This article was originally published on Greentech Media by Jeff St. John
Andy Bochman, one of the energy industry’s top cybersecurity experts, has been saying for a long time that the utility industry and its regulators need to add cybersecurity to the list of long-established categories of risk -- safety, reliability and financial security among them -- that they attend to every day.
Now the former IBM energy security lead is starting his own security advisory service, Bochman Advisors, that’s aimed at bringing that vision to leaders in the energy and utilities sector.
Bochman, a former U.S. Air Force Academy instructor and security consultant to the federal government and defense contractors, has certainly chosen an opportune time to make this move. With smart grid technology transforming the utility sector’s approach to cybersecurity risk assessment, and energy industry regulators and the Obama administration bringing an unprecedented focus to securing the country’s critical infrastructure, the industry is on the verge of a major transformation in how it secures its grid assets, from power plants and substations to smart-metered customers.
We spoke with Bochman just after his departure from IBM to ask him about his new endeavor, as well as to have him lay out the chief challenges facing the utility industry, smart grid vendors and the government agencies that regulate how cybersecurity should be incorporated into every level of the energy enterprise. We also asked him to provide a brief overview of the latest steps being taken to set up frameworks for measuring the current state of utility security, from technology and grid operations to workforce training and C-suite cost-benefit calculations.
Those include a recently released cybersecurity draft framework from the National Institute of Standards and Technology (NIST) laying out proposals for how to translate President Obama’s February executive order on cybersecurity preparedness into discrete actions that utilities and state regulators can put into practice. Along with this draft document, we’re seeing ideas emerge from public- and private-sector stakeholders on how utilities can find ways to pay for mitigating these as-yet-hard-to-calculate risks, fromfederal grants and cybersecurity insurance to the potential for utilities torecover costs via rate cases at the state level.
All of these developing issues make seeking expert opinions on how to proceed more important than ever. Here's what Bochman had to say about it.
GTM: What's the state of the utility and energy industry's preparedness on the cybersecurity front?
Bochman: There are so many utilities -- approximately 3,500 -- and such a wide variety of utilities across the U.S. that it takes an uncomfortably broad brush to paint an answer to this. But in short strokes, I'd say, in the aggregate, better than often portrayed in the press, and improving. But as they are so interconnected and interdependent, we want most, or all, of them to be pretty solid.
It’s also hard to say for sure, since there's as yet no consistent way to ascertain or communicate readiness or lack thereof, short of the NERC CIPs [the North American Electric Reliability Corporation’s regulations on Critical Infrastructure Protection]. NERC CIPs apply to only a small portion of the grid and are not assessed consistently from region to region, making a holistic appraisal of the U.S. or North America very difficult. Many are opposed to security metrics and measurement approaches for a variety of reasons. But even if imperfect, I believe they'd be a boon to senior utility management and might help us get a more accurate snapshot of the current state.
Certainly, the utilities are later to the cybersecurity game than others whose businesses demanded they get engaged much earlier. The telecom guys -- the internet lives on their infrastructure, that’s how they run their business, it is their business, and its one of the primary conduits for attack. From the very earliest days, if not of computing, but of internet networking, their business demanded it. The same goes for Wall Street, where the access to real cash dollars is relatively proximate for a would-be attacker with dollar signs in their eyeballs to have compelling reasons to go after them -- as they have. Ever since ATMs and online banking, those guys had to up their game immediately. And they’ve organized accordingly.
GTM: What constraints exist that prevent cybersecurity from being taken seriously by utilities, or prevent them from getting focus on the amount of investment needed to get to where we need to be?
Bochman: Constraints here are similar to other capital-intensive industries. Utilities are used to managing many kinds of risk, including those from market and financial fluctuations, fuel costs, storms and fire, even vegetation. Cyberattacks and malware, formerly viewed as nuisance-level threats to IT systems, are understood and managed like in every other sector. But the strategic nature of the threats to operational technology (OT) systems is new to them, and because it’s often described in overly technical terms, is largely opaque to senior management. All are adapting to this new reality, some quicker than others.
It’s important for the senior management and the boards to have a better understanding of every risk category. They don’t have to go back to college, but it’s contingent on them taking a step toward the security professionals and improving their own understanding, whether its through some type of appropriate training, some book study, some tutoring, to get better and not push off all this stuff. On the other hand, what’s often been presented to them has not been adapted all that well to them. If I’m a security guy, and my head is full of ones and zeros, it’s incumbent on me to speak in a language they understand, to translate security issues into the language of business and risk management.
Lastly, the traditional business model rewards them for large capital investments like new generation machinery and new power lines. Cybersecurity spending doesn't make them any money -- that's true cross-sector. Calculating the likelihood of breaches and potential impact of the threats is what's in flux. Remember: the highest values in this sector are reliability and safety. When the incentives are working as intended, everything else comes after that, including profits. And, if cybersecurity comes to be seen as important or essential to reliability or safety, it will get much more attention.
GTM: What are the emerging ideas, particularly coming out of the process set in place by the White House's cybersecurity for critical infrastructure executive order, that might help address these constraints?
Bochman: Whenever something like this is being worked out, there’s a lot of contention, a lot of different opinions from people with different backgrounds. It’s like what they say about compromise -- a really good compromise satisfies no one, but all are equally dissatisfied. The key term there is "equally."
They seem to recognize out of the gate that if they focus solely on operational security matters -- and that largely means technical issues on the IT side, and to a certain extent, on the OT side -- that they could make the best plan or framework, but if they don’t have senior management buy-in, it wouldn’t get prioritized, it wouldn’t get funded, and it would wither on the vine. Since the first workshop, they’ve said that one of their main objectives is to solicit and speak to executive-level concerns, and encourage them to be part of the process.
I think this preliminary draft really makes that clear, that the whole process begins with executive-level input on the mission of their company or organization, and their risk tolerance. Even the best cybersecurity program cannot reduce cyber-risk to zero. It’s all a question about how to, with some fidelity, first determine what your tolerance for risk is in general, and then calibrate your efforts in accordance with your risk tolerance.
GTM: What about how to pay for it?
Bochman: Whatever comes out of the NIST CSF [the NIST cybersecurity framework] process -- and these are guidelines, not mandatory, right now -- they will suggest that utilities begin doing things they are not currently doing. It presupposes that the status quo is not adequate, and that every utility, whether they’re the biggest one or the smallest one, whether they’re forward-leaning on cybersecurity, or backward-leaning or somewhere in the middle, will see things that they’re interested in doing that they’re not currently doing. That may require additional spending, in terms of reworking processes, or in terms of technology.
Where’s the money going to come from? You’ve seen articles already that say that some utilities are petitioning to build the compliance cost of NIST-CSF into their rate cases. In the past, as I’ve said with the California example, they could say that as part of a smart-meter rollout, a certain percentage of that goes to cybersecurity. I’ve mentioned citizen groups asking, 'What do we get out of that?' I think what they get out of that is a potentially more reliable system.
Utilities are going to try to see if they can use this to get cybersecurity funding in a more formal process. The important note is that, I think they’re asking for that to be arbitrated at a federal level, but ultimately rate cases are ruled by state PUCs. So I think the federal input to this could add heft to this petition. But it’s ultimately the states that get to decide, and that’s 50 different groups of different-minded individuals. I think, without being too harsh on them, that their capacity to rule on the appropriateness of cybersecurity spending proposals from their utilities is limited. As part of my new practice, I’m hoping to help educate the states, help them ramp up with improved cybersecurity capabilities, so they can better play their governance and oversight role.
GTM: How much of the cybersecurity challenge lies in technology, and how much of it lies in the human, social and organizational side of the equation?
Bochman: A lot of it is technical in nature, including how to best partition networks to make the attackers' jobs more difficult, how to keep systems patched in a timely manner, ensuring encryption is used appropriately to protect data, ensuring good identity and access management controls are in place (I could go on for a while). And this is where the focus has largely been, without a lot of rhyme or reason.
What would help at this stage would be more emphasis on enterprise-wide cybersecurity policies set to achieve specific risk-reduction goals. That means centralized authority and accountability for IT and OT security, which could provide senior leadership with a better apples-to-apples view of security risk and controls across the whole company, including for the larger utilities, across multiple states and multiple lines of business. These are too often siloed at present.
Lastly, but maybe most important to drive the types of change just described, a visible increase in security understanding and awareness at the highest levels of management could spark culture change that would see every employee increase their vigilance and shore up their often-unsafe online behaviors: casual use of USB drives, clicking on links in phishing or spear-phishing emails, etc. This could be modeled on the way safety awareness permeates every aspect of utility culture.
GTM: What are the dangers of keeping to business as usual on this front?
Bochman: Business as usual is where there is a huge amount of complexity in utilities’ systems, their systems are being increasingly interconnected, they’re growing their attack surface in security terms -- more ways in, and easier ways in, for bad guys. Without an understanding of how security is a part of all business decisions -- I’m going to link with a new partner, I’m going to start buying cloud services, etc. -- they will continue to add complexity, and it will make the job of securing all of their assets that much harder.