Prioritizing electrical safety and cybersecurity for critical networks

Facility managers and control engineers need to learn more about the information technology (IT) side of things. Ensuring electrical safety and reliability is critical and should not be overlooked.

By Anthony Ciccozzi, September 3, 2022
To address potential vulnerabilities, critical industries require expertise in power systems engineering and cybersecurity. Courtesy: Eaton

 

Learning Objectives

  • Information technology (IT) and operational technology (OT) systems are converging, and this increases cybersecurity risk for systems.
  • Electrical safety is often overlooked, which can be dangerous for IT personnel who are not trained on what to do and not to do.
  • IT and OT personnel should be well-versed in lockout/tagout (LOTO), personal protective equipment (PPE) and more.

Electrical Safety Insights

  • The convergence of information technology (IT) and operational technology (OT) has been a hot topic, but electrical safety and security don’t get as much high-level attention.
  • Engineers, regardless of whether they work in IT or OT, need to be up to speed on National Fire Protection Association (NFPA) codes and standards, which include electrical safety.
  • To address potential vulnerabilities, critical industries require expertise in power systems engineering and cybersecurity because the need is greater than ever.

Cybersecurity is often associated with data and information technology (IT) personnel, but the traditional responsibilities of IT and operational technology (OT) teams are steadily converging as equipment connectivity and electrification increase in critical environments. This means facility managers and control engineers need to understand more about networking and systems administration, while IT teams must know more about the types of technologies used and uptime requirements.

Organizations need to define who is responsible for managing OT cybersecurity and, in doing so, ensure that electrical safety and reliability are not overlooked. Engineers can then better protect themselves and their facilities.


1. Why is OT cybersecurity an important topic?

When an application is critical, like a hospital, airport, or industrial control system, the supporting electrical infrastructure automatically becomes mission critical. This means cybersecurity measures should be in place to prevent power system disruptions that could impact the uptime of those critical applications.

This also means it is important to employ personnel or trusted third parties who fully understand electrical safety codes and standards in addition to a facility’s technology, connectivity systems, critical processes and cybersecurity risks.

2. What are the electrical safety risks of securing OT?

OT networks monitor and ensure the safety of building and facility infrastructure that operates critical processes, including motor controls, power distribution and protection, fire detection systems, and more. When these systems and components are networked for monitoring, data collection and insights, they can form an attack surface from which cybercriminals can gain access.

An IT security professional who has not completed proper training on handling electrical equipment or been through a facility safety briefing does not have the requisite preparation to make informed decisions when it comes to securing these environments.

Unlike today’s cutting-edge IT networks, OT systems often contain a mix of legacy and modern equipment. In the past, OT equipment was cut off or “air-gapped” from all communications networks to minimize vulnerability. Today, operational technology needs to be connected to broader communication networks to support more informed, real-time decisions. This means cybersecurity professionals may be required to open energized electrical enclosures to capture network traffic or update firmware, which necessitates a strong emphasis on electrical safety codes and standards.

3. What codes and standards are relevant for electrical safety?

Interacting with any energized equipment is high risk, requiring a thorough understanding of electrical safety codes and standards outlined by the National Fire Protection Association (NFPA) in the following documents:

  • NFPA 70: The National Electrical Code (NEC) — provides installation requirements
  • NFPA 70E-2021 — covers the topic of electrical safety in the workplace
  • NFPA 70B — covers electrical equipment maintenance.

NFPA 70E includes requirements for safe work practices to protect personnel by reducing exposure to major electrical hazards, including shock, electrocution, arc flash and arc blast. These requirements rely on proper installation (in accordance with the NEC) and maintenance (performed in accordance with NFPA 70B).

NFPA 70B also covers critical requirements for safely accessing and evaluating many common OT technologies, such as motor controls, automatic transfer switches and more. The code provides guidance on topics such as:

  • Required personal protective equipment (PPE)
  • Safety/hazards assessment
  • Safety instrumented systems
  • Lockout/tagout (LOTO) and safe work procedures
  • Common failure modes for equipment under control.

Newcomers to the electrical industry must take (at minimum) a three-week training program and pass multiple live demonstration tests at Eaton before working on energized equipment under the supervision of a seasoned professional. It typically takes upward of a year of in-person training and support before maintenance professionals are prepared to safely work on or around energized equipment on their own. The same stringent training processes and commitment to electrical safety should apply to professionals tasked with securing OT networks and systems.

4. Why are qualified workers so important?

Traditionally, trained cybersecurity personnel are well-versed in the system characteristics of confidentiality, integrity and availability, but they are not trained on electrical safety and system reliability operations. This challenge goes both ways. For example, electrical engineers aren’t often trained on cybersecurity, and cybersecurity personnel aren’t often trained on electrical safety.

Addressing cybersecurity on OT networks requires comprehensive cross-functional considerations and typically is not the responsibility of any single discipline or entity within an organization, resulting in distributed or ambiguous ownership.

The availability, performance, safety and other real-time needs of the system should be specifically considered. Often, given the embedded nature of components in these networks, typical IT methods, tools and policies are either not effective or can damage the system. Scanning a system of laptops and workstations with a tool designed for these assets is different from scanning a network of controllers and other embedded devices. The impact of improper interaction with these systems can range from a device failure or process disruption to random data dumped onto a network.

5. What skillsets are required to secure OT systems?

The essential know-how revolves around advancing safety, reliability and cybersecurity throughout the entire lifecycle of the facility. The ability to safely assess, interact with and harden the equipment found in critical power systems helps minimize risk to personnel and reduces the likelihood of downtime.

For example, a failure in physical processes used to evaluate the cybersecurity of critical power system architecture can result in a direct failure in the critical application. Extreme efforts are made at the design, build and operational phases to ensure continuous operation and reliability in critical environments. Electrical infrastructure is complex and requires highly qualified personnel to secure it. If an individual is not familiar with the basic principles of electrical safety, accidents are more likely and can result in personal injury and downtime.

Therefore, action items for personnel tasked with the OT cybersecurity of any operation should include the ability to:

  • Inventory all connected hardware, software and dataflows
  • Assess facility OT networks and assets to evaluate the attack surface and discover known vulnerabilities and weaknesses
  • Understand critical processes and how cybersecurity processes could negatively impact uptime
  • Evaluate the electrical safety codes and requirements associated with lifecycle cybersecurity maintenance to support personnel safety, uptime and compliance.

Together, these tasks require comprehensive knowledge of:

  • OT and ICS applications and processes
  • Electrical safety codes and standards
  • Electrical reliability and uptime
  • Industrial network defense
  • Cybersecurity regulation and guidance
  • Cybersecurity assessment and vulnerability detection
  • Defensive technologies and approaches
  • Lifecycle cybersecurity maintenance.

6. What else about power systems, electrical safety and cybersecurity requires mentioning?

Cybersecurity risks to connected systems have never been greater, as malicious threat actors look to exploit system vulnerabilities. To address potential vulnerabilities, critical industries require expertise in power systems engineering and cybersecurity. The goal is to safely assess, interact with and secure critical power system networks without risking the safety of personnel or uptime of critical processes. This is complex and requires in-depth training and experience. Sometimes, it is best to bridge this critical knowledge gap by partnering with an experienced third-party organization that understands the risks associated with unique operations. At the end of the day, the most important thing is protecting what matters: personnel, data and critical processes.

Anthony Ciccozzi is lead cybersecurity engineer at Eaton. Edited by Chris Vavra, web content manager, Control Engineering, CFE Media and Technology, cvavra@cfemedia.com.

ONLINE

See additional cybersecurity stories at https://www.controleng.com/cybersecurity/ and Industrial Cybersecurity Pulse: www.industrialcybersecuritypulse.com

CONSIDER THIS

What is your company doing to address cybersecurity and electrical safety at your facility?

