Recently, Tripwire held its Energy and NERC Compliance Working Group virtual event. Tripwire has customers spanning the entire energy industry, including small, medium, and large city municipals, cooperatives, and investor-owned utilities and energy companies. The information shared in these sessions offered valuable insights both for very mature customers and for new customers that are still early in their Tripwire journey.
Tripwire was acquired by Fortra (previously HelpSystems) earlier this year, allowing us to build and expand on our collective focus of providing best-in-class cybersecurity and automation software solutions, which opens the door to even broader cybersecurity and compliance technology coverage.
The user group featured speakers from a broad population of the energy sector. The topics ranged from policies that are framing the cyber defenses of the future, to a panel discussion exploring strategies for tackling the unique and often complex cybersecurity processes in the energy market, to insider tips about Tripwire Enterprise and Tripwire State Analyzer shared by some of our own product specialists.
Keynote: Sharla Artz
The event started with a conversation with Sharla Artz, who serves as the security and resilience policy area vice president for Xcel Energy, where she works with utilities, government partners, and industry stakeholders to develop policies that enhance the resilience of critical infrastructure. Sharla was also formerly the director of government affairs at Schweitzer Engineering Laboratories (SEL), where she established close working relationships with government officials, contributed insight for sound policy decision making, and was an advocate on the role of technology and grid resilience.
While it could seem unusual to have a government affairs expert speak at an energy conference, Sharla explained that the utility industry, suppliers, and government partners are all committed to the objective of protecting critical infrastructure and keeping the grid reliable and resilient. In Sharla’s words, “good policy in this space gets us to that objective of critical infrastructure protection faster or cost effectively, and gets us those better results. Bad policy though, means that entities have to possibly reprioritize projects, and investments. This could completely change planned technology deployments and it doesn't help us efficiently and effectively get to that point where we are protecting critical infrastructure and standing up and being able to withstand attacks from advanced persistent threats.”
Sharla pointed out how, over the past year, the White House has been very engaged with industries that are heavily focused on cybersecurity efforts. The Biden Administration has stepped up efforts toward interagency information sharing. This initiative was helpful in understanding and addressing some of the concerns and questions arising from executives and other stakeholders in the energy sector. This led to the CISA ShieldsUp guidance. The White House reached out to the governors of all 50 states, asking whether or not they had mandatory cybersecurity standards. There is also a ripple effect from this outreach, whereby threat environment guidance has been put in place to help small and medium-sized entities get up to speed in addressing the threat to critical infrastructure. Agencies are being given the opportunity to look at how they might use some emergency authority to satisfy these requirements.
One of the controversial approaches undertaken by the White House was the request for the electric sector to participate in what was known as the ICS 100, or the 100-day initiative. This encouraged electric utilities to deploy technologies that would provide better situational awareness of what was happening on their networks, sending anonymized, aggregated data back to a platform that the government could query in order to provide alerts to the industry based on what it was seeing in the shared network traffic. Around 155 electric utilities volunteered for the effort, and an announcement made earlier this spring stated that the initiative helped proactively identify some bad actors and potential attacks that were forthcoming, enabling the government to prevent them from happening. Other recent additions to this program include water and gas utilities.
In an even more forward-looking approach, President Biden’s national security memorandum requires the Department of Homeland Security (DHS), in conjunction with the National Institute of Standards and Technology (NIST), to develop baseline cybersecurity performance goals, originally for Industrial Control Systems. This has since expanded, but that initial focus was on ICS environments. The guidance for these cross-sector Cybersecurity Performance Goals will soon apply to all 16 critical infrastructures. While the initial guidance reeked of mandatory compliance, the many comments submitted to correct that were honored with a second draft that was a better fit for all involved.
A few questions that Sharla contemplated: Since there is currently a patchwork of existing requirements, who would oversee, and who would audit the performance conditions of each entity? Would it be done via region? Would NERC be the entity that would oversee all 50 different states? There is a lot of complexity in the details of how this would get enacted, even if the concept, on its face, is just about encouraging greater security at the distribution system level.
One thing that is clear from Sharla’s introduction to the user group is that there is cybersecurity interest at all levels and departments of government. This extends beyond the Cybersecurity & Infrastructure Security Agency (CISA). In Congress, there is strong agreement by both parties to enact stronger cybersecurity legislation for all areas of critical infrastructure.
Tripwire Energy Working Group Sessions
The sessions continued with two panels. One was hosted by three Tripwire customers, and the other offered a question and answer session with the Tripwire team.
The customer panelists delved into the question of automation in NERC compliance, specifically, how much automation is too much? In some cases, automation can help reveal gaps, but that comes with the strong warning that automation is a tool, and that it is important that the right data is being presented to the right people. The customer panelists also candidly discussed cloud adoption, alerting, real-time monitoring, and what features they would like to see in new releases of Tripwire Enterprise.
The question and answer session with the Tripwire team included David Bruce, Ted Rassieur, and Mike Betti. The team explored topics such as: what is the biggest cybersecurity challenge in the energy sector? Surprisingly, the answer was not the threat of ransomware. Another topic of concern was the speed at which the technology has advanced in the last ten years. How can a person keep up, not only with the technology, but with all the emerging threats against these new technologies? Here, the team echoed some time-honored wisdom about how to keep up with the seemingly unending swirl of developing technologies.
If you’re looking to learn more about the industrial cyber threat landscape, the relevant frameworks you can use for ICS security, and how to gain organizational buy-in for your industrial security program, you should download our Navigating Industrial Cybersecurity: A Field Guide.