Episode #78: 'How Wholesale Electric Participants Have Adopted North American Energy Standards Board (NAESB) PKI to Fight Cyber-Attacks & Stay FERC Compliant' with Lila Kee, GlobalSign Chief Product Officer [an Energy Central Power Perspectives™ Podcast]

Posted to Energy Central in the Digital Utility Group, Apr 26, 2022

This item is part of the Special Issue - 2022-04 - Cybersecurity 2022

Cybersecurity topics have been elevated to top of mind for utility executives across the industry, a promising trend compared with years past when not enough attention was paid to this area, but many key decision-makers still struggle to understand the best course of action they need to take. With grid-wide security needed to prevent vulnerabilities that can upend the power systems on which we rely, these leaders in energy must lean dutifully on the expertise of cybersecurity experts. And luckily for the industry, these experts have been putting serious time and effort into outlining the best practice standards and frameworks that should be implemented across utility enterprises.

A key body in these efforts has been the North American Energy Standards Board (NAESB), including their initiatives to implement public key infrastructure (PKI) across the wholesale power sector. Joining the podcast for this episode is one of the drivers of that focus, Lila Kee, Chief Product Officer at GlobalSign. Having been integral to these efforts to promote encryption, data integrity, and authentication for online transactions at the scale the power grid requires, Lila joins podcast host Jason Price and producer Matt Chester to sing the praises of NAESB protocols and share how and why energy stakeholders should embrace these frameworks and standards. 

Thanks to the sponsor of this episode of the Energy Central Power Perspectives Podcast: GlobalSign

TRANSCRIPT

Jason Price: 

Hello, and welcome to this week's episode of the Energy Central Power Perspectives Podcast, the show that brings leading minds to discuss the latest challenges and trends transforming and modernizing the energy systems and the utility industry of the future.

Jason Price: 
A quick thank you to GlobalSign for making today's episode possible. Now, let's talk energy.

Jason Price: 
I'm Jason Price, Energy Central podcast host and director with West Monroe, coming to you from New York City, and with me as always from Orlando, Florida, is Energy Central producer and community manager, Matt Chester.

Jason Price: 
Matt, before we bring in today's guest, you did some digging around North American Energy Standards Board, or NAESB, specifically the important work around PKI standards development coming out of the NAESB Cybersecurity Subcommittee, so set the groundwork by giving us a primer on NAESB and PKI.

Matt Chester: 
Happy to, Jason. I've come across the NAESB discussions on Energy Central in the past, but, truthfully, I had never done a deep dive, and so what I learned ahead of this podcast was quite interesting. As you said, NAESB, it stands for the North American Energy Standards Board, and it serves as an industry forum for the development and the promotion of standards which will lead to a seamless marketplace for wholesale and retail natural gas and electricity as recognized by its customers, by the business community, by participants and by regulatory entities.

Matt Chester: 
Among the extensive critical work being done by NAESB is the core pillar of creating a seamless marketplace around cybersecurity and, specifically, the need to authenticate users and entities to often highly sensitive resources. Given the longstanding track record of public key infrastructure, or PKI, to provide encryption, data integrity and authentication to online transactions in a cost-effective and scalable method, NAESB leaders recognized the need for a rigorous standard to meet the specific needs of the wholesale electric sector, and that's why they stepped up to do so providing a critical service in today's increasingly digital industry.

Jason Price: 
Thanks, Matt. That's really insightful and very helpful for sure, and it highlights how crucial a topic cybersecurity is for the Energy Central community. In today's climate, with cyber attacks and vulnerabilities ripe for exploitation, we're seeing increasing focus from utility thought leaders, and it's evident from the SolarWinds hack, the Colonial Pipeline ransomware attack and the recent Log4j vulnerability that impact grid providers. It's become clear that wholesale electric utilities, entities whose core competency is likely not in the area of cybersecurity, need to lean on proven cybersecurity best practice standards and frameworks to secure their operations. As the grid modernizes and more data resides outside the traditional protected perimeter, this need has only been exacerbated.

Jason Price: 
To help guide us through this technical conversation, we're joined by Lila Kee. Lila is the chief product officer at GlobalSign, where she's helped numerous utility stakeholders embrace these necessary frameworks, as well as spending a number of years as a member of NAESB herself, even a few years as a board member. She knows all the ins and outs, and we're excited to hear what she has to share with us to get us up to speed.

Jason Price: 
Lila Kee, welcome to today's episode of Energy Central's Power Perspectives podcast.

Lila Kee: 
It's my pleasure to be here.

Jason Price: 
Lila, you are talking to a knowledgeable Energy Central audience, but they also may come not from a cybersecurity background. To make sure we're all working off the same language, can you provide a high level explanation of what PKI is?

Lila Kee: 
Sure thing, Jason. In short, public key infrastructure, or PKI, is the framework that governs how digital certificates are issued and used to protect sensitive data, identify endpoints, as well as provide secure transmissions using what's called encryption technology.

Lila Kee: 
A certificate authority's job, like GlobalSign's, is to verify the identities reflected in the digital certificate. Hence, in essence, it binds the identity of the public key to the certificate holder. Think about it like a driver's license identifies a person in the physical world. A digital certificate can identify all sorts of endpoints in the cyber world, ranging from people, organizations, Web servers and machines. This is especially important as we venture into the world of the smart grid and IoT.

Jason Price: 
Thanks. As we discussed in the intro, NAESB is a key driver of PKI for utilities, so can you explain what exactly is NAESB's role in PKI for the energy sector?

Lila Kee: 
What NAESB has done is create a three-pillar approach to ensure that the wholesale and retail electric and gas segments have a common framework around securing trusted online transactions using public key infrastructure.

Lila Kee: 
The first pillar is the authorized certificate authority accreditation requirements. This is a detailed document that describes the requirements that a certificate authority must follow to issue and manage NAESB-compliant digital certificates. It's reviewed annually at minimum by the Cybersecurity Subcommittee and modified as needed to address the current cyber vulnerabilities and, sometimes, to address FERC and NERC compliance updates.

Lila Kee: 
These requirements must be also reflected in the CA certificate practice statement for the benefit of the relying party. In short, the CPS provides information to any person, organization or application relying on a NAESB certificate on the assurance level of the certificate.

Lila Kee: 
The second pillar is the WEQ-012 standard for cybersecurity that governs FERC-regulated entities and details their obligations around requesting, using and managing NAESB digital IDs. These entities could be electric or gas generation, transmission or market broker participants that use NAESB certificates to authenticate their users and machines within their applications. It, too, is reviewed annually at minimum.

Lila Kee: 
Finally, the third pillar is the authorized CA certification process for the certificate authorities like GlobalSign to obtain and maintain annual accreditation. This includes paying an annual membership fee, signing an affidavit of compliance and engaging with an external NAESB auditor to ensure independent assessment of compliance. Hence, it's not an insignificant investment to maintain ACA accreditation especially since the standard is always changing to keep up with modern-day security threats. Those CAs who do complete this process successfully are displayed on the NAESB website.

Jason Price: 
All right, so cybersecurity, as I understand it, is an ever moving target where enterprises are working to stay one step ahead of potential bad actors. Part of the journey has been towards a need for PKI. How did the need for PKI standard ultimately evolve?

Lila Kee: 
The PKI standard evolved about the same time as President Obama's February, 2013, Executive Order regarding improving critical infrastructure cybersecurity that basically directed NIST to lead the development of a framework to reduce cyber risk to critical infrastructure, which the energy sector is part of. This framework later became the NIST Cybersecurity Framework.

Lila Kee: 
It was then that a handful of cybersecurity thought leaders representing key independent and regional transmission operators, or what folks on this call understand as ISOs and RTOs, decided the current and virtually ignored standard around PKI, originally developed in 2006 for the Wholesale Electric Quadrant, was not sufficiently rigorous to ward off modern-day cyber threats. Worse yet, many grid participants were using either in-house PKI solutions or commercial solutions with no clear definition around assurance levels.

Lila Kee: 
As a result, the PKI Subcommittee, later renamed the Cybersecurity Subcommittee, was reactivated to revamp the WEQ-012 standard to address the specific needs of the wholesale and gas electric quadrants.

Lila Kee: 
After several lengthy subcommittee meetings and eventual approval by the NAESB executive council and board, NAESB submitted the updated standard to FERC for approval. In 2014, FERC adopted the NAESB WEQ-012 Version 003 Business Practice Standard and has since created later versions.

Jason Price: 
Thanks for that. It's very thorough. Turning back to NAESB and their role in this area, can you give us a bit more context? For example, who is represented on the committee and what are their stated goals?

Lila Kee: 
Yeah, so the committee includes representation from, first of all, certificate authorities like GlobalSign, who have great subject matter expertise on running a secure and highly available CA, as well as cybersecurity professionals from electric utilities, RTOs and ISOs that understand the unique security and regulatory needs of the wholesale electric market. Together, the subcommittee shaped the PKI standards that we have in place today.

Lila Kee: 
The subcommittee has a few goals in mind that govern their approach. It originally focused on securing Wholesale Electric Quadrant applications such as OASIS, E-Tagging, but later expanded to retail and it also included the gas segments. They also wanted to make sure they could leverage open standards like the X.509 standard that governs digital certificates wherever possible for maximum interoperability, and it was really important to them that they used a risk-based framework similar to the NIST Cybersecurity Framework to appropriately size the operational and financial investment of the asset being protected.

Lila Kee: 
Then, finally, knowing that the threat landscape is ever changing, they wanted to make sure that it was a living, breathing document and that the subcommittee met on a regular basis to modify it to keep up with those ever changing threats.

Jason Price: 
Lila, I want to dig a little bit further here. We've had a handful of cybersecurity conversations on this podcast, but, sometimes, they focused on different frameworks and practices. How does NAESB differ, for example, from, say, the NIST Cybersecurity Framework?

Lila Kee: 
Well, like the Cybersecurity and Infrastructure Security Agency, CISA, NAESB provides a bit more prescriptive support than, say, the NIST Cybersecurity Framework. What's missing in the Cybersecurity Framework is really the how-to element. For example, the WEQ-012 standard and the ACA accreditation requirements on PKI provide a very detailed and concrete set of requirements for users, relying parties, as well as the authorized CAs themselves, on how they must implement to meet the standard.

Jason Price: 
Can you break it down for us? Like I said, the audience knows cybersecurity, but, like me, probably enough to be dangerous. What does the NAESB standard actually cover?

Lila Kee: 
Generally speaking, the WEQ-012 PKI standard covers three main parties. The first party are the end users who wish to apply for a digital certificate to be used to authenticate to FERC regulated and non-FERC regulated applications. Again, like I said before, OASIS and E-Tagging are two great examples.

Lila Kee: 
The next party is the relying parties, such as applications, and how they must apply access control mechanisms such as checking revocation status, verifying the assurance level of the certificate being presented and the validity of the certificate. Then, finally, there are the authorized CAs in terms of accreditation requirements.

Jason Price: 
You've noted that the NAESB takes a risk-based approach to PKI. Can you explain that further?

Lila Kee: 
Sure thing. As in all good security practices, before technology is even applied, a risk assessment based on sound policy should be the starting point to determine the rigor of the security technology and business processes put in place.

Lila Kee: 
NAESB recognized PKI as one of the most scalable and cost-effective methods to add the much needed what we call two-factor authentication to critical resources, but also recognized that not all resources have the same consequence if they are breached. Therefore, the Cybersecurity Subcommittee took a page out of this and classified the requirements into four main assurance levels. They go from low to the highest, starting with rudimentary, basic, medium, and then high assurance.

Jason Price: 
Okay. Great. Why don't we move now from the theoretical to the practical? At the end of the day, it's all about what is in practice, so can you describe for our audience a key use case that NAESB certificates are used for?

Lila Kee: 
Yes, so, although the NAESB standard supports a variety of use cases, including authentication, encryption, secure email and code signing, just to name a few, the majority of NAESB certificates in the field today are used for strong authentication of users and systems to applications such as OASIS and E-Tagging. In the case of OASIS and E-Tagging, FERC's NOPR around the inclusion of the NAESB business standards, including WEQ-012, has required NAESB certificates to be used. However, some ISOs and RTOs are using NAESB certificates simply as best practice for market participants to securely access their market portals.

Jason Price: 
I know that there are commercial CA PKIs, but how does that differ from the NAESB PKI standard?

Lila Kee: 
In some respects, commercial CAs do operate with strict and uniform guidelines, as they are all WebTrust audited and, to varying degrees, subject to strict root program requirements from Apple, Mozilla, Microsoft, and Chrome. However, most of the governance is around the type of certificates called TLS, which we used to refer to as SSL certificates, and more recently secure email and code signing. But given the majority of NAESB certificates are issued as authentication certificates, there's a wide variety in how subscribers are vetted and how certificate lifecycle management is implemented. Some great examples of NAESB creating uniformity are around the adoption of stronger key sizes, that's the strength of the certificate, and signature algorithms. They did this before it was even common practice.

Jason Price: 
What are some of the other common cyber threats digital certificates like these can help ward off?

Lila Kee: 
Well, as we saw with the Colonial Pipeline attack, ransomware is becoming one of the greatest cyber threats where bad actors are injecting ransomware into networks that encrypt their data, leaving them in a lurch as they sort out the cost-benefit of either restoring backups versus bringing their operation back online quickly.

Lila Kee: 
Ransomware, like most malware, is often injected via the most mundane of all techniques, that being phishing and spear phishing. Having a digitally signed email from an authorized CA provides the recipients of these emails an assurance level as to whether the identity of the sender can be trusted or not.

Jason Price: 
These are certainly intense conversations and intense topics, so, Lila, I really want to thank you for your time and for sharing this wisdom with us. We're going to give you an opportunity to end on your closing thoughts, but we have in our program something called the lightning round, where we step out of our day-to-day job role and we want to learn a little bit more about you as a person. We have a set of questions that require a single word or phrase response, so are you ready?

Lila Kee: 
Sounds good. It should be fun.

Jason Price: 
Okay. Absolutely. Who is your childhood hero?

Lila Kee: 
Definitely my father. He was the most engaging, loving and inspirational person in my life, always had time no matter how tired he was from work, and we had countless hours of ping-pong and card playing.

Jason Price: 
If you won the lottery, what's your first frivolous purchase?

Lila Kee: 
Well, as an avid all-season hiker living in New England, I would splurge on all new hiking equipment, but, of course, I'd like to buy a Tesla to get me to the hiking trail.

Jason Price: 
What's your go-to movie snack?

Lila Kee: 
Well, I'm a nut-aholic, so I'd have to say cashews.

Jason Price: 
What's the best way to spend a Sunday afternoon?

Lila Kee: 
Definitely morning hiking and then afternoon yoga.

Jason Price: 
What are you most optimistic about?

Lila Kee: 
This is going to start a little geeky. I'm optimistic that folks are now beginning to understand the importance of data privacy and will gravitate to new products that will respect their personal information.

Jason Price: 
Nicely done. Lila, before I let you go and give you the last word, I have to ask how often do you change your password on your computer?

Lila Kee: 
Well, as a security professional, this response might surprise you. Honestly, not as often as you think is needed. A few years back, NIST issued a recommendation that frequent changes of long and complex passwords did not increase security. I suspect it addressed the unintended yellow sticky-note issue that arose when IT administrators required frequent changes. The key is to select a long mixed-character password that you can remember and keep secure in a password manager. Just don't write it down.

Jason Price: 
Perfect. Lila, before we let you go, you have the audience and the floor, and you have their attention. What would be your final thoughts you'd like our audience to take away from this conversation?

Lila Kee: 
My parting thoughts are grid providers should take full advantage of government and industry cybersecurity resources such as NAESB and the Cybersecurity Infrastructure Security Agency, otherwise known as CISA.

Lila Kee: 
In the case of CISA, this agency is superbly equipped to assist grid providers on how to safeguard their cyber assets, including how to deal with real-time threats. This is especially important considering the heightened level of cyber threats facing our nation stemming from the Russia-Ukraine conflict. Although, Russia aside, utility companies must accept that the threat landscape is ever changing and, frankly, impossible for most utility companies to stay on top of.

Lila Kee: 
Leveraging the resources of NAESB and CISA gives CISOs, CTOs and CIOs much needed support in an area that, frankly, is not their core competency. In short, implementing cyber defenses is never a one-and-done, but, instead, an ongoing active diligence around defense hardening.

Jason Price: 
Lila, we appreciate your hard work, and we can certainly tell the passion from how you talked about the work you've been doing. We want to thank you for sharing your thoughts. It was an extremely educational episode, and I certainly walked away with a better understanding of NAESB and the criticalness that we need to address here.

Jason Price: 
We were thrilled to have you on, and we certainly want to bring you back at a future date to learn more about any developments going on in the marketplace and how NAESB is helping people wade through them, but, for now, we want to thank you for your insights and look forward to it.

Jason Price: 
To our members in the community, who want to continue the conversation with Lila, you certainly can do that on our platform, energycentral.com.

Jason Price: 
Thank you so much, Lila, for joining.

Lila Kee: 
Thank you, Jason. It was my pleasure.

Jason Price: 
As I said, you can always reach Lila through the Energy Central platform where she welcomes your questions and comments. On behalf of the Energy Central team, thanks to everyone for listening today.

Jason Price: 
Further, we want to thank GlobalSign for making today's episode possible. GlobalSign is a global certificate authority and leading provider of digital signing, identity and security solutions for the Internet-of-Things. GlobalSign is one of the world's most deeply rooted certificate authorities and a leading provider of trusted identity and security solutions enabling businesses, large enterprises, cloud-based service providers and IoT innovators worldwide to conduct secure online communications while managing billions of verified digital identities and automating their authentication and encryption. For more information, visit globalsign.com.

Jason Price: 
Once again, I'm your host Jason Price. Plug in and stay fully charged in the discussion by hopping into the community at energycentral.com, and we'll see you next time at the Energy Central Power Perspectives podcast.

About Energy Central Podcasts

The ‘Energy Central Power Perspectives™ Podcast’ features conversations with thought leaders in the utility sector. At least twice monthly, we connect with an Energy Central Power Industry Network community member to discuss compelling topics that impact professionals who work in the power industry. Some podcasts may be a continuation of thought-provoking posts or discussions started in the community or with an industry leader that is interested in sharing their expertise and doing a deeper dive into hot topics or issues relevant to the industry.

The Energy Central Power Perspectives™ Podcast is hosted by Jason Price, Community Ambassador of Energy Central. Jason is a Business Development Executive at West Monroe, working in the East Coast Energy and Utilities Group. Jason is joined in the podcast booth by the producer of the podcast, Matt Chester, who is also the Community Manager of Energy Central and an energy analyst/independent consultant in energy policy, markets, and technology.

Discussions
Richard Brooks on Apr 26, 2022

It should also be stated that Lila was one of the PKI experts that helped NAESB develop the PKI standard (WEQ-012). Her insights and expertise helped craft one of NAESB's most successful WEQ standards that is now part of the Code of Federal Regulations adopted by FERC.

One use case that I'm intimately familiar with regarding NAESB PKI is ISO New England's use of NAESB PKI certificates to access market applications, known as SMD.

I also agree with Lila's observation that CISA is becoming a more important partner to the Energy industry in order to protect the entire electric grid, transmission and distribution levels, from cyber-threats.

Lila Kee on Apr 28, 2022

Helping shape the WEQ-012 standard in partnership with Dick, who at the time represented ISO New England, was one of the most rewarding experiences of my career. I'm indebted to Dick's mentorship on understanding the unique PKI / strong authentication requirements of the wholesale electric segment. Dick's continued active involvement in NAESB has only expanded the benefit of the committee work, especially in the area of software supply chain vulnerabilities.

Richard Brooks on Apr 29, 2022

We do make a good team, Lila. Totally enjoy working with you.
