In The Boardroom With...
Mr. Dave Schmitt
IoT Vertical Solutions Group: Utilities
SecuritySolutionsWatch.com: Thank you for joining us today, Dave. Before discussing Cisco IoT solutions and the utility space in greater detail, please tell us about your background.
Dave Schmitt: I’ve been working with networks for about 25 years now. I joined Cisco a little over 15 years ago and have been working with the utility industry - both large and small organizations in varying capacities ever since. I currently am lead architect responsible for Cisco's global utility vertical in their Internet of Things solutions group.
SecuritySolutionsWatch.com: Care to elaborate on Cisco’s unique capabilities in this critical infrastructure market…why Cisco?
Dave Schmitt: Many of the technologies being deployed to support smart grid projects--such as smart meters, sensors, and advanced communications networks--can make the grid more vulnerable to attack.
Cisco grid security solutions deliver an integrated, converged approach to security that simplifies compliance and mitigates risk in a cost-effective manner. Customers gain visibility into IoT devices and enforce security policies by building security into the network infrastructure and OT-centric security appliances. Knowing that data and systems are protected, customers can confidently put smart grid to work to improve efficiency, safety, and customer experience.
SecuritySolutionsWatch.com: Our conversation today could not be timelier. The NY Times, on February 29, 2016, reported that, “The Obama administration has warned the nation’s power companies, water suppliers and transportation networks that sophisticated cyber attack techniques used to bring down part of Ukraine’s power grid two months ago could easily be turned on them.”
(A note to our readers: additional details about this cyber attack are available from The Department of Homeland Security here. And, Cisco’s Threat Environment White Paper…is a must read (http://www.cisco.com/c/dam/en/us/products/collateral/se/internet-of-things/C11-735871.pdf).)
What is your perspective, Dave, on the current threat landscape facing utilities?
Dave Schmitt: Utilities are especially popular, high-profile targets for attacks. According to the Cisco Security Capabilities Benchmark Study, 73% of utility IT security professionals say they’ve suffered a public security breach, compared with an average of 55% in other industries. Most U.S. utilities have already undertaken substantial security measures throughout many parts of their systems. However, the nature of cyber threats and vulnerabilities keeps changing.
U.S. utilities have, for several years, been deploying IoT technology (aka Smart Grid) because it enables significant business and operational benefits: increased grid reliability, enhanced integration of renewables and other distributed energy resources, reduced operating costs, and more. However, all of this opportunity comes with the tradeoffs of increased complexity and new risks.
The legions of new network connections to more devices in more parts of utility power systems pose security challenges. From turbine controllers to thumb drives, every network-connected device represents a potential entry or execution point for attacks by insiders, hackers, criminals, terrorist groups or nations.
SecuritySolutionsWatch.com: Can we drill down into Cisco’s product portfolio for IoT security? What are the specific solutions and benefits that Cisco delivers?
Dave Schmitt: Cisco IoT System Security delivers security at scale, simplifies compliance, and builds trust. The product portfolio includes OT-specific security appliances, the capability to use the network as a sensor and enforcer and physical security.
We also have solutions built on this product portfolio for specific utility needs such as substation security. The latest evolution of the Substation Security Solution helps enable utilities to meet the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) Version 5 mandated standards to monitor, log, and diagnose systems with ease. The Cisco Validated Design solution eases the increasing burden of compliance reporting and audit response for utilities.
SecuritySolutionsWatch.com: Let’s talk about the regulatory environment for a moment. “In 2014, NERC initiated a program to help industry transition directly from the currently enforceable CIP Version 3 standards to CIP Version 5. The goal of the transition program is to improve industry’s understanding of the technical security requirements for CIP Version 5, as well as the expectations for compliance and enforcement.” (http://www.nerc.com/pa/CI/Pages/Transition-Program.aspx). Tell us a bit about the journey that utilities take with Cisco to achieve compliance.
Dave Schmitt: NERC CIP v5 represents an opportunity to address security in a comprehensive manner. Rather than a prescriptive approach with predetermined measures, utilities now will take a risk-based approach to achieve compliance. The transition from “how” to “what” requirements may help utilities focus on security, rather than paperwork.
NERC-CIP requires utilities to inventory their assets and rate them as having low, medium or high potential impact. Consequently, several utility assets that previously were deemed non-critical, including some smaller substations, must now be brought into NERC-CIP compliance. This helps address the problem that, previously, some utilities claimed to have few or no critical bulk power system assets. But today, security is required for every substation — it’s just a matter of how much.
Developing a NERC CIP compliance program represents a valuable opportunity for a utility to gain a deeper understanding of its security priorities — including where security intersects with IT and OT organizations, and how cross-departmental coordination and collaboration might help enhance overall security.
SecuritySolutionsWatch.com: Customers have noted that they’ve chosen Cisco grid security because of the integrated, converged approach. Care to elaborate for us on this vital integration point?
Dave Schmitt: Utilities have some unique needs such as geographic distribution. Very few industries control such a widely distributed infrastructure that connects so directly with citizens. Consequently, when there is a utility system failure, the impact to, and feedback from, customers is immediate and sharp — and often, quickly followed by increased scrutiny by regulators and the media.
Further, many utility OT departments are now managing networks far larger than their IT departments ever had to. Many utilities face challenges with the scale of securing IoT-enabled systems. They need security solutions that can be applied cost effectively across hundreds of thousands, or even millions, of nodes.
Cisco delivers security solutions that build security into the network infrastructure to address the problem of scale through consistent, policy-based enforcement of controls. We integrate on other important levels as well including digital and physical security and common practices across IT and OT teams.
SecuritySolutionsWatch.com: Black & Veatch seems to have summed it up pretty well. “Cybersecurity vendors are aware that utility data infrastructures and their associated OA&M require specialized architectural constructs. These environments have specific security posture visibility needs as well as industry specific status and compliance reporting requirements. For years, we’ve been engaged with Cisco, who has demonstrated active engagement in understanding utility customers and their unique security requirements.” Any other customer voices or success stories you’d like to mention?
Dave Schmitt: Yes, it’s been our experience that there are unique characteristics within the utility segment as well as formidable security challenges. Some examples include:
- The geographic diversity of assets
- The scale at which communications and security must be addressed
- Digital and physical security in challenging outdoor environments
However, we have significant experience and many partners who share our viewpoint and can help. Some helpful resources include:
SecuritySolutionsWatch.com: Thanks again Dave for taking us on our journey today.