Smart Energy International spoke with Tobias Whitney, Technical Executive with the Electric Power Research Institute (EPRI), about all things cyber but specifically supply chains and the increasing interconnectedness of…well…everything.
Whitney is a speaker on the “Securing an Interconnected World” panel taking place at the CyberCon Power & Utilities Cybersecurity Conference from November 19-21, 2019 in Anaheim, CA.
As the world becomes more and more interconnected, one key weak point in the entire ecosystem is in the management, or lack thereof, of the supply chain itself.
According to Whitney, supply chain management is the last step in a process that the power industry has been engaged in for the past 15 years or so. Critical infrastructure protection standards (CIP) have been developed across a wide range of cybersecurity operations and needs, particularly in the United States and Canada.
“Command and control systems have the biggest impact on the electrical grid and the biggest responsibility for implementing those CIP standards. For a long time, the prevailing wisdom in the industry was that asset owners had to take care of their assets. It is now apparent — given a lot of vulnerabilities and NERC alerts — that there’s another key part of the equation. It is the realization that vendors need to have a seat at the table.
“The dialogue that industry is having with their suppliers has taken different routes. For some, it’s having an understanding specific for a product. For others, it’s been running the gamut of the vendor’s security profile, including understanding their internal control processes, understanding the provenance of the product, understanding the steps and the team that creates the supplier, or the product chain of goods and services.”
The power industry is now engaging with its supply chain on several fronts: gaining a complete understanding of who its vendors are, assessing the security implications and risks that may arise from using vendor products on the grid, and responding to the increasing insistence from stakeholders that, when systems or services are procured, there is a mutual understanding of who is responsible for what. This includes understanding what types of security capabilities are built into the products and services. It also means a longer-term engagement between the vendor and the utility, so that if, for instance, there has been a breach, or a challenge in terms of the supportability of the product, there are mutually agreed-upon steps to resolve those issues.
“I think it’s pretty exciting,” Whitney says. “The vendor communities have been offering various types of security capabilities in their products for many years and it’s good to see that those security features are appreciated when they apply to the utility environment.”
An obvious example here would be the challenges that have plagued the Chinese multinational technology company Huawei’s relationship with the United States.
“It doesn’t even have to be an obvious, high-profile example like that,” Whitney says.
“I think it’s more a recognition that there are only so many companies whose products can be widely used in the electric system. A utility can do everything to secure its assets. It also needs to have confidence in the suppliers’ controls, that they follow industry best practices, and that, whatever the product, there is assurance about the quality from a security perspective.”
“There’s also recognition that we will not always understand or know where the next zero-day exploit will be. Having a tighter, stronger, more responsive vendor relationship helps mitigate that risk.”
Breaking into the market
For new vendors seeking to enter the utility market, it is no longer enough to have a really cool product with great capabilities or strong operational or reliability benefits.
“There’s a clear recognition that the product and the relationship that you have as a company will need to be evaluated and managed through the lifetime of the products used by a utility or system operator.
“This is going to make it harder for less well-established companies to break into the market unless they meet best practices and standards. We’re starting to see guidance around supply chain that shows a vendor or supplier must meet standards in the United States and abroad. A lot of utilities want to know, among other things, if a supplier is ISO 27000 compliant. There’s more responsibility for the vendor to demonstrate their security features and how they’ve been validated by third parties.”
The potential knock-on effect in terms of pricing
As products become certified against a number of standards, there may be a knock-on effect on product prices, putting added pressure on utility budgets. Whitney confirms this is something his team at EPRI has been working on with buyers and suppliers in an effort to enable economies of scale. This is best done through standardization of mandatory versus other security requirements, a clear understanding of best-practice preferences, and distilling these into a framework that can be used across the industry, providing clarity for both utilities and vendors.
This also gives vendors a framework of questions that need to be answered, and prevents “reinventing the wheel” with every new procurement.
As Whitney says: “There are 100 different requirements from different entities that will impact the same product, but all have the same concern. How can we leverage these and provide an understanding of the capabilities of the product from a security perspective to ensure or mitigate certain cybersecurity risks?”
“This is one of EPRI’s active projects, and we’re doing some pilots to populate data in a manner that doesn’t reveal proprietary information about the vendor. The idea is to be able to catalogue which cybersecurity controls the vendor must implement, and then understand how that product can be secure.”
“We want to be able to organize this information in a manner that can provide quick answers to those questions, hoping that this may create economies of scale and maybe reduce costs.”
The security equation cannot be solved by the electric utility alone. There needs to be direct communication, knowledge sharing, and partnering of responsibility for security with vendors. For vendors that responsibility must come through in terms of demonstrating their capabilities, as well as understanding and ensuring that their product has the correct types of security features so that security can be managed effectively by the utility. Product capabilities need to be transparent, clear and visible to the buyer.
If you’re interested in learning more about these types of cybersecurity practices, then don’t miss Tobias Whitney’s presentation on the topic at the CyberCon Power & Utilities Cybersecurity Conference in November. You can learn more about the agenda and register for the conference here. Special offer for Smart Energy Int’l readers: You can get $200 off the conference registration fees by using the code ‘SMART19’ at check out!