The U.S. electrical grid is old, essential, and under a lot of stress. Plenty of efforts are being made to modernize where we get our energy from, how we transmit it, and — in the event of cyberattacks — how we secure it. While securing the nation’s energy infrastructure is as important a goal as figuring out how to find new sources of clean energy, what’s intriguing to me is how utilities are a good example of how old-line industries are dealing with the increasing amount of technology and the risks associated with that technology.
On the security side, Fortress Information Security has announced a new framework designed to help U.S. utilities secure their connected infrastructure from attacks. Together with partner American Electric Power, the cybersecurity company has launched the Asset to Vendor Network (A2V Network) as a way to understand the risks facing all vendors selling products to electric utilities.
The framework is a response to both the rise in the number of security threats against the U.S. energy industry as well as a response to recent regulations that force utilities to lay out the risk they face of a cybersecurity attack.
The A2V Network is essentially a clearinghouse of completed questionnaires through which electrical industry vendors lay out their cybersecurity practices. That’s because, under new federal rules, vendors such as GE, ABB, and even smaller companies providing regional products and gear are required to fill out such questionnaires so that customers will understand how each of them approach cybersecurity.
The questions cover everything from lifecycle management to the use of trusted computing modules on hardware to over-the-air updates, how employees are screened, and more. A vendor has to answer these questions for each utility they want to work with. In the U.S., there are more than 150 utilities that will be governed by the new rules. That’s a lot of questionnaires!
Alex Santos, the CEO of Fortress, says his company created the framework because there were so many different parties involved in the electrical grid — each with a different level of sophistication around cybersecurity — that it made sense to offer one centralized place where vendors can to go to fill out a questionnaire and where utilities can go to find compliant vendors.
Santos compares the effort of securing the electrical grid to the effort that residents undertake as a community to secure their neighborhoods. While individual residents might lock their own doors, the entire community also has an interest in hiring a police force to monitor the streets. In his example, the A2V Network is the community effort aimed at improving safety overall, not just on an individual basis.
For this to actually work, however, the framework needs input from both utilities and vendors. It also needs a way to tell companies that aren’t compliant how to get into compliance using basic cybersecurity practices. Santos says recommendations are part of the framework. Fortress makes money when it adds members to the framework, but doesn’t necessarily profit when someone decides to implement the framework’s recommendations. Companies don’t need to hire Fortress to remediate any issues. Of course, venders serving the utilities could hire Fortress if they so choose.
Cybersecurity is so complex and such a hodgepodge of best practices and standards that it’s not surprising that so many entities are getting hacked these days. A regional hospital or small-town government doesn’t have the resources to create a highly secure environment. And yet, as criminals are now aware, the more institutions become dependent on technology, the more any holes in their respective security systems present a potential catastrophe in which computers are taken over for ransom or probed for user data. In some cases, malicious actors might even hack into a system to actively destroy it.
The energy industry is prey to all of these trends, and is such a key element of the economy that protecting it is keeping plenty of people up at night. But for those utilities not focused on security risks, bigger concerns are climate change — in particular, finding clean sources of energy — and reducing energy use overall. Here, utilities are also looking to the tech industry for ways to solve their problems.
For example, the Linux Foundation has created LF Energy to help drive clean energy efforts at utilities using open-source software and collaborative development. Most utilities are traditional enough that the idea of open-source software is scary and verboten. But LF Energy has been educating the industry on open source and has members in the energy/tech sectors that are starting to embrace it. So far, the LF Energy group counts among its members only a few utilities and grid operators (Germany’s Alliander is one, as is a French electrical distributor), but it’s a start.
As modernization hits old-line industries, we’re going to see a growing number of them embrace solutions from the technology world that can help drive more rapid innovation and the scale to quickly adapt to new threats. The energy industry is just one example, but it’s a good one.