When it comes to grid security, the importance of layered defenses cannot be overstated, and while the power sector has a good overall understanding of the risk it is facing in this area, to the extent that more information can be shared from the federal government to entities and utilities, that is helpful for utilities to understand their risks and respond accordingly, said Adrienne Lotto, Senior Vice President of Grid Security, Technical & Operations Services, American Public Power Association (APPA), on Dec. 7.
She made her comments at a joint Department of Energy-Federal Energy Regulatory Commission supply chain risk management (SCRM) conference in Washington, D.C.
Lotto was a panelist at the conference that examined current supply chain risk management reliability standards, implementation challenges, gaps, and opportunities for improvement.
Other panelists were Jeffrey Sweet, Director of Security Assessments, American Electric Power, Shari Gribbin, Managing Partner, CNK Solutions, Scott Aaronson, Senior Vice President of Security and Preparedness, Edison Electric Institute, and Lonnie Ratliff, Director, Compliance Assurance and Certification, North American Electric Reliability Corporation.
Panelists were asked whether they think the currently effective supply chain risk management standards are sufficient to successfully ensure bulk power system reliability and security in light of existing and emerging risks to the cyber security supply chain.
“The simple answer is yes,” Ratliff said. “The standards provide a foundation to address and mitigate some of the supply chain challenges that we have across our industry. With this foundation, there’s always opportunities to improve so as we look at the effectiveness” of the standard, “NERC has taken several opportunities to assess those standards, bring up teams and evaluate the effectiveness and propose change to those standards.”
Lotto said that NERC and the power industry have shown a willingness to continue to partner and examine the NERC Critical Infrastructure Protection (CIP) standards as it relates to supply chain security and are continuing to do so.
As threats continue to evolve, the utility sector and NERC have also shown a willingness to evolve and take a second look at those standards and “that risk-based approach remains ongoing.”
At the same time, Lotto highlighted jurisdictional limitations to FERC “and the burden that that then places on the utilities trying to gain insight into the suppliers that they are utilizing in their systems.”
“I do believe that the standards that are in place today are effective and are appropriate,” said Sweet. “They provide the flexibility for the utilities to be able to address the risks that they realize within their organizations.”
The supply chain risk management standard requires entities to have a supply chain risk management plan.
Supply Chain Risk Management Plan
Panelists were asked to address the question of whether it would be beneficial to provide additional clarity for the supply chain risk management plan in a couple of areas.
“One is in identifying and assessing risks,” said David Ortiz, Director of the Office of Electric Reliability at FERC. “Identifying triggers that would require activation of the plan and then requirements in that plan to respond to risks that are identified.”
Addressing the question of whether the power sector needs help in identifying and assessing risk, Lotto said, “the short answer is yes.”
She said that to the extent that more information can be shared from the federal government to entities and utilities, large or small, that is helpful for utilities to understand their risks and respond accordingly.
Lotto cautioned against an idea floated earlier in the conference that proposed throwing out the definition of high, medium and low in the risk-based approach currently being used at NERC.
She warned against making a holistic change in this approach. “The NERC CIPS standards are effective. They are working and that is sound risk management practice in any sector – to understand what your high, medium, low impacts are, so a holistic change like that at this time I think would actually set us back, as opposed to enable NERC to continue doing what it’s doing with the utilities and move us forward towards greater supply chain security.”
Prior to joining APPA, Lotto was vice president, chief risk and resilience officer at the New York Power Authority, where she led a team of risk management professionals.
Meanwhile, Puesh Kumar, Director of the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response, noted that utilities “are trying to manage risk, but to do that they first need to understand the risk.”
He asked Lotto whether utilities “know the risk well enough and, if not, what are the gaps? What more could we be doing?”
Do utilities “have a good understanding of the risk that they’re managing to?”
“I would say holistically the answer is yes,” Lotto responded. There has been a “tremendous amount of work” done at the DOE, Department of Homeland Security, the Electricity Information Sharing and Analysis Center and the Multi State Information Sharing and Analysis Center “that helps to inform and provide industry insight into the risks. Now, that said, could we always do better? Of course.”
Lotto said that a recent incident involving an attack on Duke Energy substations in North Carolina “is a physical example where you see the risk in day-to-day life that the grid is exposed to, so continuing to foot stomp and provide situational awareness in a timely fashion with context and suggested solutions or guidelines, I think is important.”
She noted that APPA provides resources and guides and partners with the DOE through agreements “that enable us to do that. Particularly for the smaller members, it’s exceedingly helpful.”
EEI’s Aaronson said that “we understand the risk, but risk is always changing. Risk is a factor or a function of threat, likelihood and consequence.”
He said that “what is the consequence of something is also evolving, not just because the threat is evolving but the grid is constantly evolving.”
At a later point, Lotto emphasized the need for layered defenses when it comes to grid security. She said that while FERC and NERC have done a good job in addressing the baseline, the energy sector continues to collaborate, which includes discussing baselines and focusing on “getting even better and stronger.”
This continued coordination, not just in the regulatory arena, but also in terms of best practices, needs to continue to happen, she said.
“I think the greatest power that the federal government has is the power to convene,” Lotto said. Continuing to bring industry experts together with the federal government “to solve critical problems has to continue to evolve.”
She also said that the importance of economies of scale must not be overlooked “because individually we can’t do it alone. Our members can’t do it alone. The cyber threat, unfortunately, is advancing to the front lines where, fundamentally, our members are getting asked on a day-to-day basis to act as frontline defenders of networks and that’s an almost impossible task. They’re not set up to defend networks on a day-to-day basis from nation state adversaries that are attacking them.”
The power to convene at the federal government level, both through the NERC process “wherein they’re continuously looking and trying to evolve to meet the threat, together with best practices and advancing through groups that already exist or at the federal government level to achieve economies of scale and layered defenses is critical.”