Securing an Interconnected World: Exclusive Interview with Tobias Whitney of EPRI - [an Energy Central Power Perspectives™ Interview]

Posted to Energy Central in the Digital Utility Group
Matt Chester, Energy Analyst, Chester Energy and Policy

Oct 7, 2019

Everywhere you look, the world is getting more digital and, as such, more interconnected. This transformation has continued to unlock countless exciting opportunities across industries, with the electric utility industry undoubtedly standing right at the center. Smart grids and meters; distributed energy resources; demand response capabilities: these are just some of the newly interconnected aspects taking over the traditional power grid. While there are many reasons to be eager to see what these and other technologies can unlock, this increasingly digital and interconnected world is also one that has opened up many new areas for vulnerabilities.

Cybersecurity is now one of the top priorities of utility executives, and with good reason. This interconnected world only works when the systems attached to it are safe, reliable, and secure from outside threats. The need to secure this interconnected world is largely the focus of the upcoming CyberCon: Power & Utilities Cyber Security Conference and one of its presenters: Tobias Whitney, a Technical Executive in Cyber Security for the Electric Power Research Institute (EPRI). At the upcoming conference, Tobias is going to share his insights in a presentation entitled “Securing an Interconnected World.”

But you don’t have to wait until CyberCon this November to hear some powerful bits of wisdom from Tobias, because he agreed to share a preview of his talk in an interview for the Energy Central community (and keep reading to the end for a special offer exclusive to Energy Central readers for CyberCon!):

Matt Chester: To get started, can you tell me a little about yourself and what your background in cybersecurity in the utility sector is? How is this a topic you got involved with?

Tobias Whitney: I work at the EPRI, the Electric Power Research Institute, as a Technical Executive in the cybersecurity area, so a lot of what I do is I engage with other leaders within the industry to identify, address, and help resolve challenges as it relates to cybersecurity, specifically in the electric industry. My focus is really on the innovative side of that. What's in flux? What anticipated changes do we see? How does that affect how utilities make decisions as it relates to technology and security, especially given the emerging technologies that we're seeing in the space.

I’ve led the CIP standards compliance efforts at NERC for the last six years in D.C. and Atlanta. That gave me a very interesting perspective on how regulatory policy impacts technology and the choices that utilities tend to make about how they implement security and the resources that they apply to it. I work with a ton of utilities across the country as it relates to CIP, or Critical Infrastructure Protection, standards. Before that, I spent many years as a consultant and engineer in the product and services areas around control systems and data security within Burns & McDonnell, PWC, and GE. This area of grid security, control system security, that's really been the focal point of my career.


MC: You’re going to be speaking on the panel about how individual parts of an increasingly interconnected grid structure must be protected from cyber threats to enhance overall grid security. How do these challenges compare with threats to the grid of yesterday? What’s the biggest difference that you’re having to tackle moving forward?

TW: If you look back 15 years ago, the industry was really just getting a handle on recognizing that grid security and control system security was going to be a big deal.  They already had reliability standards for transmission and operations at the grid.  All of that was old hat at the time, but even before we had the CIP standards, there was an initial concern that we were starting to see more and more interoperable technologies and platforms being used in our control centers such as maybe Windows XP or Windows NT. People were just starting to get that understanding that the more we use these not-so-proprietary products and systems, we're starting to have bigger and bigger exposure to this new area of risk in cybersecurity.

So, then there were developments developed to create the CIP standards, and I think that did a lot to standardize how the industry addresses cybersecurity for the grid. But if you look over the last 15 years, there's been quite a bit of change.  Just look at how your cell phone has changed in 15 years.  While the grid hasn't changed quite at that same rate, a lot of the technologies behind the scenes have gone through a tremendous change, and one of those changes that we're seeing now is the advent of Cloud technology and Cloud service providers.  I would say that's probably one of the bigger, sweeping changes that has happened within the general technology sector.

Frankly, though, within the electric sector, there hasn't been a tremendous amount of adoption of Cloud infrastructure as of yet. But the interest is high. People are wondering how can I lower my technology costs? How can I leverage some of these capabilities that Cloud service providers provide in terms of advanced computational power and storage and resiliency and all these benefits, but how do we do it in the framework that we must work in? So, that's a lot of where my research is and the research that EPRI is doing now is helping provide what the future footprint of the grid may look like potentially if there are additional investment and Cloud service providers and understanding security ramifications of that.

MC: Many consumers might find that increasing amounts of their data in the hands of utilities and additional potential points for attack mean they are less secure than they used to be, while many in the industry see cloud computing as a great cyber solution and see opportunities to become even more secure. How has the relative security changed over the years, and importantly if you’re getting more secure how are you able to assure customers that that is the case? Or is the customer perception even that big of a consideration?

TW: I think the utilities are definitely very concerned about the potential risk of Cloud service providers from a security perspective.  They have all heard various issues about other Cloud issues when you're using non-critical data infrastructure in the cloud, so they don't want to be in that circumstance.  I think they're extremely sensitive to it. But they are investigating various approaches now.  One of the bigger initiatives the industry is working on is understanding this: if I wanted to use a Cloud service provider to help me manage my workflow automation or backup and recovery functions or being able to access information from various places within their network, how can they better leverage it?  A lot of the discussion is: if you're managing sensitive data, who has the keys?  Who has the ability to access that information?  If the Cloud provider is providing a function for you, do they even need to have access to the content of that data?  They don't need to have access to the content of that data.  If they don't need to have content attached to it, then there are various ways that you can encrypt sensitive data using effective key management where the utility "keeps the keys," if you will, and the Cloud providers simply provide the functionality and the capability in the Cloud.

I would say the other area that's more challenging, though, is if you move from the data storage model I just discussed to a scenario where a utility is now providing some limited operational function to be managed through a Cloud service provider.  That's where we're seeing some challenges, right?  Now, the third party, the Cloud service provider, may have some impact to the operations of the grid, and in terms of our model, in terms of how we recognize utilities, whether they be transmission operators or generation owner-operators or independent system operators and all those different forms, we haven't really put together the format of having a Cloud service provider or a third party having direct operational control over the grid. That's why we're having some initial challenges in figuring out what is the role of the Cloud service provider.  If they have the ability to operate various aspects of the grid, are they any different than your average utility at that point?  There are many challenges there, but the big one is, like I said, if we start moving things from an operations perspective, not just data but performing command-and-control functions, there's a lot of work to be done there to really make sure there's a clear path. 


MC: Given that there are threats to each stage of the energy supply chain and different entities typically control different parts of that chain (from generation to transmission to distribution and all the ancillary services), how can whole energy supply cybersecurity be achieved? How collaborative must that process be and what’s the level of interaction and information sharing that’s happening today?

TW: I think a big piece of that is making sure that there's a clear set of standards, specifically a clear set of functions that give industry a standard way that they communicate between the utility and the Cloud service provider, between the functions of the Cloud service provider and the various formats of the utility and understanding how the technologies are being managed within both environments.  That's a pretty significant effort because if you look at EE standards, work standards, or any other standards, there always tends to be people in the room that have those requisite skills that represent those appropriate organizations to make a standard.

Over the last few years, what I've seen is a greater collaboration between utilities and the Cloud service providers so that they can better understand each other's environments. They are getting there.  I wouldn't say that we've reached the finish line yet between understanding fully the capabilities of the Cloud and the same security methods and approaches and contrasting that back over the utility, but that's starting to happen. 

MC: Lastly, these conferences are always great opportunities to not only share your ideas and insights but also to learn from others. Are there any specific topics that you’re looking forward to learning about at CyberCon or talks/panels you have circled in your agenda?

TW: The other topic I’m interested in is on the supply chain side of the equation.  I know we talked a lot about Cloud so far, but that's, to me, another form of a supplier.  It's a different type of a supplier, not necessarily a product supplier, but they are definitely part of the supply chain ecosystem.  One of the challenges with the supply chain notion is that industry, at least the electric power industry, has been very dependent on a set of some pretty well-known suppliers.  I think if you talk with any utility, they know who the top several product and system suppliers are that provide systems to them.  The question is, given our reliance on those vendors, how much can industry negotiate?  How much transparency is really going to be provided from the utility to the vendor about understanding those supplier processes and those controls that the vendor has in place to help ensure that whatever product they use on the grid is secure because the insider threat is real. 

The ability to perform background checks on people that have access to sensitive systems, that risk and challenge is real, and having visibility and transparency into those processes and those supplier processes, understanding each step of the way, is one of the bigger challenges given the criticality of the grid and the ubiquitousness of all these technologies that utilities are dependent on.  That's a really big challenge.  We're working on some research in this area to help hopefully create some economies of scale here where we're not reinventing the wheel, but we can leverage various best practices in a centralized manner to kind of help streamline the process of understanding what those vendor controls are so that the end-users have as much visibility into that process as possible. 


MC: Any last thoughts you want to share with our readers?

TW: I would say also another thing to put on the radar screen is recognizing that as the grid gets smarter and as the consumers get smarter, whether that be rooftop PVs and electric vehicles, we're starting to see more and more intelligence being utilized at the grid edge. With more technology and two-way communications and interoperable systems at the edge, that creates more opportunities for risk, and that's more potential access points into things that we may deem critical.

So, the last point I'm trying to make here is that while we're focusing on various types of ways to engage renewable energy resources, things that are beyond and behind the meter which are typically not within the jurisdiction of the utility, that we continue to have some due diligence and focus around those systems as well.  There's a big supplier risk there.  There's a big challenge around Cloud service providers in that area as well.  We will be leveraging best practices that come out of those fields of study, but the focal point should also be on the grid's edge. 

If you're interested in learning more about these types of cybersecurity practices, then don’t miss Tobias Whitney’s presentation on the topic at the CyberCon Power & Utilities Cybersecurity Conference in November. You can learn more about the agenda and register for the conference here. Special offer for Energy Central readers: You can get $500 off the conference registration fees by using the code 'ENC500' at check out!


Richard Brooks on Oct 7, 2019

This statement in particular "The ability to perform background checks on people that have access to sensitive systems," is profound. The same should be said of the software objects that are installed in critical systems, they should also undergo a thorough background check, on an on-going basis, to ensure there are no newly reported vulnerabilities, or compromises of the supply chain entities that impact its trustworthiness. Consider that software can be more dangerous than people because it's so much easier for software to operate in secret over long periods, cause rapid destruction and can clean up its tracks very effectively, whereas people are constrained by human performance and more prone to leave trace elements of their activities. A thorough software background check performed immediately before software installation can be the key that saves a company from installing a bad actor and lots of headaches that can have severe financial consequences.

Is EPRI considering any initiatives to improve software background checks? I know that NIST is working on a new Zero Trust Architecture that may include guidance in this emerging area.

Tobias Whitney on Oct 8, 2019

Yes - EPRI has several efforts underway to help address supply chain issues with regard to system and software related vulnerabilities. Our Technology Assessment Methodology (TAM) is geared to addressing various security challenges to ensure the grid products and software meet risk-informed design standards and approach to mitigate software vulnerabilities prior to being introduced to the grid asset. In July 2018, we posted a report to NERC with several key recommendations to address supply chain vulnerabilities. Software security and integrity was a big component of the risk equation. In addition, I am leading an effort to create a centralized portal that will streamline how vendors and industry exchange information about vendor security practices and product security features. We plan to release a "beta" version of the portal in Jan 2020. For now, feel free to visit and search supply chain to learn more.

Richard Brooks on Oct 8, 2019

Thank you, Tobias. I look forward to beta testing the new portal.
