
Richard Brooks, Co-Founder and Lead Software Engineer, Reliable Energy Analytics LLC

Inventor of patent 11,374,961: METHODS FOR VERIFICATION OF SOFTWARE OBJECT AUTHENTICITY AND INTEGRITY and the Software Assurance Guardian™ (SAG ™) Point Man™ (SAG-PM™) software and SAGScore™...

Posted Aug 15, 2020

The NCGR recently published an informative report containing 9 recommendations to Congress to improve grid resilience. The following excerpt offers plenty of motive for what needs to change from today's posture:

standards can even pose a risk of perverse incentives for security initiatives: when IT personnel are more afraid of auditors than they are of adversaries, cybersecurity operations can become complacent and performative, a series of box-ticking exercises rather than the vigilant defense of systems against motivated and clever adversaries. In such cases, collaborative approaches to standards as tools to improve coordination and best practices—the model used by the National Institute for Standards and Technology (NIST), which promulgates voluntary standards through consensus-based processes—can be a preferable approach.

I agree with the NCGR report and look forward to supporting their efforts through active engagement.

Matt Chester on Aug 17, 2020

when IT personnel are more afraid of auditors than they are of adversaries, cybersecurity operations can become complacent and performative, a series of box-ticking exercises rather than the vigilant defense of systems against motivated and clever adversaries

This is a scary reality. That type of assessment should be enough to send a shiver down the spine of utility executives and motivate a true shakeup of how things are done. Cybersecurity needs to be in the fiber of every action being undertaken, not an add-on or isolated silo of a department within the enterprise.

Richard Brooks on Aug 17, 2020

FERC and DOE seem to be nudging the industry away from a "compliance" mindset to focusing on real risk management to prevent cyber attacks. I like the way the NCGR authors describe the current posture: "when IT personnel are more afraid of auditors than they are of adversaries, cybersecurity operations can become complacent and performative, a series of box-ticking exercises rather than the vigilant defense of systems against motivated and clever adversaries."

Just one point of clarification on this NCGR statement: it's not the IT personnel making this decision - that decision is being made at a much higher C level position. The IT people are just doing what they are directed to do; trust me - many of the security practitioners in IT that I know personally would rather be securing the grid using effective methods and stop filling out compliance spreadsheets.

Peter Kelly-Detwiler on Nov 2, 2020

Thanks for posting this. I hadn't seen this in Energy Central until just now when I was searching for a link to the report. I was one of the authors of that effort (I wrote the first draft, and then they improved the heck out of it), and the thing that struck me was how there is no central entity in charge of overseeing all the pieces with the responsibility for developing a comprehensive view, especially as related to interdependencies. GridEx and Liberty Eclipse exercises are a good start, but just pieces of a larger whole.
