Survey of Cybersecurity Governance, Threats, and Countermeasures for the Power Grid †

Abstract: The convergence of Information Technology (IT) and Operational Technology (OT) systems in industrial networks presents many challenges related to availability, integrity, and confidentiality. In this paper, we evaluate the various cybersecurity risks in industrial control systems and how they may affect these areas of concern, with a particular focus on energy-sector OT systems. OT and IT systems share many threats and countermeasures. Since IT cybersecurity is a relatively mature field, this paper emphasizes threats with particular applicability to OT and their respective countermeasures. We identify the regulations, standards, frameworks and typical system architectures associated with this domain. We review relevant challenges, threats, and countermeasures, as well as the critical differences in priorities between IT and OT cybersecurity efforts and their implications. These results are then examined against the National Institute of Standards and Technology (NIST) framework recommended for gap analysis, to provide a complete approach to energy-sector cybersecurity. We analyze how countermeasure implementation aligns with the continuous functions recommended for a sound cybersecurity framework.


Introduction
Industrial Control System (ICS) entities face growing business demands to operate more efficiently and, in the United States, growing regulatory pressure as well. The Energy Independence and Security Act of 2007 [1] gave the Federal Energy Regulatory Commission (FERC) and the National Institute of Standards and Technology (NIST) responsibilities to develop smart grid guidelines and standards. Furthermore, FERC has certified the North American Electric Reliability Corporation (NERC) as the body responsible for developing Critical Infrastructure Protection (CIP) cybersecurity standards [2]. At the time of this writing, NERC has developed 12 CIP standards that are subject to enforcement. Nuclear power generation facilities are governed by additional laws, regulations, and standards. To meet these demands, ICS operators have increasingly integrated Information Technology (IT) solutions with Operational Technology (OT). However, this so-called IT/OT convergence has exposed once air-gapped OT networks to the Internet, where they are vulnerable to cyber attacks. The differences between IT and OT and their convergence are examined in depth by Kayan et al. in [3]. which aims to guide organizations through the process of assessing and furthering their cybersecurity posture.
A survey of primary cybersecurity concepts and a principal threat taxonomy for Industrial Cyber-Physical Systems (ICPS) is provided in [3]. That paper introduces cybersecurity concepts as they relate to ICPS, highlights prominent protocols, and presents categories of countermeasures for ICPS in general. Its ICPS-wide scope, however, results in a broad, high-level analysis of mostly IT-driven cybersecurity aspects within the ICPS domain, including an outline of the convergence of IT and OT systems and its effects on cybersecurity posture as explored in academic research. The authors also identify available research into general testbeds and datasets for evaluating cybersecurity proposals. Since [3] is a broad, high-level review without a focus on application domains, our focus is specifically on the energy sector, a critical infrastructure sector and a cornerstone of modern society. In this paper, we identify potential threats, industry guidelines and cybersecurity frameworks that are driven by the unique challenges and opportunities found in this key application domain. These frameworks are not only applicable to the energy sector, but can equally benefit other ICS sectors.
In related work, some broad cybersecurity threats and solutions are given in [9][10][11][12]. In [13], several denial-of-service (DoS) attack taxonomies for the Smart Grid (SG) are defined and some potential solutions are explored. In [14], applications of blockchain to cybersecurity solutions in the smart grid are explored. Communication architectures, technologies, protocols, cyber threats, and countermeasures are explored in [15][16][17][18][19][20]. In [21], a taxonomy of false data injection attack (FDIA) detection algorithms is presented and evaluated. In [22,23], cyber threats and countermeasures related to time synchronization of measurement devices are presented.
In this paper, we focus on OT security issues, as IT security issues are already well covered by the IT industry. In particular, we focus on OT security issues in the energy sector, primarily in power generation and distribution systems. While significant research exists on OT cybersecurity, this survey is the first to review existing OT cybersecurity threats, countermeasures, and industry-sector guidance for strengthening cybersecurity posture with primary applicability to the North American energy sector. This paper illustrates the differences in the priority assigned to confidentiality, integrity and availability between IT and OT networks, as a motivator for the different cybersecurity approaches taken in the two domains. We evaluate known cybersecurity threats and their countermeasures, with a focus on OT-specific threats, and examine the gap analysis recommended by NIST.
The remainder of this paper is organized as follows. In Section 2, a survey of energy sector ICS security governance is provided. In Section 3 we provide some reference network architectures for OT networks. Section 4 presents a survey of security threats for OT networks. In Section 5, we provide a survey of countermeasures proposed in the literature. In Section 6, we analyze the current state of OT network security mitigation strategies (i.e., by assuming the countermeasures in the current literature may be applied), by analyzing how well they will assist entities to further manage cybersecurity risk. Finally, some concluding remarks are provided in Section 7.

Power Grid Cybersecurity Governance
Organizations responsible for the generation, transmission, and distribution of electrical energy are subject to a variety of laws, regulations, policies, standards, and guidelines. Ideally, there would be one universal governance framework for the energy ICS sector. In reality, each organization must determine its own governance structure based on its culture and existing organizational model, and there is no single authority within an organization that determines the correct governance framework. However, the NIST Cybersecurity Framework (CSF) [24] and the DoE Cybersecurity Capability Maturity Model (C2M2) [8] are both valuable tools for strategically developing an appropriate cybersecurity governance and management framework. The available governance sources are listed in Table 1. The NIST CSF Core consists of four elements: Functions, Categories, Subcategories, and Informative References. The Functions represent a typical cybersecurity lifecycle with the stages Identify, Protect, Detect, Respond, and Recover. Each Function is divided into Categories, the next level of granularity of each lifecycle stage, and each Category is further divided into Subcategories, which state specific outcomes. Informative References map each Subcategory to clauses of other standards and guidelines, such as ISO/IEC 27001, ISA/IEC 62443, COBIT, and NIST SP 800-53.
The NIST CSF also provides a scaled ranking system, the Implementation Tiers, for organizations to evaluate the degree to which their cybersecurity risk management practices exhibit the characteristics defined in the framework across three dimensions: Risk Management Process, Integrated Risk Management Program, and External Participation. The Tiers range from 1 to 4 (Partial, Risk Informed, Repeatable, and Adaptive), with Tier 1 being the lowest level of implementation. Tiers are not maturity levels: an organization selects the Tier that matches its risk tolerance and resources rather than being expected to reach Tier 4.
Lastly, NIST CSF Profiles are the method by which organizations evaluate their current cybersecurity posture. A Current Profile records which Core outcomes are achieved today, and a Target Profile records the outcomes required by the organization's business requirements, capabilities, and risk appetite; comparing the two yields the gap analysis and the prioritized next steps toward the desired posture. For example, NIST provides a Profile for the Smart Grid in [25].
The C2M2 is a maturity model consisting of a set of common cybersecurity practices that may be used to evaluate, prioritize, and improve an organization's cybersecurity capabilities. It was derived from the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) [8], which was developed in response to the U.S. government's initiative to improve the cybersecurity posture of its critical infrastructure.
In 2005, the Energy Policy Act was signed into law in the United States. It mandates FERC to certify an Electric Reliability Organization (ERO) to develop reliability standards for the bulk power system, which FERC enforces. Shortly after, FERC certified NERC as the ERO. NERC's cybersecurity and physical security standards for the bulk power system are the NERC Critical Infrastructure Protection (CIP) standards. At the time of this writing, there are 12 enforceable NERC CIP standards, 11 relating to cybersecurity and 1 (CIP-014) relating to physical security [2]. Other than the standards relating to nuclear facilities, these are the only enforceable cybersecurity standards for the power grid in the United States.
The NERC CIP standards apply to entities whose compromise would materially impact the reliability of the bulk power system. Under CIP-002, each responsible entity identifies the BES Cyber Systems that meet its inclusion criteria and none of its exclusion criteria, and categorizes them by impact (high, medium, or low). The CIP standards require these entities to identify their critical assets and to regularly perform risk analysis on them. They must establish an Electronic Security Perimeter (ESP) around those systems (CIP-005) by creating appropriate firewall rules and policies, enforcing IT controls to protect critical assets, and implementing cyber attack monitoring tools. They are also required to regularly patch software and firmware vulnerabilities, use IDS/IPS tools, use antivirus and anti-malware tools, generate alarms on detected cyber events, and use secure account and password management (CIP-007). The standards also define requirements for establishing a cybersecurity policy and program (CIP-003), training personnel and controlling their access (CIP-004), establishing an incident reporting and response planning program (CIP-008), and establishing recovery plans for critical assets and data (CIP-009).
The NERC CIP standards are the primary external influence on cybersecurity governance for Bulk Electric Systems. However, nuclear power generation systems are further governed by additional laws, regulations, and standards. These are primarily the Nuclear Regulatory Commission (NRC) regulation 10 CFR 73.54, the Nuclear Energy Institute (NEI) guidance documents 08-09, 10-04, 10-08, 10-09, and 13-10, and NRC Regulatory Guide 5.71. The US Department of Homeland Security (DHS) guideline titled "Nuclear Sector Cybersecurity Framework Implementation Guidance for U.S. Nuclear Power Reactors" is a useful tool for strategically implementing a cybersecurity program that satisfies the applicable laws, regulations and standards while aligning with the NIST CSF.
Besides these, the following International Society of Automation (ISA) and International Electrotechnical Commission (IEC) standards are also important for cybersecurity management of the Smart Grid: ISA/IEC 62443, IEC 62351, IEC 62541, IEC 61400-25, IEC 62056-5-3 and ISO/IEC 14543. The IEC standards are available for purchase by organizations and individuals but, unlike the NERC CIP standards, they are not enforceable. ISA/IEC 62443 is a series of standards whose goal is to improve the confidentiality, integrity, and availability of general Industrial Automation and Control Systems (IACS); among other things, it defines the zone-and-conduit segmentation model and the security levels (SL 1 to SL 4) used to state how much protection a given zone requires. IEC 62351 is a series of standards for improving the cybersecurity of the communication protocols used in power systems, including IEC 60870-5, IEC 61850 and DNP3. IEC 62541, also known as the OPC Unified Architecture (OPC UA), is a client-server based machine-to-machine (M2M) communication protocol for general IACS.
Furthermore, the following Institute of Electrical and Electronics Engineers (IEEE) standards are also important for cybersecurity management of Smart Grid systems: IEEE 1646 (communication delivery time performance requirements for electric power substation automation), IEEE 1686 (cybersecurity capabilities of intelligent electronic devices), IEEE 2030 (smart grid interoperability), and IEEE 1402 (physical security of electric power substations).

Power Grid ICS Network Architectures
ICS networks should be logically separated into zones by function, following the level model recommended by CISA in [26]. As depicted in Figure 1, the OT network resides in Levels 0-2 while the IT network resides in Levels 3-5.
Since IT/OT convergence is a relatively new phenomenon, many operational technologies are still insecure by design [4]. IT technologies have evolved alongside the threats to networking and computing technologies, whereas OT networks were isolated until relatively recently. In [26], CISA recommends traditional methods to implement a defense-in-depth strategy at the enterprise zone, reflected in its recommended firewall rule set depicted in Figure 2. In particular, CISA recommends a DMZ to provide logical separation of the enterprise zone from the Internet; virtual private networks to secure remote access connections; firewalls to restrict connections between zones to trusted entities and content; and host security controls such as antivirus software, patch management, and intrusion detection systems. The rule set differs from a typical IT firewall policy in that it denies by default and permits only the specific hosts, protocols and directions the process requires, with no direct path from the enterprise zone or the Internet into the control zone.
While this defense-in-depth strategy is a good start to securing ICS networks, the OT portion of the network may still require additional security controls to improve an organization's overall risk posture. Organizations responsible for power transmission and distribution manage assets distributed over vast geographical areas and therefore typically use SCADA technologies to monitor and control these distributed systems. A typical SCADA system is shown in Figure 3. Beyond the transmission and distribution domains of the smart grid, there are also the generation, customer, markets, operations, and service provider domains, as defined in the NIST Smart Grid Framework 3.0 [27]. The domains of primary concern in this paper are the transmission, distribution, operations and customer domains. The next two sections focus on the potential cyber threats to the Smart Grid and potential countermeasures.

Cybersecurity Threats in Energy System OT Networks
Cybersecurity threats in energy system OT networks may be categorized by the security service targeted by the attack. From a risk perspective, it is also particularly useful to order these services by priority. In OT networks, systems not only govern critical operational processes, such as manufacturing machinery, power generators and distribution systems, but may also be responsible for the safety of workers or, in the case of smart grids, perform time-critical tasks to prevent cascading failures and facilitate a key service on which national security is built. A failure in the power grid not only puts people's lives at risk, but can have a disastrous impact on everything from transportation to financial services and defense. Such critical OT operations require quick system responses to perform as intended, so their low-latency requirements depend on constant availability. Even a momentary outage could cause a safety-critical system to fail to respond within its defined time, with potentially fatal consequences. For this reason, OT networks typically rank availability as their highest priority, followed by integrity and confidentiality, and we categorize attack impacts in that order: Availability, Integrity, and Confidentiality. This is in contrast to IT networks, where confidentiality and data integrity rank higher than a momentary lapse of availability. In IT networks, data is the important commodity, so protecting that data is more important than a temporary lapse in availability. IT networks serve an organization's day-to-day operation, such as the storage of information or the completion of automated processes. Provided that the integrity and confidentiality of the systems are maintained, short outages have little impact on an organization, since most tasks that fail during an outage can be completed once the systems become available again.
In some cases, an attack may impact more than one security service. Such attacks are described only under the higher-priority service, with the other affected services mentioned as well. For instance, although an FDIA is primarily an attack against data integrity, it may also impact availability [13]. Since availability is the higher-priority category, it is described in the Availability Threats subsection rather than the Integrity Threats subsection.

Availability Threats
In DoS attacks, the perpetrator seeks to make information or operational technology systems unavailable, either temporarily or indefinitely, to authorized users or other systems in the network. In traditional IT, this may be accomplished by overloading a web service with superfluous requests. OT systems present additional attack vectors: rather than saturating the network, a perpetrator may target the systems or data on which automated control depends for correct operation. DoS attacks represent a significant threat to power systems because their control systems are sensitive to timing, so delaying or withholding critical information can compromise the availability of the entire system.
Jamming attacks are a form of DoS attack, and present a significant threat to the availability of smart grid systems. In jamming attacks, the shared nature of wireless channels is exploited by sending a continuous flow of data to prevent legitimate users from utilizing the channel. The authors in [42] propose a jamming channel attack called Maximum Attacking Strategy using Spoofing and Jamming (MAS-SJ). This attack targets PMUs of the cognitive radio network (CRN) used for providing time-synchronized data of power operating states in a wireless smart grid network (WSGN).
In [32,37], the authors introduce the puppet attack, which exploits a vulnerability in the Advanced Metering Infrastructure (AMI) dynamic source routing protocol to exhaust network bandwidth. In [43], the Time-Delay-Switch (TDS) attack is proposed, in which attackers introduce time delays into control loops to destabilize the smart grid. The Time Synchronization Attack (TSA) [40] targets the integrity of the GPS timing information used by Phasor Measurement Units (PMUs) in various smart grid applications, including transmission line fault detection, voltage stability monitoring, and event location. In [44], the effects of flooding attacks on time-critical communications of the Smart Grid are explored. Another potential threat against availability and integrity is the wormhole attack, as shown in [45].
Attacks that primarily target data integrity may impact availability as well. In power grid applications, the false data injection attack [40] is a well-known example. In an FDIA, the attacker alters the measurements fed to the power grid state-estimation system so that it converges to a wrong operating state; the distorted view of supply and demand may then trigger wrong control actions and cause blackouts, physical damage, or even the loss of human lives [18]. An FDIA may thus effectively become a denial-of-service attack, as critical services may become unavailable. Research on FDIA detection strategies is highly active, because of the large potential impact and the difficulty of the problem: an attacker who knows the system's measurement model can construct the injected vector so that the residual test of conventional bad-data detection does not flag it. Due to the time-sensitive nature of state-estimation communications, detection schemes must also be very efficient. Additional integrity attacks that may lead to DoS are presented in [46][47][48].
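To make the detection problem concrete, the following added example (written for this survey's discussion, not code from any of the cited papers) runs a weighted-least-squares DC state estimation on a constructed three-bus system with all line reactances set to 1 p.u., applies a residual-norm bad-data detector with an assumed threshold, and compares a naive single-measurement tamper with a stealthy injection a = Hc of the kind analyzed in the FDIA literature. The bus model, measurement set, threshold and attack vectors are all assumptions chosen for illustration.

```python
# Three-bus DC power-flow model (constructed). Bus 1 is the angle reference
# (theta1 = 0) and every line reactance is 1 p.u., so each flow is simply an
# angle difference. State x = [theta2, theta3]; z = [P12, P13, P23, P2, P3].
H = [
    [-1.0,  0.0],   # P12 = theta1 - theta2
    [ 0.0, -1.0],   # P13 = theta1 - theta3
    [ 1.0, -1.0],   # P23 = theta2 - theta3
    [ 2.0, -1.0],   # P2  = P21 + P23  (net injection at bus 2)
    [-1.0,  2.0],   # P3  = P31 + P32  (net injection at bus 3)
]
TAU = 0.05  # assumed residual-norm threshold of the bad-data detector


def matvec(M, v):
    return [sum(m * x for m, x in zip(row, v)) for row in M]


def wls_estimate(z):
    """x_hat = (H^T H)^-1 H^T z with unit weights; two states, so the 2x2 inverse is closed-form."""
    a = sum(h[0] * h[0] for h in H)
    b = sum(h[0] * h[1] for h in H)
    d = sum(h[1] * h[1] for h in H)
    det = a * d - b * b
    inv = [[d / det, -b / det], [-b / det, a / det]]
    htz = [sum(h[0] * zi for h, zi in zip(H, z)),
           sum(h[1] * zi for h, zi in zip(H, z))]
    return matvec(inv, htz)


def residual_norm(z, x_hat):
    """||z - H x_hat||_2, the quantity a conventional bad-data detector thresholds."""
    r = [zi - hi for zi, hi in zip(z, matvec(H, x_hat))]
    return sum(ri * ri for ri in r) ** 0.5


def bad_data_detected(z):
    return residual_norm(z, wls_estimate(z)) > TAU


def stealthy_attack_vector(c):
    """Stealthy FDIA: a = H c lies in the column space of H, so the residual is
    unchanged while the estimate shifts by exactly c. The attacker must know H,
    i.e. the topology and line parameters."""
    return matvec(H, c)


def demo():
    theta_true = [0.10, -0.20]
    z = matvec(H, theta_true)            # noise-free constructed measurements
    naive = list(z)
    naive[0] += 0.5                      # tamper with one flow measurement only
    c = [0.30, 0.30]                     # desired shift of the estimated state
    stealthy = [zi + ai for zi, ai in zip(z, stealthy_attack_vector(c))]
    return {
        "clean_detected": bad_data_detected(z),
        "naive_detected": bad_data_detected(naive),
        "stealthy_detected": bad_data_detected(stealthy),
        "stealthy_estimate": wls_estimate(stealthy),   # equals theta_true + c
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The naive tamper raises the residual and is caught; the stealthy vector lies in the column space of H, so the residual is unchanged and the estimate moves by exactly c. This is why FDIA detection research looks beyond the residual test, and why protecting the topology and line-parameter data that make up H is itself a countermeasure.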
Some basic attacks may have a large impact on availability as well. Viruses, worms, and trojan horses pose a significant threat to IT and OT systems, not only in terms of availability, but in terms of integrity and confidentiality as well. The Stuxnet worm and the Duqu malware [37] are two examples. Such malware may bypass existing defense-in-depth strategies, which makes it particularly dangerous. Furthermore, masquerade attacks may be carried out [35] to penetrate a system and/or elevate privileges in order to mount a larger attack that compromises the availability of the system.

Integrity Threats
Cyber attacks that affect the integrity of systems within energy OT networks are primarily focused on the transmission and distribution domains of the conceptual model. As mentioned in the previous section, the primary focus of research in this area is on FDIA in state-estimation systems, as these types of attacks not only impact availability and integrity of energy systems, but can cause blackouts, damage to systems, harm and even the loss of lives. However, other types of data tampering attacks may also have serious consequences for the smart grid. In this section, we present a survey of threats to data integrity in energy OT networks.
Since most attacks that impact data integrity in smart grids may also impact availability, most of the relevant survey has already been compiled in the previous section. However, many of those same attacks may have less severe consequences. For instance, a malicious attacker may target the smart metering infrastructure to create financial losses for the utility company, or an opportunistic attacker may alter measurement data to obtain free power [49]. Attackers may also mount man-in-the-middle or spoofing attacks against AMI through unauthorized data manipulation. These are just a few examples of data integrity threats that do not necessarily impact availability.

Confidentiality Threats
Cyber attacks that affect the confidentiality of users in the power grid mainly target the customer, distribution, and service provider domains of the NIST Smart Grid Conceptual Model [27]. AMI enables fine-grained, near-real-time monitoring of customer energy consumption, both for more precise billing and to give customers feedback about their consumption habits. This level of feedback requires potentially sensitive customer information to traverse the AMI communication networks, presenting a threat to customer confidentiality. Beyond customers, intrusions within almost all domains of the conceptual model may reveal sensitive user information (e.g., about employees). In this section, we present a survey of threats to confidentiality in energy grid OT networks.
As explained in [49], the primary confidentiality-related challenges in AMI are customer privacy and the integrity and availability of operations. Since the latter have been discussed in previous sections, the focus here is customer privacy. As shown in [50], an attacker can identify individual appliances from their consumption signatures and infer sensitive information about a household, such as occupancy and daily routines, from high-resolution meter readings. The main attacks targeting confidentiality are packet capture for traffic analysis, port scanning directed at specific protocols such as DNP3, and social engineering or password phishing attacks.

Potential Countermeasures to Cybersecurity Threats
Countermeasures to cybersecurity threats in OT networks are also categorized by security service, as in Section 4. However, a single class of attack may affect multiple security services. In particular, attacks on integrity and confidentiality both require the attacker to first obtain network access, so countermeasures for integrity and confidentiality threats are combined in this section, while countermeasures to availability threats are addressed separately. A summary of the countermeasures outlined in this section can be found in Table 2.

Potential Countermeasures for Availability Threats
Cybersecurity threats that impact availability in the smart grid present major challenges to researchers. As demonstrated in previous sections, many of these threats are related to threats that impact data integrity, including some DoS and FDIA attack vectors. In general, there is no single solution to prevent DoS and DDoS attacks. Consequently, a multitude of different solutions may have to be implemented to successfully limit the effectiveness of such attacks [13]. Furthermore, state-estimation systems in the SG are highly sensitive to time synchronization and latency degradation. Due to the real-time nature of state-estimation systems, research in this area is heavily focused on efficient and effective detection algorithms. As explained in [13], DoS countermeasure strategies may be categorized by non-technical security controls, filtering, Intrusion Detection/Prevention Systems (IDS/IPS), rate limiting, cryptographic authentication, protocol solutions, architectural solutions, honeypots, device solutions, wireless communications-specific solutions, and system-theoretic solutions. Some examples of non-technical security controls are to limit access to critical assets to authorized personnel and implementing an effective and strategic cybersecurity governance and management framework. A brief survey of technical solutions for DoS attacks, organized by category, follows below.
Filtering is the implementation of effective firewall rules that limit incoming traffic to expected network addresses, ports, etc. In [127], the authors present a smart tracking firewall specialized for a wireless mesh network (WMN)-based smart distribution grid (SDG). In their scheme, any node that detects a potential intruder notifies its neighbors, which can then filter the source's traffic before it advances further through the multihop network. The authors in [128] propose an OpenFlow SDN-based firewall for preventing DDoS attacks in AMI. By connecting the firewall to the SDN controller and a cloud firewall agent, the firewall policies ensure that incoming data is checked and that filtering occurs at the cloud edge.
Intrusion detection systems (IDS) are devices or software applications with more sophisticated capabilities than firewalls, which are primarily configuration-driven filters of harmful traffic. An IDS may be developed for a specific use case, such as detection for a particular ICS protocol, and is usually designed to detect more complex intrusion scenarios than a firewall can. Intrusion prevention systems (IPS) add automated prevention to an IDS, e.g., automatically blocking a source address when a certain attack scenario is detected. One key difference is that an IDS deployed on the host, or provided with the session keys, can inspect decrypted application-layer payloads, whereas a conventional packet-filtering firewall decides on headers only; an IDS can therefore detect sophisticated attacks while the data on the wire remains encrypted. IDSs may be classified as signature-based, anomaly-based, or specification-based.
Signature-based IDSs rely on a rules engine of known attack signatures. In [129], a set of signature rules for detecting intrusions in Modbus communications for SCADA applications is presented. The authors in [130] present a set of signature rules for the DNP3 protocol for SCADA. Each of these signature-based IDSs provides rules for detecting DoS attacks.
Anomaly-based IDSs typically rely on machine learning algorithms or other statistical methods. In [131], the authors use a time-series model of process measurements to detect anomalies related to DoS attacks. The authors in [132] develop a deep learning model to detect anomalies in PMU data. In [133], a machine-learning based anomaly detector for attacks on load forecasting data is developed. Each of these anomaly-based IDS algorithms is useful for detecting DoS attacks, with the caveat that the model must be trained on a baseline known to be attack-free and retrained when the process changes.
Specification-based IDSs rely on manually developed specifications of legitimate behavior, so they can flag previously unseen attacks but must be updated whenever the legitimate behavior changes. In [134], a specification-based IDS algorithm monitors AMI C12.22 transmissions for anomalies using device-based, network-based, and application-based constraints. In [135], the authors propose a specification-based network intrusion detection system (NIDS) for detecting anomalies in GOOSE and SV multicast messages in substation automation systems. Each of the presented specification-based detectors is useful for detecting DoS attacks.
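As an added illustration of the signature-based and specification-based approaches described in the two preceding paragraphs (example code written for this survey, not the rule sets of [129], [130], [134] or [135]), the following Python detector parses Modbus/TCP frames and applies both kinds of rule: a specification that whitelists the function codes each authorized client may send, and a signature for the diagnostic sub-functions (Force Listen Only Mode and Restart Communications Option) that silence or reset a device and are a classic DoS vector. The client addresses, the policy and the sample frames are constructed for the example.

```python
import struct

# Modbus function codes (Modbus Application Protocol specification)
FC_READ_HOLDING = 3
FC_WRITE_SINGLE_REG = 6
FC_DIAGNOSTICS = 8
FC_WRITE_MULTI_REGS = 16

# Diagnostic (FC 8) sub-functions that disrupt the slave: classic DoS signatures
DIAG_RESTART_COMMS = 0x0001
DIAG_FORCE_LISTEN_ONLY = 0x0004

# Specification: function codes each authorized client may send (constructed policy)
ALLOWED_FC = {
    "10.0.2.10": {FC_READ_HOLDING},                                          # read-only HMI
    "10.0.2.20": {FC_READ_HOLDING, FC_WRITE_SINGLE_REG, FC_WRITE_MULTI_REGS},  # engineering workstation
}


def parse_mbap(frame: bytes):
    """Parse one Modbus/TCP frame; return (unit_id, function_code, pdu_data) or raise ValueError."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    # The length field counts unit id + PDU, i.e. everything after the first 6 bytes.
    # Trusting it blindly is itself a DoS risk, so it is checked against the real size.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match payload {len(frame) - 6}")
    return unit, frame[7], frame[8:]


def inspect_frame(src_ip: str, frame: bytes):
    """Return the list of alerts for one frame (empty list means allowed)."""
    try:
        unit, fc, data = parse_mbap(frame)
    except ValueError as e:
        return [f"MALFORMED from {src_ip}: {e}"]
    alerts = []
    # Specification rule: is this client permitted to use this function code?
    if src_ip not in ALLOWED_FC:
        alerts.append(f"SPEC unknown client {src_ip} sent fc={fc} to unit {unit}")
    elif fc not in ALLOWED_FC[src_ip]:
        alerts.append(f"SPEC fc={fc} not permitted for {src_ip}")
    # Signature rule: diagnostic sub-functions that take the device offline
    if fc == FC_DIAGNOSTICS and len(data) >= 2:
        sub = struct.unpack(">H", data[:2])[0]
        if sub in (DIAG_RESTART_COMMS, DIAG_FORCE_LISTEN_ONLY):
            alerts.append(f"SIG diagnostics sub-function 0x{sub:04x} (DoS) from {src_ip}")
    return alerts


def build(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Assemble a well-formed Modbus/TCP frame (used here to construct sample traffic)."""
    return struct.pack(">HHHB", tid, 0, 2 + len(data), unit) + bytes([fc]) + data


# Constructed traffic: (source address, raw frame)
SAMPLE = [
    ("10.0.2.10", build(1, 1, FC_READ_HOLDING, struct.pack(">HH", 0, 10))),              # normal read
    ("10.0.2.10", build(2, 1, FC_WRITE_SINGLE_REG, struct.pack(">HH", 5, 0xFFFF))),      # HMI writing: policy violation
    ("10.0.2.99", build(3, 1, FC_DIAGNOSTICS, struct.pack(">HH", DIAG_FORCE_LISTEN_ONLY, 0))),  # rogue host, DoS
    ("10.0.2.20", b"\x00\x04\x00\x00\x00\x09\x01\x03\x00\x00\x00\x01"),                   # length field lies
]


def run(samples=SAMPLE):
    return [(ip, inspect_frame(ip, frame)) for ip, frame in samples]


if __name__ == "__main__":
    for ip, alerts in run():
        print(ip, alerts or "ok")
```

Note the different failure modes: the specification rule catches the HMI issuing a write it was never meant to send, including writes for which no signature exists, while the signature rule fires on the rogue host's diagnostic request regardless of policy. The malformed-length check matters as well, since a parser that trusts the MBAP length field is a DoS target in its own right.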
Cryptographic authentication refers to the use of cryptographic solutions to prevent the types of data integrity attacks that may lead to a DoS. Key challenges in the smart grid, however, are the combined use of resource-constrained computing devices and the long-lived devices typical of power systems. Because of the low-power devices, the cryptographic algorithms must be lightweight, and because of the long-lived devices, they must remain secure for the lifetime of the device. Furthermore, the scalability of key management is a major concern [136]. In short, the use of cryptography in the SG can itself become a target of DoS attacks, for example by flooding a constrained device with messages whose signatures it must verify [39]. In [137], the authors propose a hybrid solution combining public-key and symmetric-key techniques.
Protocol-based solutions refer to research on improving the communication protocols used in the SG. These protocols carry unique challenges compared to those used on the Internet; for instance, since many devices have long lifetimes, the protocols need to be able to evolve over time. In addition to current standardization efforts that address various security requirements, including DoS attacks [138], there is active research to improve SG protocols further. For instance, in [139], a lightweight and efficient authentication scheme using one-time signatures for multicast data is presented; one-time signatures are attractive for multicast because verification needs only hash computations, but each key pair may sign only a single message, so key distribution and signature size become the design problems.
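To show what "one-time" means in practice, the following added example implements a Lamport one-time signature over SHA-256 (a textbook construction, not the scheme of [139]) with a signer that refuses to reuse its key, verifies a constructed GOOSE-like payload, and reports the signature and public-key sizes. The message, the OneTimeSigner class and the size report are assumptions for illustration.

```python
import hashlib
import os

DIGEST_BITS = 256  # SHA-256 output length; one preimage pair per digest bit


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _bit(digest: bytes, i: int) -> int:
    """Bit i (MSB first) of the digest selects which preimage of pair i is revealed."""
    return (digest[i // 8] >> (7 - i % 8)) & 1


def keygen(rand=os.urandom):
    """Private key: 256 pairs of random 32-byte preimages. Public key: their hashes."""
    sk = [(rand(32), rand(32)) for _ in range(DIGEST_BITS)]
    pk = [(_h(x0), _h(x1)) for x0, x1 in sk]
    return sk, pk


class OneTimeSigner:
    """Holds one private key and signs exactly once. A second signature would reveal
    the other preimage in every pair whose digest bit differs, enabling forgeries."""

    def __init__(self, sk):
        self._sk = sk
        self._used = False

    def sign(self, msg: bytes):
        if self._used:
            raise RuntimeError("one-time key already used; generate a fresh key pair")
        self._used = True
        d = _h(msg)
        return [self._sk[i][_bit(d, i)] for i in range(DIGEST_BITS)]


def verify(pk, msg: bytes, sig) -> bool:
    """Subscriber side: only hash computations, no public-key arithmetic."""
    if len(sig) != DIGEST_BITS:
        return False
    d = _h(msg)
    return all(_h(s) == pk[i][_bit(d, i)] for i, s in enumerate(sig))


def demo():
    # Constructed GOOSE-like payload; publisher holds sk, subscribers hold only pk.
    sk, pk = keygen()
    signer = OneTimeSigner(sk)
    msg = b"GOOSE stNum=7 sqNum=0 TRIP=1"
    sig = signer.sign(msg)
    forged = list(sig)
    forged[0] = b"\x00" * 32                     # corrupt one revealed preimage
    try:
        signer.sign(b"GOOSE stNum=8 sqNum=0 TRIP=0")
        reuse_refused = False
    except RuntimeError:
        reuse_refused = True
    return {
        "valid": verify(pk, msg, sig),
        "tampered_rejected": not verify(pk, b"GOOSE stNum=7 sqNum=0 TRIP=0", sig),
        "corrupted_sig_rejected": not verify(pk, msg, forged),
        "reuse_refused": reuse_refused,
        "sig_bytes": sum(len(s) for s in sig),
        "pk_bytes": sum(len(a) + len(b) for a, b in pk),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The signature is 8 KB and the public key 16 KB for a single message, which is why [139] and similar work pursue lighter variants: a deadline of a few milliseconds leaves no room to fragment a multi-kilobyte signature across 1500-byte Ethernet frames, and every subscriber needs a fresh public key for every message unless a chaining or tree scheme is layered on top.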
Architectural solutions refer to the design of network topology to mitigate the effectiveness of certain DoS scenarios. Since the SG is relatively new, there is opportunity to design the architecture from the ground up to address such needs [140]. For instance, a subnetwork may be able to isolate itself in the event of a DoS attack to continue operations until the parent network recovers. This type of architectural design is known as islanding [141]. Islanding can be an effective architectural solution in smart grids [141][142][143].
Honeypots are devices and systems that mimic legitimate network components likely to be targeted by attackers. They are typically monitored and isolated from the production network so that security operations can detect potential attacks early and block malicious sources before they reach production systems. A recent survey explores the use of honeypots and honeynets in the smart grid [144]. It finds that Conpot [145,146] is a promising open-source project that supports many smart grid use cases out of the box and may be extended to support others. There is large potential for future research in this area, particularly in expanding support for more protocols and devices.
Since Smart Grid applications can have strict delay requirements (on the order of a few milliseconds), DoS attacks against their wireless channels are particularly effective. Countermeasures in this category are primarily concerned with anti-jamming solutions, and they may be categorized as (1) efficient and robust detection and (2) DoS-resilience schemes [36]. In [126], the authors propose a method to detect jamming attacks on the channel. In [30], the authors introduce a new metric called the message invalidation ratio to analyze the effectiveness of a designed jamming detection system in different attack scenarios.
Perhaps one of the more challenging aspects of securing ICS networks in general is to implement effective countermeasures against malware threats. Some recent high-profile attacks, including Stuxnet and Havex, utilized zero-day exploits and concealment [154]. In [154], the authors propose the use of multi-layered strategies (i.e., defense-in-depth) to mitigate some of these threats, among others. An effective defense perimeter for the OT and IT portions of the network, as shown in Figure 4, may prevent some of these attacks from starting. However, due to misconfigurations, backdoors, etc., this is not a guarantee. The IT side of the network should also use endpoint protection, a SIEM, etc., in order to detect known threats. However, there are also zero-day threats, supply-chain threats, social engineering threats, USB devices with malware, etc. The NERC CIP standards [2] include standards for supply chain management and device patching. All of these are a good place to start to defend against malware threats. However, development of more effective countermeasures for these threats offers a good opportunity for future research into SG and ICS networks in general.

Potential Countermeasures for Integrity and Confidentiality Threats
Cybersecurity threats affecting the integrity of ICS communication are often targeted at specific protocols. The Modbus and DNP3 protocols that are compatible with legacy serial devices are especially vulnerable to eavesdropping and alteration. The major cybersecurity threats that impact confidentiality in the smart grid are primarily focused on the Advanced Metering Infrastructure (AMI). The AMI is a system of smart meters, communication networks, and data management systems that enables two-way communication between customers and utilities. This two-way communication enables better monitoring and more accurate billing for utilities and more accurate consumption behavior for customers. However, as more customers use this model, there are increased access points for security attacks.
In both of these cases, encryption is an effective countermeasure for data integrity and confidentiality. The IEEE Secure SCADA Communications Protocol (SSCP) [155] is targeted at employing encryption on serial implementations of protocols. In [156], Ferst et al. applied TLS to the Modbus protocol to produce a significant improvement in the secrecy of data. The combination of these countermeasures removes the gap between the security of legacy devices and that of their modern IED counterparts.
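As an added illustration of why these serial-era protocols need the encryption layer discussed above (example code written for this survey's readers, not taken from the cited works): a parser for the Modbus/TCP application data unit, which carries no authentication or integrity field, together with a passive write-audit check of the kind a monitoring sensor can apply on links where TLS or SSCP cannot yet be deployed. The frame bytes and the allowed-master address are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Set

# Modbus function codes (from the Modbus application protocol specification).
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}  # coils / registers, single and multiple


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusFrame:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.

    The header holds only transaction id, protocol id, length and unit id.
    There is no signature, MAC or authentication field, so a frame whose
    payload has been altered in transit parses exactly like the original.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return ModbusFrame(tid, uid, frame[7], frame[8:])


def audit_write(frame: bytes, src_ip: str, allowed_masters: Set[str]) -> Optional[str]:
    """Passive check for an unencrypted link: report writes from hosts that
    are not authorised masters. Returns None when nothing is suspicious."""
    f = parse_modbus_tcp(frame)
    if f.function not in WRITE_FUNCTIONS or src_ip in allowed_masters:
        return None
    if f.function == WRITE_SINGLE_REGISTER and len(f.data) >= 4:
        addr, value = struct.unpack(">HH", f.data[:4])
        return f"unauthorised write of {value} to register {addr} from {src_ip}"
    return f"unauthorised write (function 0x{f.function:02X}) from {src_ip}"


# Constructed frame: transaction 1, unit 1, Write Single Register 0x0010 := 0x1234.
SAMPLE_WRITE = bytes.fromhex("0001 0000 0006 01 06 0010 1234")

if __name__ == "__main__":
    print(audit_write(SAMPLE_WRITE, "10.0.0.99", {"10.0.0.10"}))
```

The audit is a detection layer, not a substitute for the encryption the cited works apply: it cannot tell a legitimately sourced frame from one altered on the wire, which is exactly the gap that TLS closes.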

Recommended Gap Analysis Strategies for Cybersecurity Assurance in the Energy Sector
While previous sections have identified individual cybersecurity threats and countermeasures for them, a combination of these security services will be required to prevent gaps in protection. NIST recommends that gap analysis be performed on individual company networks and provides a Cybersecurity framework specific for smart grids with five continuous functions [25].
• Identify: Determine assets within the organization and their risk factors for potential Cybersecurity risks.
• Protect: Create safeguards to ensure delivery of infrastructure services through access control, awareness and training, data security, and information protection procedures.
• Detect: Identify any Cybersecurity events with continuous monitoring.
• Respond: Implement predefined procedures for response planning and communications.
• Recover: Develop plans to maintain resilience and restore capabilities of services.
The framework provides an in-depth procedure, recommended considerations, and information references to successfully implement each of these five functions to align with DoE's C2M2. All five functions are reliant on each other for proper implementation. For example, a failure in identification can lead to shortcomings in the implementation of protection services. For "identification", categories that are defined include asset management, business environment, governance, risk assessment, risk management strategy, and supply chain risk management. This set of categories is where most variability will appear within different organizations, as assets and protocols used by different devices will have different associated risks. The organization will need to identify critical functions and assets to tailor their profile for effective risk management.
The goal of the "protect" function is to ensure the security and resilience of systems, while ensuring all personnel are aware of their roles in cybersecurity within an organization. The protect function is where most of the countermeasures mentioned in the previous sections are implemented, with categories for access control, training, data security, information protection processes and procedures, maintenance, and protective technologies. These categories map directly to the countermeasures for integrity and confidentiality attacks shown in Table 2. Access control can effectively counter man-in-the-middle, replay, and privacy violation attacks. FDIA detection is also the primary detection countermeasure focused on in this paper, with the NIST "detect" function composed of categories for anomalies and events, continuous monitoring, and detection processes. Implementation of these services should also identify the scope and impact of any events that take place.
The final two functions in the NIST profile, "respond" and "recover", are aimed at the occurrence of a cybersecurity event. Respond is divided into categories of response planning, communications, analysis, mitigation, and improvements, whereas recover is divided into planning, improvements, and communications. The procedures for these categories should be in place before an attack occurs, as proper response planning and communications will allow for improved response and recovery timelines. With every event, analysis and mitigation are expected to be performed, with any lessons incorporated into future improvements of response planning. After a successful response, recovery procedures will be enacted, with future improvements added to procedures for future events.
The goal of the framework is to aid stakeholders of any organization to identify, assess, and manage any risks that may be in their organizational network. Compliance with this framework can look vastly different between different organizations, so NIST also provides steps to implement or improve a Cybersecurity program.
Create a Current Profile
4. Conduct a Risk Assessment
5. Create a Target Profile
6. Implement Action Plan
To aid in determination of a target profile, NIST also provides a set of four tiers that an organization can reference for their management goals. There are 4 tiers referenced: partial, risk informed, repeatable, and adaptive. The higher the tier, the more rigorous the protections that are in place within an organization. For example, at tier 1 (partial) there are no formalized policies in place, with the organization addressing each risk individually without an evolving procedure. These tiers expand cybersecurity awareness and risk mitigation up to adaptive, where advanced technologies are implemented and risk management practices evolve to combat current and past cybersecurity threats.

Conclusions
In this paper, we have identified the challenges facing the cybersecurity of ICSs with the convergence of OT and IT systems. By examining the current standards and organizations for power grid cybersecurity governance, we showed recommended architectures and security services specific to the energy sector. We also examined the three areas of the ICS cybersecurity model: availability, integrity, and confidentiality.
We specifically illustrated the differences in priority assignment for confidentiality, integrity and availability between IT and OT networks, as this difference is a key motivator for different approaches to cybersecurity between these two domains. An evaluation of known cybersecurity threats and their countermeasures was provided in each of these three areas, with a focus on OT specific threats. We provided an examination of NIST's recommended gap analysis strategy for smart grid profiles with recommended continuous functions of identify, protect, detect, respond, and recover. Each of these functions was examined and examples of applicable implementations of presented countermeasures were provided.
From this survey it is apparent that great strides have been made in the OT realm's cybersecurity approaches. While significant work remains, the growing number of tools, specifications, and capabilities shows the amount of effort being invested in securing OT operations, many of which are at the core of critical infrastructure sectors, such as the energy grid.

Data Availability Statement: This study did not report any data.

Conflicts of Interest: The authors declare no conflict of interest.

Abbreviations
The following abbreviations are used in this manuscript: