The Future of Cyber Compliance: Insights from the 2019 Utility Cyber Security Forum

January 13, 2020

Conference experts share their insights and opinions on future investments and trends to ensure future NERC CIP compliance.

With the holiday season on full display in downtown Chicago, perched high above the legendary Michigan Avenue, a diverse group of ~50 cyber security experts and leaders from around the country convened to discuss the latest trends, challenges and best practices on digital security and compliance in the modern utility environment at the 2019 Utility Cyber Security Forum (UCSF).

This year’s UCSF showcased an impressive panel of speakers, ranging from utility professionals, white-hat hackers, vendors, and thought leaders. Each speaker had unique perspectives, practical applications and value-added insights on how modern-day utilities are combating cyber threats and navigating the complexity of ensuring NERC CIP compliance.

Speaking to this year’s event, UCSF organizer Dan Coran said, “This was a focused opportunity for professionals in the utility cyber security space to network and share experiences and insights. It can be challenging for utility people to interact in a meaningful way on this topic, as there is highly sensitive information being discussed. So, I am happy to be able to provide a venue in which meaningful conversations can take place, toward securing the network. Cyber security is a constantly moving target and increasingly important in today’s interconnected world, so it’s imperative for utilities to continue sharing notes, strategies and insight into what works and what doesn’t. Meeting face to face like this is a critical piece of the solution, and it was great to be able to provide this.”

The importance and relevance of this conference can’t be overstated. In a recent study performed by KPMG, 49% of power and utility CEOs said that becoming a victim of a cyber-attack is now a case of ‘when’, not ‘if’. Despite this reality, only 51% of the CEOs said their utility is prepared to deal with cyber-attacks.

As a platinum sponsor of the 2019 UCSF, Network Perception is a strong participant in and contributor to the dialogue on empowering utilities to manage network security uncertainty and compliance. Our CEO & President, Robin Berthier, presented at the conference, demonstrating how both NP-View and NP-Live enable users to simplify compliance management and achieve real-time network visibility to prevent future attacks.

In a continued effort to gather valuable insights from these top cyber security industry leaders, I spoke with a handful of the speakers to get their feedback on five underlying challenges facing the utility industry in 2020. In the following section, I highlight a few notable quotes from the featured UCSF speakers: Todd Chwialkowski (Sr. NERC Compliance Specialist, EDF Renewables), Michael Rothschild (Director of Marketing, Indegy), and Robin Berthier (CEO & President, Network Perception).

Here is what the experts told us:

1. What initiatives or risk mitigation needs are currently driving investment spend in 2020?

Michael Rothschild: “Generally speaking, I’m seeing more budget being allocated towards security & compliance solutions, with a particular emphasis on reducing risk in the area of OT and IT convergence.”

Todd Chwialkowski: “NERC requirements on our Low Impact generation facilities are driving our efforts at the sites. Physical Security, Electronic Access Controls, and TCA/RM are some of the driving initiatives.”

Robin Berthier: “The different groups inside each organization are maturing and we observe more strategic investments being made to equip IT, compliance, and security with the resources they need to be more productive and to better collaborate with each other.”

2. Any notable, current trends related to technology investments solving specific cyber security needs?

Michael Rothschild: “We are seeing increased interest in organizations deploying active detection in addition to simple passive scanning to better secure and reduce the risk associated with IT/OT convergence strategies.”

Todd Chwialkowski: “Network segmentation (control networks from business networks) is driving network costs this year. Updating our equipment (firewalls, routers, switches) is also a budgeted item for 2020.”

Robin Berthier: “Platforms that emphasize integration through standard API to easily share data with each other for better visibility are on the rise. We also see solutions to monitor security and compliance on hybrid environments, such as IT/OT or on premise/cloud-based data centers.”

3. What are your current organizational or operational issues that impact your ability to achieve NERC compliance?

Michael Rothschild: “Many people that we talk to have come to understand that you can’t secure or achieve NERC or any other compliance on things which you can’t see. Understanding what is in your OT environment and what it is doing is an ongoing challenge for most utilities. Navigating this complexity requires organization-wide accountability and a granular view into what is happening in the OT environment.”

Todd Chwialkowski: “Change can be difficult, and generation sites are extremely cost conscious. Any change requires justification, analysis and approval. The biggest hurdle that we face is the time involved with making changes.”

Robin Berthier: “Getting everyone on the same page with respect to best practices and internal processes can be a significant challenge. This requires training, awareness of compliance objectives, and continuous visibility over what needs to be done and who is doing it.”

4. Where do you see the future of best practices and standards going for NERC compliance?

Michael Rothschild: “I see the future of compliance and regulations becoming much more holistic in approach, encompassing more than just OT and possibly including the role IT and IoT play in the bigger picture.”

Todd Chwialkowski: “I see NERC continuing to review other standards to improve our strategies for the energy industry (e.g., IEEE, IEC, FISMA, NIST, etc.).”

Robin Berthier: “I think we are on the path to develop a standard set of best practices and workflows that organizations will all adopt and follow. Today, we never drive a car without a seatbelt or fly a plane without a checklist. Tomorrow, we won’t deploy a firewall without running a security and compliance checker on its configuration.”

5. What key organizational elements are needed to ensure a company culture around compliance?

Michael Rothschild: “Companies educating their employees in best security and compliance practices is step number one. Step number two is ensuring that both security and compliance are intertwined across both IT and OT, which is essential given these converging environments.”

Todd Chwialkowski: “The culture of compliance starts at the top of the organization. Having a solid compliance ‘charter’ is important so that all divisions of the organization know the importance of compliance efforts. Also, implementing Control Self-Assessment strategies helps individual departments play a role in maintaining compliance. In essence, they ‘buy in’ to the program better, because they are part of the program. Finally, balancing operations and compliance is key to the implementation of a solid compliance program.”

Robin Berthier: “Adopting a culture of cyber compliance in which IT, security, and compliance can work together while maintaining their independence is becoming the norm. It is key for companies to first equip each team with the resources they need to be efficient, and second measure the progress made towards adopting best practices.”

The Bottom Line: Greater Visibility Improves Security and Compliance

To address the complex, varied and dynamic considerations of cyber security and compliance, developing technology that provides visibility into your network, devices, methods and firewalls is of paramount importance.

This year’s UCSF conference ultimately highlighted the value the industry is placing on pursuing solutions, methods and processes to help move utilities towards an environment that embraces visibility and ensures regulatory compliance.

Please mark your calendars for next year’s UCSF conference in July 2020. Details on location and conference dates will be coming soon. Questions about cyber compliance or how to secure your network in the future? Please get in touch with us.