Power Perspectives™ Interview: Security by Design BLUES, an Interview with Dragomir Vatkov of Innogy
image credit: Dragomir Vatkov
- Mar 11, 2020 2:15 pm GMTMar 9, 2020 6:49 pm GMT
- 1363 views
In today’s climate, the utility industry recognizes that cybersecurity must be a pillar of any policies and strategies it implements as a business. Generation, transmission, and distribution can all be rendered helpless if malicious cyberattacks are allowed to undercut the grid’s reliability and if customers can’t trust on cybersecurity measures within utilities to keep the lights on. As such, it’s no surprise that one of the hottest conference topics in the world of energy is cybersecurity, including at the upcoming Smart Grid Cybersecurity 2020 conference this October in Berlin.
Within the cybersecurity realm, there are further countless topics that are critical to discuss and share. A key presentation at this conference, though, will be coming from Dragomir Vatkov, a Senior Cybersecurity Architect at Innogy SE. At this conference, Dragomir will share his presentation “Security by Design BLUES (Business Led Unified Enterprise Security ) – Delivering optimal cybersecurity with a comprehensive design process supported with an inclusive testing and validation programme to increase grid reliability.” In case you’re weighing whether or not to catch this crucial talk on a critical topic, Dragomir agreed to share an exclusive Q&A interview for the Energy Central Digital Utility Community ahead of the conference as a part of our Power Perspective™ Interview Series:
Matt Chester: To kick things off, can you give a little background about your experience in the utility space and how you got involved with issues of cybersecurity in energy?
Dragomir Vatkov: I am actively working in the cybersecurity space for more than 20 years now. For the time being, I had the opportunity to gain experience in various digital and digital-assisted industries and in various operational, development, architectural, and management roles. I gained my first hands-on experience in the energy industry back in 2006 by working for Siemens in its Energy division. As a software developer and later as a component architect and sub-project manager, I was responsible for the implementation and continuous improvement of the basic components and services of an Energy Management System in the context of middle and high voltage energy transmission and distribution networks. These included encryption, authentication, authorization, logging and monitoring services that were adopted all the way from the field RTUs, through SCADA and up to the various power transmission and distribution applications.
Since August 2018, I have been part of a team of leading cybersecurity experts at innogy SE. Daily we support the innogy business segments both in the IT and OT space, such as Grid, eMobility, Smart Cities, Retail, etc., by providing cybersecurity technical, solution, and enterprise architectural assistance and guidance to projects and initiatives.
MC: IoT in the energy market has opened up new worlds of possibilities in technologies and programs, but obviously it also led to an increase in cybersecurity concerns—both quantity if risks and new types of risks. In your opinion, has the utility industry done a good job in addressing these potential risks as they come up or do you see it more often the case where utilities are playing catchup to add in cybersecurity measures after the fact?
DV: In the past 15 years, IoT and IIoT brought extremely important benefits to the energy business in terms of increasing the grid reliability by improving its efficiency and stability. The ongoing digitalization and cloudification opened amazing new world of business opportunities based on the provisioning of value-added digital/smart services. The result is seen in the continuously converging IT and OT spaces to support these emerging business opportunities. In other words, the attack surface is steadily increasing by introducing significant number and a great variety of new devices into the energy ecosystem. In parallel to the increasing attack surface, especially legacy parts of the ecosystem were not always carefully prepared (in terms of people, processes, and technology capabilities) for the new requirements, derived from new digital business ideas that are going far through the protected perimeters.
Speaking about the cybersecurity maturity of the utility industry, there are for sure good and not so good examples. Companies like innogy, who heavily invest in their cyber security capabilities, knowhow, continuous improvement of their cyber resilience, and compliance with relevant regulations are better prepared to meet the challenges of a steadily changing threat landscape; especially if cybersecurity is seen as a competitive advantage and security by design principles are considered through all stages of a product/service/system lifecycle. However, it is utopic to believe that 100% secure digital environment can be achieved. Therefore, it is all about working towards an optimal balance between business needs, customer expectations, potential cyber risks and threats, risk appetite, and appropriate countermeasures by enabling the business to explore emerging opportunities.
MC: In your presentation, you highlight the four main goals and objectives on cybersecurity by design as 1) increase ease of use, 2) reduce threats and enable opportunities, 3) speed up time-to-market, and 4) reduce application and system lifecycle costs. Do any one of these four goals stand out as the hardest to capture or the one that’s most lacking across the utility industry today?
DV: The four main goals of security by design that I am going to discuss in my talk at SmartGrid Cybersecurity 2020 are strongly interdependent. When applying security by design principles through the software development and system integration lifecycles, a reduction of application and system lifecycle costs is a natural consequence. For instance, every issue identified in the design phase will require less effort to be fixed compared with the efforts required to fix it or its symptoms in the rollout or in the maintenance phase of the application and system lifecycles. Furthermore, reduction of cybersecurity flaws in production frees resources for building new things. Thus, speeds up the time-to-market.
The most challenging goal is to reduce threats and enable opportunities. At the same time, this is the goal, where Security by Design BLUES (Business Led Unified Enterprise Security) Toolkit has its unique strengths. By considering specific business needs and requirements, the risk appetite of the business owners, business relevant cyber threats and risks, the BLUES Framework builds solid prioritization and decision-making platform. In this way, the business and product owners as well as development and operation teams focus on relevant cyber security capabilities and countermeasures that minimize the potential cyber risk to an appropriate level below their risk appetite. Through such tailored risk mitigation approach, the Security by Design BLUES generate greater space and higher flexibility for the business to explore emerging opportunities - cyber security is not anymore seen as an obstacle, but becomes competitive advantage.
Finally, the goal of increasing the ease of use, is probably the most overseen topic in the industry. Especially, when it is related to cyber security goals and objectives. However, the utility industry has a very strong focus on the customer. Therefore, applying Security by Design BLUES to achieve this goal is adding the most of its value for the business.
MC: Some organizations implement cybersecurity simply to be in compliance with relevant requirements, while others go the full way to implement the measures beyond compliance that are needed for actual cybersecurity protection at the highest level. As you look at the utility sector, where do more organizations fall, and why do you think that is?
DV: In spite of the fact that we are working in highly regulated markets, compliance is a key expertise for success. However, due to the digitalization and variety of interesting digital business opportunities, most of the organizations cannot be seen anymore as pure utility businesses. Through topics such as eMobility and power transmission and distribution in the context of highly distributed power generation, we are positioning ourselves as technology vendors, early adopters and innovators. Especially in these roles living Security by Design becomes crucial.
MC: As you prepare to attend the Smart Grid Cybersecurity 2020 event, what are the main topics or specific presentations (other than yours, of course!) that you’re most looking forward to learning about or discussing with your industry peers?
DV: There are several Talks that I do not want to miss:
- Ivo Maritz talk on IT OT Convergence - Progressing IT OT convergence through new organizational structures that support closer collaboration between IT and OT colleagues to achieve seamless cybersecurity
- The talk of my good old friend Chaitanya Bisale on the Security by Design technology innovation panel
- Ivan Dragnev talk on Advanced Prevention Techniques – Implementing next generation prevention solutions to guard against an evolving landscape in a more dynamic digital grid
- The talk of my colleague Alexander Harsch on Advanced Response Strategies – Optimizing your response strategy by ensuring a speedy and complete recovery at minimal disruption to grid operations
Additionally, I am looking forward to having productive discussion with the participants and visitors of the conference on the Security by Design topic.
If you’re interested in hearing more about Dragomir’s insights into cybersecurity in the utility industry, be sure to check out his presentation at the Smart Grid Cybersecurity 2020 conference from October 6 to 8 in Berlin, Germany. You can check out the agenda and register for the conference here.