pwr_february-2024 - 26
CYBERSECURITY
Figure 2. Zero trust (ZT) was introduced in 2004 as a security design concept. ZT is a collection of pillars "designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised," says the Cybersecurity Infrastructure Security Agency (CISA). Source: CISA
ing SBOMs for software makers. "If the industry takes steps to require SBOMs and attestation forms voluntarily, the less the government will have to mandate them," he said.
Yet another emerging industry-championed attribute is the "zero-trust" (ZT) principle. Seeking to proactively manage threats to OT technology, including ransomware and malware tools like PIPEDREAM, ZT is a collection of concepts (Figure 2) that builds upon and enhances historical controls and perimeter-based security models, as opposed to tearing them down. "Industry needs to continue to develop equipment and software as well as people, processes, policies, and governance capable of delivering on ZT principles," NERC said. "Entities should invest in staff training for ZT, develop OT security programs, design roadmaps based on a ZT maturity model for the development of ZT architecture (ZTA) at the right pace for their organization." ZTA, however, will be a long-term effort. NERC suggests operators should typically begin by implementing it in their IT environments, focusing on IT/OT demilitarized zones (DMZs) and operational control centers.
Pervading Challenges
Despite these measures, experts suggest more will need to be done, and several challenges lie ahead. The most glaring issue remains an organizational issue, where "engineers and managers who 'own' the power plant and substation equipment are generally not part of a cybersecurity program," said Joseph Weiss, a registered professional engineer, who is managing director of ISA99, an International Society of Automation (ISA) standards committee that produced and continues to develop the
ISA/IEC (International Electrotechnical Commission) 62443 series of standards and technical reports. ISA/IEC 62443 provides a framework for ensuring the secure operation of OT systems used across various sectors. A key reason is that "cybersecurity is being addressed as a network problem," Weiss stressed, noting the mismatch has its roots in the early 2000s, when companies began shifting their cybersecurity from operational organizations to IT.
Today, Weiss said there is no cybersecurity, authentication, cyber forensics, or cybersecurity training for control system field devices such as process sensors, actuators, and drives. The dire gap poses a serious cybersecurity oversight with potential impacts to reliability and process safety, he noted. Weiss warned that current regulations and approaches aren't proving effective because "current technology is not identifying, preventing, or mitigating control system cyber incidents. There have been hundreds of power plant and substation cyber incidents that have shut down facilities or damaged equipment but are outside the scope of cyber security regulations," he said.
Research and advisory firm Gartner pointed out other pervading challenges, including difficulties in fulfilling a demand for security talent (Figure 3). "The global cybersecurity talent shortage is a perennial issue," it noted. In the U.S. alone, there are only enough qualified cybersecurity professionals to meet 70% of current demand, an all-time low over the past decade. Unfortunately, labor market supply-and-demand issues cannot be solved by individual security and risk management (SRM) leaders," it said. "What can be solved is an emerging skills gap. Yet cybersecurity leaders continue to hire for legacy roles and skills," it said.
The skills that cybersecurity teams need are changing drastically, given a convergence of megatrends. These include cloud adoption, the rapid rise of generative AI, an operating model transformation requiring cybersecurity professionals to increasingly work with and through business partners, and vendor consolidation. The threat landscape now also encompasses cyber-physical systems, remote work, and generative AI, it noted. "SRM leaders must reskill their teams by retraining existing talent and hiring new talent with new profiles," Gartner said.
These new demands arrive with new scrutiny about corporate spending as the industry grapples with inflationary pressures and other industry disruptions. According to a benchmarking collaboration between security practitioners, IANS Research, and human resources firm Artico Search studying security budgets over 2023, cybersecurity budgets grew only 6%, "a modest figure following double-digit increases in 2020 and 2021," though nearly a third of the 550 security executives it surveyed reported flat or declining budgets.

Figure 3. A survey of 12,000 energy professionals in 149 countries conducted by Airswift in October 2023, and recently published in its 8th annual Global Energy Talent Index, ranks skills in demand versus skills respondents may be influenced to develop. Courtesy: Airswift
ABB's Boo suggested that "while many power companies' initiatives are spearheaded by one or two truth fighters - the ones that really live for cybersecurity even though it may not be their dedicated role - they also rely on external help for various reasons. It's extremely beneficial to them because they get all that combined experience from that external consultancy or resource as a part of their organization," Boo said.

Third-party consultants like ABB, he noted, are often practical and pragmatic. "We utilize industry standards, such as IEC 62443, to establish a robust network architecture and foundational cybersecurity, which can be expanded upon with additional cybersecurity measures as needed." In addition, third-party firms are typically aware of emerging technologies; therefore, they can guide customers through recommendations, he said. "More and more of our customers I talk to have actually done impressive things and are taking cybersecurity seriously, but I also fear that there's a lot out there that could use a little bit of a boost."
- Sonal Patel is a POWER senior associate editor.
POWER | February 2024
http://www.powermag.com