A major part of grid cloud security is adopting a Zero Trust grid security model. As Matt Yourek puts it: “Zero Trust security really removes all the implicit trust and says, for example, ‘Kristine has an account but maybe her password was compromised. How do we know that it’s actually her anymore?’ Well, if we inject Zero Trust security methods into that we’d give her a token or some other two-factor authentication and require her to do that.”
In short, the Zero Trust grid security model requires all users, both inside and outside of a network, to be continuously authenticated to limit cybersecurity threats.
But Zero Trust grid security principles are not just for users. They also apply to systems, which, as Yourek explains, is essential to consider when applying the model to the grid. “Historically, some of the [grid] servers are highly available in the same network…but there are processes now where that can be exploited and attackers can use that against our system to actually impact the grid.”
Unfortunately, this has already happened. In December of 2015, Russian hackers compromised Western Ukraine’s energy grid and left over 200,000 residents in the dark for over 6 hours. It happened a second time barely a year later, in 2016.
As Yourek sees it, “[These] two attacks in the Ukraine in 2015 and 2016 used some of those principles of trust, and once they were in the system [the hackers] were able to cause outages.”