Whether you call it information assurance, information security, computer security, cybersecurity, or cyber-physical systems security, it really doesn't matter. If your segment of the electric grid uses electronic devices, you are part of the internet of things.
As the number and types of electronic devices in grid IT and OT continue to grow, cyber education becomes critical for all of us. It is not just for technical people; cyber education is for everyone throughout the transmission, substation, and distribution networks and the front and back offices. The ability to write, speak, and do basic math is important, but operators also need to know how to stay safe in a world increasingly driven and controlled by technology.
Everyone should be aware of security risks, their unintended consequences, and the appropriate responses. Emphasis on a "safety first" culture is well established within electric utilities, and the security culture is well on the way to becoming just as widespread. All utility employees and contractors subject to North American Electric Reliability Corp. (NERC) regulations receive security awareness training that covers general cybersecurity issues, including phishing training — simulating the experience of real-world attacks.
For cybersecurity, we would like to provide a timely metaphor using contagious diseases and vaccination. In this metaphor, cybersecurity risk is a contagious disease and immunity through vaccination is created when the population knows what to do and what not to do with technology. Cyber cannot be a technology-only solution. There is no silver bullet. To keep us safe, human factors must be a part of the solution. We need to be smarter and more aware.
At Boise State University, we have three pillars in our cyber programs: Cyber for All, Cyber for STEM, and Cyber Operations.
Cyber for All is a program that provides a cybersecurity background for everyone. The objective is to raise cybersecurity awareness across the campus. A study by Siemens and the Ponemon Institute indicates that there is a critical human capital gap at utilities, but the funding that would be appropriate for training or personnel is instead being spent on technology and compliance investments. To reduce this human capital gap, funding priorities need to be adjusted. We need everyone to know how to stay safe while browsing the internet or checking email, and to know the basics of cyber hygiene.
The American Public Power Association (APPA) is a trade association for public power utilities that helps represent their vision of public power to governments and the public at large. The APPA understands that the public power community needs to improve its overall cybersecurity posture and has provided members with access to Department of Energy (DOE) resources and funding to help train staff on cybersecurity readiness.
Cyber for STEM is a program that provides cyber-informed engineering skill sets. The objective is to train future engineers and scientists to incorporate cybersecurity into the design process so that systems are more resilient against security threats. The National Integrated Cyber Education Research Center (NICERC) provides curriculum for cybersecurity, STEM, and computer science for all grades K through 12. Efforts such as the NICERC will help close the STEM education gap for cybersecurity. Design engineers should take cyber into consideration as part of the design process, for example redundancy and resiliency, interdependence, and simplicity. This way, cyber defense is designed into the system to reduce the attack surface.
Cyber Operations is a program that provides cyber operations skill sets; its objective is to produce the future disease fighters on the frontline, to continue the vaccination metaphor. These fighters require additional training on the NERC Critical Infrastructure Protection (CIP) Standards, and utilities are striving to increase the effectiveness of operations training. Knowing how intruders think helps defenders defend better. Cyber intelligence and cyber risk assessment should be closely coupled, because resources are limited. Arizona Public Service increased its trainee engagement from 4% using traditional training methods to over 80% by using online, story-based training. Clearly, there is still room for improvement. A 2018 report from three of the regional entities tasked by the NERC to perform compliance monitoring found that one of the major themes utilities continue to struggle with is a lack of awareness of the utility's own needs related to the NERC CIP Standards.
Maybe we need to redefine success and failure. The idea that a blue team must do everything right all the time while a red team only needs to be lucky once does nothing to improve cyber posture. Since there are unknown vulnerabilities and no way to eliminate all security risk, total security cannot be achieved. Is a cyber intrusion that causes no permanent damage a failure? If you have a resilient system/network with the ability to get up and running quickly, a compromise might not be considered a failure. Building a resilient system/network is a lot of hard work and a lengthy process that takes significant time and capital investment. This goal must start with cybersecurity training and awareness for everyone involved in the generation and delivery of electric power.