Energy / Utilities / ICS / OT Security Solutions
The threat of cyber-physical systems (CPS) attacks is increasingly evident across the critical infrastructure landscape, e.g. energy grids and industrial control systems, with the proliferation of successful attacks such as Sandworm, INDUSTROYER2.0, Triton, CADDYWIPER, and others. Motivations behind cyberattacks on energy infrastructure are generally linked to economic competition and strategic positioning between nation-states. As Distributed Energy Resource Management Systems (DERMS) worldwide strive to integrate more renewable energy, reduce carbon footprint, decrease cost, and improve optimization (ROI), industry continues to push more decision making (intelligence) to the edge (i.e. microgrids) through the use of digital sensors, increased bi-directional connectivity/communications, AI/ML, EV charging and smart meters, thus expanding the adversary’s attack surface.
When attacking critical energy infrastructure, adversaries employ Tactics, Techniques, and Procedures (TTPs) that blend in and pass as legitimate traffic, protocols, and domains by leveraging the functionality built into general-purpose compute applications, operating systems, and industrial control systems. In the operational technology (OT) Supervisory Control and Data Acquisition (SCADA) environment, attacks are difficult to identify, prevent, and respond to due to a lack of threat data, real-time operating systems, and resource-constrained environments. These deficits challenge the current NIST Cyber Security Framework (CSF) paradigm of Identify, Protect, Detect, Respond and Recover because common monitoring and detection systems rely on looking for abnormalities and/or signatures associated with prior attacks. While the proliferation of “Known Unknowns” is predictable, cybersecurity analyst reliance on AI/ML to sort through the massive amounts of data to find adversary activity will increase; analysts are constrained to the application layer and by the need to collect massive amounts of data, the computational resources required to support that collection, and the inherent statistical probability of no detection. Most attacks and system infiltrations begin between 45 and 95 days prior to detection. Ransomware and other attacks are now frequent, with increasing economic and national security implications.
In accordance with Executive Order 14028, BedRock Systems designed and built a formal methods proven unbreakable trusted virtualization platform with active security™ that provides feature capabilities to counter next generation Advanced Persistent Threats (APTs). BedRock Systems follows the Zero Trust (ZT) Model to “Deny All Allow by Exception” and extends the concept of Least Privilege to Least Functionality. Least Functionality enhances the NIST Cyber Security Framework category of “Protect” with “Prevent” while also providing a Zero Trust policy enforcement point. Through a combination of finer grain segmentation, segregation, isolation, maintenance of kernel integrity, and denial of functionality, BedRock Systems stops attacks that others cannot. BedRock Systems’ virtual introspection and logging of events in the compute stack provides situational awareness and policy enforcement, complementing SIEMs, Firewalls, Software Defined Networks (SDNs), and other ZT architecture elements.
Energy and Utilities Use Cases




Grid & Substation
Choose the Only Preventative Cyber Secure Solution. Use BedRock Systems to build a secure future for your power generation, transmission and distribution systems. Utilities across the U.S. are digitizing operations and enhancing the interconnectedness of their systems to gain efficiencies and meet the growing demand for renewable resources. Due to these enhancements, cyberattacks on energy infrastructure are escalating in quantity and sophistication. Recent government mandates and executive orders are trying to address these growing problems. BedRock Systems helps proactively fight against attacks. BedRocking Industrial PCs in the COMM and Security panels would greatly help lock down each substation. BedRock Systems is collaborating with several Power Manufacturers to propose this IPC strategy.
BedRock Systems’ policy technology helps document cyber-attack attempts and shares information with the existing SCADA system. Historically, the NIST Cybersecurity Framework (CSF) featured five core functions: Identify, Protect, Detect, Respond, and Recover.
Now, it is time for more focus on a sixth function: prevention mechanisms to counter the risk of zero-day exploits. The concept of least functionality does this on a broader basis, as a key characteristic of this mitigation strategy’s approach to ZT is preventing actions before they execute.
Renewable Systems
Renewable energy is resulting in a substantially increased number of endpoints, sensors, controls, fault detection/response, and overall complexity of the grid. The implementation of smart meters and EV chargers, and the need to transact bi-directionally on the grid, are contributing largely to the complexity and threat surface of the modern grid.
Microgrid and hybrid power plants are relatively new players in the energy grid and are part of its transformation to a smart grid. With larger penetrations of Distributed Energy Resources (DER) and renewable energy as a growing portion of the global energy mix, the challenge of intermittent generation arises. These systems incorporate both Enterprise (IT) command and control as well as OT (Edge) elements. They also have a higher likelihood of being connected to the public Internet because they may be installed behind the meter, with much of the monitoring and control of these assets performed online or wirelessly via encrypted bi-directional communications. These microgrids can also provide ancillary services to the grid such as Open Automated Demand Response with the electronic platforms that service these DER-based systems and provide communication channels between the utility and customer.
As the interoperability of smart microgrid architectures looks more towards local generation and distribution to optimize the use of sustainable renewable energy, we are pushing more of the decision making to the edge, incorporating sensors, AI/ML, smart inverters, customer/stakeholder interfaces, bi-directional communication, and control algorithms. These systems’ availability and resilience rely on protecting data integrity and system-critical components. As mentioned previously, these systems require both IT and OT capabilities for daily operations, command and control, and transacting with the business/financial supporting systems. BedRock Systems’ trusted virtualization architecture enables integration/convergence of both IT and OT systems applications, protocols, and operating systems (including RTOS). This is an essential element to converge these functionalities economically in these next generation grid architectures.
BedRock Systems recently demonstrated its ability to secure Software Defined Network (SDN) connected critical assets using its trusted virtualization and active security™ platform to stop ransomware, kernel integrity, rootkit, and other attacks that traditional monitoring and detection systems do not. BedRock Systems has been working closely with NCCoE as an NCEP, as well as Florida International University, STAT-EI, and other leading institutions and the energy sector ecosystem to enhance the availability, flexibility, sustainability, and scalability of these systems to the national level. Projects include: Securing the IIoT – Cybersecurity for Distributed Energy Resources (SP-1800-32), Micro-Grid Interoperability Guidelines, and Secure Inverter.
Inverters & Microgrid Protection
With the continued expansion of microgrids across the US and more intelligent devices being installed on the edge, cyberattacks are becoming a serious threat to those who do not apply BedRock Systems. BedRock Systems’ platform and policy generator promote least functionality, which is similar to the concept of least privilege, but with a focus on functionality (or constraining in a similar way what a device or application is allowed to do). Most architectures contain operating systems, applications, and processors that are designed for general purpose computing to promote interoperability and large market access. For least functionality, architectures would need to be intelligent enough to execute only the tasks or workflows necessary to perform a specific function or set of functions required to satisfy and reinforce the least privilege of a user, and nothing more. Many operating systems and applications have much more capability than is necessary, which is inherently a cybersecurity concern, so further restricting and containing what an OS, application, or piece of hardware can do provides the defender with an extra tool in the ZT toolbox to further reduce and microsegment the attack surface, making it much more difficult for an adversary to exploit such ZT solutions.
Organizations leveraging BedRock Systems’ trusted virtualization platform with Active Security™ can isolate, secure, and implement least functionality through Virtual Machines (VMs) that run on a formal methods proven trusted computing base. Leveraging a capabilities-based model, each VM operates with an independent and isolated Virtual Machine Manager (VMM) that implements policies to constrain the VM functionality. This fine-tuned control of VMs to constrain access to the exact resources necessary to execute tasks specifically defined in the system’s design is unique. Using this approach, organizations can establish both least privilege and least functionality policies that strip out all unnecessary functionality that an adversary can target and manipulate. Previously, organizations were forced to rewrite operating systems or redesign specific applications–both at great expense and business risk. Embracing this new approach would allow the implementation of least functionality for users running modern software and applications completely unmodified on top of BedRock Systems’ trusted virtualization and integration framework.
BedRock Systems is currently teaming with several government agencies (NIST, NCCoE, and MITRE) in the effort to define possible Smart Inverter Cybersecurity Guidelines. BedRock was recently announced as a NIST NCCoE NCEP Partner. This program is an ongoing collaborative partnership between US companies and NIST’s NCCoE with the potential to advance the state of cybersecurity practice.
Oil & Gas Gateway Solutions
In the oil and gas market, consolidation is happening everywhere. Since the pandemic, oil companies have been spinning off large unprofitable parts of their business while giving other companies the opportunity to acquire and become new market leaders in vertical sectors. Through this consolidation, attrition and loss of tribal knowledge have given companies the need to cross-train IT personnel in OT cybersecurity responsibilities.
It’s time for IT leaders to evolve their approach to cybersecurity, away from the defense-in-depth mindset to the ZT model. As the American Council for Technology-Industry Advisory Council defines it, ZT provides a security strategy for users to access data and assumes a “never trust and always verify” stance to require continuous authorization, thereby increasing visibility and analytics across a network.
Simply stated, ZT is an approach in which no user, device or application is implicitly trusted on the network, and whereby each network connection is a resource to be validated on a case-by-case basis. This continuous authentication and validation means users only obtain access to what they need to do their job, and nothing more – a concept known as “least privilege.”
As an example, in many traditional cybersecurity architectures, role-based access controls are widely accepted. This allows adversaries to take advantage of a larger domain of access once they are in a system as they can navigate within the architecture to escalate privilege and obtain additional credentials to exploit access control. With a ZT mindset, access control is defined down to a specific individual and their specific request (based on least privilege) to the network at the time they are connecting. By narrowly defining identity and ensuring tasks are constrained to least privilege, a ZT approach enables the continuous monitoring of access based on identity and authorization.
BedRock Systems is using this ZT model in a new approach to secure edge devices. BedRock Systems is collaborating with multiple passive cyber security software solutions to provide them the ability to proactively prevent attacks from spreading. This will give users the best way to lock down their assets in Upstream, Midstream, or Refining applications.
Safe & Secure Software-Defined Anything (SDx)
Software-defined is the future of infrastructure, bringing scalability and innovation to critical markets like utility and energy. Our bulletproof virtualization and separation software layer allows for innovation while under attack, with policy for communication and resources at the hypervisor level.

Secure Application Platform
Businesses across the energy and utilities sector are now producing apps to help customers manage consumption more efficiently. Unfortunately, web apps are a notorious target for cyber-attackers looking to exploit vulnerabilities and steal data. BedRock provides a secure platform for these applications, ensuring the privacy of user data.
Secure Cloud Infrastructure
The Commercial Facilities Sector includes a diverse range of sites that draw large crowds of people for shopping, business, entertainment, or lodging. These are based on the principles of public access, but are privately owned and operated. In order to reduce cost and better scale convenience functions, more and more automation and cloud-based systems enter this market. At the same time, this also requires the applications to run securely and separately, while depending on communication.

Virtualization in the cloud and on the edge can reduce operational expenses and make information sharing easier. It also puts applications at risk of exposure if not executed with care. The BedRock Hypervisor enables organizations to run critical applications and securely store data on the cloud, even if cyber-attacks are attempted.
Secure Healthcare Cloud Infrastructure
More healthcare organizations are migrating their data to the cloud. While virtualization can reduce operational expenses and make information sharing easier, it also puts protected health information at risk of exposure if not executed with care. The BedRock Hypervisor enables healthcare organizations to run critical applications and securely store data on the cloud, even if cyber-attacks are attempted.

Secure Mobile Devices
As mobile devices become more commonly used in healthcare services, threats to protected health information increase. Security-conscious mobile devices can be built and maintained when based on the BedRock Hypervisor. We ensure that security, availability, and integrity are guaranteed, down to the resource partitioning of hardware devices involved in securing the different operating modes of the device.
Secure Edge-to-Cloud Virtualization
The transportation industry relies on edge computing to collect and log data where connection to the cloud isn’t always possible. Trains, for example, have event recorders to log data that can be used to investigate accidents or explore operational efficiency. This information can then be sent to the cloud, when possible, to be stored or analyzed. BedRock Systems provides virtualization from edge to cloud, ensuring data is secure across infrastructure.

Secure PTC Backend Infrastructure
Positive Train Control (PTC) monitors and controls train movements to improve railway traffic, but it also creates a critical infrastructure cybersecurity risk. The BedRock Hypervisor provides an extra layer of protection for the PTC wireless communications network beyond existing encryption keys. This further minimizes the opportunity for malicious attack and theft of sensitive data.