Dive Brief:
- The National Renewable Energy Laboratory last week published two reports highlighting cybersecurity tools that aim to improve utility asset management, risk quantification and visibility into the industrial control systems, or ICS, that are increasingly attached to the U.S. electric grid.
- Utilities can request to pilot NREL’s Cyber100 Compass application, which models cyber risk associated with energy system upgrades, the national lab said Thursday. And a Wednesday report on the runZero cyber asset attack surface management, or CAASM, system that aims to reveal potentially “hidden” risks in a utility system concluded its scanning methods “can improve visibility without affecting the performance of ICS assets.”
- The power grid is increasingly distributed and renewable but “right now, there’s a lot of uncertainty about how risky the transition is,” Maurice Martin, senior cybersecurity researcher at NREL, said in a statement. “It’s hard for utilities to know what kind of risk level they’re exposing themselves to, and that uncertainty can have a cooling effect.”
Dive Insight:
NREL’s Cyber100 Compass takes a new approach to managing cyber risk for utilities, combining data from subject matter experts with user-inputted information to perform a probabilistic risk assessment and produce a monetary estimate of potential losses due to a cyber attack, including one resulting in power outages.
The application asks utilities to provide information about their current energy system and plans for new resources, and then provides an assessment of how certain upgrades could change cybersecurity posture and risk.
“While the Cyber100 Compass application is still a proof of concept and not yet ready for industry use, it is an important first step toward developing guidance for system planners about potential cybersecurity risks as they integrate more renewable energy into their generation mix,” NREL said.
The lab has created a form for utilities to to request access to the application in exchange for providing feedback on its interface, usability and results. Utilities will need to input data on their risk tolerance and the value they place on avoiding certain types of cyber attack-induced physical events, including loss of power and harm to equipment attacks.
“The whole concept behind Cyber100 Compass is about mining the knowledge of these subject matter experts and capturing it in a form that is reusable across many different utilities of various sizes, loads, and generation mixes,” Martin said. “Cyber100 Compass provides a monetary expression of risk to help utility decision makers feel confident in their planned upgrades.”
Separately, NREL’s Clean Energy Cybersecurity Accelerator, or CECA, published a report assessing the efficacy of runZero’s CAASM system. The report concluded runZero’s platform identified all internet-protocol-addressable assets in the test environment and collected detailed information about each device and all open ports.
“Evaluations also showed no adverse effects on deployed ICS assets or ongoing supervisory control and data acquisition communications and processes,” NREL said. “Evaluations show that runZero’s active scanning methods can improve visibility without affecting the performance of ICS assets.”
While passive scanning only looks at network traffic, active scanning involves sending data to assets and analyzing the response.
“Running active scanning solutions built for IT environments can be unsafe and inappropriate in an [operational technology] environment due to bespoke assets, legacy firmware, or proprietary protocols,” NREL noted in its report. But runZero’s platform did not cause any problems.
“We are seeing more sophisticated attacks against critical infrastructure, particularly energy infrastructure,” Rob King, runZero’s director of security research, said in a statement. “Working with CECA allowed us to prove that active scanning of OT/ICS infrastructure can be done safely and effectively and is important to securing these vital systems.”
“It was interesting to see active scanning used safely,” said CECA technical team lead Nick Blair. “Active identification methods have been taboo in OT systems — for good reason — for a long time. While we can't claim our findings apply universally, hopefully they can break the ice and allow these methods to be considered as an option.”
