We are excited to bring Transform 2022 back in-person July 19 and virtually July 20 – 28. Join AI and data leaders for insightful talks and exciting networking opportunities. Register today!
Complex market forces and various sets of challenges have converged over the last decade, leading to the rapid adoption of new digital solutions in power plants. The growing use of renewables and the digitization of the grid have put competitive pressure on traditional gas-operated power plants to evolve to be more competitive.
The primary challenges driving this change include:
- Multigenerational workforce – the shortage of experienced plant operators and managers is growing, driving a need for more flexible remote work options and training
- Global shift to remote work – uncertainty and social-distancing protocols created by the COVID-19 epidemic hastened the urgency of a new remote operational model.
This second trend is, arguably, the most important.
Power generators are beginning to adopt technologies that enable remote or mobile control procedures to ensure business continuity and optimal staffing flexibility and efficiency. Due to growing uncertainties in plant operations, industrial organizations must build their security stack with the goal of controlling their critical infrastructure from a remote location. Plant managers and technicians need the ability to interface with the plant assets from anywhere, at any time.
Traditionally, power plant operators and technicians have only been able to work in a control room or other nearby environment to access the plant’s human-machine interfaces (HMIs). Even if there was a desire for more flexible solutions for remote operations or a need to access systems remotely for technical support, operators were limited physically to the control room. Power plant operators have long been under immense pressure from operations and maintenance (O&M) to meet key performance indicators (KPIs), and the pandemic has added an urgent need for remote flexibility. Developing and executing contingency plans and changing strategies for minimizing the onsite presence of non-essential personnel have become a critical priority.
There are several reasons such limits have been in place, such as international cyber requirements that prevented mobile or offsite use of these controls. Additionally, there is often a high degree of manual process and procedural limitations when such conditions are in place. Because of this, when remote access becomes necessary at times, it is usually performed through temporary approaches that can put critical infrastructure at risk.
Blending physical security and cybersecurity measures
Looking at the division of plant locations and responsibilities today, those in the industry have a good idea of what solutions are needed based on personal roles and responsibilities. However, those needs don’t always coherently tie to a specific strategy.
The strategies needed to meet the business challenges of today and tomorrow range from having occasional remote technical support to contingency operations to a more complex plan for the centralized (remote) operation of many assets from a command center.
A combination of both on-site and remote power plant operators will be able to respond much more effectively, increasing operational efficiency and public safety. In addition, remote staff can monitor and control onsite HMI systems while still allowing on-site control room staff to have ultimate access control. Depending on plant characteristics, entire remote operations may be possible. Mobile users at the plant or elsewhere benefit from a purpose-built interface that includes safety features.
One example illustrating the cost and need for more adaptable remote operations is the middle-of-the-night call for the local technician, who may be several hours away, to respond to an issue during start preparation. Timing is critical, and the speed of response may make the difference between a failed start, delayed start or a missed load ramp or tollgate – resulting in the potential loss of tens of thousands of dollars for a single instance. The physical response required to call the technician to the site also impacts the team’s overall productivity, as that person invariably misses the following workday. If the technician could instead provide support remotely, it would eliminate many of these issues.
Remote access: Re-orienting the cybersecurity strategy
Industrial businesses and enterprises must rethink their security stack. Rather than building defenses around the office, organizations must enable:
- Collaborate with remote staff and experts
- Increase on-site mobile staff effectiveness and flexibility
- Improve employee health and safety
- Operate reliably with reduced staffing
- Centrally monitor plant operations.
- Diagnose and troubleshoot alarms and issues
- Instruct, guide and dispatch on-site personnel
- Remotely operate, startup and/or shutdown control system assets
Today’s most power plants are equipped with firewall products, which have become standard-issue appliances when needing to secure a network. Today’s next-generation firewalls (NGFW) are more powerful and provide multiple functions such as sandboxing, application-level inspection and intrusion prevention. While NGFWs do a great job at these functions, they are not designed for accessing devices remotely, and there are inherent risks for those who have used them for remote access.
Firewalls can encrypt data streams over a virtual private network (VPN) and tunnel critical information through an untrusted network, such as the internet. However, with today’s technology and the high number of tools and information available to threat actors, it is possible to hack the data communication protocols at the endpoint device where these encrypted data streams are terminated and potentially conduct malicious activities to access critical power plant assets.
Additional areas businesses should consider for their remote security include:
- Organizations must identify all their critical infrastructure. While this may sound intuitive, it’s crucial to account for system interdependencies. For instance, an IT billing system is vital if it is interdependent on operational technology.
- Encrypted browser-based display (VDI) for remote or mobile operator HMI display to desktops, laptops and tablets.
- Multifactor authentication (MFA) is a given. There are many MFA types, but industrial organizations should implement closed-loop, hardware-based token access without cloud access to meet both onsite mobile operator and remote access requirements.
- Moderated secure file transfer provides either bidirectional or uni-directional file transfer capabilities for each system connection.
- Application and system segmentation ensures systems and applications are logically segmented to limit cyberattacks’ blast radius.
- Time-Based access controls limit the time vendors, contractors and plant technicians interact with critical systems.
- HMI access sessions by mobile operators and remote users need to be recorded for forensics and training purposes.
As the power industry adapts to the changes presented by a changing workforce and the convergence of IT and OT, remote user access will become even more essential.
Bill Moore is the CEO of Xona Systems.