Q&A With Jon White: Achieving Security by Design
We can no longer claim surprise when a cyberattack or disruption befalls national infrastructure. The question is now: How can we make these complex and interconnected systems secure and resilient by design?
For Cybersecurity Awareness Month, NREL’s Cybersecurity Program Director Jon White shares his own path into the field and the laboratory’s strategy for deploying technologies that stay one step ahead of adversaries.
What inspired you to pursue degrees in mechanical engineering?
In high school, I loved working on my family’s cars. I could get lost for hours taking them apart and seeing how they worked. To my dad’s frustration, I occasionally put them back together incorrectly, though that was great for learning, too. He was a professor of mechanical engineering, so we grew up with lots of mechanical toys and tools.
How did you become interested in renewable energy?
The finite resources on our planet and the limits on how much life it can sustain become obvious when studying engineering. The pivot towards renewable energy happened between my master’s and Ph.D., when I had a combined realization that addressing pollution and climate issues was not optional, and I had the technical skills that could be valuable to the renewable space. That’s when I started working on wind energy technology.
What led you to NREL?
In 2014, there was a catastrophic failure of a wind turbine at the SWiFT facility I was leading at Sandia National Laboratories. Although that failure was not caused by a cyberattack, it opened my eyes to the possibility. When the opportunity arose at NREL to work on the cybersecurity of renewable systems, it was the perfect challenge for merging my interests. If we are to be successful in the deployment of clean energy technologies at scale, those systems must be secure and resilient to disruption.
Your team is undergoing rapid growth. What is exciting about working at NREL at this moment in history?
The original grid was built around making a lot of electricity and sending it to industrial uses, but over time private citizens and small commercial operations came to dominate the demand. Transitioning to a distributed system made the grid more interconnected, and the advent of the computer and the digital chip added a layer of communications. No one could have assumed that this is where the grid was going or could have expected the cybersecurity ramifications. But we can’t say that going forward. Knowing what we know today, we have the opportunity to chart a different path into the future: decarbonizing the grid but doing it securely by design.
NREL’s cyber program leverages the laboratory’s expertise in systems integration and envisions solutions that autonomously identify and respond to threats within distributed energy systems comprising a hybrid mix of renewable energy technologies, such as wind, solar, storage, and hydropower.
What is the Clean Energy Cybersecurity Accelerator, and how will it catalyze innovation?
The program has two differentiating factors: Utilities come together to share intelligence in NREL’s neutral third-party environment, and the laboratory’s at-scale validations accelerate technologies to market. Technology startups exit with competitive experience, new partnership opportunities, and professional evaluation of the most urgent cybersecurity challenges related to modern energy systems. The program draws on expertise from asset owners in the energy sector, federal oversight, and technology innovators in a way that has not been done before.
Why is it important to pool private and public expertise?
Since the energy landscape is evolving so quickly, collaboration is the only way to integrate cybersecurity early in the design and development stages. The Clean Energy Cybersecurity Accelerator has a federal advisory board of experts from DOE [the Department of Energy], while strategic direction and cost-sharing will be provided by an industry-led steering committee, including experts from Xcel Energy and Berkshire Hathaway Energy. Connecting leading industry entities with national laboratories is key to securing both the bulk electric systems and the grid edge. NREL’s research efforts get amplified through close to 600 active partners in private and government sectors.
What are the most significant cybersecurity challenges particular to a grid with renewable resources?
Solar energy and other cost-competitive renewables are making up a larger share of the energy mix. As geographically dispersed assets come online, the installations need to communicate with other system elements, such as centralized control. Challenges we are monitoring right now include the exponential growth in communications devices that are being connected to the grid; the rise in private or third-party owners of such assets, who may not have a vested interest in cybersecurity; and the rise in devices being manufactured outside of the United States, which could introduce supply chain challenges. These issues must be addressed in a way that does not place undue financial burdens on either the asset owners or the utility.
What is an emerging technology or framework you are particularly excited about?
The cybersecurity team has translated research into some exceptional technology innovations. There is the DERCF online tool that assesses cybersecurity of distributed energy resources at U.S. federal government sites and the Situation Awareness and Grid Anomaly tool we call SAGA, which will visualize grid events and train computers to classify them in near real time. Module-OT is a plug-and-play solution to authenticate, authorize, and encrypt data on existing operational technology systems. I am also excited about our work securing electric vehicle fast-charging stations and researching into telecommunications networks such as 5G.
What do you do for fun outside of work?
Working from home this year gave me the opportunity to spend quality time with my family, especially my kids. I also did home improvements like building a deck and gardening—anything not thinking about computers. I’ve found some fun in automating my house for efficiency with intelligent thermostats, security, cooling systems, etc. It’s hard not to look around and think, which of these devices is going to be the one to go down?
Learn more about NREL’s cybersecurity research.