Critical Infrastructure Security

Keeping the lights on!

We are all acutely aware of the convergence of operational technology (OT) and information technology (IT). Awareness of the challenge arising from this convergence can be seen in the increasing homeland security efforts on cybersecurity. Especially cyber supply chain security. 

Recently, there has been an increased intensity in scrutiny of the world's electric grids. This scrutiny follows on the heels of a barrage of global news regarding the power industry and cyber resilience. A recent publication expounded on the level of the United States' preparedness, or lack thereof, for an extended operational failure of its grid. An hours-long power outage in Eastern Europe was established to be the first power outage directly tied to cybercrime. In February, researchers at the Kapersky Security Analyst Summit in Spain highlighted a unique vulnerability. They noted that remote manipulation of air conditioner shut off devices could create load surges causing targeted and/or large scale outages. 

How then do we keep the lights on? Together, we must address the risks inherent in converged industrial controls and information technology which not only impacts, but in fact, operates our grids. A key part of addressing this challenge is developing and deploying a comprehensive security strategy.  After all, our global grids truly are examples of complex and interconnected supply chains.

I was privileged to recently present to the Federal Energy Regulatory Commission (FERC) in February at its Technical Workshop on Supply Chain Risk Management. A set of key themes resonated across the statements of regulators, bulk distributors, regional utilities, educators, and private IT and OT providers present. 

Through my lens, I saw a crisp and panoramic picture: only a layered approach that drives prevention, detection and mitigation efforts against threats can be truly effective. 

To undertake a layered approach, we much first align on what our goal is. I propose that nothing short of comprehensive security must be the goal. The outcome of applying layered, comprehensive security across the IT and OT which lies at our grid's operational heart, is resiliency, privacy, data protection and trustworthiness.

A number of foundational elements can form a path to achieving this level of comprehensive security. We must embrace the goal of retaining each member of the grid's flexibility to deploy the right security in the right node of its own supply chain at the right time. The process of deploying the right security in the right node at the right time must be undertaken in a risk-based manner to ensure economic and operational viability. The goal is a meaningfully secure grid that can operate not one that is en route to bankruptcy. 

Further, it is key that we avoid relentless promulgation of new, albeit well-intended, standards, certification or accreditation schemes and guidelines. Leveraging those already in place should allow swifter implementation and broader adoption. 

Finally, weighing the existence and robustness of suppliers' own security and resiliency programs is essential. Flexibly including this as a part of procurement decisions should serve to move the security needle swiftly while retaining the benefit of proprietary innovation that suppliers bring to the table. 

In short, a comprehensive layered approach, deployed collaboratively through public – private partnership can effectively secure the grid, ensuring that we all remain “illuminated.”

Edna Conway

Edna Conway is the CEO of EMC Advisors, a firm that provides board and advisory services to enterprises and governments globally on technology, security, risk management and supply chain resilience. She most recently served as Microsoft’s VP and the Chief Security & Risk Officer for its Cloud Infrastructure program. Edna is responsible for the security and resilience of the cloud infrastructure upon which Microsoft’s Intelligent Cloud business operates. Previously, Conway served as the Chief Security Officer for Cisco’s Global Value Chain. Edna also was a partner in an international private legal practice and served as the Assistant Attorney General for the State of New Hampshire.

Conway is an advisor to numerous capital investment organizations, has served on over a dozen boards and is an inductee into Fortune’s Most Powerful Women. She also serves on the NYU Tandon School of Engineering Cyber Fellows Advisory Council, as a guest lecturer for the Carnegie Mellon University CISO Program and is a Senior Non-resident Fellow at the Carnegie Endowment for International Peace program.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds