I recently joined top thought leaders at the U.S. Department of Energy (DOE) Cybersecurity and
Technology Innovation conference to discuss the future of the integration of information
technology (IT) and operational technology (OT) within critical infrastructure, focusing on
“Leveraging Innovation to Meet Future Challenges.” A year after the Colonial Pipeline attack
demonstrated the havoc that a cyberattack could wreak on humanity, it’s more important than
ever that we encourage cross-industry collaboration – including organizations across public and
private sectors – to advance IT and innovation and to engineer cyber-physical security within the
government and energy sector.

This DOE-sponsored event provided the opportunity for industry and government leaders to
connect and discuss the status of our current critical architectures spanning sectors such as
Energy, Transportation, Broadband, and the Environment, as well as where we’re heading in
terms of nation-state threats and other attack vectors requiring risk mitigation. To recap the
experience, I wanted to share a few takeaways from the event.

1: Collaboration is More Important Than Ever

Since the Executive Order on Improving the Nation’s Cybersecurity (EO14028) was released, there
has been significant conversation around the technologies that are in place today that improve
our nation’s defensive posture, many of which are being funded by way of the Bipartisan
Infrastructure Law (BIL). While continued collaboration, participation, and transparency is key to
moving the transformation needle, adoption of state-of-the-art and burgeoning solutions is
For example, the DOE National Cyber-Informed Engineering (CIE) Strategy seeks to guide
energy sector efforts to incorporate cybersecurity practices into the design life cycle of
engineered systems to reduce cyber risk. Pursuant to congressional direction, the CESER-led
Securing Energy Infrastructure Executive Task Force (SEI ETF) developed the National CIE
Strategy, building on foundational work developed at Idaho National Laboratory. This framework
advocates for an evolutionary shift across the energy industry and related institutions, including
researchers, standards bodies, Federal partners, and others. Its recommendations reflect
expertise and insight from energy companies, energy systems and cybersecurity manufacturers,
standards bodies, researchers, DOE National Laboratories, and Federal partners in the
cybersecurity and engineering mission space. It encourages the adoption of a “security-by-design”
mindset within the Energy Sector Industrial Base, which refers to building cybersecurity
into our energy systems at the earliest possible stages rather than trying to secure these critical
systems after deployment.
Particularly in the energy sector, there is a primary focus on availability, and certain
cybersecurity methods are perceived as a double-edged sword – while they may protect,
we must be confident that they do not shut down system availability. As new technologies
provide capabilities to address these complexities, we must accelerate their proof of concept to
improve our defense posture and grid resilience.

2: We Need to Move Beyond Traditional Managed Detection and Response

A lot of today’s CISOs are doing the best they can with what they have, depending on traditional
methods of asset management, firewalls, monitoring, detection, and incident response as their
solution. Most utilities don’t have the resources or capabilities to implement a Security
Operations Center (SOC) with full incident response capabilities.
We must deploy more capabilities that provide stronger Protection, enforcing policies from the
compute edge up the stack, with the interoperability to enhance the zero trust model. Looking at
the NIST Cybersecurity Framework, there is a need to move beyond Protection, Detection,
Mitigation, and Restoration. The next step for industry is to pivot to include Prevention as part of
the stack, enhancing the Protection element by leveraging new processors like ARMv8 and x86
that provide new capabilities at the endpoints and compute edge. BedRock does just this by
providing Active Security™ deployed in a Formal Methods verified trusted virtual environment
with policy enforcement that enables the prevention of the threat in the first place. This provides
greater isolation, micro segmentation, permission/enforcement, and the extension of Least
Privilege to Least Functionality among other things.

3. The use of Software Defined Networks (SDN) integrated with critical assets/controls within the grid, substations, or at command and control seems to offer interesting features that are needed in modernization (including ease of implementation and Cloud compatibility).
Their ability to integrate with existing legacy architecture, implement identity authentication/authorization features that obfuscate the adversary, creating a dark network, and unify policies/rule engines with secure/trusted endpoints and layers of defense are all very attractive in addressing some of the IT and OT challenges. As we proliferate the use of solar and wind, the number of nodes on the DERMS, and the concept of “Energy Shed” with generation, distribution, and end use closer to the edge, these architectures seem to be gaining
momentum. The conventional electrical power grid is transforming due to an enhanced threat
landscape and incorporation of the Industrial Internet of Things (IIoT). Traditional generation includes fossil-fuel based power generation units (e.g., nuclear, hydro, and coal-based power generation units), and the power is then delivered to customers via a huge network of transmission lines. Moreover, the flow of electric power is generally unidirectional. With the ever-increasing user demand for electricity, aging infrastructure, resilience issues, and prominence of renewable energy resources (RERs), the conventional power grid must become a smarter grid, and SDN and ZTA are key frameworks.

4: AI and ML Are the Future

As the critical infrastructure grid becomes increasingly complex, we have so many more
endpoints to monitor and protect for control. Artificial intelligence (AI) and machine learning (ML)
advances are making their way to the next-generation DERMS to improve forecasting of both
demand and generation, supporting command and control at the edge. While these have
significant potential in increasing availability and reducing cost, the cyber-attack surface is also
increasing. BedRock locks down smart inverters, gateways, servers, controllers, and other key components in an effort both to provide resilience and to secure/protect the data streams that these new architectures depend upon.
As enterprises continue to adjust to the new hybrid workplace environment, we must put an
increasing emphasis on strengthening industry relationships, expanding upon cybersecurity,
and driving innovation to provide development opportunities and promote a diverse workforce.
I’m looking forward to joining influential leaders from the fields of cyber, IT, innovation, privacy
and records management, advanced data analytics, operational technology, risk management,
energy sector resilience and more to do just that.
Investments in grid resiliency include technologies that will strengthen our transmission and
distribution systems such as:
● Microgrids are a self-sufficient group of energy sources, like solar or wind, that support
the energy needs of a local footprint, like a college campus or hospital complex.
Microgrids can disconnect from national infrastructure to continue to operate while the
main grid is down. Because of this, microgrids can strengthen grid resilience, decrease
power outages, and provide energy resources for faster system response and recovery.
● Demand Response is a consumer’s reaction to a high demand for electricity. By limiting
or postponing power consumption during a time of high demand, consumers can help
utilities manage increased strain on the grid. Some utilities provide consumer rebates for
● Advanced Metering, or smart metering, lets consumers know how and when they are
using electricity so they can reduce their usage. Advanced metering could also help
consumers reduce their electric bills by making them aware of periods of time that have
a higher cost of electricity.
● Grid Scale Energy Storage Devices can help utilities continue to provide power during
peak loads, when the grid may not be able to support all power needs. These devices
can store electricity generated from carbon-free sources so it can be used when it is
● Grid Hardware is critical for carrying, converting, and controlling power. Most of the grid
modernization efforts have been focused on advanced digital information and
communication technologies, but the physical equipment necessary to move power
needs to be updated as well.