Mitigating Utility Cybersecurity Risks with Enhanced Firmware Monitoring and Compliance

Utilities today are facing an extensive and diverse set of threats, many of which are difficult to control. Increasingly severe weather events challenge grid resilience year-round, and aging infrastructure is in constant need of repair or replacement. At the same time, grids are undergoing fundamental shifts to keep pace with the energy transition, going from individual power plants to distributed energy resources (DER). Amidst all these rapid changes, many companies may not realize how important utility cybersecurity is today — and the role it will play for the foreseeable future.

The more the grid becomes digitized and interconnected, the more cybersecurity for industrial control systems becomes an absolute necessity. As the IEA notes, the average number of weekly cyberattacks against utilities reached 1,101 in 2022, a 118% increase from 2020.

Antivirus programs and software tools do provide protection for operating systems and enterprise networks, but the proliferation of digital systems and sensors in today’s grids provides malicious actors with more opportunities to compromise utility systems. Not only are grids offering more entry points, but they’re also accessed by more endpoint devices than ever before.

The Changing Landscape of Utility Cybersecurity

Field technicians and their digital tools are on the front lines of the continuous battle against cyber criminals. With their laptops, tablets, and endpoint devices, field staff are accessing operational technology (OT) assets, SCADA systems, and data from solar installations, wind farms, batteries, and more. Their critical work is necessary to interface with, diagnose, monitor, and update the power grid’s control systems. The essential nature of this work means the hardware, software, and firmware on their devices must be protected at all times to prevent vulnerabilities from being exploited.

How can utilities counteract this constant and evolving threat from cyber criminals? The first step is to recognize and understand the risks facing their hardware, software, and firmware.

Greater Vulnerability Requires the Best Cybersecurity Solutions

Today’s grids are increasingly decarbonized and decentralized. According to a recent Deloitte analysis, jurisdictions representing about half of U.S. electricity retail sales now have mandatory renewable portfolio standards. As recent legislation drives historic levels of investment in carbon-free power generation, this opportunity to make grids greener and more flexible will continue to spur fundamental changes in how utilities supply power to their customers.

Yet the ability to connect numerous assets and shift demand — for example from DERs to batteries to virtual power plants — introduces more points of vulnerability. Utilities recognize these risks, and regulators are also taking steps to address potential weaknesses and improve their industrial control systems cybersecurity.

Regulatory Changes for Improved Utility Cybersecurity

As utilities know, the North American Electric Reliability Corporation (NERC) developed Critical Infrastructure Protection (CIP) standards to guard the bulk electric system (BES) from exactly the types of cyberthreats we’re seeing today. For example, the North American Transmission Forum developed CIP-010-3 R1 part 1.6, which specifically addresses software integrity for high- and medium-impact BES systems.

NERC has also recently updated CIP-003-9 for low-impact BES cyber systems. This order requires responsible entities to address vendor electronic remote access security controls in their utility cybersecurity policies, and they must have methods for detecting and disabling vendor electronic remote access. They’re also required to have methods in place to detect malicious communications for vendor remote access.

It’s not only hardware and software that must stay one step ahead of cyber criminals and attacks; crucial firmware systems must also be protected. To protect these components, the National Institute of Standards and Technology (NIST) has enacted firmware security requirements, including SP 800-53 (Security and Privacy Controls) and SP 800-147 (BIOS Protection Guidelines). These policies specifically identify firmware as a technological component to be protected.

Regulators are acting to counter cyberthreats by establishing frameworks for BES operators, and utilities are under pressure to adopt the tools — and forge the partnerships — that enable better cybersecurity for utilities.

Cybersecurity Solutions for Utilities

Panasonic Connect takes utility cybersecurity very seriously for both hardware and software, and our approach to firmware is no different. Panasonic’s Smart Compliance platform provides the security and visibility that utilities need to monitor the health and safety of the firmware on field service technicians’ endpoint devices. The platform has access to the most comprehensive database of hardware, software, and firmware components, which allows teams to implement 360-degree protections.

For example, utilities can quickly inventory their devices and get granular with the hardware, software, and firmware of each device held by every field technician. Smart Compliance allows them to generate software bills of materials (SBOMs) on demand, and utilities can also automate firmware updates for improved security.

Smart Compliance detects implants and other indicators of compromise with context-rich alerts, and it can validate that assets retain authentic components and haven’t been tampered with. This platform also supports compliance by tracking issues at the hardware and firmware levels, which is vital for NIST 800-53, and it protects against both “software down” and “hardware up” attacks that compromise firmware.

Panasonic Smart Compliance protects endpoint devices such as laptops in the field, and it also protects servers and networks. It lowers hardware costs by avoiding the need to scrap and replace devices that have been compromised, and it reduces the overall supply chain risk for utilities.

Panasonic Connect goes beyond the Smart Compliance platform, however, and offers customers a full suite of professional services to improve vigilance at all times. These tailored services meet the unique needs of utility cybersecurity, and their devices and warranties allow utility organizations to be confident in the endpoint devices they provide for their field technicians. 

Industrial Control Systems Require the Best in Cybersecurity

Cybersecurity threats to critical infrastructure like utilities and power providers won’t diminish anytime soon. The future state of the utility industry will also challenge its leaders to stay one step ahead of cyber criminals — through the use of even more sensors, DERs, connections, and endpoint devices accessing them all.

As a result, companies must prepare for today’s utility cybersecurity environment — but also for tomorrow’s threats. With tools such as Panasonic Smart Compliance and Panasonic Connect’s professional services, utilities can stay flexible and attuned to the shifting landscape of threats they face. They can succeed not just at decarbonizing our grids, but also at making them more secure for future generations.