The work of NETL-funded research and development efforts conducted by the Electrical Power Research Institute (EPRI) has seen cyber security improvements adopted at major energy facilities across the United States.

Changing market conditions are forcing power generation facility owners and operators to adopt new advanced digital technologies to generate operational flexibility, maintenance efficiencies and meet the needs of a transitioning workforce. However, such technologies can increase the potential for a cyber security attack by using more software and interconnected assets.

That’s why NETL and EPRI, along with Idaho National Laboratory and Southern Engineering Services, collaborated with industry to develop a holistic cyber security risk reduction framework for power generation facilities. The Lifecycle Risk Reduction Framework (LRRF) provides a scalable, three step process for implementing a right-sized cyber strategy to protect industrial control systems.

The first phase of the LRRF begins with assessing how cyber risk changes across facility life cycles, including plant, system, vendor, and business life cycles. In the second phase, the framework then addresses how to identify critical components and high consequence events. By focusing on high consequence events, plant owners are now able to employ a graded, risk-informed approach to prioritize security efforts more efficiently. The final phase of the framework identifies potential attack vulnerabilities on plant assets, including sensors and instrumentation and control equipment. After the vulnerabilities are identified, the owner selects mitigating cyber security control measures (or countermeasures) based on the risk analysis from the previous phases.

The result of this LRRF collaboration was a new approach that leverages existing best practices for vulnerability identification and mitigation embraced by industry, including EPRI’s cyber security Technical Assessment Methodology (TAM). 

These framework best practices are being adopted in industry to secure industrial control systems for critical infrastructure. Consolidated Edison and Duke Energy have applied elements of the LRRF and TAM to evaluate the cybersecurity of their equipment and systems and to identify security controls to harden the systems. By applying the framework best practices, stations can implement an efficient approach that addresses the identified cyber security risk to control systems.

The EPRI risk reduction framework for enhanced cybersecurity was funded by the Crosscutting Research Sensors, Controls, and Novel Concepts program at the National Energy Technology Laboratory within the U.S. Department of Energy’s Office of Fossil Energy.

NETL develops and commercializes advanced technologies that provide clean, secure energy while safeguarding the environment. The Lab’s work supports DOE’s mission to ensure America’s security and prosperity by addressing its energy and environmental challenges through transformative science and technology solutions.