power grid securityMuch of the eastern United States has been slogging through a hot, humid summer. Places like Burlington, Vermont recently recorded its highest low ever, with the temperature not dropping below 80 degrees at night.

A stifling summer isn’t the time when anyone wants to be dealing with downed power grid. For some, electricity isn’t a luxury, it’s a lifeline. And, of course, businesses don’t want a lack of juice anytime of year. But electricity is delivered by an increasingly complex, and some believe, vulnerable delivery system.

This creates perils for businesses and sweltering people, but potential opportunities for MSPs. As electricity increasingly moves online, power companies are turning to managed service providers to fill the tech gap. How big of an opportunity exists for MSPs depends on who you ask.

Utility companies in need

Global technology consulting firm Wipro recently weighed in with a report detailing the benefits of MSPs entering the utility market, especially when it comes to a company’s Network Operations Center (NOC) where the grid is managed. The Wipro report says succinctly:

“NOC managed services will be attractive to utilities because smart grid communications networks (advanced meter infrastructure, distribution/local/home area networks) are large, complex and use relatively new technology. Utilities will benefit from NOC services to centralize management and 24 x 7 monitoring of critical systems.”

Wipro cites the savings benefits that utility companies, even the largest ones, could reap and the new business for MSPs as a “win for everyone.” Technologies like advanced smart metering are at the forefront in how utilities operate and deliver product to customers, but they also provide more surfaces to attack.

Mike Pearson is the chief information security officer for Atlanta-based Red Clay, a leading technology and energy consultancy. He tells Smarter MSP that the opportunities in electric grid management for MSPs may be more ripe for smaller companies.

“Larger power companies like Southern Power spend 10s of millions a year on cybersecurity. They have their own war room to manage threats. I have yet to see that in more of the smaller community rural electric companies,” Pearson says.

Plus, there is a growing “skills gap” Pearson cites as a reason an electric company may be interested in farming out its IT security to an MSP.  Pearson speculates that gap may be the reason behind a US Department of Energy report published last year recommending that electric companies seek out MSPs.

“There is a skills gap, and the government is probably [asking] utilities to focus on their primary mission, which is providing power. Being able to pay and retain talent is a pretty significant cost now,” Pearson says.

Threats to the grid

Pearson says that at the basic level the networks inside the grid are not that different from ones found in other businesses. “They suffer the same issues and vulnerabilities,” Pearson says. The main difference is that electric companies are often operating on legacy systems that are decades old, and they don’t have the ability to roll out patches quickly.

“It can take six months to a year,” Pearson says. Also, utilities often operate on “single point of failure.” That means when one substation goes down there isn’t an immediate replacement, which makes for quite a bit of exposure.

The biggest threat to the grid, Pearson says, comes from nation-states and international bad actors, and they are active right now.

“They are actively infiltrating the systems. We may not be able identify when they’ve breached,” Pearson says calling their techniques more “specialized” than attacks elsewhere.

“They are not phishing or weaponized attacks. What I am seeing now are more probing attacks to see if systems are vulnerable and sometimes leaving something behind that we don’t know about yet,” Pearson says. Such probes could be inserting obfuscating malware that mimics the current system but with some nasty “surprises” coming down the line.

MSPs and CIP

Any opportunities for MSPs in utilities will mean being CIP compliant. Ever since a software bug at an Akron, Ohio utility company brought down the whole grid in the northeastern USA and Canada, power companies have been deemed Critical Infrastructure Protection by the government (CIP). And, that means adhering to certain security standards and best practices.

“Since electricity is classified as a CIP, the compliance for grid security will have to be met with any of the providers that offer products, solutions, and maintenance, be it MSP or grid operators,” says Nirmal Nair, associate professor of electrical and computer engineering at the University of Auckland in New Zealand. Nair says other countries, like New Zealand, are dealing with the same issues that utilities in the USA are facing.

“These new (technologies) invariably involve digital communications as an enabling backbone. In this space, several MSPs are involved, along with some traditional grid operators,” says Nair.

For Pearson’s part, he doesn’t think enough is being done to protect the power grid, which leaves us vulnerable. And that may leave a larger role for MSPs in keeping the lights on.


Photo: UKRID/Shutterstock.com

Kevin Williams

Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.

Leave a reply

Your email address will not be published. Required fields are marked *