3 Strategies to Increase Resilience
Pages 29-46

From page 29...
... While complexity is the enemy of security, adding security measures to electric infrastructure is anything but simple, Dagle said. Utilities and the country as a whole are challenged to determine when and
From page 30...
... Speakers included Joy Ditto, Utilities Technologies Council (UTC); Mark Adamiak, Adamiak Consulting; Samara Moore, Amazon Web Services; and Tim Roxey, formerly of the Electricity Information Sharing and Analysis Center (E-ISAC)
From page 31...
... In addition, many utilities are adopting new cybersecurity mechanisms for their operations networks. Examples include trusted platform modules for SCADA remote terminal units; password management systems and key distribution centers that take the human element out of password protections; and the use of secure communication protocols such as Secure File Transfer Protocol, Secure Shell, virtual private networks, PUSH mechanisms such as data diodes, the industry's own protocol IEC 61850, and routable Generic Object-Oriented Substation Event (GOOSE)
From page 32...
... Moore expressed her view that cloud services can support utilities' security objectives, including those related to regulatory requirements. Cloud infrastructure is built to meet very secure standards, is tested on multiple frameworks to meet multiple global requirements, and supports government, academia, and large enterprise customers.
From page 33...
... Discussion
Panelists and participants discussed the effectiveness of existing defense mechanisms, policy and regulatory issues, and system-level solutions.
The Effectiveness of Existing Defense Mechanisms
Dagle and Granger Morgan, Carnegie Mellon University, asked panelists to elaborate on the use and effectiveness of existing defense mechanisms such as air gaps and firewalls.
From page 34...
... David Batz, Edison Electric Institute, expressed concern that some utilities may feel forced to use cloud services, and Anjan Bose, Washington State University, asked how utilities could reconcile cloud services with their culture of owning physical systems. Moore answered that it is best for utilities to collaborate with cloud service providers and regulators to identify specific challenges, create implementation guidance, and revise existing standards to clarify how utilities can use cloud services.
From page 35...
... • All parties benefit when the relationship between industry and government is collaborative rather than adversarial. Cynthia Hsu, National Rural Electric Cooperative Association (NRECA)
From page 36...
... Marc Child, Great River Energy
Marc Child, information security program manager at Great River Energy and chair of the NERC Critical Infrastructure Protection (CIP) Committee, shared perspectives on NERC's CIP regulatory standards, enacted after the 2003 blackout in the Northeast United States.
From page 37...
... Joe McClelland, Federal Energy Regulatory Commission
Joe McClelland, FERC director of the Office of Energy Infrastructure Security, discussed FERC's approach to utility security. Just as the electric power system comprises several interdependent infrastructures, FERC's purview intersects with the authority of several other government agencies.
From page 38...
... He also quoted a 2019 statement,2 referenced earlier by Stockton, in which Director of National Intelligence Daniel Coates asserted that China has the ability to disrupt U.S. natural gas pipelines through cyberattacks: China has the ability to launch cyber attacks that cause localized, temporary disruptive effects on critical infrastructure -- such as disruption of a natural gas pipeline for days to weeks -- in the United States.
From page 39...
... However, he cautioned that our adversaries cannot be depended on to follow the same rules of war, underscoring the critical importance of staying prepared for an attack that does target critical civilian infrastructure.
Discussion
Participants discussed the role and appropriate scope of standards, along with what steps could be taken to create a culture of security.
From page 40...
... Cynthia Hsu, NRECA, asked whether there were lessons learned from how the NERC CIP standards have or have not worked that can inform conversations on extending it beyond its current base of covered entities. McClelland pointed out that the electricity subsector is very mature and capable, in part due to standards, but also because of longstanding exchange between government and industry.
From page 41...
... Kevin Stine, National Institute of Standards and Technology
Kevin Stine, leader of applied cybersecurity within the NIST Information Technology Laboratory, described how NIST helps organizations apply standards, guides, and practices in order to better understand and manage cybersecurity risks. NIST is a nonregulatory agency, so its standards are voluntary and consensus-based, not mandatory.
From page 42...
... The Framework has three key focuses: the alignment of an organization's business processes with its cybersecurity capabilities and technologies; recognition of interdependencies among organizations, sectors, and shared infrastructures; and the imperative to increase resilience, which is defined as post-attack response and recovery mechanisms that best position an organization to continue critical operations. In addition to its cybersecurity expertise, NIST supports standards and tools for energy sector operations, including smart grid technologies.
From page 43...
... She described how the 2011 standards-based Roadmap to Achieve Energy Delivery Systems Cybersecurity5 helped inspire new technologies to help utilities withstand a cyber incident. She emphasized the importance of grounding innovations in utilities' control, operational, and energy delivery systems in order to enable attack recognition and "self-healing" capabilities whereby a utility can sustain critical functions even if compromised.
From page 44...
... Bose added that electric power systems comprise many layers of equipment, with devices constantly being added at the grid edge, and that each additional layer increases the attack surface. Hawk agreed that grid-edge IoT activity requires close attention and noted that DOE is actively working to address needs at the grid edge through generation, transmission, and distribution, including in the IoT realm, but reiterated that DOE is not a regulatory agency and that she could not comment on the potential for standards and regulations in this area.
From page 45...
... Bringing Security into Education and Training
An attendee from Oak Ridge National Laboratory raised the need to better incorporate security awareness and expertise into relevant educational programs. Amir agreed, and noted that the computer science field does not consistently teach basic security skills.