Smart Energy International spoke with Tobias Whitney, a technical executive with the Electric Power Research Institute (EPRI), about all things cyber but specifically the supply chain and the increasing interconnectedness of … well … everything.

As the world becomes more and more interconnected, one critical weak point in the entire ecosystem is the management, or lack thereof, of the supply chain itself. According to Whitney, supply chain management is the latest step in a process that the power industry has been engaged in for the past 15 years or so. Critical Infrastructure Protection (CIP) standards already cover a wide range of cybersecurity operations and needs, particularly in the United States and Canada.

This article was originally published in Smart Energy International issue 1-2020.

“Command and control systems have the most significant impact on the electrical grid and the biggest responsibility for implementing those CIP standards. For a long time, the prevailing wisdom in the industry was that asset owners had to take care of their assets. It is now apparent – given a lot of vulnerabilities and NERC alerts – that there’s another key part of the equation. It is the realisation that vendors need to have a seat at the table.

“The dialogue that industry is having with their suppliers has taken different routes. For some, it’s having an understanding specific to a product. For others, it’s been running the gamut of the vendor’s security profile, including understanding their internal control processes, understanding the provenance of the product, understanding the steps and the team that creates the supplier, or the product chain of goods and services.”

The power industry's engagement with its vendors has shifted: utilities now expect a complete understanding of who their vendors are and of the security implications and risks that may arise from using vendor products on the grid. Stakeholders increasingly insist that when systems or services are procured, there is a mutual understanding of who is responsible for what, including which security capabilities are built into the products and services. There is also longer-term engagement between vendor and utility, so that if, for instance, there has been a breach, or there are challenges in the supportability of the product, there are mutually agreed steps to resolve those issues.

“I think it’s pretty exciting,” Whitney says. “The vendor communities have been offering various types of security capabilities in their products for many years, and it’s good to see that those security features are appreciated when they apply to the utility environment.” An obvious example is the challenges that have plagued the Chinese multinational technology company Huawei’s relationship with the United States.

“It doesn’t even have to be an obvious, high-profile example like that,” Whitney says.

“I think it’s more a recognition that there are only so many companies whose products are widely used in the electric system. A utility can do everything to secure its assets but it also needs to have confidence in the suppliers’ controls, that they follow industry best practices, and that – whatever the product – there is assurance about the quality from a security perspective.”

“There’s also recognition that we will not always understand or know where the next zero-day [a previously unknown system vulnerability] exploit will be. Having a tighter, stronger, more responsive vendor relationship helps mitigate that risk.”

Breaking into the market

For new vendors entering the utility market, it is no longer enough to have a really cool product with great capabilities or significant operational or reliability benefits.

“There’s a clear recognition that the product and the relationship that you have as a company will need to be evaluated and managed through the lifetime of the products used by a utility or system operator.

“This is going to make it harder for new entrants to break into the market unless they meet best practices and standards.

We’re starting to see requirements that a vendor or supplier must meet standards in the United States and abroad. A lot of utilities want to know, among other things, if a supplier is ISO 27000 compliant. There’s more responsibility for the vendor to demonstrate their security features and how they’ve been validated by third parties.”

What is the potential knock-on effect in terms of pricing?

As products become certified across several standards, there may be a knock-on effect on product prices, putting added pressure on utility budgets. Whitney confirms this is something that his team at EPRI has been working on with buyers and suppliers in an effort to enable economies of scale. This is best done by standardising which security requirements are mandatory and which are not, establishing a clear understanding of best-practice preferences, and distilling this into a framework that can be used across the industry, providing clarity for both utilities and vendors.

This also provides vendors with a framework of questions that need to be asked and answered and prevents “reinventing the wheel” with every new project that needs to be procured.

As Whitney says: “There are 100 different requirements from different entities that will impact the same product, but all have the same concern. How can we leverage these and provide an understanding of the capabilities of the product from a security perspective to ensure or mitigate certain cybersecurity risks?

“This is one of EPRI’s active projects, and we’re doing some pilots to populate data in a manner that doesn’t reveal proprietary information about the vendor. The idea is to be able to catalogue which cybersecurity controls the vendor must implement, and then understand how that product can be secure.

“We want to be able to organise this information in a manner that can provide quick answers to those questions, hoping that this may create economies of scale and maybe reduce costs.”

Final words

The security equation cannot be solved by the electric utility alone. There needs to be direct communication, knowledge sharing, and shared responsibility for security with vendors. For vendors, that responsibility means demonstrating their capabilities, and understanding and ensuring that their product has the correct types of security features, so that security can be managed effectively by the utility. Product capabilities need to be transparent, clear and visible to the buyer.

About Tobias Whitney

Tobias Whitney is a technical executive for EPRI where he drives strategy, oversees research studies and guides content development activities for priority initiatives taking place within the organisation’s research department.

Whitney was a speaker on the “Securing an Interconnected World” panel at the CyberCon Power & Utilities Cybersecurity Conference in Anaheim, CA.