Cybersecurity is an intriguing topic when it comes to the Utility Industry.
During major Industry events, Utilities typically play down the topic in case they spook the Government, investors or customers, while in 1:1 discussions you will typically find cybersecurity is in the Top 3 list of what keeps the management team awake at night. That said, remember that 'security' has been an integral part of the Utility Industry DNA for decades. So while cybersecurity poses a whole new set of challenges, it's not as if Utilities are totally lost trying to deal with these challenges.
It's a complex topic, so it will be interesting to chat with many different Utility stakeholders at the upcoming #EngeratiMeets to find out what's actually going on today in the industry: what works, what does not work and what needs to be done next. At the event, I'll be facilitating the cybersecurity workshop. During the workshop it's up to the participants to collectively agree on what they see as the key challenges and issues and then to define what they believe needs to be done to address them. The after-event report should make for some interesting reading ...
Personally, I'll be most interested to find out what's going on today in the industry in relation to the following 5 items:
1> When it comes to cybersecurity, there is no shortage of methodologies, standards and recommendations out there. I participated in the EU's Smart Grid Task Force a few years back, where one of the working groups developed recommendations for privacy, data protection and cyber-security (in EG2). This and other reports have fed into work that is ongoing at EDSO, ENTSO-E, European Union Agency for Network & Information Security (ENISA), European Network for Cybersecurity (ENCS) etc ...
Over in the US, Utilities are required by the Federal Energy Regulatory Commission (FERC) to adhere to the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) ... So I'm curious to know what methodologies/standards/recommendations Utilities are actually using today, and why?
2> Intel, AMD and ARM have all invested billions into developing silicon-based cybersecurity functionalities such as hardware-based root of trust, secure boot, encryption, secure data storage etc. As a few examples, you have Intel's AES New Instructions, Software Guard Extensions (SGX); AMD's GuardMI Technology, Secure Root of Trust, Run and Move Technologies and ARM's CryptoIsland, CryptoCell, TrustZone etc ...
Are Utilities specifying such technologies & capabilities when they issue their tenders? Or is such technology just seen as too complicated or a 'nice to have'?
3> A few years back, one of the answers to the challenge of securing 'brownfield' devices was to either place a new secure gateway 'in front' of the legacy device or to 'virtualise' the legacy device / app via some virtualization or containerization technology.
So how's that going ... is anyone actually deploying such technologies?
4> Regardless of the 'cool' technology you can deploy, it's usually us 'humans' who are the biggest security challenge. This can range from people simply being careless, to social engineering traps, to an employee who has a grudge.
So what's seen as best practice these days in relation to 'human' processes and procedures to limit this risk?
5> And of course, is Blockchain / Distributed Ledger Technology seen by the Industry as having a role to play in helping secure the Future Grid?
It should be a fun few days in Vienna ... Kevin.