

National Security Memorandum on Critical Infrastructure

Senior Cybersecurity Engineer XTec

Hi, I've been working in IT for the past two decades. Twelve of these years have been working specifically in the area of cybersecurity. During my work in tech I've played various different roles...

Sep 29, 2021

This item is part of the Advances in Utility Digitalization - October 2021 special issue.

In July of this year President Biden issued a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. It directed the Department of Homeland Security to work with the Department of Commerce in developing cybersecurity performance goals to drive adoption of new practices and internal controls.

“The degradation, destruction or malfunction of systems that control this infrastructure could cause significant harm to the national and economic security of the United States.”

The Memorandum was a follow up on Executive Order 14028 which detailed specific cybersecurity objectives for all federal agencies to adopt. In the recently released memo, CISA has detailed nine different areas where all companies within Critical Infrastructure – and specifically energy, communications, transportation, and water – should have both baseline and enhanced implementations.



Zero Trust Architecture

Both the Executive Order and the National Security Memorandum share many of the same targets. One of these is the overarching goal of implementing a Zero Trust Architecture throughout the organization. Zero trust architecture is not a product that you can buy but rather a combination of organization-wide processes. It includes both perimeter defense and interior defense. The goal is to authenticate valid actors and grant them only the rights they need to perform their work and nothing else.


Five Pillars of Zero Trust

There are five pillars to zero trust architecture: Identity, Data, Devices, Applications and Systems. Zero trust is a concept of continuous identity authentication and activity authorization based upon the identity of the entity (user or device) and the context of the activity. You should create one digital identity per person and recognize that identity across the enterprise. Multiple factors of authentication need to be used at the application level, and least privilege needs to be enforced wherever possible.



Identity is at the heart of Zero Trust. Every step of the process calls for an authenticated identity of both people and devices. In the utility environment, identity is used to grant permissions to both people and devices that need to issue commands in the OT network, access information in traditional IT systems, or be granted physical access to an area such as a substation control house.

In order to achieve a high level of confidence that a request is valid, organizations need to use multiple factors of authentication. These are Something You Have, Something You Know and Something You Are. The something you have is a strong credential such as a smart card or derived mobile credential. The something you know is a PIN that you have set up for yourself. Lastly, the something you are is a biometric factor like a fingerprint.

Once identity is properly authenticated, then proper access can be granted. The principle of Least Privilege is a cybersecurity best practice and a fundamental step in protecting authorized access to high-value data, devices, applications and systems. In a proper zero trust environment access is only granted on a per-session basis and all access requests are logged.
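The identity, multi-factor and per-session least-privilege rules described above, as an added example that is not from the article: a minimal policy decision point that only grants a fresh, strongly authenticated session the exact (resource class, action) its role is entitled to, and logs every request. The role table, identities and time-to-live are hypothetical.

```python
"""Added example: zero-trust style per-session access decision for a utility.
Roles, identities and the 15-minute session TTL are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional
import time

# Factors as the article names them: something you have / know / are.
REQUIRED_FACTORS = 2

# Hypothetical least-privilege table: role -> allowed (resource_class, action) pairs.
# Resource classes follow the article: OT commands, IT data, physical areas.
ROLE_PERMISSIONS = {
    "relay_technician": {("ot", "read"), ("ot", "command"), ("physical", "enter")},
    "billing_analyst": {("it", "read")},
}

@dataclass
class Session:
    identity: str            # one digital identity per person or device
    role: str
    factors: frozenset       # subset of {"have", "know", "are"} proven at login
    issued_at: float
    ttl_seconds: int = 900   # grant is per session; no standing access

audit_log: list = []         # every decision, allowed or not, is recorded

def decide(session: Session, resource_class: str, action: str,
           now: Optional[float] = None) -> bool:
    """Return True only if the session is unexpired, carries enough factors,
    and the role is entitled to exactly this (resource_class, action)."""
    now = time.time() if now is None else now
    reasons = []
    if now - session.issued_at > session.ttl_seconds:
        reasons.append("session expired")
    if len(session.factors & {"have", "know", "are"}) < REQUIRED_FACTORS:
        reasons.append("insufficient authentication factors")
    if (resource_class, action) not in ROLE_PERMISSIONS.get(session.role, set()):
        reasons.append("not permitted for role")
    allowed = not reasons
    audit_log.append({"ts": now, "identity": session.identity, "resource": resource_class,
                      "action": action, "allowed": allowed, "reasons": reasons})
    return allowed
```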



Systems and applications deliver critical data that are used to run utilities. Protecting the availability and integrity of this data is paramount to successfully protecting against a cyberattack. Utilities must make decisions based upon trusted and available information. This information must also be accurate since altered or malicious data can impact decision making.



Devices run utility applications across the entirety of the transmission and distribution grid. They depend on secure communications and commands for human-to-device and device-to-device interactions. Implementing security on devices throughout the grid is highly important whether those devices are in control houses, substation yards or on a distribution pole remotely located 10 miles away from the nearest substation. If it opens, closes, lowers or increases something, secure it.



Modern utilities run applications across their OT networks. These applications should include the same high security levels of authentication, validation and authorization as enterprise applications if not more so. These applications should use multifactor authentication, enforce least privilege and be properly segmented on the network.



The systems that utilities run on should never be considered an implicit trust zone. All traffic should be encrypted and all connections should be authenticated. Assets on the system may not be owned or configured by the enterprise, so you should account for BYOD. Utility systems should maintain a high level of security for trusted assets between levels and within different control systems.


Identity and Access Management

The core tenets of zero trust can be greatly enhanced with a highly secure identity and access management system that can authenticate, validate and authorize both people and devices and the commands that are generated to access the data, devices, applications and systems that make up a utility organization. An IAM system should include access to IT, OT and Physical assets and systems and have a single digital identity that can easily be updated or revoked enterprise wide. 


National Security Memorandum

The memo calls for more than Zero Trust. It should be regarded as the building block for all organizations within critical infrastructure: a set of achievable goals and objectives to prevent the next cyberattack, whether from a nation-state or from a malicious actor wanting to hold your utility ransom for a big pay day.


Danny Vital is a senior cybersecurity engineer at XTec, Inc. To learn more about strong authentication, read his article about the Oldsmar water cyberattack and how it could have been prevented here on Energy Central:

Matt Chester on Sep 29, 2021

Systems and applications deliver critical data that are used to run utilities. Protecting the availability and integrity of this data is paramount to successfully protecting against a cyberattack. Utilities must make decisions based upon trusted and available information. This information must also be accurate since altered or malicious data can impact decision making.

How regularly are utilities testing/checking data before it's used? I imagine so much of it is used instantaneously, so I guess I'm curious how quickly it would be caught if there was something screwy in that data. 

Steve Lindsay on Sep 29, 2021

Matt, what you are addressing is what is referred to as data integrity. Two likely scenarios that can occur during a cyberattack would involve critical data needed to safely operate the grid. If an attacker can get access to substation or DER communications, they can spoof data being transmitted to the utility operations team that operations are normal while an attack is taking place. In this cyber-physical attack scenario, real physical damage will occur to real assets. Or an attacker can send back corrupted data that makes it appear as if operations are under attack when in fact they are normal. In this case, the utility must take action, likely taking power offline. This could cause significant down time while the utility investigates what is actually happening.

In the course of normal operations, devices respond to electric signals nearly instantaneously. In a substation, if current or voltage levels exceed predetermined levels (such as a sharp spike), the breaker will open the circuit. This type of action requires no response from a utility operator to happen since it must typically happen in less than a cycle. Different circumstances may dictate the need for an operator to control assets on the grid. They may be responding to extreme cold or heat, or a lack of or too much capacitance. In these circumstances, control messages must depend on the availability and integrity of good data as well as strong authentication of the message.

Hope this helps,
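The integrity and message-authentication point raised in the reply above, as an added example that is not part of the thread: a substation telemetry message tagged with HMAC-SHA256 and a monotonically increasing sequence number, so the operations side can reject altered, spoofed or replayed "all normal" readings before acting on them. The device id, key and reading fields are constructed for illustration.

```python
"""Added example: authenticated telemetry messages between a field device and
utility operations. Key and field names are constructed, not from any real RTU."""
import hashlib
import hmac
import json

# Constructed pre-shared key for one device; in practice provisioned per device and rotated.
DEVICE_KEY = b"constructed-example-key-for-rtu-17"

def _canonical(body: dict) -> bytes:
    # Sorted keys and no whitespace so sender and receiver hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def build_message(key: bytes, device_id: str, seq: int, readings: dict) -> dict:
    """Sender side: readings plus a sequence number, tagged with HMAC-SHA256."""
    body = {"device": device_id, "seq": seq, "readings": readings}
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body

def verify_message(key: bytes, msg: dict, last_seq: int) -> tuple:
    """Receiver side. Returns (ok, reason).
    A bad MAC means the data was altered in transit or sent by a party without
    the device key (spoofed); a non-increasing seq means an old, genuine
    'operations normal' message is being replayed to mask current conditions."""
    body = {k: v for k, v in msg.items() if k != "mac"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
        return False, "bad mac"
    if msg["seq"] <= last_seq:
        return False, "replayed or out-of-order"
    return True, "ok"
```

Transport encryption alone does not give the operator this check; the MAC binds the readings to a device key and the sequence number binds them to the present.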


Richard Brooks on Sep 29, 2021

Also regarding critical infrastructure protections, there is a bill making its way through Congress that will require critical infrastructure operators to report cyber incidents within 72 hours:

The incident reporting bill was led by House Homeland Security Chairman Bennie Thompson (D-Md.) and Ranking Member John Katko (R-N.Y.), as well as Cybersecurity Subcommittee Chairwoman Yvette Clarke (D-N.Y.). It would require critical infrastructure operators to report significant cyber incidents to a new “Cyber Incident Review Office” at CISA within 72 hours.

No doubt about it, the Biden administration is serious about protecting critical infrastructure from cyber threats.

Steve Lindsay on Sep 30, 2021

Richard - our business has been focused on the federal government for most of our history. We haven't seen this level of attention before and certainly welcome the focus this administration has on cybersecurity. Information sharing (when done properly) like you mention above is critical to thwart similar attacks on different utilities. We can all learn from each other. The focus on supply chain security and SBOMs is much needed as well.


Thanks for the input!

Tom Alrich on Oct 7, 2021

Good summary, Danny! I found it very helpful.

Jon Watkins on Nov 5, 2021

The sooner we all get to a zero trust model, the safer we'll all be. The hindrance to secure operations has been (and will continue to be) a lack of understanding at the board/CEO level of the impact of the threats. So many of these threats are so abstract that many cannot fathom the real impact they have. Until there are culture shifts, attacks will continue to pose significant risk to organizations who harbor legacy mindsets.


Make the risk real to the shareholders and they will naturally begin to make plans to mitigate it!
