Critical Infrastructure Security

Keeping the lights on!

We are all acutely aware of the convergence of operational technology (OT) and information technology (IT). Awareness of the challenge arising from this convergence can be seen in the increasing homeland security efforts on cybersecurity. Especially cyber supply chain security. 

Recently, there has been an increased intensity in scrutiny of the world's electric grids. This scrutiny follows on the heels of a barrage of global news regarding the power industry and cyber resilience. A recent publication expounded on the level of the United States' preparedness, or lack thereof, for an extended operational failure of its grid. An hours-long power outage in Eastern Europe was established to be the first power outage directly tied to cybercrime. In February, researchers at the Kapersky Security Analyst Summit in Spain highlighted a unique vulnerability. They noted that remote manipulation of air conditioner shut off devices could create load surges causing targeted and/or large scale outages. 

How then do we keep the lights on? Together, we must address the risks inherent in converged industrial controls and information technology which not only impacts, but in fact, operates our grids. A key part of addressing this challenge is developing and deploying a comprehensive security strategy.  After all, our global grids truly are examples of complex and interconnected supply chains.

I was privileged to recently present to the Federal Energy Regulatory Commission (FERC) in February at its Technical Workshop on Supply Chain Risk Management. A set of key themes resonated across the statements of regulators, bulk distributors, regional utilities, educators, and private IT and OT providers present. 

Through my lens, I saw a crisp and panoramic picture: only a layered approach that drives prevention, detection and mitigation efforts against threats can be truly effective. 

To undertake a layered approach, we much first align on what our goal is. I propose that nothing short of comprehensive security must be the goal. The outcome of applying layered, comprehensive security across the IT and OT which lies at our grid's operational heart, is resiliency, privacy, data protection and trustworthiness.

A number of foundational elements can form a path to achieving this level of comprehensive security. We must embrace the goal of retaining each member of the grid's flexibility to deploy the right security in the right node of its own supply chain at the right time. The process of deploying the right security in the right node at the right time must be undertaken in a risk-based manner to ensure economic and operational viability. The goal is a meaningfully secure grid that can operate not one that is en route to bankruptcy. 

Further, it is key that we avoid relentless promulgation of new, albeit well-intended, standards, certification or accreditation schemes and guidelines. Leveraging those already in place should allow swifter implementation and broader adoption. 

Finally, weighing the existence and robustness of suppliers' own security and resiliency programs is essential. Flexibly including this as a part of procurement decisions should serve to move the security needle swiftly while retaining the benefit of proprietary innovation that suppliers bring to the table. 

In short, a comprehensive layered approach, deployed collaboratively through public – private partnership can effectively secure the grid, ensuring that we all remain “illuminated.”

Edna Conway

Edna Conway currently serves as VP, Security & Risk Officer, Azure Hardware Systems & Infrastructure at Microsoft. She is responsible for the security, resiliency and governance of the cloud infrastructure upon which Microsoft’s Intelligent Cloud business operates. She has built new organizations delivering trust, transparency, cybersecurity, compliance, risk management, sustainability and supply chain transformation.

Conway is recognized domestically (U.S. Presidential Commissions) and globally (NATO) as the developer of architectures delivering value chain security, sustainability and resiliency. She was appointed to the Executive Committee of the U.S. Department of Homeland Security Task Force on ICT Supply Chain Risk Management. Her insight is featured in a range of publications, analyst reports, and case studies, including Forbes, Fortune, Bloomberg, CIO Magazine and the Wall Street Journal.

An influential speaker and author, Conway has contributed to a number of industry-related books and presented at events/forums spanning industry, government and academia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.