Utilities are gearing up to meet the security requirements laid out in the Critical Infrastructure Protection (CIP) Security Compliance Standards: NERC Critical Infrastructure (NERC-CIP) standards and waiting to see how a presidential executive order, also designed at securing bulk power systems (BPS), shakes out.
That’s created an opportunity for the Asset to Vendor Network Power Utilities (A2V) to step in to protect the supply chain and help utilities nationwide share critical information on cybersecurity risk. A2V, aiming to be a membership-based forum that facilitates information sharing among utilities and the vendors that serve them, picked up its first new partner – Southern Company – earlier this summer.
“Utilities have a long history of working together to overcome challenges, and securing our mutual supply chain through A2V is just the latest example,” Tom Wilson, vice president and chief information security officer for Southern Company, said at the time. “A2V offers the opportunity for companies to collaborate and help share expertise and best practices.”
Spearheaded by Fortress Information Security and American Electric Power (AEP), A2V seeks to secure the supply chain, something that Fortress co-founder and CEO Alex Santos said utilities are uniquely positioned to do.
Utilities are “the police department of the supply chain,” Santos told SC Media, explaining that A2V keeps them from having “to hire people or buy technology by leveraging what the industry is doing.”
A2V says it will help utilities reduce overall operating and maintenance (O&M) costs associated with cybersecurity compliance; access a substantial library of completed vendor risk assessments; and contribute to a national cyber risk assessment library for utilities.
SC Media caught up with Fortress Vice President of Energy Security Solutions Tobias Whitney to discuss how utilities can prepare for the new CIP standards and the yet-to-be finalized executive order.
We’re less than 60 days out from having the new CIP standards take affect. What are you seeing in terms of readiness among the companies that keep the grid running?
We are seeing utilities identifying ways to improve their supply chain program. Many utilities have a third-party risk program, but they are unsure how effective or efficient it could be to meet the NERC CIP standards. Many utilities have contacted us to help automate and improve their program as we get nearer to the go-live date. October 1 is the deadline in many ways, but many utilities view it as a start date for long-term investment in the management of the risk of suppliers, vendors and manufacturers.
The comment period on the Trump BPS EO is underway. It seems like the EO is taking shape in real time and this period will be critical in shaping how the EO is carried out. What’s your sense about the conversation on the EO? How important is this comment period?
Our sense is that the executive order is engaging the industry to identify best practices that extend beyond what is required by the NERC CIP Standards. Electric power companies have contacted us to learn more about our abilities to identify and map the foreign origins of critical Bulk Power System vendors and their products. Our ability to inspect a grid software or system’s foreign ownership, control and influence (FOCI) at the subcomponent level, in our opinion, is a key aspect of the executive order and industry’s means to mitigate the risk of foreign advisors. By analyzing risks at this level, we can help ensure that utilities have the ability to make informed decisions about whether a supplier’s FOCI risk is acceptable for use on the grid – the heart of the executive order.
How can the partnership between Southern AEP and Fortress help utilities prepare for the new CIP standards coming in October as well as the White House executive order for utilities, which is still taking shape now?
I want to preface [this] by saying is that the executive order has not been fully finalized. The industry is aware of some potential expectations. One is to limit procurement from foreign adversaries and, potentially going forward, to go back and look at their installations to determine where certain equipment has been sourced. In addition to what we’re doing to help folks be compliant with the CIP standards for utilities, [we’re trying] to give [companies] more visibility into who their vendors are [and] where those vendors have operational or manufacturing facilities, [and help them] understand the security profiles of those vendors so that they can make informed decisions about procurement and contracts with potential service and product equipment vendors.
As we work with our utilities (we treat them as our partners), as we evaluate vendors and their products, that information becomes accessible to any of Fortress’s asset vendor members. Any member utility that becomes part of the program will now have access to that same content of vendors’ security profiles and their products. That allows for [organizations] to have a much greater level of efficiency when determining who to engage with in terms of procurement processes, and allows them to more effectively mitigate and manage risks for any findings that may result from these assessments so that they can more effectively apply security for those vendors and those products as they’re being implemented within their environment. It greatly improves the effectiveness and efficiencies of assessing and evaluating vendors.
How does this association help boost security on the vendor side of the equation?
It provides a more effective, more streamlined means for vendors to allow them to improve their security profiles. As opposed to every utility going out and communicating issues and concerns to their vendors, we provide a strong amount of feedback to the participating vendors to help improve their supplier security practices. The other benefit is through the various risk assessments to have that understanding of geopolitical influence. To have an objective assessment of what those foreign influences could be will allow for our customers to more effectively engage their vendors to determine specific whereabouts about any potential adversarial threats in the product space.