also covered are network defense and operations and cyber program management, which includes governance and training in making risk-informed decisions.
Organizational partner training: Beyond dedicated cyber security staff, specific roles have a significant impact on a utility’s ability to prevent, detect, and respond to an attack. To that end, training is role-dependent. “One of the gaps we identified with existing training was that it was too generic and not specialized and specific to various roles,” Militello said. In generation, that includes power plant operators, instrumentation and control technicians, procurement, and IT/OT staffers. “There are specific groups that have a more direct impact on cyber security than others,” Militello said. “While power plant operators are mainly responsible for running a plant, they could also be the first to identify any indication of a cyberattack, and we want to make sure they have the training needed to respond quickly and effectively.”
Training to build a cyber security culture: One of the main lessons from successful cyberattacks is that robust security requires everyone in an organization to understand the threats and identify common strategies attackers use. Attackers use deception and social engineering techniques to trick people into handing over sensitive information. One common technique is when a criminal poses as a vendor, company colleague, or leader in an email and requests information—a tactic known as phishing. EPRI’s training seeks to build a strong cyber security culture by providing examples of recent attacks, describing scenarios that should raise alarms about cyberattacks, and common vulnerabilities that relate to non-security utility employees.
Currently, the training is computer-based, allowing learners to access courses at times and locations of their choosing. In response to member feedback, EPRI is also developing more hands-on training to take advantage of its cyber laboratory in Charlotte, North Carolina. “We have different devices from different vendors that people can tear apart without worrying about breaking their system and benefit from more active learning experiences,” Militello said. “We want to be the industry’s shared laboratory.”
EPRI Technical Expert:
Soomin Militello
For more information, contact techexpert@eprijournal.com.