
Co-Founder and Lead Software Engineer Reliable Energy Analytics LLC

Inventor of patent pending (16/933161) technology: METHODS FOR VERIFICATION OF SOFTWARE OBJECT AUTHENTICITY AND INTEGRITY and the Software Assurance Guardian™ (SAG ™) Point Man™ (SAG-PM™)...

Nov 16, 2021

Are you a PSIE ("primary systemically important entity")?

I find it encouraging that CISA is working to provide a baseline set of cybersecurity practices that will apply across PSIEs within critical infrastructure. The interdependencies across critical infrastructure are well known. Every critical infrastructure operation requires electricity, and electricity depends on fuel supplies that are transported by pipelines, trucks, trains and ships. Communications are also critical for proper operation of the electric grid. We must protect all critical infrastructure PSIEs at a baseline cybersecurity level in order to prevent a domino-effect failure.

Some say that we have NERC CIP for this purpose. I disagree. NERC CIP only applies to a fragment of the electric grid, i.e. the bulk power system, and does not cover the entire electric grid. NERC CIP is also labor intensive and has been designed for compliance, not for cybersecurity best practices. For example, consider NERC's 15 minute rule, or the guidance that allows a company to install software when its software supplier cannot be identified: so long as this fact is documented, it will pass a NERC audit. I would never install a software package when a party cannot verify the source supplier (ref NERC RSAW for CIP-010, page 16, Note to Auditor). That is simply bad guidance if your goal is real cybersecurity protection and preventing harmful software from being installed.

We need to protect the entire electric grid and all critical infrastructure. It's time to put our best cybersecurity team on the field, NIST and CISA, to drive cybersecurity policies and practices across all critical infrastructure and eliminate siloed and inferior approaches to cybersecurity, such as NERC CIP.

Discussions
Barry Jones on Nov 16, 2021

Great comments, Richard. The problem with supply chain is that you don't want to put unnecessary costs on business and ratepayers to implement administrative documentation to, in essence, identify the worker that mined the metal, that forged the part, that packaged the part, that shipped the part, that delivered that part, that installed the part, etc... The missing piece to the puzzle for many security programs is risk. 15 minutes is the risk rule for impacts to the Bulk Electric System (BES). This is highly dependent, and the variables are not well understood. For example, you can crater an entire set of Control Centers and have no adverse impacts to the BES other than loss of visibility. So where's the risk? Depends. For supply chain the largest risk is software sourcing. As long as companies and cloud providers are willing to accept software sources worldwide, the control over that code should be suspect (to your point). But risk needs to be identified by identifying the key elements at the key interconnections and the key systems that manage those. And as we move to more centralized computing, i.e., cloud, the risk is greater because those are target-rich environments (Twitter, ADP, USOPM, etc..., to name a few). It's interesting. We went from centralized mainframe in the 80s and 90s to distributed and now back to centralized.

Richard Brooks on Nov 17, 2021

Cloud = Timesharing
