USEA
In early December, the United States Energy Association hosted an illuminating panel on Cyber Risk Management Through Measurement. This discussion, hosted by Sheila Hollis, Acting Executive Director, U.S. Energy Association, and moderated by Andy Bochman, Senior Grid Strategist, Idaho National Laboratory, picked the brains of some of this industry's leaders, following the success of USEA's fifteen-part series on cybersecurity and digitalization.
As the world increasingly relies upon technology and grounds itself in the internet, cyber risks can threaten organizational security and present challenges even on an individual level. With the growth of the utilities industries intertwining with cybersecurity, it has become paramount to quantify these potential threats. The PUF Staff listened in and here you will find excerpts of what the cyber experts are saying.
Principal Cyber Risk Advisor, Threat Operations Center, Dragos, Jason Christopher: You cannot protect what you do not know. When we talk about the industrial space, the operational technology, the OT part of the equation, that is difficult for a lot of organizations, especially if they're just getting started in measurement or management of that problem.
If you talk to your engineers, they may say, yes, I know what that equipment is, but do they really? If you don't have data, how do you know? If you don't have the visibility, how can you ascertain?
Our platform passively looks at what those assets are. That's important because in IT, they'll talk about active scanning, and a lot of other technologies that don't work in the OT industrial space.
If you run some of those IT tools, you may have a reliability event as a result because this technology is decades old in some cases. It's not used to some of the new technologies or new scanning techniques that are used in IT specific pieces.
Not everybody has the expertise they may need to respond to these types of incidents. A lot of people don't have the classic training that comes with cybersecurity in the industrial space because it is a relatively new niche and new industry.
CTO and Co-Founder, BitSight, Stephen Boyer: About a month ago, the NSA did a rare and unprecedented action where NSA announced twenty-five vulnerabilities they were observing being exploited by nation state actors.
NSA put out that list to warn people, hey, if you have these, you need to remove them, patch, or update those systems, because those systems are at risk. Part of our measurement we do at BitSight is an internet assessment. We call that internet census. We go and communicate with these systems in a non-intrusive way, and try to determine, are they vulnerable to these?
SVP, Strategic Accounts, Axio, Brendan Fitzpatrick: Once you know what is uniquely at risk for your organization, the next step would be to understand how prepared you are to meet that exposure. We conduct cybersecurity program assessments.
Where we are unique from some of our competitors in this space is, we bring in insurance. We're helping organizations understand if they have the financial wherewithal to survive a significant cyber event. After we've looked at what your exposure is, we can compare that to the insurance coverages and determine if you have the right limits and coverages in place. Once you have that information, you can make decisions about how to prioritize what you need to do next to plug gaps.
Technical Director, ICS & SCADA, SANS, Tim Conway: SANS primarily is a cybersecurity training institute, and stands for System Administration Audit and Network Security. While we do cybersecurity training courses, we also have an arm of the organization that does credentialing and certification.
Q&A Session
Senior Grid Strategist, Idaho National Laboratory, Andy Bochman: Utilities and other industrial organizations may already manage risks related to safety or reliability. What's different about cyber risk?
Principal Cyber Risk Advisor, Threat Operations Center, Dragos, Jason Christopher: When we talk through risk, it's a discussion for utilities as to what can impact our operations. That's the thing we care about the most, and why we prioritize reliability, and reliability risk as a construct. There are already measurements and metrics you can do, and that we have been doing for decades.
We've been managing electric operations for over a hundred years. We have not had that same focus on cybersecurity, because it's a relatively new industry.
There are loads of data we have, when we think about the physics of the grid, that we're good at. We're good at balancing things because the physics equation to balance the grid hasn't changed. The physics is not going to change, whereas the cybersecurity questions constantly evolve over time, so it requires people to have more of a pulse on it.
But going back to the first question you posed was, do you know what assets you have? That's from a cybersecurity perspective. Do you know what computers are connected to the relays, to the breakers, to the things that are keeping the grid moving? If you do, do you understand how they're communicating?
Do you understand their cybersecurity problems with it, therefore trying to create the right measurements to link back to the things we're talking about today? The answer is normally no, because the industry is evolving and getting more mature over time, compared to the safety and reliability aspects that we've been doing well over the past hundred years.
Senior Grid Strategist, Idaho National Laboratory, Andy Bochman: It seems like everybody, at least in my world, has been talking about attempting to legislate issues related to supply chain. What are some of the most effective strategies to engage with third party suppliers?
CTO and Co-Founder, BitSight, Stephen Boyer: You need a program that has buy-in at the organizational level, and you have to recognize this as a real risk impacting you. May I suggest some principles around what you might build that program and strategy. One would be partnership and collaboration; you do not want this to be adversarial. You want to be a partner with supply chain suppliers; it could be hardware; it could be all sorts of software services.
Second, that question is around timing, early and often. The earlier you're engaging, the more likely you are to influence changes in behaviors, processes and controls, and often because this world is dynamic.
Issues that didn't exist before, may exist now, or vulnerabilities that hadn't been present before are present now. This is dynamic and changing. It's not a set and forget. Often times people would onboard a vendor or a supply chain partner. They would do their diligence, but then things change in five years.
The third one is to come with data and measurement. That's the theme of what we're talking about. That's something where we specialize, is to be able to show where there may be gaps or issues in a program.
Senior Grid Strategist, Idaho National Laboratory, Andy Bochman: Why is incorporating risk quantification in the cyber program a good idea? What are the benefits of doing this?
SVP, Strategic Accounts, Axio, Brendan Fitzpatrick: Often when people think of risk quantification, they falsely believe they need other processes in place before they get to what they consider a more senior activity. It's going to help whoever's performing those responsibilities elevate that conversation around cybersecurity to the business level.
Instead of standing in front of the CFO and CEO with a spreadsheet, with twenty-seven thousand vulnerabilities on it, you're going to be able to say, these are the five or six things I'm concerned about. This is where it's going to cost the bottom line. You're now speaking the love language of the senior leaders in your organization, and they can compare those operational risks you're presenting to risks across the business.
Senior Grid Strategist, Idaho National Laboratory, Andy Bochman: To what extent are measurement and metrics used in the NERC CIP program that we've all heard something about?
Technical Director, ICS & SCADA, SANS Tim Conway: Even after auditors come into an organization and conduct the five-day audit to the NERC CIP standards, looking at each requirement, each measure, they're leaving saying, we found no violations because they've only been there for a certain period of time. They've only looked at a certain set of your devices or your assets.
The real measuring stick comes when the auditors make recommendations on how to improve your programs when they say, if we return and you're doing this the same way, we may be issuing a possible violation.
Because, on the couple of things we sampled, you were able to sort of convince us with stacked evidence that things were good, but in reality, if we looked at every single device, we probably would be able to find something if we were here long enough.
That measuring stick comes from recommendations from entities that are running a continuous improvement program, and they're finding more and more violations. That's where this contrary view counts, meaning from a board or a stakeholder level, that's the message that needs to be delivered.
If we're running the best program, our metrics are fantastic, and we're doing continuous compliance and monitoring, we are going to find more violations. That's a contrary feeling, because the message for years has been, everything is working, we're compliant. The reality should be, in a zero-deficiency program like NERC CIP, you're going to find violations if you're running a leading-edge continuous improvement program.
Lead image: CTO and Co-Founder, BitSight, Stephen Boyer
Category (Actual):
Department:
