First Clean Energy Cybersecurity Accelerator Cohort Looks Back and Ahead
Three companies recently completed the inaugural cohort of the Clean Energy Cybersecurity Accelerator™ (CECA): Sierra Nevada Corporation (SNC), Blue Ridge Networks (BRN), and Xage Security (Xage). The CECA program is purpose-built to accelerate emerging cybersecurity technologies into the market by demonstrating and evaluating them in groups, or cohorts, defined by utilities’ prioritized threats or solution gaps.
The National Renewable Energy Laboratory (NREL) performed technical assessments of the companies’ technologies that offer authentication and authorization solutions for industrial control systems, the theme for Cohort 1. The CECA program is managed by NREL and sponsored by the U.S. Department of Energy’s (DOE’s) Office of Cybersecurity, Energy Security, and Emergency Response and utility industry partners Berkshire Hathaway Energy, Duke Energy, and Xcel Energy, in collaboration with DOE's Office of Energy Efficiency and Renewable Energy.
NREL recently released a summary report detailing the first cohort’s evaluations through the Advanced Research on Integrated Energy Systems (ARIES) cyber range. Using the ARIES cyber range’s capability to virtualize and emulate energy systems, Cohort 1 testing allows utilities to better understand how realistic threat scenarios would affect their operations without putting their own networks, assets, or customer information at risk.
Through CECA, the partners performed technical assessments on innovative technologies in the energy sector that help solve urgent security gaps. The collaboration between NREL, DOE, and utility partners proved a fast and effective way to assess the participants’ security devices’ abilities to address emulated threat scenarios in a utility environment.
CECA has been recognized by the White House Office of the National Cyber Director in its National Cybersecurity Strategy as one of the programs created to address Strategic Objective 4.4: Secure Our Clean Energy Future. It was also recognized in the recently published White House National Cybersecurity Strategy Implementation Plan
Key Takeaways From CECA’s First Cohort
CECA’s assessments identified functionality gaps in authentication and authorization solutions. Each company demonstrated that their solution protected against some threats in the Cohort 1 testing environment, however, no one solution offered protection against all threat scenarios. The assessments highlighted the need for utilities to strategically deploy multiple solutions across multiple layers of their networks.
This first cohort also demonstrated the success in using the ARIES cyber range to safely evaluate solutions and help inform utilities about which solutions are ready to deploy and which can be further optimized through continued development.
To capture key takeaways from the participating solution providers themselves, we spoke to each about their overall experience in being part of CECA Cohort 1.
Sierra Nevada Corporation
For Andrew MacDonald, director of cyber programs for SNC, the most important lesson learned during this process was to walk when it comes to utilities, not run.
“We’ve learned we need to make our technology more bite size,” MacDonald said. “Our product, Binary Armor, is designed for deep packet inspection, bidirectional communication, whitelisting, and more. Integrating and operationalizing all these pieces is too much for the utility all at once. Let’s start by solving the most straightforward problem first with a product that can grow with the utility.”
“Our approach is to tackle access control first,” MacDonald said. “Then we can slowly start adding additional cyber defenses to systems. During a possible attack, all the operational technology remains active, and the lights stay on.”
Before expanding into the commercial market by working with utilities, SNC focused on contracts with the U.S. Department of Defense, installing in Air Force bases where it must interface with legacy systems. Because many utilities also have legacy systems, SNC believes it is a good match.
SNC is grateful for the CECA experience, and MacDonald said it gave the company insightful and targeted industry feedback on how Binary Armor can best solve customer needs.
“NREL also provided a gap analysis for us to provide easy product deployment improvements that can have a very significant impact for industry,” he said. “In the process of working with NREL, we learned it’s better to do the lowest common denominator incredibly well and refine that as we go along.”
SNC is now in talks with Berkshire Hathaway Energy about working together.
“CECA provided insight into what utilities need the most right now,” MacDonald said. “Cybersecurity is a complicated problem that has high priority, but there’s not a single answer to solve it. It was a huge privilege to be in the inaugural CECA cohort. The NREL team was very communicative and easy to work with. They are smart people; they ask good questions—it was a great experience overall.”
Blue Ridge Networks
Technology offered by Blue Ridge Networks Inc. uses CyberCloak capabilities to essentially hide networks in the information technology and operational technology spaces to prevent breaches. The product, called LinkGuard, does not require any Internet Protocol network address changes, which makes installation easier while segmenting the network, reducing exposure.
“If they can’t find it, they can’t hack it,” BRN Marketing Director Susan Powell said. “It reduces the battle surface.”
The system can help utilities by allowing them to manage interconnection of control systems from a central point or multiple points but remain segmented, isolated, and secure.
According to BRN, it was easy for evaluators to install LinkGuard and understand where everything fits, and even with no prior experience, BRN was able to walk them through what they needed to do and get the system configured and up and working.
“It was a true honor to be selected,” BRN Senior Systems Engineer Rollo Knoll said. “It’s like an industry award.”
For Xage Vice-President Kip Gering, just being selected for the CECA program was a form of validation.
“We view ourselves as industry leaders,” he said, “both in cybersecurity and industrial operations of utilities and renewables. We were excited to participate, especially knowing the quality of cybersecurity expertise at NREL.”
Xage uses identity-based technology to enable secure access to operations. Fundamentally, it allows operators the ability to create access and interaction policies for industrial control system devices. Workers are able to view and access their authorized devices through a web-based interface.
“For the end user, it’s more convenient because we give you single sign-on with multifactor authentication to all operations,” Xage CEO Duncan Greatwood said. “It’s much safer because if you quit your job, you’re not carrying the memory of passwords with you. This system raises the standard for every piece of equipment including legacy OT assets. One of the things that was very appealing to us in this CECA process is that it was great to have something that went from the most abstract principles all the way into structure with end users and their practical realities.”
Xage already works with renewable energy companies, and CECA helped them accelerate that process, as well as broaden their reach with utilities.
“CECA can help provide insight on the attack vectors with the most direct relevance to energy systems,” Greatwood said. “Demonstrating new cybersecurity capabilities for a higher standard of protection is much needed for utility and clean energy operators.”