Tripwire recently held its annual Energy and NERC Compliance Working Group. This year's attendees included more than 200 Tripwire customer utility personnel representing over 80 different registered entities from all across the US and Canada. The company sizes ranged from public utility districts and city municipalities to medium and larger-sized investor-owned utilities, including many of the Fortune 500 and 1000 power entities. Tripwire is looked to as one of the leading cybersecurity and compliance technology solutions in the marketplace, especially for utilities under NERC CIP compliance obligations. The acquisition by Fortra has multiplied our abilities, and we still conduct business as Tripwire, maintaining that same commitment to the quality of technology, services, and support. With Fortra, we're now backed by a strong cybersecurity ally that understands and is fully invested in the continued growth and success of Tripwire while also offering even broader solution capabilities beyond what Tripwire alone can offer.
This year's virtual conference opened with a keynote speech delivered by Stacy Bresler from Archer Energy Solutions. From the dawn of the IT OT convergence in the late 1980s, Stacy Bresler has been an instrumental figure, steering the technology and energy sectors toward a more secure future. Over a career spanning three decades, Stacy has consistently merged a keen understanding of information systems with the dynamic needs of operational technology. Beyond his individual roles, Stacy's passion for cybersecurity led to the birth of The Energy Sector Security Consortium (EnergySec), of which he was a co-founder. During the conference, Stacy offered a wealth of knowledge about utility cybersecurity.
Stacy is a firm proponent of the fact that we are standing at a pivotal moment in the history of the electric utility sector. For centuries, the way we generate, distribute, and consume electricity has been evolving, but the pace at which change is occurring, now driven by digital innovation, is unparalleled. The devices we use, the homes we live in, and even the cars we drive are becoming more interconnected and dependent on our electric grid every day. This transformational era, while exciting, also presents new challenges that we must navigate. These challenges revolve around ensuring the safety, security, and reliability of our electric infrastructure in this digital age.
The electric grid isn't just about transmitting electrons anymore; it's about transmitting data, and with it comes an expanded threat landscape. We must leverage technology for progress while also safeguarding it against potential harm.
We've witnessed the birth of smart meters that can communicate real-time data. "We're seeing Artificial Intelligence algorithms optimizing grid performance and digital integration, seamlessly fusing renewable energy sources with conventional ones," said Stacy. "The sheer scale and rapidness of this technological evolution have shaped the way we think about utilities – not as static services – but as dynamic, evolving ecosystems."
Doing nothing in the face of advancing technology leaves the utility infrastructures exposed and vulnerable. As our systems become increasingly sophisticated, so do the threats they face. We're not just contending with outages due to physical mishaps but an onslaught of cyber threats that could destabilize entire regions. These aren't mere inconveniences but risks that could ripple through the communities and economies in daily lives.
This brings us to the North American Electric Reliability Corporation's Critical Infrastructure Protection (NERC CIP) standards. Most energy professionals grapple with this on a daily basis. The establishment of NERC CIP standards was a clear acknowledgment of the need for action. It wasn't about standing idly by but an initial attempt to confront and address the dual challenges posed by technology and threats. Stacy expressed that this laid the groundwork, setting initial benchmarks for utilities. However, he cautioned that we must recognize it as a foundational step, a set of standards that had moderate improvements since its initial approval in 2008.
The agility with which technology continues to evolve and ever-increasing cyber threats outpace this consensus-driven process of regulation updates. This isn't a mere bureaucratic challenge but a reflection of the complexity and the myriad of stakeholders involved in the utility sector. We must consider that both NERC and CIP have an expanded role to play. They must not only set standards but also foster an environment that promotes anticipatory, not just reactive measures.
The example Stacy cites to illustrate the point is NERC CIP 13, the supply chain risk management standard. To him, the standard is not fully realized and fails to build a stronger supply chain for the industry. It has also frustrated many vendors with the plethora of questionnaires they're asked to complete on a regular, almost daily basis. Along with that, development teams have been working for years, attempting to modify the existing requirements to address virtualization, and there is still no clear approach to managing such environments securely.
The Challenge of Auditing and Emerging Threats
Stacy shared his thoughts about some of the challenges with NERC CIP auditing. He is confident that there is a better method than the current practice. "It has to start with the security assessment using the standards as the base. Focus on the purpose and intent of the standards and have qualified cybersecurity professionals perform an assessment of a utility security program overall. Define the gaps that exist and then give the utility a reasonable amount of time to remediate, and negotiable depending on the severity of the gap." He concludes that this would be much more effective than the current approach. If the remediation is not completed as agreed upon, only then should penalties and sanctions be levied.
Another potential way to improve the process is to adopt practices from other industries that have solved the same problems. Along with that, strong vendor relationships can also strengthen security in the energy sector. Finally, the industry needs to be faster to address emerging threats. When physical security weaknesses resulted in physical attacks against electrical substations, the industry acted quickly to pass laws to deter that. The resulting standard, CIP 14, was passed in less than a year. This is the only way that emerging threats will be effectively managed.
A Case Study That Proves the Value of NERC CIP
Unfortunately, some utilities have approached the NERC CIP standards in the wrong way. Stacy spoke of a prominent utility company that had the responsibility of powering millions of homes. This company was so resistant to regulations and standards that they spent many meetings looking for loopholes rather than solutions to adhere to the rules. It was not uncommon for the leadership to engage their legal team in attempts to sidestep the requirements. This mindset, coupled with an overtly dismissive attitude towards regulators, left the company not only lagging in compliance but also created strained relationships with regulatory bodies.
Externally, the organization's technological landscape mirrored its internal challenges. The company was beset with continual security issues, from virus outbreaks that disturbed operators to frequent thefts of equipment from substations. There were also multiple instances of mysterious system behaviors that bewildered even the seasoned engineers. The fallout was evident. Operational downtimes, dwindling regulatory trust, and increasing regulatory scrutiny. However, amidst this challenging scenario, there was a dedicated group within the company, comprised of compliance leaders in the cybersecurity team, who were determined to bring about change.
Recognizing the adverse effects of the prevailing attitude, they shifted their strategy. Instead of advocating actions for compliance, they emphasized solutions for the business. Their approach was incremental. They addressed immediate challenges, and by showcasing how the CIP standards offered practical solutions, they underscored their value. For instance, after mitigating a virus outbreak using a method that would be directly tied to adhering to CIP, it was presented not just as a compliance success but as a triumph for the business, demonstrating the saved costs while maintaining operational resilience. The shift in narrative began to bear fruit.
Each success was celebrated, highlighting how it aligned with business goals, reduced operational costs, and improved the company's reputation. As these success stories accumulated, a transformative change in mindset became evident. The leadership started to recognize the inherent value of not just meeting but exceeding compliance standards, which fostered a culture of proactive security resilience. This proactive approach also ultimately mended the damaged relationships with regulators. Their commitment to going beyond the bare minimum changed the company's image from a resistance entity to a proactive, collaborative partner. The lessons here are very clear.
The Future of NERC CIP
Stacy is a firm supporter of the positive future for NERC CIP.
"The evolution of NERC CIP isn't likely to come from improved requirement phrasing, or direction from the standards themselves. The evolution is going to come from how utilities adopt the purpose of the standards. From its inception, NERC CIP was developed as a framework to guide utilities in bolstering their cybersecurity postures to protect critical infrastructure from emerging cyber threats. The primary objective was, and remains the safeguarding of the bulk electric system. It's not about merely ticking off boxes or ensuring procedures align perfectly with written requirements. Instead, it's about internalizing the underlying purpose of these standards and then implementing them in ways that best serve a particular utility's unique operational context."
The future evolution of NERC CIP isn't simply about amending the existing regulations, adding clauses, or refining terms. These are essential, but the real evolution lies in how utilities perceive, interpret, and enact these standards. It's about shifting from a mindset of obligation. It is about performing tasks, not because they're mandated, but because the utility is genuinely committed, recognizing the intrinsic value of these guidelines.
The Common Threats to Utility Companies
Stacy explained that the threats to utility companies are similar to most organizations. Phishing and Spear Phishing remain the common attack vectors. The attack against the Ukraine power grid was initiated by a successful phishing email, which then allowed attackers to manipulate the grid's Industrial Control Systems (ICS). Advanced Persistent Threats (APTs) are also very common. This continuous and stealthy cyber espionage technique is often sponsored by nation-states. The well-publicized 2015 Ukraine power attack, where around 230,000 residents were left without power was a chilling realization of what APTs could accomplish. Utilities have been shown to not just be vulnerable but a prime target. Ransomware also factors into the threat landscape of utility companies. The Colonial Pipeline incident in 2021 caused significant fuel distribution disruptions across the Eastern US. These all serve as stark examples of the real-world impacts of such cyber attacks.
Other Areas of Guidance
Some other sources that Stacy recommended to improve security for utility organizations include many of the popular frameworks and guidance offered by NIST, CISA, DoE, and ISO. However, he cautions that these are to be used as guides and apply them where needed.
Information sharing is also an important component of a full security initiative. There is a heightened interdependence between various critical infrastructure entities. With the integration of the Internet of Things, devices, and the push for smart cities, that overlap will only increase. Stacy indicated that we might anticipate a regulatory landscape that is more holistic, bringing the gaps between individual sectors and offering a unified defense strategy. Additionally, the push for renewable energy sources and decentralized power generation like solar panels and wind farms might result in regulations focused on securing more novel power resources.
The decentralized nature of these sources introduces unique vulnerabilities and will undoubtedly shape the regulatory framework of tomorrow. We're already seeing those discussions happen with utility commissions in various states, and the conversations continue to talk about standards and cybersecurity requirements around these distributed network environments. Predictions about future regulatory changes and advancements include the growing sophistication of threats. That requires us to consider our defense mechanisms increasing as well. We may see a shift from broad prescriptive regulations to more adaptive and risk-based approaches that allow organizations to tailor their defense strategies based on their unique risk profiles. Further, the slow evolution of regulations like NERC CIP, when juxtaposed against the rapid emergence of threats, might lead to a regulatory paradigm that's a bit more agile.
We could envision a future where real-time threat intelligence sharing becomes not just a best practice but a mandated norm. Finally, as we've observed an increasing emphasis on collaboration between utilities, cybersecurity experts and regulators, future regulations might incorporate more collective intelligence drawing from a broader pool of expertise to ensure our defenses are as comprehensive and forward-thinking as possible.
Societal and Ethical Considerations
Stacy concluded by sharing his passion for the ultimate purpose behind the energy sector.
"The broader societal and ethical implications of our industry's actions is both timely and crucial. Our work doesn't just stop at complying with regulations or fortifying our infrastructures. It reaches into the very heart of the societies we serve. Electric utilities don't merely keep the lights on; they power hospitals, schools, businesses, and homes. We ensure that lifesaving equipment functions, that children can learn even after dark, and that our modern world runs smoothly. It's not just about providing electricity, but ensuring it's consistent, safe, and secure delivery. As such, every decision we make and every regulation we adopt directly impacts the quality of life of countless individuals. In our race to adopt the latest technological advancements, we must pause and reflect. Does the push for a smarter grid or the adoption of internet of things come at the cost of compromising security?"
Every individual working in the energy sector has a unique and pivotal role to play in shaping the trajectory of utility cybersecurity. Let's not just be passive recipients of information, but active architects of the future, where our grid stands resilient and secure.
Stacy's knowledge and his vision for a better future are inspiring and encouraging. His ability to bring together regulatory requirements with practical reasoning and purpose make him a valued professional in the energy industry. To learn more about how Tripwire can help your utility organization achieve better security and compliance, contact us here.