In The Boardroom With…
Mr. Dave Schmitt
IoT Vertical Solutions Group: Utilities
SecuritySolutionsWatch.com interviews Dave Schmitt, Solutions Architect, Cisco.
SecuritySolutionsWatch.com: What is your perspective, Dave, on the current threat landscape facing utilities?
Dave Schmitt: Utilities are especially popular, high-profile targets for attacks. According to the Cisco Security Capabilities Benchmark Study, 73% of utility IT security professionals say they’ve suffered a public security breach, compared with an average of 55% in other industries. Most U.S. utilities have already undertaken substantial security measures throughout many parts of their systems. However, the nature of cyber threats and vulnerabilities keeps changing.
U.S. utilities have, for several years, been deploying IoT technology (aka Smart Grid) because it enables significant business and operational benefits: increased grid reliability, enhanced integration of renewables and other distributed energy resources, reduced operating costs, and more. However, all of this opportunity comes with the tradeoffs of increased complexity and new risks.
The legions of new network connections to more devices in more parts of utility power systems pose security challenges. From turbine controllers to thumb drives, every network-connected device represents a potential entry or execution point for attacks by insiders, hackers, criminals, terrorist groups or nations.
SecuritySolutionsWatch.com: Can we drill down into Cisco’s product portfolio for IoT security? What are the specific solutions and benefits that Cisco delivers?
Dave Schmitt: Cisco IoT System Security delivers security at scale, simplifies compliance, and builds trust. The product portfolio includes OT-specific security appliances, the capability to use the network as a sensor and enforcer and physical security.
We also have solutions built on this product portfolio for specific utility needs such as substation security. The latest evolution of the Substation Security Solution helps enable utilities to meet the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) Version 5 mandated standards to monitor, log, and diagnose systems with ease. The Cisco Validated Design solution eases the increasing burden of compliance reporting and auditresponse for utilities.
SecuritySolutionsWatch.com: Let’s talk about the regulatory environment for a moment. “In 2014, NERC initiated a program to help industry transition directly from the currently enforceable CIP Version 3 standards to CIP Version 5. The goal of the transition program is to improve industry’s understanding of the technical security requirements for CIP Version 5, as well as the expectations for compliance and enforcement.” (http://www.nerc.com/pa/CI/Pages/Transition-Program.aspx) . Tell us a bit about the journey that utilities take with Cisco to achieve compliance.
Dave Schmitt: NERC CIP v5 represents an opportunity address security in a comprehensive manner. Rather than a prescriptive approach with predetermined measures, utilities now will take a risk -based approach to achieve compliance. The transition from “how” to “what” requirements may help utilities focus on security, rather than paperwork.
NERC-CIP requires utilities to inventory their assets and rate them as having low, medium or high potential impact. Consequently, several utility assets that previously were deemed non-critical, including some smaller substations, must now be brought into NERC-CIP compliance. This helps address the problem that, previously, some utilities claimed to have few or no critical bulk power system assets. But today, security is required for every substation — it’s just a matter of how much.
Developing a NERC CIP compliance program represents a valuable opportunity for a utility to gain a deeper understanding of its security priorities — including where security intersects with IT and OT organizations, and how cross-departmental coordination and collaboration might help enhance overall security.
SecuritySolutionsWatch.com: Customers have noted that they’ve chosen Cisco grid security because of the integrated, converged approach. Care to elaborate for us on this vital integration point?
Dave Schmitt: Utilities have some unique needs such as geographic distribution. Very few industries control such a widely distributed infrastructure that connects so directly with citizens. Consequently, when there is a utility system failure, the impact to, and feedback from, customers is immediate and sharp — and often, quickly followed by increased scrutiny by regulators and the media.
Further, many utility OT departments are now managing networks far larger than their IT departments ever had to. Many utilities face challenges with the scale of securing IoT-enabled systems. They need security solutions that can be applied cost effectively across hundreds of thousands, or even millions, of nodes.
Cisco delivers security solutions that build security into the network infrastructure to address the problem of scale through consistent, policy-based enforcement of controls. We integrate on other important levels as well including digital and physical security and common practices across IT and OT teams.
Read the full interview here.