Electric utilities form the backbone of modern society, and that importance brings with it enormous responsibility. Ensuring the cybersecurity of this critical infrastructure has always been crucially important.

We recently sat down with our Founder and CEO, Matt Wyckhouse, to discuss cybersecurity in electric utilities, CIP Regulations, and CIP 13, specifically.

Let's explore the takeaways regarding regulations and changes shaping the landscape of electric utility cybersecurity:  

The Bedrock: CIP Regulations

  • Historical Context: Electric utilities have long been subject to mandatory cybersecurity requirements, centered on the NERC Critical Infrastructure Protection (CIP) Reliability Standards.
  • CIP's Role: Developed by NERC and made mandatory and enforceable in the US under FERC oversight (and adopted in much of Canada), the CIP standards govern compliance for entities that own or operate the Bulk Electric System and dictate what those utilities must implement for enhanced security.

Spotlight on CIP 13: Software Supply Chain Security

  • Introduction: The most relevant standard for software supply chain security is CIP 13 (formally NERC CIP-013, Cyber Security - Supply Chain Risk Management), one of the latest additions to the CIP suite; its first version became enforceable in October 2020.
  • Requirements:
    • Responsible entities must have, and implement, documented supply chain cyber security risk management plans covering their high and medium impact BES Cyber Systems.
    • One mandatory element of those plans is verifying the integrity and authenticity of software and patches supplied by a vendor before they are installed. The companion operational check sits in CIP-010, which requires verifying the identity of the software source and the integrity of the software obtained before a change to a baseline configuration.

Breaking Down Authenticity & Integrity

  1. Authenticity: The software or update came from the vendor the utility trusts, not from someone impersonating that vendor. In practice that means checking a signature under a key the utility has independently bound to the vendor; a hash published next to the download on the same channel does not prove origin, because an attacker who can swap the file can swap the hash.
  2. Integrity: A somewhat ambiguous term. At its core, integrity means the software arrived unaltered, bit for bit what the vendor released. The deeper implication some read into it is that the software is itself secure, free of known vulnerabilities or malicious components. That ambiguity has sparked discussion of further revisions to CIP 13 in the coming years.
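The two checks above side by side, as an added example written for this article rather than code from the interview or from any vendor. It assumes a hypothetical release format: a JSON manifest of per-file SHA-256 digests, signed with an Ed25519 key whose public half the utility obtained out of band. The signature provides authenticity, the digests provide integrity, and the third scenario shows why a matching hash on its own says nothing about origin.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Manifest is the vendor's signed list of release files and their SHA-256 digests.
// Hypothetical format chosen for this example; real vendors ship detached PGP
// signatures, Authenticode, etc., but the two checks below are the same.
type Manifest struct {
	Release string            `json:"release"`
	Digests map[string]string `json:"digests"` // file path -> hex SHA-256
}

// canonical returns the bytes that get signed. encoding/json sorts map keys,
// so the same manifest always serializes identically.
func (m Manifest) canonical() []byte {
	b, _ := json.Marshal(m)
	return b
}

// buildManifest hashes every file in a release (done by whoever packages it).
func buildManifest(release string, files map[string][]byte) Manifest {
	m := Manifest{Release: release, Digests: map[string]string{}}
	for path, data := range files {
		sum := sha256.Sum256(data)
		m.Digests[path] = hex.EncodeToString(sum[:])
	}
	return m
}

// Result keeps the two properties CIP 13 asks for separate.
type Result struct {
	Authentic bool // manifest signature verifies under the vendor's public key
	Intact    bool // every file matches its listed digest; nothing missing or extra
	Reason    string
}

// verifyRelease is the utility-side check. Authenticity is checked first: a
// digest match proves nothing if the manifest itself could have been written
// by an attacker.
func verifyRelease(files map[string][]byte, m Manifest, sig []byte, vendorPub ed25519.PublicKey) Result {
	if !ed25519.Verify(vendorPub, m.canonical(), sig) {
		return Result{false, false, "manifest signature does not verify under the vendor key"}
	}
	for path, want := range m.Digests {
		data, ok := files[path]
		if !ok {
			return Result{true, false, "listed file missing: " + path}
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			return Result{true, false, "digest mismatch: " + path}
		}
	}
	for path := range files {
		if _, ok := m.Digests[path]; !ok {
			return Result{true, false, "file not in manifest: " + path}
		}
	}
	return Result{true, true, "ok"}
}

// Scenarios runs three constructed deliveries through verifyRelease: the genuine
// release, the same release with one file modified in transit, and a repackaged
// release whose attacker-built manifest is self-consistent (every digest matches)
// but signed with the attacker's key rather than the vendor's.
func Scenarios() (genuine, tampered, repackaged Result) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	release := map[string][]byte{ // constructed sample files
		"rtu-firmware.bin":  []byte("constructed firmware image v4.0.2"),
		"release-notes.txt": []byte("constructed release notes"),
	}
	m := buildManifest("4.0.2", release)
	sig := ed25519.Sign(vendorPriv, m.canonical())
	genuine = verifyRelease(release, m, sig, vendorPub)

	modified := map[string][]byte{
		"rtu-firmware.bin":  []byte("constructed firmware image v4.0.2 + implant"),
		"release-notes.txt": release["release-notes.txt"],
	}
	tampered = verifyRelease(modified, m, sig, vendorPub)

	evilManifest := buildManifest("4.0.2", modified)
	evilSig := ed25519.Sign(attackerPriv, evilManifest.canonical())
	repackaged = verifyRelease(modified, evilManifest, evilSig, vendorPub)
	return
}

func main() {
	g, t, r := Scenarios()
	fmt.Printf("genuine:    %+v\ntampered:   %+v\nrepackaged: %+v\n", g, t, r)
}
```

The order of the checks is the point: the repackaged release passes every digest comparison, so a utility that only verifies hashes against a manifest it downloaded from the same place as the files would accept it. Only the signature check, against a vendor key that did not travel with the download, rejects it.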

The Emergence of SBOMs

  • Current Trends: Electric utilities are increasingly adopting Software Bills of Materials (SBOMs). It is now common for utilities to request an SBOM from their vendors.
  • Future Predictions: Given the momentum, it's plausible CIP 13 could evolve to mandate SBOMs for critical segments of the bulk electric system.

Proactivity in the Electric Utility Sector

  • Addressing Risks: Despite the regulatory environment, electric utilities are not just waiting for mandates. They are actively taking steps to mitigate risks.
    • Examples include using SBOMs, Vulnerability Exploitability eXchange (VEX) documents, and other vulnerability reports to learn what components a product contains and which of the known vulnerabilities in those components are actually exploitable in that product.
  • Robust Programs: Many electric utilities have already established comprehensive software supply chain risk management programs. While initial approaches were more manual, the trend is shifting towards automation, with a rising demand for machine-readable vulnerability reports.
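How an SBOM and a VEX are joined in an automated program, as an added example that is not from the interview or from any product. The inputs are constructed CycloneDX 1.4 documents with made-up component names and placeholder vulnerability IDs; the triage rules (what each VEX state means for the utility, and what to do with a VEX statement that names a component the SBOM does not contain) are this example's own policy, not anything CIP 13 prescribes.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed sample inputs, not from any real vendor: a CycloneDX 1.4 SBOM and
// a CycloneDX VEX document that refers to the SBOM's components by bom-ref.
const SampleSBOM = `{"bomFormat":"CycloneDX","specVersion":"1.4","components":[
 {"bom-ref":"pkg:generic/json-parser@2.3.1","name":"json-parser","version":"2.3.1"},
 {"bom-ref":"pkg:generic/libcrypto-example@1.1.0","name":"libcrypto-example","version":"1.1.0"},
 {"bom-ref":"pkg:generic/rtu-firmware-loader@4.0.2","name":"rtu-firmware-loader","version":"4.0.2"}]}`

const SampleVEX = `{"bomFormat":"CycloneDX","specVersion":"1.4","vulnerabilities":[
 {"id":"VULN-EXAMPLE-1","analysis":{"state":"not_affected","justification":"code_not_reachable"},
  "affects":[{"ref":"pkg:generic/json-parser@2.3.1"}]},
 {"id":"VULN-EXAMPLE-2","analysis":{"state":"exploitable"},
  "affects":[{"ref":"pkg:generic/libcrypto-example@1.1.0"}]},
 {"id":"VULN-EXAMPLE-3","affects":[{"ref":"pkg:generic/rtu-firmware-loader@4.0.2"}]},
 {"id":"VULN-EXAMPLE-4","analysis":{"state":"not_affected"},
  "affects":[{"ref":"pkg:generic/legacy-hmi@0.9"}]}]}`

// Minimal subset of the CycloneDX fields the triage needs; other fields are ignored.
type Component struct {
	BOMRef  string `json:"bom-ref"`
	Name    string `json:"name"`
	Version string `json:"version"`
}

type Analysis struct {
	State string `json:"state"` // exploitable, in_triage, not_affected, false_positive, resolved, ...
}

type Vulnerability struct {
	ID       string    `json:"id"`
	Analysis *Analysis `json:"analysis"` // nil when the VEX carries no decision
	Affects  []struct {
		Ref string `json:"ref"`
	} `json:"affects"`
}

type Document struct {
	Components      []Component     `json:"components"`
	Vulnerabilities []Vulnerability `json:"vulnerabilities"`
}

// Finding is one (vulnerability, component) pair and the action it needs.
type Finding struct {
	Vuln, Component, Action string
}

// Triage joins the VEX onto the SBOM. A "not_affected" statement only counts when
// the component it names is actually in the SBOM, and a vulnerability with no
// analysis is surfaced for review rather than silently dropped.
func Triage(sbomJSON, vexJSON []byte) ([]Finding, error) {
	var sbom, vex Document
	if err := json.Unmarshal(sbomJSON, &sbom); err != nil {
		return nil, fmt.Errorf("sbom: %w", err)
	}
	if err := json.Unmarshal(vexJSON, &vex); err != nil {
		return nil, fmt.Errorf("vex: %w", err)
	}
	byRef := make(map[string]Component, len(sbom.Components))
	for _, c := range sbom.Components {
		byRef[c.BOMRef] = c
	}
	var out []Finding
	for _, v := range vex.Vulnerabilities {
		state := ""
		if v.Analysis != nil {
			state = v.Analysis.State
		}
		for _, a := range v.Affects {
			f := Finding{Vuln: v.ID, Component: a.Ref}
			c, known := byRef[a.Ref]
			if !known { // a suppression for a component we do not ship cannot be applied
				f.Action = "unresolved reference (not in SBOM)"
				out = append(out, f)
				continue
			}
			f.Component = c.Name + "@" + c.Version
			switch state {
			case "":
				f.Action = "needs review (no VEX decision)"
			case "in_triage":
				f.Action = "needs review (vendor still triaging)"
			case "not_affected", "false_positive":
				f.Action = "suppressed (" + state + ")"
			case "resolved", "resolved_with_pedigree":
				f.Action = "resolved by vendor (confirm the fixed version is what is installed)"
			case "exploitable":
				f.Action = "patch required (exploitable)"
			default:
				f.Action = "needs review (unrecognized state " + state + ")"
			}
			out = append(out, f)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Vuln < out[j].Vuln })
	return out, nil
}

func main() {
	findings, err := Triage([]byte(SampleSBOM), []byte(SampleVEX))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-15s %-30s %s\n", f.Vuln, f.Component, f.Action)
	}
}
```

This is the part of the workflow that only works when the inputs are machine-readable: a PDF advisory cannot be joined against an SBOM, but a VEX keyed by bom-ref can, and the join also exposes vendor statements that refer to components the utility never received.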

The Need for Transparency and Collaboration

The electric utility sector, home to some of the most vital assets, must maintain the highest security standards. Therefore, vendors supplying software to critical areas like substations and other Operational Technology (OT) networks within utilities must be transparent. This transparency fosters a collaborative relationship, ensuring the safety and security of the electric grid.

Wrapping Up

Cybersecurity in the electric utility sector is evolving rapidly. With emerging regulations, proactive risk management, and an emphasis on transparency, the industry is gearing up to face modern threats head-on, ensuring a secure and reliable power supply for all.