
Interconnected world highlights supply chain concerns

by usiscc
January 25, 2020
in Supply Chain

Smart Energy International spoke with Tobias Whitney, a technical executive with the Electric Power Research Institute (EPRI), about all things cyber but specifically the supply chain and the increasing interconnectedness of … well … everything.

As the world becomes more and more interconnected, one critical weak point in the entire ecosystem is the management, or lack thereof, of the supply chain itself. According to Whitney, supply chain management is the last step in a process that the power industry has been engaged in for the past 15 years or so. Critical infrastructure protection (CIP) standards exist across a wide range of cybersecurity operations and needs, particularly in the United States and Canada.

This article was originally published in Smart Energy International issue 1-2020.

“Command and control systems have the most significant
impact on the electrical grid and the biggest responsibility for implementing
those CIP standards. For a long time, the prevailing wisdom in the industry was
that asset owners had to take care of their assets. It is now apparent – given
a lot of vulnerabilities and NERC alerts – that there’s another key part of the
equation. It is the realisation that vendors need to have a seat at the table.

“The dialogue that industry is having with their suppliers
has taken different routes. For some, it’s having an understanding specific to
a product. For others, it’s been running the gamut of the vendor’s security
profile, including understanding their internal control processes,
understanding the provenance of the product, understanding the steps and the
team that creates the supplier, or the product chain of goods and services.”

The power industry’s involvement in understanding who its vendors are, and the
security implications and risks that may arise from using vendor products on
the grid, has shifted. Stakeholders are fundamentally more insistent that when
systems or services are procured, there is a mutual understanding of who is
responsible for what. This includes understanding what types of security
capabilities are built into the products and services. There is also
longer-term engagement between the vendor and the utility, so that if, for
instance, there has been a breach or there are challenges with the
supportability of the product, there are mutually agreed-upon steps to resolve
those issues.

“I think it’s pretty exciting,” Whitney says. “The vendor
communities have been offering various types of security capabilities in their
products for many years, and it’s good to see that those security features are
appreciated when they apply to the utility environment.” An obvious example is
the challenges that have plagued the Chinese multinational technology company
Huawei’s relationship with the United States.

“It doesn’t even have to be an obvious, high-profile example
like that,” Whitney says.

“I think it’s more a recognition that there are only so many
companies whose products are widely used in the electric system. A utility can
do everything to secure its assets but it also needs to have confidence in the
suppliers’ controls, that they follow industry best practices, and that –
whatever the product – there is an assurance about the quality from a security
perspective.”

“There’s also recognition that we will not always understand
or know where the next zero-day [a previously unknown system vulnerability]
exploit will be. Having a tighter, stronger, more responsive vendor
relationship helps mitigate that risk.”

Breaking into the market

For new vendors, awareness of the utility market means it’s no longer enough
to have a really cool product that has great capabilities or really
significant operational or reliability benefits.

“There’s a clear recognition that the product and the
relationship that you have as a company will need to be evaluated and managed
through the lifetime of the products used by a utility or system operator.

“This is going to make it harder for new entrants to break
into the market unless they meet best practices and standards.

“We’re starting to see requirements that a vendor or supplier
must meet standards in the United States and abroad. A lot of utilities want to
know, among other things, if a supplier is ISO 27000 compliant. There’s more
responsibility for the vendor to demonstrate their security features and how
they’ve been validated by third parties.”

What is the potential knock-on effect in terms of pricing?

As products become certified across several standards, there
may be a knock-on effect on product prices, putting added pressure on utility
budgets. Whitney confirms this is something that his team at EPRI has been
working on with buyers and suppliers in an effort to enable economies of scale.
This is best done through standardisation of mandatory vs other security
requirements, a clear understanding of best practice preferences and distilling
this into a framework that can be used across the industry, providing clarity
for both utilities and vendors.

This also provides vendors with a framework of questions
that need to be asked and answered and prevents “reinventing the wheel” with
every new project that needs to be procured.

As Whitney says: “There are 100 different requirements from
different entities that will impact the same product, but all have the same
concern. How can we leverage these and provide an understanding of the
capabilities of the product from a security perspective to ensure or mitigate
certain cybersecurity risks?

“This is one of EPRI’s active projects, and we’re doing some
pilots to populate data in a manner that doesn’t reveal proprietary information
about the vendor. The idea is to be able to catalogue which cybersecurity
controls the vendor must implement, and then understand how that product can be
secure.

“We want to be able to organise this information in a manner
that can provide quick answers to those questions, hoping that this may create
economies of scale and maybe reduce costs.”

Final words

The security equation cannot be solved by the electric
utility alone. There needs to be direct communication, knowledge sharing, and
partnering of responsibility for security with vendors. For vendors, that
responsibility must come through in terms of demonstrating their capabilities,
as well as understanding and ensuring that their product has the correct types
of security features, so that security can be managed effectively by the
utility. Product capabilities need to be transparent, clear and visible to the
buyer.

About Tobias Whitney

Tobias Whitney is a technical executive for EPRI where he
drives strategy, oversees research studies and guides content development
activities for priority initiatives taking place within the organisation’s
research department.

Whitney was a speaker on the “Securing an Interconnected
World” panel at the CyberCon Power & Utilities Cybersecurity Conference in
Anaheim, CA.
