We are all acutely aware of the convergence of operational technology (OT) and information technology (IT). Awareness of the challenge arising from this convergence can be seen in the increasing homeland security efforts on cybersecurity. Especially cyber supply chain security.
Recently, there has been an increased intensity in scrutiny of the world's electric grids. This scrutiny follows on the heels of a barrage of global news regarding the power industry and cyber resilience. A recent publication expounded on the level of the United States' preparedness, or lack thereof, for an extended operational failure of its grid. An hours-long power outage in Eastern Europe was established to be the first power outage directly tied to cybercrime. In February, researchers at the Kapersky Security Analyst Summit in Spain highlighted a unique vulnerability. They noted that remote manipulation of air conditioner shut off devices could create load surges causing targeted and/or large scale outages.
How then do we keep the lights on? Together, we must address the risks inherent in converged industrial controls and information technology which not only impacts, but in fact, operates our grids. A key part of addressing this challenge is developing and deploying a comprehensive security strategy. After all, our global grids truly are examples of complex and interconnected supply chains.
I was privileged to recently present to the Federal Energy Regulatory Commission (FERC) in February at its Technical Workshop on Supply Chain Risk Management. A set of key themes resonated across the statements of regulators, bulk distributors, regional utilities, educators, and private IT and OT providers present.
Through my lens, I saw a crisp and panoramic picture: only a layered approach that drives prevention, detection and mitigation efforts against threats can be truly effective.
To undertake a layered approach, we much first align on what our goal is. I propose that nothing short of comprehensive security must be the goal. The outcome of applying layered, comprehensive security across the IT and OT which lies at our grid's operational heart, is resiliency, privacy, data protection and trustworthiness.
A number of foundational elements can form a path to achieving this level of comprehensive security. We must embrace the goal of retaining each member of the grid's flexibility to deploy the right security in the right node of its own supply chain at the right time. The process of deploying the right security in the right node at the right time must be undertaken in a risk-based manner to ensure economic and operational viability. The goal is a meaningfully secure grid that can operate not one that is en route to bankruptcy.
Further, it is key that we avoid relentless promulgation of new, albeit well-intended, standards, certification or accreditation schemes and guidelines. Leveraging those already in place should allow swifter implementation and broader adoption.
Finally, weighing the existence and robustness of suppliers' own security and resiliency programs is essential. Flexibly including this as a part of procurement decisions should serve to move the security needle swiftly while retaining the benefit of proprietary innovation that suppliers bring to the table.
In short, a comprehensive layered approach, deployed collaboratively through public – private partnership can effectively secure the grid, ensuring that we all remain “illuminated.”