By: Chris Humphreys, Lead Cybersecurity Solutions Architect at Foxguard, (CS)²AI Fellow
This week, I had the honor of presenting at the (CS)²AI Cyber Security for the Electric Sector Symposium. It was awesome to get some of the old band back together while also meeting new faces and hearing about the evolution of cybersecurity within the Electric Sector through a wide variety of complementary, yet differentiated, content. Derek Harp and his team were very clever and strategic not only in gathering the content for this event, but also in the sequence in which the presentations flowed.
The opening presentation by Phosphorus CEO/Founder Chris Rouland was extremely insightful and provided an awesome global view of the threat capability landscape, both present and future, facing the Electric Sector and the Industrial Control Systems space as a whole. His insights from his crystal ball on both where the threat is headed and the technologies available to combat these threats were also really cool and informative.
Next up was PJM VP/CSO Steve McElwee. He gave a very complementary presentation from an ISO/RTO perspective on how PJM addresses many of the threat vectors Chris Rouland mentioned in the previous presentation. Steve focused on how PJM looks at overall cyber risk through its maturity models and how it baselines that maturity, with NERC CIP being the floor of its maturity and NIST being its ceiling. Steve also gave a great overview of how PJM fits and operates as an interconnection and the responsibilities that come with that role.
I don’t know if Steve knew his content would fit logically as the middle of a “Chris Sandwich” as I would go next.
My presentation was another great transition by (CS)²AI from the previous two, as I leveraged the global threat landscape from Chris Rouland's presentation and the ISO/RTO approach given by Steve, and showed how Foxguard applies them to the specific challenges associated with Patch Management. Patch Management has been, since day 1 of NERC CIP, the most violated NERC CIP standard. I wanted to offer some ideas on why that continues to be the case. I focused on balancing the "three-legged stool" of people, process controls, and technology to create the synergies that are so often absent between compliance risk and operational cybersecurity risk. I also continued to highlight the massive challenge NERC CIP applicable entities face in balancing being compliant vs. being secure.
Next up was an extremely interesting discussion on the rapidly evolving Cyber Insurance industry, moderated by one of my oldest colleagues and compatriots, Patrick Miller, CEO of Ampyx Cyber, along with Monica Tigleanu (Cyber Strategy Director, BMS Group) and David White (President/Co-Founder of Axio). I've been tracking the trends in the Cyber Insurance industry for the last few years, but the insight provided by Monica, David, and Patrick was extremely enlightening. They offered some great questions to ask when shopping for or evaluating cyber insurance coverage options for electric sector organizations. While this is a newer frontier for the Electric Sector, I couldn't help but feel like I'd seen a version of this movie before, in that the cyber insurance industry seems to be another variable in measuring overall risk within an organization, much like the early days of the NERC CIP Standards. Additionally, the compliance/insurability vs. security debate continues to evolve within the insurance verticals as well.
Last, but definitely not least, Alex Waitkus, OT Cybersecurity Architect for Southern Company, closed out the symposium with an awesomely relatable and practical approach to addressing OT cybersecurity threat and risk mitigation. For Alex to be able to explain so simply how effective an entity like Southern Company's architectures and methods are in addressing the OT side of cyber risk was extremely refreshing, and it should be equally encouraging to entities of all sizes that they can be just as effective while remaining practical and sustainable. Alex and I both definitely subscribe to the "if my mother can understand my content, I'm good" approach to public speaking, and Alex absolutely nailed it!
In closing, I wanted to again commend (CS)²AI for compiling such a great program of content, especially for a half-day symposium. I can't wait to see what they do in the future with an entire day... or two... or three...
