With Critical Systems Under Attack, a New Workplace Culture Could Be the Best Defense

With Critical Systems Under Attack, a New Workplace Culture Could Be the Best Defense

Through Mentoring, Curricula, and Immersive Technology, NREL Is Adapting the Profession of Cybersecurity To Meet the Challenges of an Evolving Grid

What's one service you cannot live without? Water or electricity may come to mind, so it should be worrying that in 2023 the FBI recorded around twice as many ransomware attacks on utilities as the previous year. These stats are even more alarming when considering the rapid shift in reliance on digital technologies and communications to enable advanced grid monitoring and control functions necessary to maintain grid reliability.

Despite their importance, the workforce in critical sectors is short-staffed and undertrained in cybersecurity, especially among small utilities. To address this gap, the U.S. government has taken steps to expand, diversify, and educate the critical infrastructure workforce in cybersecurity, and that agenda is already in action at the U.S. Department of Energy's (DOE's) National Renewable Energy Laboratory (NREL).

Cybersecurity as a Cultural Norm

Physical safety is enshrined wherever workers are asked to weld, grind, cut, or stack. "Can we make cybersecurity a cultural facet in the same way?" asked Gareth Williams, a senior cybersecurity researcher at NREL.

Williams leads NREL's effort in Cyber-Informed Engineering, a strategy developed by DOE and its laboratories to situate cybersecurity as a core engineering skill. Instead of just a course in college or an annual training quiz, cybersecurity would be part of the job.

"There's a tendency to look for a technical solution to cybersecurity because it's a technical domain, but humans design and operate critical systems at all phases of the life cycle," Williams said. "Cyber-informed engineering places the engineers, operators, the executives, the vendors, the suppliers as part of the cybersecurity strategy."

To start spreading the concept, the researchers organized a library of security resources for critical systems. Next, they are developing curricula with engineering schools and direct training for industry executives. As the philosophy takes hold, the hope is that significant consequences of cyber sabotage could eventually be engineered out of critical systems: Security would be so central to design that vulnerabilities all the way up the supply chain and down to the power delivery would be considered.

"Ten years ahead, we'll be seeing more sophisticated attacks. Cyber knowledge will be more advanced, and we can't just build cybersecurity on top. We need systems to be secure from the inside out," said Zoe Dormuth, a cyber engineer at NREL.

"Training and providing resources to the workforce is probably the most important thing we can do to improve cybersecurity," Dormuth said. "People currently aren't aware of energy system security."

To spread cyber-informed engineering principles into critical systems, NREL is designing tools that allow the present workforce to perceive system security intuitively.

Seeing a Career in Energy Security

Cybersecurity has been a natural path for Dormuth: Both parents work in the field, and a DOE-sponsored internship set her on course early into college. But others might need something more to see the appeal or recognize their own talents.

"The coursework is really challenging, so it's important to show the rewards and payoffs early," Dormuth said. "We also want to show that it's a versatile field; people might already have some skills, especially in quantitative fields. You won't know if you like it until you try it."

For electrical engineering student Javier Moscoso, cybersecurity was not on the radar until an NREL internship synced cybersecurity with his drive to improve electricity in Puerto Rico, where he's from. It placed him square within the PR100 study.

"Having the opportunity to see how cybersecurity sustains power systems has been eye opening," Moscoso said.

"Coming from Puerto Rico, we are accustomed to frequent power outages. I feel that at NREL I'm in the best place to get out of my comfort zone and spread learnings from this internship back home. Access to electricity can define the line between life and death, so we need to incorporate cyber principles in grid designs to create more reliable and resilient infrastructure from the start," he said.

Moscoso's internship was supported by the ENRGE consortium: Enabling Native Researchers and Other Minorities Through Graduate Engineering, funded by the National Nuclear Security Administration to create career pathways for diverse students. ENRGE sponsored four interns at NREL in 2024.

Senior researcher Shane McFly sees a certain mindset among students drawn into cybersecurity.

"I think an eager desire to overcome challenges is the most important skill set in cybersecurity or anywhere. A lot of folks hear that there are jobs in cyber, so they come looking for one. But if they don't enjoy being constantly challenged, facing and then overcoming frustration, it might not be a great fit," McFly said.

McFly is a creative force behind cyber education and training at NREL both in and outside of the lab. His lectures at the Colorado School of Mines put a career in cybersecurity for physical systems into focus, helping students realize who cybersecurity experts are and what they do.

Andat industry conferences, McFly and other NREL researchers are introducing tools into trainings that make cybersecurity substantially more intuitive and enjoyable.

New Tools for Cyber Trainings

If cyber trainings were just full-day sessions of reading system logs, the cyber workforce might never grow. Thankfully, companies and industries have turned to team-based activities and competitions since the early days of cybersecurity to imitate the high-stakes collaboration that engineers confront in the field.

One such event is DOE's Liberty EclipseFull-Scale Exercise, which gathers system operators for a week of live training and incident response exercises. Utility and energy sector workers, National Guard units, and other critical operations staff gain practical experience managing cyberattacks together in a technologically furnished facility.

Liberty Eclipse had been helpful for hands-on knowledge, but what happens when a pandemic keeps trainees apart?

For the 2023 Liberty Eclipse event, McFly and team helped design a new interface to connect remote and in-person participants. The team also devised a networking solution that securely connected remote participants to the testing infrastructure and allowed more utilities to participate.

At another industry cyber-training event in 2023, McFly brought a technology that had participants talking: A 3D visualization of network traffic. Another attendee soon connected their gaming controller to the visualization, and people lined up for a turn. Instead of scrolling through illegible system logs, users could navigate their network and interpret data on the fly. This solution makes cybersecurity less arcane and more accessible, which proved successful for the group of mid-career engineers who first piloted it this year.

"The visualization was a total success," McFly said. "Cyber specialists may be able to read 70 log entries in a second, but C-suite-level workers usually can't. With this visualization, now they can see the network dynamics, they can interact with it and participate with greater confidence."

The same visualization tool also supports the ARIES Cyber Range, which researchers and partners use to experiment on complex cyber-physical systems. The cyber range is a direct conduit to NREL's emulated networks and power hardware, allowing students from the CyberForce competition, or engineers in the GridEx exercises, or any other industry partner to intimately comprehend and appreciate a domain that will define critical systems for decades.

Even with some of the most sophisticated cyber-energy solutions and a legacy of innovating cybersecurity technologies, NREL researchers know that present threats require an even greater shift. As McFly reaffirmed: "This is not just an IT problem; it's a human problem. It's up to all of us to create a culture of cybersecurity.

If you are interested in working or interning at NREL in energy security and resilience, visit our recent job openings.

To learn more about Cyber-Informed Engineering and how it can be applied to curricula and certifications, contact [email protected].