The Danger to Avert

EVP GridBright

Stephen J. Callahan is Executive Vice President for Grid Modernization and Chief Marketing Officer at GridBright, Inc ( Over his 35 plus year career in industry...

Nov 25, 2020

In my first post on Secure Grid Data Exchange (SGDX), I outlined that the utility industry is navigating a world of remarkable convergence. It enters the 21st century at the beginning of the integration of two world-changing sectors—electricity and computing.

One core nexus in this convergence is data—more specifically, the required exchange of grid data among the ever-growing set of energy system actors, whether person to person, machine to person, or machine to machine.

In the early days, whatever technologies were available were used to exchange data. FTP[1] and Value-Added Networks[2] (VANs) are still in use today (SFTP has modernized FTP for security). Email attachments are also widely used, and unfortunately they are frequently and inconsistently secured with encryption, if at all. Even sneaker nets are still used today!


Convenience and availability can be the enemy of security and compliance. Many outdated and insecure elements of these older technologies contribute to the need to move beyond today's typical data exchange approaches. In short, grid data security threats and risks are expanding, the financial and reputational costs of failing to manage them are escalating significantly, and regulation is growing stronger and broader in reach, amplifying the penalties imposed on businesses and individuals.

The External Technology Extension (IT-OT-XT)

Among industry members, observers, and pundits, Information Technology – Operations Technology (IT-OT) integration has been discussed for many years. Not too long ago, IT and OT were separate, indeed siloed, within utility organizations. There are many historical reasons for this separation; however, two elements are particularly important. First, as it relates to cybersecurity and data exchange, each silo developed its own, and in many respects different, strategies and philosophies. Each area had different requirements, technologies, regulations, and objectives, so such divergence is not unexpected.

The divergence between the two areas was not a big deal until the second element materialized: OT started to do and require more "IT"-like things, and IT started to get deeper into "OT"-like things. Thus, the reasons for and benefits of separation began to erode. Accelerating the need for tighter integration was the advent of Automated Metering Infrastructure (AMI) implementations. AMI, by its nature, has both IT and OT components in its design and implementation. These risks are multiplied because both IT and OT users and applications are increasingly distributed and remote (potentially intertwined with personal systems that sit outside the secure perimeter), and so this integration quickly rises to both a management and an organizational concern.

Amplifying the IT-OT interlock dilemma is the broad expansion of "external to the utility enterprise" energy resource operators and market participants desiring and requiring integration with both utility IT and OT systems for their businesses and individual energy use/production—the External Technology (XT) Extension.  This extension introduces an entirely new set of risks and threats (cyber experts call this the threat surface) arising from the massive expansion of ecosystem actors with potential access to utility systems and the more porous security architectures these actors may have in their operations and systems.  

So much for the Castle-and-Moat[3] security perimeter approach that even today pervades cybersecurity regulations of energy systems.

The Clear and Present Threat

As the threat surface expands, the risks become formidable. Most cybersecurity professionals consider the risks systemic, with the majority seeing data privacy, loss, and leakage as top challenges. One study found that 88% of enterprises have large amounts of data open and in the clear. The risks do not come only from high-profile "bad actors": employee and contractor negligence causes 63 percent of data breaches. Once again, the "moat" is not working.

The costs of these failures are high, both institutionally and professionally—the cost of mitigating a compliance risk forensically rather than proactively is almost 3x. One study found that in the energy sector the liability cost per breached record is $136. Three actions can reduce this cost by 25 percent—robust encryption, Data Loss Prevention (DLP), and compliance failure prevention. These costs fall on the enterprise; however, there are also costs to individuals. One in three breaches leads to job loss, and over 40% of those who lose their jobs are non-IT and C-level executives.

Utilities are particular targets for cyber-attacks, especially smaller utilities. A recent high-profile investigation found that more than a dozen U.S. utilities were targets of a wave of cyber-attacks, especially ones located alongside other critical infrastructure such as waterways (clearly not a high school science project!). The WSJ concluded that smaller utilities "often lack big budgets for security measures, are vulnerable, even though experts once believed their low profile afforded them some protection."

The Coming Regulatory Storm

Governments and regulators are not blind to the threat, and most of the industry expects cybersecurity regulation to increase. Managing regulations is already a significant expense for enterprises, with an estimated cost of $10K per year per employee. These costs are disproportionately higher in smaller enterprises. Fines too are rising, with a 3x increase in the size of large NERC fines in the last year. Some of these fines now exceed $10M per incident.

Indeed, there is a flurry in recent times of responsible agencies promulgating or announcing the intent to promulgate regulation and guidance, including NERC[4], FERC[5], DOE[6], and POTUS[7] to name only a few prominent examples. 

In my next post I will give an overview of the foundational capabilities of SGDX and the elements of innovation it embodies.


[1] The original specification for the File Transfer Protocol was written by Abhay Bhushan and published as RFC 114 on 16 April 1971 (

[5] FERC Notice of Inquiry; Comment Request, 85 Fed Reg 11363 (February 27, 2020), Docket No. RM20-8-000