Welcome Tom Alrich: New Expert in the Digital Utility Community - [an Energy Central Power Perspectives™ Expert Interview]
- Sep 24, 2020 11:52 am GMT
As long-time members of Energy Central know, the Network of Experts that we gather for our community is a verified and validated list of your peers who have been vetted for their expertise and have willingly decided to share their time with the Community to provide insights, answer complex questions, and overall raise the level of conversation to be truly invaluable. With this post, I’m happy to welcome Tom Alrich as an Expert in our Digital Utility Group.
Tom is an established industry leader in the world of utility cybersecurity, and specifically NERC CIP standards. His work in this field precedes him, so he certainly didn’t need the Energy Central stamp of approval to be considered an expert, but all the same we’re grateful he’s agreed to join our Expert Network and continually share with the community his insights on the news of the day, assessment of the latest cyber threats and policies, and bring his years of industry knowledge to the forefront of Energy Central’s discussions.
If you’re unfamiliar with Tom’s background and work, he’s graciously sat with me for an interview as a part of the official Energy Central Power Perspective ‘Welcome New Expert Interview Series.’ I encourage you to get a sense of his background and look to him for insights in these key digital utility topics:
Matt Chester: We’re so grateful to you for being willing to be a member of Energy Central’s network of experts. To give our community an idea of why that’s the case, can you give a quick background of your history in energy and utilities and what you’re working on these days?
Tom Alrich: In 2008, I was working for a small information security consulting firm when we were pitched on the idea of focusing on compliance with the new NERC CIP standards, which had just been approved by FERC and were going to start coming into effect at the end of 2009. I dived into learning about the electric power industry and about NERC and CIP. That was the first that I’d ever learned much about the industry, but I was really fascinated by it – and continue to be fascinated today.
That company had good success with helping electric utilities and IPPs implement CIP version 1, but in 2010 I decided to move to a larger organization and joined Matrikon, a software and consulting company based in Edmonton, AB - which was acquired by Honeywell soon after I joined them. While at Honeywell, I continued to do NERC CIP consulting and business development as part of a (relatively) large group dedicated to industrial control systems (ICS) security.
In 2010, after joining Honeywell, I attended a meeting in Chicago of the NERC team that was drafting CIP version 4 and decided to write about what I’d learned. This paper was distributed to Honeywell customers, and soon I was writing for Honeywell’s blog (now defunct) on ICS security. I gained a following then, and this helped when I started my own blog in January 2013 (as of today I’ve written 702 posts for it).
The following grew bigger when I started writing about the ups and downs of the development of CIP v5 and the confusion that ensued when FERC approved CIP v4 while v5 was still being balloted by the NERC ballot body. In 2013, FERC approved CIP v5 and “de-approved” v4 (which hadn’t yet been implemented). But immediately a lot of controversies came up regarding the interpretation of the v5 standards, most of which have yet to be resolved.
I moved from Honeywell to Deloitte in 2015 and left after two and a half years to start my own company. I’m happy to say I’m still employed by Tom Alrich LLC! I was pleased to be asked to start writing for Energy Central recently, so I’m now posting my posts on both platforms.
From the time when FERC ordered NERC to develop a supply chain cybersecurity standard in 2016, I’ve been writing about the development and implementation of the CIP-013 standard – and it will finally be implemented on October 1. Since early 2018, my consulting work has been mostly around CIP-013 compliance, although I’m now working with one organization to understand how they can utilize and distribute “software bills of materials” to their clients. I think SBOMs will be a very important component of the cybersecurity landscape in coming years, although getting them standardized, implemented and widely used will require a big effort. This effort is ongoing as we speak, led by the Department of Commerce.
I’m now, along with Steven Briggs, writing a book on supply chain cybersecurity for critical infrastructure which will include (but not be limited to) a discussion of NERC CIP compliance issues. However, it will be aimed at all critical infrastructure industries, not just electric power. I hope it will be published this year, although most likely not until December. Steven and I are spending a lot of time on it, and I hope readers will agree those efforts bore fruit in the book.
MC: A great area of focus for you, and for the industry widely, is on cybersecurity. What makes the challenges that utilities face with regards to cybersecurity unique from other industries? And given those differences, how should those issues be treated differently (by utilities themselves, by governments, by customers, etc.)?
TA: Good question. There are two sides to cybersecurity for the power industry: the IT and the OT side. The IT side isn’t too different from that of almost any other organization, but the OT side is really unique. Like the OT side in other critical infrastructure industries (such as natural gas and petroleum pipelines, oil refineries, and chemical plants), a cyberattack could result in physical damage and even loss of life, which might occur in seconds or less.
However, what’s unique to the electric power industry is that looming over everything is the idea of a cascading outage that would quickly spread over a huge area, like the 2003 Northeast Blackout. That started with various problems – some self-inflicted, some not – experienced by a utility in Northern Ohio. These were at first confined to Ohio, but when they finally spilled beyond its borders, it took just six minutes for 10 million people in Ontario and 45 million in the United States to be without power – as more than 200 generating units shut down. Only six people died as a result of this blackout, but had it been more widespread and/or more prolonged, the toll would have been much worse.
This blackout led, among other things, to the NERC CIP standards, which remain to this day almost the only mandatory standards that apply to industrial control systems, outside of the military or the nuclear power industry.
MC: You often write for your blog on all the topics that you’re focused on, with great success. What do you think draws people to your writing? What voice have you brought to the industry?
TA: The main reason people in the industry follow what I write is that I’m independent of NERC – and in fact, now I’m independent of any organization other than Tom Alrich LLC! With one exception, people who work for NERC or one of the six NERC Regional Entities simply don’t feel free to voice any opinions on what the CIP standards mean, and especially how to implement them – at least, they won’t do this in writing. This isn’t because the leadership won’t allow anyone to be off-message, but because NERC takes an – in my mind – overly restrictive view of what they can say about CIP compliance, given that they’re the organization that audits the standards. And people who work for utilities are usually forbidden to make public statements about anything at all having to do with NERC compliance. So that leaves me – faute de mieux, as the French say.
MC: These days you’re spending a lot of time thinking about and working on NERC CIP standards—why is this an area that’s so important, and what don’t enough people who work in the utility sector know about it?
TA: I think most people who work in the utility sector at least know about the NERC CIP standards – they’re quite a big deal for almost all electric utilities and independent power producers, except the smallest ones. However, I agree that few people working in the sector know them very well, and even fewer people understand them (which includes me). As Richard Feynman said about the most successful physical theory of all time, “Anyone who says they understand quantum mechanics doesn’t understand quantum mechanics.” I feel the same way about NERC CIP.
MC: As you’ve started to get involved with Energy Central, what do you find to be the value that the platform brings to you and to the industry? And how do you hope to bring value to your fellow community members from your expertise and experience?
TA: I really like the fact that Energy Central provides a great platform for people in the electric power industry to talk and freely share ideas. It’s a great way to learn about the broader issues, not just the ones that affect your own narrow silo.
Please join me in thanking Tom Alrich for his time in this interview and for his accepted role as a Digital Utility expert in the Energy Central community. When you see Tom engaging with content around Energy Central, be sure to say hi, ask a question, and make him feel welcome!