2013 TCIPG Industry Workshop - Program
Industry Panel Topics
In addition to sessions featuring invited presenters and current TCIPG research, our program will include the following panels and experts (subject to change):
Supply Chain Cybersecurity for Energy Delivery Systems
- Nadya Bartol, Utilities Telecom Council
- Ido Dubrawsky, Itron, Inc.
- Dennis Gammel, Schweitzer Engineering Laboratories
- Jess Smith, Pacific Northwest National Laboratory
Modern manufacturing in many sectors incorporates sub-components supplied from third-party sources. In the case of electronic subassemblies such as ASICs, suppliers are often offshore. Many modern devices therefore depend on a long and complex supply chain, which provides opportunities for insertion of counterfeit or otherwise compromised parts. Counterfeit parts have, for example, long been a serious issue in aircraft maintenance. A counterfeit phone charger was recently implicated in a death by electrocution. In addition to the reliability impact of counterfeit parts, the issue of compromise in the form of rogue logic is of potentially greater concern. A compromised device might function normally for a period of time, but is potentially subject to an exploit of a vulnerability deliberately inserted at manufacture. Moreover, such a compromise is extremely difficult to detect in practice.
This panel examines supply chain issues specifically as they impact the reliability and security of energy delivery systems. We examine the concerns of leading system vendors, the role of research, and mitigating measures to manage the potential risk.
Implications of Cloud Computing on the Security of Grid Systems
- Art Anderson, Pacific Gas and Electric Company
- Alvaro Cárdenas, University of Texas at Dallas
- William Hadala, iWire365
- Craig Miller, National Rural Electric Cooperative Association
- Larry Saxon, OGE Energy Corp
As is the case with other industrial and economic sectors, electric power is experiencing economic drivers that argue for the adoption of cloud computing. Already it is the case that many smaller municipal and cooperative utilities use cloud services for some of their business functions as well as functions such as meter data management. Some examples include:
- Generation and Transmission (G&T) cooperatives provide SCADA management for distribution cooperatives through a mix of on-site and cloud-based solutions
- Billing software pulls data from cloud-based meter data management systems (MDMS)
- Associations of cooperatives provide cloud-based services for office networks and functions, but not typically for grid management
These examples are considered private cloud services. Widespread adoption of the cloud for grid controls may raise regulatory issues. Cloud services offer potential advantages in terms of professional system administration, redundancy and elasticity to quickly reconfigure computational capacity in response to changing utility needs. However, there is the concern that some critical data processing takes place outside of utility administrative control. This panel will explore the degree to which utilities are currently using cloud services, what services are migrating to cloud providers, what services make economic sense, and whether the security concerns can be overcome and by what approaches. Various cloud models will be considered, including private clouds as well as “intra-clouds” owned by or operated exclusively for utility associations.
Managed Security Services for the Electric Sector
- Al Cooley, Symantec
- Phil Craig, Pacific Northwest National Laboratory
- Monta Elkins, FoxGuard Solutions
- Bill Menter, ViaSat
- William Souza, PJM
Electric power utilities, like many other businesses, usually lack deep expertise in cyber-security topics; furthermore, each utility, acting individually, can at best achieve only a narrow perspective on current cyber threats that may affect the industry. One approach that has been suggested for solving the latter problem is to develop structures and frameworks for information sharing between utilities. Another approach that is emerging outside the utility context is the use of Managed Security Service Providers (MSSPs). Large MSSPs such as Symantec and IBM use, among other things, log information from their world-wide clients to detect emerging threat behaviors, after which the MSSP’s experts help clients implement responses. MSSPs also assist clients in various industries in complying with industry-specific cyber-security standards. The purpose of this panel session is to help those in the power industry (our guests) and power cyber-security researchers (ourselves) understand more about MSSPs and their services and capabilities generally, and to consider their potential employment in the power industry, including using their capabilities in control network protection.
Executive/Legislative Actions Affecting Energy Delivery Systems Cybersecurity
- Joe Bucciero, Corporate Risk Solutions
- Don Harris, Sargent & Lundy
- Scott Mix, NERC
- Melanie Seader, Edison Electric Institute
For many years, the Government has been working on a concerted effort to protect the nation’s power grid. A tremendous amount of improvement has been made, but there is still much to do. With efforts on the books such as the NIST IR 7628 and the follow-up work from EPRI’s NESCOR initiative, there have been a lot of documents providing guidance and approaches to solving cyber security problems.
The nation sees a need for more. DHS has been focusing on wide-path critical infrastructure for many years already. Legislation has emerged in some sectors. Now, with the Presidential Executive Order (13636) and other recent actions, legislation is rapidly forming to put some stakes in the ground. A defeated bill, S. 3414, proposed comprehensive Cyber Security legislation of a similar nature. New bills continue to come forward and committees are taking a closer look at this problem.
With the emerging NERC CIP v5 standards looming, changes in compliance are on the way too. How do these work together? What is the impact? What does all of this mean for Energy Delivery Systems as a whole? How do these potential legislation and compliance changes impact the approaches to cyber security for the sector? This panel explores this area and presents a diverse set of viewpoints on the topic.