As the largest natural gas-fired, combined-cycle, electricity and steam generating plant in the U.S., Midland Cogeneration Venture (MCV) in Midland, Mich., has always taken cybersecurity seriously. Its 1,633-megawatt (MW) combined-cycle power plant produces up to 1.5 million pounds per hour of bulk process steam for nearby chemical companies. The plant runs 12 ABB GT11N gas turbines, 12 CE heat recovery steam generators, two GE condensing steam turbines, and one ABB Stahl non-condensing steam turbine.
Because of North American Electric Reliability Corp. (NERC) Critical Infrastructure Protection (CIP), Version 6, standards that went into effect in July 2016, MCV had to comply with CIP standard 2 through 11. This meant that a formal, documented process for patch management, configuration management, security event monitoring and more was needed. However, with only two staffers responsible for control systems on more than 12 operating units at MCV, meeting those obligations would be difficult. In fact, a cybersecurity program using homegrown tools and tracking sheets would require the two-person team to manually patch 70 control system-related workstations, which was unmanageable because this monthly task would actually take 45 days to complete. This initial plan also didn't include patching workstations on other plant networks or the team’s responsibility to manage malware protection, annual vulnerability assessments, configuration management and daily distributed control system (DCS) operations.
"After reviewing several options, the most comprehensive cybersecurity proposal came from our DCS supplier, Emerson Automation Solutions, which already knew us, our plant and our systems well," says Scott Woodby, engineering manager, MCV. "Its customizable cybersecurity suite integrates hardware and virtualized software modules to provide security management functions, not only for Emerson's Ovation system, but also for controls from other suppliers."
As a result, Emerson’s patch management module was installed to push patches out to Microsoft Windows workstations and servers once a month. A centralized, automated patch management process proved more manageable, taking about 7-11 days to complete—nearly 30 days faster than the previous manual process. Added cybersecurity modules were also deployed, including security incident and event management, backup and restore, configuration management and malware prevention.
After successful implementation of the cybersecurity modules, responsibilities of MCV’s two-person team expanded beyond managing the security of the primary DCS system to include all plant networks and equipment affiliated with plant operations including turbines, CEMS and plant LAN assets—nearly doubling their scope of responsibility to 140 workstations and servers.
In addition, NERC CIP regulations require medium-impact assets like MCV to conduct a vulnerability assessment once every 15 months. In early 2016, Emerson was contracted to perform a comprehensive cybersecurity evaluation that included scanning the entire system, verifying asset inventory, looking for vulnerabilities and identifying mitigating options. The resulting assessment report contained specific recommendations separated into immediate, short-term and long-term actions geared towards improving the plant’s security posture and meeting NERC CIP obligations. Emerson recommendations were further segregated into nine categories, in which each finding in those categories were ranked by severity level representing the relative security, compliance and reliability risks to MCV’s systems. About 52% of the findings fell into the critical/high-priority categories, and the remaining 48% into the medium or low-priority categories. Within 12 months, MCV resolved all the initial, high-priority findings, while proactively budgeting for and scheduling implementation of the remaining, lower-priority findings.
Overall, MCV overcame the challenges of having to secure a large system with very limited resources by implementing a custom approach with the help of Emerson. MCV now has a solid cybersecurity program that not only helps them meet compliance obligations, but also focuses on best practices to ensure reliable plant operation—all without needing added personnel.
