We’ve all heard about cyberattacks on corporations, but when those attacks go after critical infrastructure, such as the energy grid, it can affect every person in the country. At the Modern SOC Summit, Pete Tseronis, former CTO at the Department of Energy (DoE), had a lively discussion with Adrienne Lotto, Chief Risk and Resilience Officer at the New York Power Authority (NYPA), and David Wells, Senior Advisor at the Department of Energy Office of Electricity, about current and future challenges of securing critical infrastructure.
Risk and resilience
To begin the discussion, Adrienne discussed the synergy of her dual responsibilities covering risk and resilience at NYPA. While she manages traditional risk management, such as identification, mitigation, and transfer, she also focuses on how best to make NYPA more resilient. Going beyond business continuity or disaster recovery planning, NYPA’s resiliency efforts now include additional elements, such as supply chain security and a new insider threat program they’re building from the ground up. As an energy provider, NYPA works with the federal government to understand all the elements of their energy systems and how to secure them end-to-end. As Adrienne pointed out, her role “is a combination of some of the more traditional risk management that you see in any sector and utility, and also takes it beyond what we would call traditional resilience.”
Resilience is more than just reliability. David shared his thoughts on this from his involvement in efforts like the North American Energy Resilience Model (NAERM). The NAERM is working to build an analytics engine that can define and model the interdependencies nationwide in the energy infrastructure—from electricity generation by different sources like oil, natural gas, or nuclear—and how those sources flow from end to end. The goal of the modeling is to deliver both reliability and resiliency so that if one source is disrupted, the model can show the upstream and downstream effects and possible mitigations. “It’s also working to deliver on the goal of clean energy and a carbon-free footprint by 2050,” David says, “and in a responsible, resilient, and reliable way so our stakeholders, customers, and industries can run efficiently and keep up.”
As Pete points out, “It’s not the technology itself that is the problem, it’s the implementation of it, customizing the technology to meet the needs of the specific customer or entity.”
When working with the Federal Information Security Energy Restoration (ICER) group, Adrienne’s team served during emergencies as the primary liaison to the energy sector, which involved strategic, tactical, and operational technology decisions. Now, at NYPA, where they have the goal to be the first end-to-end digital utility, she is leveraging that ICER experience when building on their roadmap by focusing on people, process, and technology. As she says, though, “what I have learned in a short period of time is that's a very aspirational goal. Technology does not replace good people, and it does not replace good processes.”
Adrienne’s advice is that when trying to make good business decisions, you should understand your business case and what the return on investment is, whether from an efficiency or a financial perspective. “And then keep going,” she adds. “Ask yourself, if disaster strikes, what is the resilience of that piece of technology.”
OT and IT considerations
Whether in cloud-based data centers or the national energy grid, both operational technology (OT) and information technology (IT) are critical areas. As Adrienne sees it, organizations may need both the traditional IT CISO and a new position of OT CISO, with both of them members of the C-suite. The lines between OT and IT are becoming blurred as business and technology evolve, so this is an area to watch in how different public and private sector entities manage complex issues like corporate governance.
David, on the other hand, believes the OT and IT roles need to be kept separated. Coming from long experience on the communications (OT) side, he explains that OT and IT have very different methodologies. “OT is built around sustainability, always up, never down,” he says, “while IT is more about the protection of data and information, so they'll take the downtime to ensure that the information is secure, and that their network is secure.”
Listen to the rest of the discussion…
Listen in as Pete, Adrienne, and David continue their discussion, including:
Why security is not just the job of the CIO or CISO
The importance of people and process, as well as technology
The digital grid of the future