Cybersecurity Protections Across the Energy Industry It's Not Just About OT

The energy industry, especially manufacturers of products to the industry have a near obsession to always frame cybersecurity in the context of OT. This is understandable as so much of the cybersecurity discussions revolve around the NERC CIP standards, which are aimed at the Bulk Power System (BPS) and OT assets. It seems a week doesn’t go by that a vendor isn’t promoting the IEC 62443 standard upon the industry, as “the solution” for cybersecurity. Schneider Electric and Hitachi Energy seem to be the most vocal IEC 62443 supporters.  OT cybersecurity is important, but IT cybersecurity is also important. This article focuses on the need for a holistic approach to cybersecurity covering IT, OT and inter-company cybersecurity practices and protections, which IEC 62443 does not address.

There are realities that cannot be ignored. Some successful cybersecurity IT attacks have impacted OT system performance. The Colonial Pipeline incident started with a breach affecting an IT system (Billing), which caused an outage on the systems used to deliver petroleum products across the East Coast. Drivers waited in long lines for gasoline, not because the OT systems were under attack, but because the company was unable to operate without its billing system. Lesson Learned: Cybersecurity protections are a “business issue” that are not confined to internal IT and OT systems, and can even be impacted by an external cybersecurity event affecting a supplier company that can cause business disruptions.

In my opinion, this intense focus on OT cybersecurity is directly related to the OT focus of NERC CIP, BPS protections within an Electronic Security Perimeter (ESP). It’s not surprising that vendors of products used in OT Grid operations would focus on IEC 62443 as their preferred solution, given NERC’s focus. But Energy industry cybersecurity controls need to cover more than simply BPS OT systems. A Settlement/Billing system contains some sensitive financial data, i.e., bank accounts, and is one of the most attractive targets of hackers. HR systems contain personally identifiable information and is another high value target. Neither of these high value systems and applications are covered by NERC CIP or IEC 62443.

Energy industry stakeholders would be better served by following a broader cybersecurity framework and standards that cover the broad array of application and systems found in a Utility Company. The NIST Cybersecurity Framework, and related NIST standards cover IT and OT applications and systems, providing a much broader set of guidelines to protect all of the applications and systems found in a Utility Company. NIST standards cover OT and IT applications and address external, third-party protections for the software supply chain. Some manufacturers are claiming that IEC 62443 covers Software Bill of Materials (SBOM). This is not true, only NIST recommendations contain the specific guidance needed to acquire SBOM’s from vendors, along with NIST Vulnerability Disclosure Reports.

Utility companies operating in the US would be well served by following the NIST cybersecurity framework and the series of NIST standards in order to have a more holistic approach to cybersecurity protections across all company functions and operations, including OT, IT and inter-company software supply chain risks that align with the US National Cybersecurity Strategy and DOE's Vision following the national strategy. I’ll refer to this wise advice from an IEC 62443 vendor, LDRA: “The ideal framework for a particular organization is likely to depend on the industry and its associated regulatory drivers. The NIST standards are usually obligatory for the US public sector”

Parties looking for practical implementation guidance for the NIST Cybersecurity standards may find value in this reference from the Healthcare sector