Wow, how cool to be a part of this inaugural conference hosted by INL and the Solar Energy Industries Association (SEIA)! This conference was developed to bring together industry, researchers, and government professionals to talk specifically about cybersecurity needs, challenges, and solutions for renewable energy. The conference, hosted in San Antonio and tied to the RE+ Texas exposition, gave me the opportunity to learn from people who have been thinking about these issues much longer than I have, but also allowed me to have a voice in the conversation, engaging with attendees from diverse backgrounds in skills, experience, and interests.
In the opening remarks, security was compared to the brakes on a car. It's a safety measure: it allows us to go faster, with higher tolerances, and it gives drivers more confidence. As in car manufacturing, security needs to be a core value in the renewable energy industry, and we need to leverage both top-down and bottom-up approaches.
One of the biggest themes throughout the conference was that cybersecurity needs to be framed as a business risk, just like other risks. Cybersecurity pays for itself if just one event occurs. Like insurance, the reason we have it is not that we expect bad things to happen, but that we want to be protected in case they do. Also like insurance, more incidents occurring raises the overall cost of security, while fewer incidents (resulting from better cybersecurity built in from the beginning) lowers the cost of insurance.
Lots of new technologies were discussed. The goal is not to fit renewables into the legacy systems used in the bulk power system, but to leverage distributed collaborative control. Technologies like blockchain offer unique opportunities to bring novel innovations into the power industry, and they can be good for incident response: detecting and stopping attacks in action.
Another key takeaway was that cybersecurity should not be a point of competition or differentiation in the industry. We want to encourage collaboration. This has worked effectively in the banking world. Information sharing among competitors is not only encouraged, but automated. There are many things that industry does not trust each other on, but security should not be one of those things. One concern with this approach is that companies may only seek to meet cybersecurity minimums if having the best cybersecurity doesn't give them a competitive advantage. However, going above and beyond can still be encouraged by having an industry-wide forward-looking philosophy. All companies will benefit from info sharing, and they can collaborate in this area while still competing in other ways.
Cybersecurity compromises are going to happen. Failures are inevitable. We should adopt the posture that pressure will lead to eventual failure, and our response should be to apply defense-in-depth, with multiple, heterogeneous layers of security. Here are a couple of questions to get started:
Who's attacking you and what are they attacking you with?
What are you going to do about it?
What are your critical systems? You can't protect everything, because it's too expensive, so what are you going to prioritize?
Not to sound morbid, but the cavalry is not coming. The government will not be able to save you in the event of a compromise. We can't keep up with all the vulnerabilities and patches, so let's think about how to engineer our systems for resilience, how to test our plans and response procedures, and how to build relationships with vendors so that security is a shared core value.
These questions all lead us back to a discussion rooted in risk. As one speaker said, "protect diamonds like diamonds and pencils like pencils."
The clean energy revolution has the potential to give us more reliable energy via resource diversity. Let's make sure that it's a secure revolution.