3

Strategies to Increase Resilience

A second set of panels focused on addressing the challenges faced by the grid through concrete steps to increase resilience. These panels addressed technological means to improve cybersecurity as well as the cultural, business, and policy contexts of implementing those technologies. Speakers also addressed ways to speed the path from solution development to deployment in order to keep pace with a rapidly evolving threat landscape.

TECHNOLOGICAL CAPABILITIES

• The electricity subsector has taken many steps to improve cybersecurity practices, but risk can never be totally eliminated and there remains much to do.
• Grid security is affected by both utility-owned operational communications networks and commercially owned enterprise communications networks, along with the interactions between these networks.
• Existing and emerging security mechanisms offer promise, but their development and adoption are affected by complex business and regulatory contexts.

Jeffery Dagle, Pacific Northwest National Laboratory (PNNL), moderated a panel exploring how technologies can be used to improve security and resiliency. While complexity is the enemy of security, adding security measures to electric infrastructure is anything but simple, Dagle said. Utilities and the country as a whole are challenged to determine when and

where cybersecurity should be incorporated into electric power systems, whether these efforts should be centralized or distributed, and which players should be responsible for what. Speakers included Joy Ditto, Utilities Technologies Council (UTC); Mark Adamiak, Adamiak Consulting; Samara Moore, Amazon Web Services; and Tim Roxey, formerly of the Electricity Information Sharing and Analysis Center (E-ISAC).

Joy Ditto, Utilities Technologies Council

Joy Ditto, president and chief executive officer of UTC, described how the relationship between the electric power system and the U.S. telecommunications infrastructure has evolved over the decades.

After World War II, the U.S. electric power infrastructure was identified as critical to the nation’s security and economic well-being. Utilities recognized the importance of reliable communications to support the electric grid, but existing telecommunications carriers were unable to provide the level of service they needed at a reasonable price. This, Ditto explained, drove the electric utilities to build their own private communications networks, based on a combination of copper wire lines and microwave wireless components. These networks supported reliable voice communication within operations centers and between personnel in the field.

In the 1980s, utilities began layering digital communications technologies over these existing networks, gradually replacing copper wire lines with fiber where feasible. This digital layer broadened communications beyond voice to include data collection, enabling supervisory control and data acquisition (SCADA) systems, sensors, and other technologies providing granular situational awareness on grid operations. In addition to these utility-owned networks, some utilities also use commercial telecommunications services for purposes other than critical operations support, such as for corporate telephones and external-facing websites.

Ditto argued that operational digital communications technologies, built on the backbone of the utilities’ private communications networks, are crucial to enabling integration of renewables and energy storage technology into today’s grid and will likely be key to enabling advanced distribution technologies in the future. Utility-owned networks are more reliable, better hardened against damage, and more resilient than commercial carriers, Ditto asserted, noting that utilities were able to help telecommunications companies recover after Hurricane Katrina.

Despite their benefits, the digitization of these networks also introduced vulnerabilities, which were largely overlooked until the late 1990s. Because cybersecurity protections were not built in from the beginning, Ditto said that strengthening security for these systems requires a combination of adding security measures to existing infrastructure while also

building protections into any new components. She urged a closer look at how the vulnerabilities within these private networks, and their coexistence with commercial networks, affect grid security.

Mark Adamiak, Adamiak Consulting

Mark Adamiak, principal at Adamiak Consulting, discussed cybersecurity in the context of utilities’ private operations communications networks and the commercial telecommunications services they also use.

As Ditto noted, utilities often use a private network for critical operations controls (the operations network) and commercial telecommunications services to access the Internet and communicate with customers (the enterprise network). While most utilities keep these networks completely separate, with air gaps to help ensure that operations networks are not in any way connected to the Internet, Adamiak said that some utilities connect them through a jump box. The jump box creates a highly regulated path by which approved information can flow from the enterprise network into the operations network—for example, to allow an engineer to update relay settings. Utilities have less control over the enterprise network, so it is more difficult to secure. Common protections include firewalls and external access controls, but the sheer number of attack attempts suggests stronger mechanisms may be warranted, Adamiak noted.

Operations networks, for their part, have various defensive protections built in, some of which are mandated by North American Electric Reliability Corporation (NERC) guidelines. Common mechanisms today include nonroutable IP addresses, firewalls, air gaps, cryptographic accelerators, and role-based access control. In addition, many utilities are adopting new cybersecurity mechanisms for their operations networks. Examples include trusted platform modules for SCADA remote terminal units; password management systems and key distribution centers that take the human element out of password protections; and the use of secure communication protocols such as Secure File Transfer Protocol, Secure Shell, virtual private networks, PUSH mechanisms such as data diodes, the industry’s own protocol IEC 61850, and routable Generic Object-Oriented Substation Event (GOOSE). Adamiak noted that securing operational communications will be particularly essential as grids transition to microgrids.

Samara Moore, Amazon Web Services

Samara Moore, security assurance and energy specialist at Amazon Web Services, discussed electric utilities’ increased adoption of cloud services for enterprise information technology (IT).

Cloud services provide on-demand delivery of IT services over the Internet under a pay-as-you-go model with strong security and resiliency features, Moore said. She asserted that cloud services could help utilities be more agile and elastic, especially in times of crisis, by allowing them to increase or decrease IT resources rapidly; save on IT costs—for example, by reducing the resources needed to maintain infrastructure and data centers; and drive innovation through access to advanced services, tools, and automation capabilities. She suggested that cloud services could be especially beneficial for smaller utilities without a large IT staff, for whom the security mechanisms and advanced tools offered by cloud services might be otherwise unattainable.

Moore expressed her view that cloud services can support utilities’ security objectives, including those related to regulatory requirements. Cloud infrastructure is built to meet very secure standards, is tested on multiple frameworks to meet multiple global requirements, and supports government, academia, and large enterprise customers. In addition, cloud service companies are constantly innovating to anticipate future needs and develop technologies to address them, allowing their customers to take advantage of the latest innovations without having to make large IT investments in-house.

Tim Roxey, Electricity Information Sharing and Analysis Center (Retired)

Tim Roxey, who previously held roles at E-ISAC and NERC, argued that the electric power system is reaching the limits of defensibility.

In massively complex systems such as electric power infrastructure, Roxey argued that we have accepted heightened dependence on automation technologies without fully understanding how the Industrial Control System (ICS) and power elements interact and without an appreciation for the consequences of their failure. As a result, he posited that we have arrived at a place where reliability, safety, and security are all uncertain.

Asset owners tend to overestimate their ability to defend these systems and underestimate the extent to which they have become almost entirely dependent on them, Roxey said, raising the question: How do you defend a complex system when you don’t even understand its contents? Comprehensive, current, and accurate asset inventories are rare and fleeting. Furthermore, he argued that it is no longer possible to fully understand our systems of systems; thus, they can no longer be fully defended. We are stymied by the massive complexity of aggregate systems as well as by the overly complex software-centric components they comprise.

Roxey characterized the ICS field’s current tack on cybersecurity as an incremental approach in which small changes are made over time to ICS and its components that offer more functions or implement new technologies. Many times, new security methods are even implemented. Over time, the individual elements of the ICS become more advanced—for example, incorporating Internet of Things (IoT), artificial intelligence (AI), and 5G elements—and the collective system they form becomes ever more complex.

A far more effective approach, he argued, would be a transformational overhaul in which legacy vulnerabilities are eliminated by re-creating and recompiling systems from the fundamental physics on up. He acknowledged that this path is difficult but asserted that it is nevertheless possible, and clearly necessary if we are to continue to operate with confidence in a cyber world that former Navy Secretary Richard Danzig has characterized as “continuously contested.”

As an example of the weaknesses of existing systems, Roxey detailed a vulnerability known as Aurora, which targets motors and generators, rotating AC machines. When the digital protective control devices (DPCDs) that protect motors and generators are manipulated by remote adversaries to open and close rapidly, the associated motor or generator can be damaged or destroyed. The vendor community stepped up to address this vulnerability by changing the programs (software logic) inside the DPCDs. This incrementalistic solution does indeed address the specific vulnerability that was found, but the essential vulnerability remains. It is indeed the actual DPCD device that can be discovered and reached over the networks and then controlled to perform the rapid open-close sequence that is the issue.

A transformational approach would implement Aurora protection using the basic grid physics of rotating AC machines and do so in a manner not dependent on modern, highly networked ICS devices.

Discussion

Panelists and participants discussed the effectiveness of existing defense mechanisms, policy and regulatory issues, and system-level solutions.

The Effectiveness of Existing Defense Mechanisms

Dagle and Granger Morgan, Carnegie Mellon University, asked panelists to elaborate on the use and effectiveness of existing defense mechanisms such as air gaps and firewalls. Ditto noted that while air gaps are currently effective, adversaries may eventually find a way around them.

When it comes to firewalls, Roxey agreed with Dagle that firewalls are far more porous and less secure than is generally assumed, making them another example of how network configurations are often too complex to be fully understood, leading to vulnerabilities.

In the face of imperfect protections, Ditto posited that it is key to at least be able to detect any breaches that occur. “I think it comes back to how much situational awareness do you have around your network, and if you know that you are going to have vulnerabilities but you can limit them or you can at least be aware when those vulnerabilities are being exploited, that is a good place to be,” she said. To achieve that awareness, she stressed the importance of collaborating internally across departments so that involved personnel know what protections are in the network and how reliable they are.

In the context of cloud services, Moore noted that customers inherit the security controls for the cloud infrastructure but still must secure their own resources and data flows in the cloud. David Batz, Edison Electric Institute, expressed concern that some utilities may feel forced to use cloud services, and Anjan Bose, Washington State University, asked how utilities could reconcile cloud services with their culture of owning physical systems. Moore answered that it is best for utilities to collaborate with cloud service providers and regulators to identify specific challenges, create implementation guidance, and revise existing standards to clarify how utilities can use cloud services.

Adamiak noted that utilities own and manage the communications infrastructure for the transmission side but that this is not necessarily true of the distribution networks, which more often use off-the-shelf broadband networks. Ditto pointed out that even where utilities use private networks, they still buy their communications equipment from vendors, which creates supply chain concerns and underscores the importance of careful vendor evaluation.

Policy and Regulatory Issues

Ditto noted that the Federal Communications Commission (FCC) governs commercial communications networks. However, although the electric system relies on the commercial telecommunications infrastructure, FCC policies do not differentiate between the reliability needs of electric system critical infrastructure and the commercial telecommunications sector. This can sometimes undercut the ability for grid operational networks to ensure reliability and resiliency, she said.

Cynthia Hsu, National Rural Electric Cooperative Association (NRECA), asked about cybersecurity and reliability requirements for the hybrid of public and private communications networks. Ditto responded

that the utilities that UTC represents seem to be trending toward deploying their own networks into distribution grids instead of depending on corporate carriers. Utilities do not always have that option, and some are forced to rely on commercial carriers, but better collaboration among critical infrastructure owners and operators, the government, and the commercial carriers could improve mutual understanding, she said.

System-Level Solutions

Sanders asked panelists to suggest system-level solutions to improve both the cyber infrastructure and the grid itself. Adamiak proposed increased use of air gapping and secure jump boxes, as well as continuing the adoption of multiprotocol label switching, which improves the ability to switch paths. Ditto suggested that perhaps the utilities’ individual private networks be treated en masse as one large network that could share wireless networks within a designated spectrum band, allowing utilities to work together to protect the use of that designated band.

Roxey reiterated that electricity grid systems have become too complex to understand and defend. “We are getting close to the limits of defensibility mostly because we are at the limits of detectability,” he said. “Things occur and we don’t even know that they happened.” He added that “the performance of today’s cybersecurity solutions cannot be evaluated with any deterministic methods that definitively show they are working.”

CULTURE CHANGE

• A culture of security will be vital to effectively countering threats to the U.S. electric grid. Security is not limited to protection and defense but also encompasses preparedness, response, and resilience.
• Standards and regulations provide an important foundation but are not sufficient to ensure grid security. Best practices are necessary to protect the most critical infrastructure.
• All parties benefit when the relationship between industry and government is collaborative rather than adversarial.

Cynthia Hsu, National Rural Electric Cooperative Association (NRECA), moderated a panel focused on creating an ingrained culture of cybersecurity within the electric utility workforce. She emphasized that it takes a combination of people, process, and technology to achieve such a culture and urged participants to focus not on elucidating the challenges but on integrating lessons learned to inform tangible action. The speakers

were Marc Child, Great River Energy; Joe McClelland, Federal Energy Regulatory Commission (FERC); and Scott Aaronson, Edison Electric Institute. Hsu moderated an open discussion following their remarks.

Marc Child, Great River Energy

Marc Child, information security program manager at Great River Energy and chair of NERC Critical Infrastructure Protection (CIP) Committee, shared perspectives on NERC’s CIP regulatory standards, enacted after the 2003 blackout in the Northeast United States.

NERC’s CIP standards have had both positive and negative impacts, Child said. A key downside is that the standards ushered in a culture of compliance in which utility personnel grew to fear auditors more than actual attackers. “We have to get past that,” Child urged. Also, the standards led to a homogenization of security features across utilities, which undermines security overall. “We shouldn’t all have the same type of fence or lock,” Child explained. “Why should we have the same cyber defenses?”

On the positive side, the standards did succeed in elevating all utilities to a minimum level of security by establishing a baseline set of requirements, Child said. The phased rollout of requirements also made it feasible for utilities with different levels of resources and security needs to build their security protections up to the appropriate level over time. In addition, he credited NERC’s CIP standards with opening a dialogue and a more collaborative relationship between utilities and vendors around cybersecurity.

Despite these valuable impacts, there are limits to what NERC standards can or should reach, Child said. He expressed his view that regulation for today’s intelligent, distributed, digital network and new grid regimes such as distributed energy resources should reflect the ongoing innovation in that area, and drive meaningful change in security as opposed to a focus on compliance. While these developments have vastly expanded the attack surface for the grid overall, he suggested that these new vulnerabilities are beyond the scope of CIP and best addressed through collaborations among utilities, vendors, national laboratories, and research organizations, which he felt would yield results faster than waiting for NERC to update standards.

Building on this point, Child suggested several ways in which he thinks utilities and the grid overall would benefit from greater freedom from mandatory standards. He urged utilities to empower their engineers to invest in effective—not merely compliant—technologies such as software-defined networks and decoy networks, and to base their decisions on timely and actionable intelligence. He recognized the CIP

standards as a necessary minimum baseline but suggested that their scope should be capped and that utilities should be free to address new threats through means other than mandatory standards. In addition, to replace today’s “gotcha” environment with a culture of cooperation based on a shared mission between utilities and auditors, he proposed eliminating financial penalties for CIP noncompliance and replacing them with binding recommendations for improvements.

Closing, Child pointed to a need for greater collaboration among research and trade groups around cybersecurity; enhanced partnerships with Canadian stakeholder organizations, such as by including them in classified Department of Energy (DOE) briefings; and the reduction of barriers for participating in the DOE Cyber Risk Information Sharing Program (CRISP). CRISP enables utilities and intelligence agencies to share real-time data about cyberattacks, but the program is relatively expensive and therefore typically implemented only at larger utilities.

Joe McClelland, Federal Energy Regulatory Commission

Joe McClelland, FERC director of the Office of Energy Infrastructure Security, discussed FERC’s approach to utility security. Just as the electric power system comprises several interdependent infrastructures, FERC’s purview intersects with the authority of several other government agencies. While their responsibilities vary—for example, FERC sets standards for hydroelectric facilities and the bulk power system while other agencies cover oil and natural gas facilities and security standards—McClelland said FERC works in partnership with these other agencies to identify threats, vulnerabilities, and mitigations.

Whether industry’s motivation to ensure security stems from the threats themselves or from a motivation to comply with standards and regulations, McClelland stressed that the threats are real. He quoted from a 2017 Department of Defense (DoD) report¹ whose findings he described as “sobering”:

___________________

¹ Defense Science Board Task Force on Cyber Deterrence, 2017, Report for the Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics, U.S. Department of Defense, Washington, D.C., https://www.armed-services.senate.gov/imo/media/doc/DSB%20CD%20Report%202017-02-27-17_v18_Final-Cleared%20Security%20Review.pdf, accessed February 20, 2020.

He also quoted a 2019 statement,² referenced earlier by Stockton, in which Director of National Intelligence Daniel Coates asserted that China has the ability to disrupt U.S. natural gas pipelines through cyberattacks:

The assessment also concludes that:

In light of these and other threats, FERC recommends a dual approach to security comprising both baseline standards and best practices. McClelland described NERC’s CIP standards as the base of a pyramid—foundational, solid, and broad. While these are valuable and should be considered virtually everywhere within a system, they are not sufficient alone: Adversaries can read the standards, too, and work to find ways around them. Best practices are the pinnacle of the pyramid and they should be used with foundational standards as necessary to stop nation-state adversaries, putting them in place in the most critical facilities.

McClelland said success will require that owners and operators of the nation’s most critical facilities be able answer three questions: Are you fully informed of an adversary’s capabilities? Do you know what best practices can stop them? Have you identified which critical facilities should be protected by these best practices? FERC’s experts are focused on those questions and aim to help facility owners and operators improve

___________________

² D.R. Coates, 2019, Worldwide Threat Assessment of the U.S. Intelligence Community. Statement for the Senate Select Committee on Intelligence, https://www.dni.gov/files/ODNI/documents/2019-ATA-SFR–SSCI.pdf, accessed February 20, 2020.

their awareness and capabilities to put the right protections in the right places.

Scott Aaronson, Edison Electric Institute

Scott Aaronson, vice president of security and preparedness at the Edison Electric Institute, discussed the importance of moving toward a culture of security that encompasses both protection and preparedness. While it is important to secure our infrastructure, inevitably attacks will occur; the defender must be effective 100 percent of the time, but an adversary has to be effective only once in order to cause significant impacts. In this context, Aaronson stressed that it is crucial to be prepared to respond and recover from attacks in order to protect national security, the economy, and the life, health, and safety of utility customers.

Aaronson described security as a three-legged stool supported by standards that provide the necessary (though insufficient) foundation; partnerships across industry and government; and preparedness, which encompasses response, recovery, and resilience. While standards are valuable for ensuring reliability of operations under normal conditions, he stressed that preparedness is essential for true resilience when conditions become abnormal. “Reliability assumes blue skies,” Aaronson said. “Resilience is the ability to take a punch.”

Aaronson outlined strategies to increase preparedness by leveraging the grid’s inherent redundancy and resilience. These include mutual assistance capabilities, in which utilities contribute resources to respond when one fails; supplemental operating strategies that provide backup when normal operations are degraded; and inventorying spare assets that could be utilized after an attack.

When Iran struck down a U.S. drone in June 2019, the United States implemented what Aaronson considered an appropriate response: a cyberattack targeting military infrastructure. This response, in his view, demonstrated U.S. cyber capabilities to Iran and other adversaries like China, Russia, North Korea, and criminal networks while, importantly, stopping short of using those capabilities against civilian or critical infrastructure. However, he cautioned that our adversaries cannot be depended on to follow the same rules of war, underscoring the critical importance of staying prepared for an attack that does target critical civilian infrastructure.

Discussion

Participants discussed the role and appropriate scope of standards, along with what steps could be taken to create a culture of security.

The Role and Scope of Standards

Jeffery Dagle, PNNL, asked if standards compliance may be unintentionally inhibiting the adoption of new technology. He pointed to synchrophasors, which support situational awareness, as an example of a technology that has been deployed less widely than it otherwise might be due to utilities’ fears of running afoul of auditors. Child argued that emerging technologies must be secured, and if utilities do not adopt new technology because they fear an audit, that auditor-utility relationship is the problem, not the standards. Aaronson agreed, and noted that the question underscores the broader point that security is not a binary feature wherein standards compliance is equated with complete security. Recognizing that standards evolve too slowly to keep up with fast-moving security threats, he suggested new technology could be covered by best practices instead. McClelland added that standards are open to public comment and can be updated if they present unnecessary impediments to improvement. He also cautioned that helpful tools can open new vulnerabilities: Even a single insecure node, however insubstantial, can be used by an adversary to gain entry to the larger system.

Cynthia Hsu, NRECA, asked whether there were lessons learned from how the NERC CIP standards have or have not worked that can inform conversations on extending it beyond its current base of covered entities. McClelland pointed out that the electricity subsector is very mature and capable, in part due to standards, but also because of longstanding exchange between government and industry. He suggested that conversation could be extended to other sectors, bearing in mind each sector’s focus, maturity, and role in critical infrastructure.

Adamiak asked if FERC was creating standards specifically for EMP events. McClelland acknowledged that EMP was a major concern, and noted that FERC is working closely with other relevant agencies to create a coordinated industry-outreach effort that will likely be a best practice, and not a standard at this time. Aaronson stated that EMP was not ready for a standard, but noted that it is possible to better understand EMP impacts and prepare for the consequences.

Creating a Culture of Security

Cynthia Hsu, NRECA, and Morgan both asked what steps panelists recommend in order to create a culture of security against today’s threat landscape. Child highlighted the value of collaborating on and sharing vulnerability assessments, lessons learned, and mitigation strategies. The specific threat is unimportant, he said; what matters is system resilience and consequence management.

McClelland emphasized the value of partnerships between government and industry. Bringing government expertise together with operational experience can help both parties to create security assessments, refine best practices, and understand adversarial activities. He highlighted FERC’s one-on-one work with utilities to provide information, assess practices, and recommend mitigations. While attacks targeting a key facility may be very difficult to stop, a valuable way to counter these threats is to identify, prioritize, and protect military-critical and society-critical skeletal services.

Aaronson added that CEO leadership was very important to creating a culture of security, as CEOs set priorities and direct resources throughout an organization. Self-assessment tools can also help leaders determine where to direct energy and identify problem areas, such as supply chain security, that go beyond the organization itself.

TRANSLATIONAL R&D

• Government, academia, and the private sector generate innovations that are valuable for advancing grid security.
• Innovations are developed and deployed within the broader context of standards and regulation, which can either complement or, at times, impede, their adoption.
• Stakeholders can benefit from identifying opportunities to share information and optimize resource allocation in order to speed progress.

Anjan Bose, Washington State University, moderated a panel focused on how technology can quickly move from the lab into practice. The panelists were Kevin Stine, Information Technology Laboratory, National Institute of Standards and Technology (NIST); Yair Amir, Johns Hopkins University; and Carol Hawk, U.S. Department of Energy (DOE). An open discussion followed the speakers’ remarks.

Kevin Stine, National Institute of Standards and Technology

Kevin Stine, leader of applied cybersecurity within the NIST Information Technology Laboratory, described how NIST helps organizations apply standards, guides, and practices in order to better understand and manage cybersecurity risks.

NIST is a nonregulatory agency, so its standards are voluntary and consensus-based, not mandatory. NIST experts conduct early-stage foundational research as well as facilitate its transition into active practice. While its activities span a broad range of areas, NIST’s cybersecurity activities are aimed at advancing standards, technology, and measurement science to cultivate trust in information and systems.

One of its primary tools in this area, the NIST Cybersecurity Framework,³ provides organizations with a common language for cybersecurity activities and outcomes, enabling them to bridge communication gaps both within and between organizations, Stine said. The Framework has three key focuses: the alignment of an organization’s business processes with its cybersecurity capabilities and technologies; recognition of interdependencies among organizations, sectors, and shared infrastructures; and the imperative to increase resilience, which is defined as post-attack response and recovery mechanisms that best position an organization to continue critical operations.

In addition to its cybersecurity expertise, NIST supports standards and tools for energy sector operations, including smart grid technologies. Energy cybersecurity, which lies at the intersection of those two areas, can be approached through two lenses, Stine said. The first focuses on the cybersecurity of organizations, guiding what utility owners and operators do to prioritize and implement cybersecurity activities. The second considers the cybersecurity of the grid architecture as a whole, with particular focus on the interfaces between different grid components.

To facilitate the application of standards and technologies to address today’s cybersecurity needs, NIST’s National Cybersecurity Center of Excellence⁴ provides blueprints, developed in collaboration with the broader electricity subsector community, that show how utilities can implement the latest tools. For example, the center offers insights on tools and technologies that maintain appropriate identity verification and access management when transitioning between IT and operational technology (OT) infrastructures. It also offers guidance on architectures to support situational awareness, asset management, and security for connected grid technology within the “industrial Internet of Things.”

Yair Amir, Johns Hopkins University

Yair Amir, professor of computer science at Johns Hopkins University, discussed how system-level changes can improve utilities’ security and resiliency. He described Spire, an open-source, intrusion-tolerant SCADA operations system that Amir’s research group created, as an example of this type of change.

___________________

³ For more information on the NIST Cybersecurity Framework, see NIST, “Cybersecurity Framework,” https://www.nist.gov/cyberframework, accessed February 20, 2020.

⁴ For more information on the NIST National Cybersecurity Center of Excellence, see NIST, “National Cybersecurity Center of Excellence,” https://www.nccoe.nist.gov/, accessed February 20, 2020.

The Defense Advanced Research Projects Agency (DARPA) provided seed funding for transitioning intrusion-tolerant capabilities employing resilient clouds to the power grid. In a follow-up 2017 DoD project, experts from Sandia National Laboratories posing as adversaries were able to penetrate and damage a best-practices-compliant commercial test grid within hours, but a Spire-protected test grid withstood their attempts for 3 days. The next year, Spire performed similarly well in a test conducted at an operating electric utility.

Since then, several utilities have expressed interest in adopting Spire, but Amir noted that structural barriers, including financial and legal barriers, limit how quickly (or if at all) new innovations are accepted and deployed. At a basic level, Amir noted that even the question of who is ultimately responsible for dealing with attacks from a nation-state actor—the utility or the government—remains, to some extent, unanswered.

Carol Hawk, U.S. Department of Energy

Carol Hawk is a program manager within the Cybersecurity for Energy Delivery Systems (CEDS) division of the DOE Office of Cybersecurity, Energy Security, and Emergency Response (CESER). Recognizing that standards and regulations move at a slower pace than both the threat landscape and technological innovations, Hawk posited that these different time scales are complementary, not conflicting. She said that while standards and regulation provide a baseline but not an anchor, innovations enable the field to move from a reactive to a resilient posture.

As the industry works to increase the capacities, reliability, and efficiency of energy delivery systems, Hawk stressed that innovation remains critical to addressing emerging threats. She described how the 2011 standards-based Roadmap to Achieve Energy Delivery Systems Cybersecurity⁵ helped inspire new technologies to help utilities withstand a cyber incident. She emphasized the importance of grounding innovations in utilities’ control, operational, and energy delivery systems in order to enable attack recognition and “self-healing” capabilities whereby a utility can sustain critical functions even if compromised. “It is essential that innovation takes into consideration and uses the operational characteristics of that system,” Hawk said, describing the ideal system as being able to recognize an attack and then adapt the way it is operating in order to continue delivering energy while the attack is being contained and eradicated.

___________________

⁵ Energy Sector Control Systems Working Group, 2011, Roadmap to Achieve Energy Delivery Systems Cybersecurity, U.S. Department of Energy, Washington, D.C.

Hawk noted that some attacks can be sufficiently defended by standards that regulate good cyber hygiene, such as efforts to reduce the attack surface. However, as threats evolve rapidly, an ecosystem of continued innovation—comprising experts from suppliers, utilities, academia, and the government—is also necessary, she said.

Discussion

Participants and panelists discussed product security and regulation, how security can be better incorporated into educational and training programs, and opportunities to speed progress through information sharing.

Product Security and Regulation

Noting the perennial tension between building a product fast and building a product that is secure, Michael Howard, EPRI, asked if there should be mechanisms to hold liable vendors that sell insecure products. Stine suggested that incentives, rather than regulation, might be the best way to encourage companies to prioritize product security over speed, although the success of such incentives also depends on customers recognizing the importance of security. Establishing a repository for trusted code, complementary to the National Vulnerability Database that inventories known software vulnerabilities, could also help, he added. Hawk noted that DOE’s research into secure development life cycles for operational technology systems could also play a role. Amir pointed out that regulation in this area could have the unintended consequence of undermining the use of open source code to help secure the power grid, which could be detrimental.

Morgan noted that product security is an even bigger problem in the IoT space, where installed devices are never patched, leading to persistent vulnerabilities. Stine added that NIST recently closed a public comment period that addresses the IoT-cybersecurity intersection and will soon issue baseline recommendations. Morgan pointed out, and others agreed, that efforts in this area are undermined by a lack of clarity with regard to which agency has regulatory control over IoT devices.

Bose added that electric power systems are comprised of many layers of equipment, with devices constantly being added at the grid edge, and that each additional layer increases the attack surface. Hawk agreed that grid-edge IoT activity requires close attention and noted that DOE is actively working to address needs at the grid edge through generation, transmission, and distribution, including in the IoT realm, but reiterated that DOE is not a regulatory agency and that she could not comment on the potential for standards and regulations in this area.

Adamiak noted that Russia recently announced that it was able to sever its connections to the global Internet as a mechanism to prevent remote access to its assets, and asked if the United States was considering a similar capability. Gavin Donohue, Independent Power Producers of New York, Inc., replied that the Internet, the U.S. economy, and the global economy are too entwined for the United States to pursue such a model. He also expressed skepticism regarding Russia’s claim and the effectiveness of such an approach.

Bringing Security into Education and Training

An attendee from Oak Ridge National Laboratory raised the need to better incorporate security awareness and expertise into relevant educational programs. Amir agreed, and noted that the computer science field does not consistently teach basic security skills. Participants discussed how requiring security courses as part of degree programs in computer science and electrical engineering programs could improve security for electric utilities and their cyber infrastructure. Hawk suggested taking a cross-disciplinary approach combining power systems engineering with cybersecurity.

Information Sharing to Accelerate Progress

Dagle brought up the imbalance in the time scales on which defenders and attackers operate. He pointed out that there is a necessary lag between identifying vulnerabilities and deploying patches to address them: Defenders must test their solutions sufficiently to ensure that patches do not create new vulnerabilities. A related issue is the degree to which different stakeholders on the defender’s side are permitted access to information about known vulnerabilities. The desire to keep such information from falling into an adversary’s hands is understandable, he said, but it nonetheless creates a barrier that slows the defender’s ability to solve the problem. Attackers, on the other hand, can freely share information among themselves and innovate quickly. Would it be possible, he asked, for defensive systems to work at a similar speed?

Amir answered that moving from enterprise to cloud-based solutions could help to address this on the industry side. Cloud services support rapid deployment of innovations and benefit from a concentration of talent that better positions them to keep pace with the threat landscape, he said. Alternatively, another approach would be essentially the opposite, to completely separate everything so that one attack cannot take out the whole grid. While possible, Amir suggested that this approach is likely to be more expensive. Stine added that collaboration across the diverse and complex electric power community is important and suggested that increased automation could also help close the time scale gap.

This page intentionally left blank.