EnergyTech Insights: An Intro

While we are all practicing social distancing and staying indoors, we often take for granted the modern amenities that allow us to work from home and attend school remotely; we toggle the lights, surf the internet, and turn on the TV to browse streaming options without a passing thought. Despite how comfortable society has become with these conveniences, and despite how much of a saving grace they have been during this global pandemic, real concerns still loom over the ability to keep providing these services. Even before the unfortunate rise of COVID-19 and its spread across the globe, publicly reported cyber-attacks on utilities had become a serious problem, elevating the need for robust cybersecurity for power grids and other critical national infrastructure (CNI).

As of now, the majority of the power grid remains a collection of electrical systems that are not directly connected to the Internet. Given that, it is easy to wonder how a system of metal towers, wood poles, and power lines is even susceptible to cyber-attacks; logically, wouldn't the greater threat be a physical blow to the equipment on the ground? That once might have been true, but over the past few decades, industrial control systems and smart-grid technologies have been incorporated into CNI to make it more efficient, collect better usage data, and provide a better overall experience for customers. These enhancements have also connected grid control systems to IT networks and, through them, to the Internet, so the power grid is now exposed not only to physical harm but also to cyber risk.

As the regulatory authority for bulk power systems (BPSs) across the United States, Canada, and part of Mexico, the North American Electric Reliability Corporation (NERC) has made it its mission to reduce these new risks as they threaten the reliability and security of CNI. To that end, it develops and enforces reliability standards that include mandatory cybersecurity requirements, not merely guidelines: the Critical Infrastructure Protection (CIP) standards. These requirements have evolved over time alongside changing technologies and risks.

The Reality of CNI Cyber Risks

In September 2019, NERC issued a lessons-learned document describing what is believed to be the most significant cyber-attack reported against a North American BPS to date. The incident occurred in March 2019 at a utility in the western United States: an attacker exploited a known vulnerability in the web interface of the utility's perimeter firewalls, causing them to reboot repeatedly over roughly ten hours. Each reboot briefly cut communications between the control center and a subset of field sites; generation itself was never affected. Firmware that fixed the vulnerability had been available from the vendor but had not been applied, so the root cause was a failure to patch firewall firmware. The NERC CIP standards aim to reduce the likelihood of events like this by mandating basic cybersecurity hygiene; CIP-007, for example, requires that applicable security patches be evaluated at least once every 35 calendar days. Some experts argue that protection should extend to the physical supply chain as well, because they see risk in using certain power supply components sourced from nation states such as China and Russia. The concern has reached President Trump, who in May 2020 signed Executive Order 13920, "Securing the United States Bulk-Power System," which prohibits acquiring or installing BPS equipment designed, manufactured, or supplied by entities under the control of a foreign adversary where the transaction poses an "unacceptable risk to national security." The order does not name specific countries; the Secretary of Energy determines which foreign adversaries and which equipment are covered.

What is Next?

The progression toward greater protection extends even further. Bulk power systems depend on software and technologies supplied by vendors for their operations, and NERC has turned its attention to supply chain risk mitigation, most concretely in the CIP-013 supply chain risk management standard, which requires utilities with high- and medium-impact BES Cyber Systems to maintain documented plans for managing cyber risk when procuring vendor products and services. So, while BPS companies continue to examine the security of their own infrastructure, their suppliers and software vendors are also joining the effort to keep our CNI secure. The best way for those vendors to demonstrate the maturity of their security practices remains an open question, and as IT compliance professionals, we continue to dig into this topic to understand which solutions make the most sense.

For more information, stay tuned for our series of articles about EnergyTech security and compliance.

About the Author

Kristen Wilbur

Kristen Wilbur is a Director at Schellman, with over 10 years of experience in providing IT attestation and compliance services. Over the course of her career, Kristen has evaluated risk and controls for Global 1000, Fortune 500, and regional companies, with a strong focus on the technology sector. Kristen currently leads the New York City practice at Schellman, where she specializes in SOC 1, SOC 2, ISO 27001, and HIPAA reporting. In her portfolio she also oversees large-scale engagements that include assessments around FedRAMP, HITRUST, and privacy. Kristen has a strong passion for giving back and recently helped to establish Schellman's corporate social responsibility program, SchellmanCARES.
