Protecting Critical Assets: Cyber security is a critical priority for electric utilities. How can utilities protect themselves against attack by terrorists and hackers? What can be done to strengthen grid resilience against threats to equipment failures? EPRI’s cyber security experts discuss these threats and how EPRI’s cyber security technologies can protect the utility industry.


00:00:03 Welcome to EPRI unplug, the podcast of the Electric Power Research Institute. I'm ready to Crawford. What it is one of the most important issues of our time: cyber security. Today we'll look at how threats to power generation, distribution and utilization, what people commonly call the grid, have real-world implications, and what research EPRI is conducting to protect the utility industry. Today my guests are Michael Falco, Justin Tebow and Galen Russia, all EPRI cyber security experts in their areas of research. Galen is based in Palo Alto and is joining us by phone. Welcome everyone, and thanks for your time. Well, let's dive right in. Cyber security threats affect all of us. Last summer computer systems in Ukraine were struck in an international cyber attack that crippled tens of thousands of machines worldwide. ATMs stopped working, workers were forced to manually monitor
00:01:03 patient at the old Chernobyl nuclear plant when their computers failed. We have also seen many cyber attacks in the US. So, each of you, looking at your areas of research, what specific threats are utilities facing, and what's the most effective way for them to build a strong defense? Michael, let's start with you, and we'll go to everyone else for a brief response, and then we'll get more into the weeds. Well, thanks for having me. I think it's a good question. I think it's important, you know, I've been focused on the nuclear industry for a while. We've been doing cyber security for almost a decade, and one of the things that they really embraced is trying to make sure that everything is a process. And so I think it's important that when we look at the threat, that we try to make sure that we have a process that we can improve upon, that we can follow, to make sure that we're addressing the threats consistently and improve upon them over time. I think that's our best effort and our best way of making sure that we're successful as an industry.
00:02:03 your thoughts? By the process of nuclear side varies among different utilities, depending on the type of generation you have, the size of the generation that you have. So it's been a challenge in figuring out how to meet all of the changing business climate that power generators are finding themselves in, and then also to be secure. Thank you for that response. How is your research helping utilities build a stronger defense?
00:02:41 over the last 15 years for the overall reliability of the grid. So I think we need to look at several security measures that can be designed and implemented to protect against operate a load device in the field across very large geographic region
00:03:22 cancel that how they can complement traditional I think which strategy is a lot to consider. And Michael, going back to you, I know you have multiple lines of research in cybersecurity. Tell me about the research looking at cyber security vulnerabilities in power plant equipment and the results. Well, the industry in the US has really been focused on implementing the cyber security program steadily for the past 8 to 10 years, and a lot of work has been done during that timeframe to segment the architecture, to document, protect their assets, and really develop strong programs to control their portable media and mobile devices. This past year they have completed their initial cyber
00:04:22 program from a regulatory perspective, you know, but unfortunately the implementation burden and cost to implement that cyber program is very high. And so now we're entering the next phase of the cyber security program's maturity, and EPRI cyber security research has been focused on finding efficient processes and methods that will reduce that implementation burden and the ongoing program monitoring cost, while also improving the technical basis of the overall program. In other words, we're focused on what our members really should do, not just what they can do. For example, EPRI developed a technical assessment methodology that can be used by engineers and cyber security specialists to assess digital components and systems in a very cost-effective and sustainable manner. Utilities and vendors, they can apply this methodology at any point in the asset's life cycle, you know, all the way from the conception through the rest of the asset's supply chain, including the design, implementation and operational phases. You know, although there could be
00:05:22 hundreds or thousands of potential vulnerabilities for an asset, our research has shown that how those vulnerabilities are exploited in the devices is very finite. So by looking at the exploit mechanisms and attack pathways, we can analyze these exploit sequences, apply those mitigations and bound that vulnerability analysis for an asset. So any exploit sequences that don't have mitigations there, we call them residual vulnerabilities. This approach effectively mitigates the unbounded universe of vulnerabilities and significantly reduces the overall sensitivity to the changing threat landscape. The methodology, you know, documents all this information in a way that could be performed by the person who's really most familiar with the device, and that could be the vendor, the integrator or even the member. The primary documentation for the methodology is placed on what we call either a cybersecurity data sheet or a site-specific allocation sheet. Feedback from the vendors and utilities who have applied this methodology?
00:06:22 Well, we came out with Rev 0, and the report's out there. It came out in October 2016, and since then we've conducted about 4 different workshops, and, you know, we probably had somewhere in the neighborhood of 30 to 40 different companies come to these workshops and well over a hundred participants, and the feedback's been very positive. And, you know, this year we're working on a revision that integrates in the risk-informed cyber methodology that hopefully we'll get a chance to speak about a little later. So you also produce a cybersecurity data sheet. How will this support utilities and vendors, and what can we expect next? The concept of providing a standard set of documentation for known hazards and mitigations, it's not new. The chemical manufacturers have been providing material safety data sheets, or MSDSs, I think now they're called just safety data sheets, they've been providing this for years. That's why we call a subset of our documentation the cybersecurity data sheet, or a CSDS.
00:07:21 The researchers found that in order to provide the most flexibility and value to our members, the data really needed to be split up into two different sets of documents. The first set, the CSDS, contains all the technical features, the capabilities and really the data flow to properly characterize the attack surface of the device. It tells you about the exploit sequences, what they are, and if there's any residual vulnerabilities, but it doesn't talk about where it's physically located. The site-specific information for the device is documented separately, and that's called the SSAS. Now, splitting it out, it provides a few benefits to the members, but the first one that's most noticeable is that by having a document that describes the technical features and the capabilities separate from where it's located, it really becomes a document that can be developed once and it can be reused a lot of times across your organization. And utilities often utilize the same type of device across multiple systems. You know, the Rosemount
00:08:21 pressure transmitter 3051 comes to mind. You know, a utility at a single site might have hundreds of these devices, and having a single document that it can utilize as a reference source, it really improves the analysis and reduces the amount of documentation overhead on the utility. A second benefit is that any residual vulnerabilities that remain, they can be rolled up at the site level, so any administrative or operational control methods that you have, they can be analyzed and applied as appropriate across multiple components at once. There's also benefits to members that we should talk about that's described in the methodology. Vendors, who are the technical experts of the device, I mean, they really are the best person for the job to tell you exactly what an asset's attack surface is, what exploit sequences and mitigations the device provides, and most importantly any residual vulnerabilities that need to be addressed. Because the methodology is regulatory agnostic, you know, this can be applied to nursing
00:09:21 you know, from a generation, power generation perspective, it can be applied to, we've been actively talking with the iea from an international perspective. You know, one set of documentation can be created and it can be used for anyone globally, cross-sector, and it can help them become more efficient as well as supporting all of their customers. That allows vendors and customers to communicate effectively on, let's face it, it's a very technical and often contentious topic such as cyber security. Justin, how is the research that your team is conducting helping utilities secure power generation? About 20 years now, if you count contractor time, and I remember the first power plant I ever walked in, doing some unrelated research to cybersecurity, but one of the things that I've reflected on in this time is that if I were to enter that same power plant, it would be safer,
00:10:21 more cost-effective and actually more efficient than it was 20 years ago. All right, and the way that that was done was not through just technology, but it was also by integrating it into the process and the culture. So one of the key things that we're doing is focusing on the reliability of the plant and on the cost effectiveness of the plant, and realizing that this entire fleet is not only going to have to be safer, more reliable and more efficient, but it's always going to be more secure. And so how do you go about doing that? Well, you go about doing that through looking at technologies with eyes wide open to find those that could meet specific needs, and then also reaching out beyond just the IT people or the controls people. For example, I'll be getting on a flight tonight to go to the work planning users group meeting, and work planners aren't necessarily
00:11:21 going to be the first person you go to to get your computer fixed, okay, and we will actually be going through four or five different industrial control system incidents with them and then talking about how does their job affect that. Because we don't have the same, I think, rigor necessarily in a lot of the regulations, and also the best apps are much smaller per megawatt non nuclear generation. So a lot of times it requires us to be strategic and, you can say, clever. One key example of some research we're working on right now is we're looking at an interactive smart card technology that could eliminate a lot of the administration that comes with remote access. Now, remote access can be kind of a scary subject. You know, you think about, you got these big power plants, and used to you just cut them off, like it was like a boat, you know, there was no connection. Well, if one of those goes down and you need an expert
00:12:21 from an OEM or a contractor, you don't necessarily want to have to wait for them to get in a plane or get down there, or even worse, if this is because of inclement weather and they just can't make it there. So you have to come up with an effective way for them to reach across. Now, each utility does this a little bit differently, and they do it in a way to meet regulation, but they all do it in a different manner. Usually it's software-based, which that in itself is a vulnerability. So taking that out of the equation and actually giving someone a smart asset in their hand that can actually speak across the secure networks is going to be a leap for us. And then bringing it beyond just a technology, one of the things we're looking at is the generation cybersecurity framework. So the generation cybersecurity framework has what we call applied and foundational research. An example of the foundational research being the stuff that we're doing in the lab with
00:13:21 to utilize this hardware-based remote access technology, but also applied technologies, looking at a defense in depth that follows the NIST cybersecurity framework. We kind of condense it a little bit into protect, detect, respond and recover. So we look at various different topics, like we work with Galen on patch management, recently we worked on configuration management and cyber hardening with our instrumentation and controls group. So really finding ways to make cybersecurity accessible. Someone asked me, what is it you do when you wake up? And I say I reduce what's in it was fun but fear, uncertainty and doubt. So a lot of times, if you're dealing with a cybersecurity vendor, they're going to make you afraid sometimes, and then they'll get you interested in their product because they want
00:14:21 want to do on that area of uncertainty. And personally I believe that we can not only apply this technology, not only understand the adversaries that are wanting to harm our systems for various different ways, but we can do it in a way that is accessible and is also cost-effective. For our listeners, there is no that's available if they want to go when we will meet more about this. Right, right, absolutely. It was the March April 2017 EPRI Journal, so that was last year's EPRI Journal, and it was Protect, Detect, Respond and Recover, that was the name of it. I think one of the key takeaways in this, this is the last bullet on the last slide that I'm giving is bringing one he's working in this area, is to do common things uncommonly well. There's a lot of areas that maybe have gotten left by the wayside, for instance like configuration management, that almost seem like eating your vegetables. Now
00:15:21 that is because that is going to become a key point in securing power generation. So everyone has a role in here, it works a lot like safety, but personally I'm optimistic that we can meet this challenge. Well, how is it that you get everyone involved? Well, that's a good question. So there's a concept known as IT/OT integration, okay. So IT is information technology, the data that moves in and out of your computer. OT is operational technology, that's when there's actually something physical going on. For instance, when you turn the key to start your car, that is operational technology, something is operating, but there's IT involved in there too, because there's data moving throughout software, sometimes it's even getting transmitted when you want it to. So the IT portion of this, the cyber security on the IT side has been very well established
00:16:21 and there's a lot of advanced methodologies when you need to get into them here, but being able to apply them to the operational technology side while still keeping those systems reliable is quite a challenge. So it involves a lot of different stakeholders. One of the things we're working on is what we call the generation reference architectures. So we're working with colleagues in the power delivery side who have been working on developing architecture methodologies for smart grid. We're taking a lot of their lessons learned and being able to reapply it on the generation side to provide a template for people who are doing a security upgrade, I'm sorry, controls upgrade, or they're applying a new security methodology, or they're upgrading their plant in general, just adding on a new component. What we're being able to do is not just make this a project that's owned by one stakeholder, but being able to simultaneously
00:17:21 bring everyone on board and understand everyone's requirements. That's where architecture comes in. Just like when you're building a house, you know, if you watch those shows and they go through the list of everyone's needs, and then there's a poor real estate agent that's got to run around and, and I love that, should do it in a very methodical way. So we're taking a lot of that research and being able to move that in there. Very important research, very timely, especially in a time that we're living in when we talk about, you know, cyber threats, cyber-attacks. Galen, again, Galen's on the phone, he is joining us from Palo Alto. Galen,
00:18:05 you're involved in work that focuses on cyber security metrics. How can the electric power industry measure cyber security risk and the effectiveness of cyber security controls? Well, closing Thursday risk and the effectiveness of security controls, it's been a long-standing challenge for the industry. So why not really actionable or they don't support key business decisions. So for example, when a company implements a new security solution, how can the value of the investment really be qualified? So I could easily calculate security investments in concrete terms. Our metrics project has been developing a set of metrics that provide
00:19:05 quantifiable information about cybersecurity to support risk management position. So they focus on natural security processing and characteristics which provide the reputable method for calculating and tracking progress towards cybersecurity goal. These metrics also increase overall accountability for cyber security security practices that need to be addressed as you may have but if not what metrics should be calculated and what data is required to calculate the metrics
00:19:48 only broken our security metrics out into three levels: operational, tactical and strategic. air mattress from the lower-level Fitch's operational role to high levels of hierarchy structure at the top of the pyramid in our system are protected by 11 tactical metrics such as threat awareness scores such as the mean time to discovery Church Apple. So there are also approximately 120 data points that provide a quantitative foundation for the metrics, and these tiers of data and scores, I think it helps a broad range of utility stakeholders gain improved knowledge about the security posture, also make informed decisions about specimens and action plans.
00:20:48 2017 with a utility structure and you're the pilot I we had from utilities sample portion of their systems collect data from the samples for your time and then loaded provided a very powerful tool to evaluate existing solutions and processes what does not. So we're hoping the security metrics increases that we can also take another very valuable hairdresser for over time. So the data metrics accumulated over time will enable more statistical analysis and trending for utilities. I think I buy this knowledge
00:21:48 able to establish realistic long-term strategies to improve their overall security posture. Is there any way to standardize these metrics?
00:22:00 We're hoping to standardize down through the overall adoption of the proposed, and we're also looking at how we can do more industry-level data aggregation fight the potential utility-scale security. recently however I think there been any baskets and Aries get the science of large-scale data collection processing, so we're researching security data aggregation utilities. Galen, if you had to summarize this in a sentence or two, your research is bringing what to the industry?
00:22:52 Charlie's to quantify the security posture and make better informed decisions on Dish Irish Cream vestment. Thank you for that, and he's doing some very important work, very necessary work. Michael, I want to go back to you. And, you know, US nuclear power plant licensees currently identify their critical digital assets and apply cyber security controls that use a variety of regulatory commitments and expert opinions, but these aren't always aligned with the real cyber risk. The research you're conducting shows this can open them up for risk, so how are you helping them mitigate that risk? The technical assessment methodology, you know, that we just discussed, you know, we take that, and we've been doing a lot of research for about 3 years now, and it's kind of culminating into a revision of the overall technical assessment methodology, and one of the elements in particular that we're adding to that is
00:23:52 exploit difficulty measurement, and that simply allows the assessment to be combined with a separate hazards and consequence analysis to really arrive at a meaningful cyber-risk value. You know, this can be used to adjust the allocation of resources, you know, to address the exploits that would really have the most consequences to the site. This process really links the exploits, it firmly links them to the consequences, and it really allows your decision makers to have a really clear view of the risk and the benefit trade-offs. Valuable information. Again, EPRI's research is really going to, I think, for the short-term and long-term provide some valuable insight into cybersecurity. I want to talk a little bit about the research that we're doing and how we will continue to support our stakeholders. So Galen, I want to go back to you real quickly, if you want to close this out a little bit and just kind of wrap up this research and how it's going to
00:24:52 support our members
00:25:04 So for the power delivery sector, we plan to continue focusing on three general research themes conversion measurement projects will help utilities develop an understanding of the impacts of security technologies as well as be able to better assess and monitor
00:25:39 Okay, thank you. And Justin, final words on how we continue to support our stakeholders in the utility industry? or we actually gave ins on the EPRI website, the publicly facing free website. If you just type in generation cybersecurity into the search bar there, you will come up with what we call a supplemental project notice, and that actually is an evolution of the work we've been doing over the past decade, that describes the framework that I mentioned before with both applied and foundational research. And this was actually born from research that we did directly with instrumentation and controls, that project had about, I think, about 20 different utilities in it. So between the two of those we have more than two dozen utilities who have been engaged with us
00:26:39 in this work, and we're progressively expanding the people that we're engaging with in utility organizations. One of the key challenges with this area, as opposed to other areas I've worked with, is a lot of times it's hard to find the one person to talk to. When I worked in maintenance, you go to the maintenance manager, go to the plant manager, but a lot of times the cybersecurity person, they've been either locked out of the plant where there is, or they're in the I&C department, or they're somewhere in IT. So it's going to be our challenge not just to do the research but also to get it to the appropriate stakeholders. So I think that's where that framework's going to come in, and like I said, people can find out more about it by just searching generation cyber security at epri.com. That's great information. And Michael, finally, we know the risk is real, the threat is real. How will our research continue to
00:27:39 support utilities? The research I've been focused on really is, like I mentioned earlier, it's really about creating a process that can provide a sustainable cybersecurity posture at reasonable cost. And, you know, we always look forward to getting feedback, you know, through either our formal user groups or our advisory committees, and so we look forward to continuing to do that. Thank you all. Thank you Michael, Justin and Galen, thanks for your time. And if you'd like to learn more about EPRI research in cybersecurity, go to and search cyber security. Until next time, we're shaping the future of electricity.

Transcribed by algorithms.