AI Magazine Issue 10 2018

Acquisition International - Issue 10 2018 57 Annabelle Lee is the Chief Cyber Security Specialist at Nevermore Security. Additionally, Annabelle has over 40 years of technical experience in IT system design and implementation and over 25 years of cyber security design, specification development, and testing. Annabelle takes time out of her busy schedule to provide us with an overview of cyber security within the energy sector specifically. ver the last 15 years, I have focused on cyber security for the energy sector. During my career, I have authored or co-authored many documents on cyber security, cryptography, and testing. I began my career in private industry concentrating on IT systems specifications, software testing, and quality assurance. After working in the private sector, the US Federal Government, and the Electric Power Research Institute (EPRI), I decided it was time to go out on my own. My current focus is on cyber security for the energy sector and concentrating on operational technology (OT) devices. My areas of expertise include cyber security: • Strategy and risk management • Design and architecture • Specification, guidance, and requirements development • Assessments against standards • Training • Applied cryptography Cyber security in the electric sector is challenging for several reasons. The current grid consists of legacy devices, some 30-40 years old, and new technology. These older devices do not have cyber security controls because they were built and deployed before this was a concern. In addition, as the grid is modernized, devices and systems are more interconnected and there is increased two- way communications. This results in an increased attack surface that may be exploited. Also, with the increased use of off-the-shelf devices, there are more potential vulnerabilities that could be exploited. Contact: Annabelle Lee Company: Nevermore Security Address: 4826 Cloister Dr. Rockville, Maryland, 20852, USA Telephone: 0012402043258 Web Address: www. nevermoresecurity.com A Closer Look at Cyber Security in the Energy Sector O 1810AI49 Within the power industry, the priorities are reliability and availability. This means that even if there is a security incident, you can’t shut down devices or island devices. The power still has to flow. This is different from the IT environment. Also, because reliability and availability of the grid are the highest priority, there are some cyber security controls typically used in Information Technology (IT) devices that are not appropriate in the electric sector. For example, performing penetration testing and vulnerability assessments on OT devices could cause them to “brick” or shut down. Because of the constantly changing technology and threat environments, I believe it is important to “live” in two different environments – applied research and the operational environment. On the applied research side, I participate as a technical advisor for several Department of Energy (DOE) laboratories and the North American Energy Standards Board (NAESB) and as a research/advisor on several DOE projects. On the operational side, I work with utilities who are improving their capabilities related to cyber security for the OT systems. Grid modernization is important world-wide – with the deployment of photovoltaic (solar panels), wind farms, and micro- grids – and the new technology is necessary. I primarily work with utilities in the US, Europe, and Eurasia in the generation, transmission, and distribution domains. The utilities range in size from very small to large and all are addressing the same cyber security issues. Because utilities do not have unlimited resources, including personnel and funds, they need to prioritize the risks and the systems and begin addressing the highest risks. To ensure the availability and integrity of the new technology, cyber security needs to be addressed. What makes this more difficult is that the attackers only have to be right once when they exploit a vulnerability; we have to be right 100% of the time. Cyber security attacks will happen – and the electric sector is determining how to ensure the resiliency of the grid even through an attack. All of the issues and challenges described above, are what makes this a fascinating field. Additionally, working in this critical infrastructure where I can have an impact is great. “Cyber security in the electric sector is challenging for several reasons. The current grid consists of legacy devices, some 30-40 years old, and new technology.”