The energy transition will bring with it a new generation of cybersecurity challenges for the power sector. While information-sharing has been valuable, strategies to address issues related to vendor security, cyber talent, and lagging investment will also be critical, a former utility supply chain executive who led the development of an industry-wide cybersecurity risk exchange told POWER in an exclusive interview.
Betsy Soehren-Jones, who led Exelon’s Security Strategy before joining Fortress Information Security as its chief operation officer (COO), during a wide-ranging interview warned challenges “are coming from all different directions” as the world grows more interconnected. Solutions will require a keen awareness promoted by a common model, trust with suppliers, informed investments, and key talent, she said.
Soehren-Jones helped Exelon pioneer an industry model for cyber risk assessment and shared that expertise as co-chair of the Supply Chain Committee for the Edison Electric Institute (EEI), as well as while the committee lead for Supply Chain at the North American Transmission Forum (NATF). Both organizations now have standards for evaluating cybersecurity attributes of devices and the exchange of information to the electric utility industry. Soehren-Jones said she joined Fortress, a supply chain cybersecurity provider for critical infrastructure organizations, as a “next step” to help promote the firm’s “holistic approach” to connect information technology and operational technology (OT) assets, and vendors. As the firm’s new COO, Soehren-Jones will focus on the expansion of Fortress’ information exchange, the Asset to Vendor (A2V) Library, a platform that currently hosts information on more than 40,000 vendors and products utilized by more than 40% of the U.S. power grid.
This interview has been edited for length and clarity.
POWER: The power sector is a diverse critical infrastructure industry that is facing a spate of changes—transition changes, fuel changes, regulatory policy, and more. Everywhere you look, there’s some kind of flux. Why is this the right time to join a security company, coming from a utility?
Soehren-Jones: Let me take you back about five years and bring you through my journey on the ‘utility side’ of the house. I came from Exelon, one of the biggest investor-owned utilities (IOUs) in the country. We had six different utility companies across the country, lots of unregulated generation assets, a trading organization, and then obviously, a corporate function. So just about every flavor of cybersecurity was running through Exelon at that point. We needed to make some critical business decisions. Whenever you have a ‘problem’ within the utility industry, one of the things that the utility industry is really good at is getting together and trying to collaborate on solutions. If you think about environmental standards or safety standards, or any others, we all typically come together around the table and say, ‘how should we approach this?’ And we do that because we don’t have to compete for customers.
So, if you just think about the just the regular nature of what [the utility sector does], we’re very collaborative. We started to have conversations related to cyber, and they fell into really two buckets. The first ‘look’ at cyber was information protection. When we are sending information out of our environments into critical suppliers—so think about your engineering firms, law firms—that posed a pretty big cyber risk to us because if that information went outside of our doors or our walls, there wasn’t really a way to protect it. We had to really look at how to come up with a consistent methodology across the industry, considering that many of us use the same types of firms and strategic partners. It wasn’t an Exelon problem. It was an industry problem.
The other thing that we started to look at was: When we buy and install devices into the grid, how do we start to look at during the procurement process to understand the security features and the components that are involved in those devices? And then after we installed them within the grid, how are they operating? How are we monitoring traffic, etc.? Cyber has got a lot of different tentacles to it. And it made the most sense that again to use a typical playbook when it comes to stuff like this and work through the trade organizations.
We sat around the table at Edison Electric Institute (EEI), we sat around the table at the North American Transmission Forum (NATF), and we really started to put together what a good security assessment program would look like, irrespective of the regulations that were coming at us, because if you think about it, regulations focus on a particular part of the grid. The North American Reliability Corp. (NERC) is only looking at transmission—it’s not getting down to distribution. Some states were getting into distribution and not transmission. It needed a much more holistic approach to security.
And so, I ended up becoming the chair at the EEI working group for supply chain cybersecurity, and then I was a major contributor for NATF in this area. [During these conversations], we talked about assessing the vendor population, regardless of whether they fit into that information protection or the device-side of the house, and do it in a consistent manner, so we could really do an ‘apples-to-apples’ comparison of all of our vendors. Then once we started doing business with that vendor, we had our own individual risk programs within each of our utilities, based on the specific risk profiles that we have.
So, for five years, what I’ve been doing is really working not only within Exelon, but across the industry to [understand] those solutions, working out what the process should look like. The problem is that when you are creating something like that, there isn’t a market from a product perspective to support it. So this is where Fortress really comes into the picture for us. We came up with this assessment process. We know what the industry wants to do. Who can be a service provider to us to help us build the tools that we need to enable all of this? There’s a group of us that have been working with Fortress to really develop those products and services that were unique and support that industry model, so we’re at a pretty pivotal point right now where there’s been adoption by many of the major IOUs with Fortress.
Now it really becomes, how do we get it to the mid-level utility companies, and then also the municipalities, and the public power [entities]. I felt like this is a critical juncture to make sure that the industry was protected. It was better for me to move over into Fortress to continue that work, and realize that holistic vision that we’ve been executing. Really the only way to do that is to go in-house and help shepherd some of those conversations and be able to do that in a way where I wasn’t bound by working for one IOU.
POWER: How is Fortress contributing to a holistic vision in a sector that has so many cybersecurity “tentacles,” as you noted?
Soehren-Jones: Fortress is really working with the industry and evolving as the industry is evolving. Fortress is a pretty ‘moldable’ vendor. The first thing that they have stood up is what they call the Asset to Vendor (A2V) Library. This is the place where, if I am working with a vendor and I issue that vendor this industry assessment, this is where that vendor can store the answers to that assessment. All utilities can go and grab the information and start to look at it. The best way to think about it is truly a library. Fortress has built the infrastructure for a central library—a central repository of information that is based on the industry assessment.
The next piece is, it’s a choice. Some utility companies want just the raw data. We can either build an application programming interface (API) into one of their existing systems to pull that information over for them, or Fortress offers a platform. Fortress also offers a solution to do that data analytics. The reason that we separate those two things out is honestly for security. We want to keep those instances very separate from one another: You have an information exchange on one side of the house, and then an individual utility company risk assessment process in a completely separate spot.
POWER: Cybersecurity poses one of the most pervasive risk factors in our industry. Where do you see industry “soft spots” in cybersecurity awareness or strategy?
Soehren-Jones: It’s one thing when you are talking theory, and it’s a different matter when you get a call on a Saturday afternoon that one of your largest construction companies that you utilize for a utility was hit with ransomware. All of a sudden that conversation really just moved from something that a cyber group is handling to now, ‘I’m not getting any construction projects done for my utility because one of my key vendors can’t help me and is not going to be there because they’re dealing with a cyber issue of their own.’ It’s almost become that incidents are a forcing function for all levels across all departments to understand what’s happening because their impact is pretty widespread.
It used to be that the conversation was only, ‘Well what would happen if there was a cyberattack against the utility company itself?’ Well, the harder we’ve made it for the threat actors to get through the front door, the more they have to look at somebody else. Now, they’re starting to look at the weakest link, and that seems to be the vendor population. Well, the minute those events start to happen with vendors, they affect your ability to operate from a nine-to-five perspective. That conversation changes really quickly.
POWER: Can we bank on regulatory or legislative actions to curb risks posed by the vendor population?
Soehren-Jones: I think that from a regulatory perspective, understanding the ‘what’ is important. Getting that intel from the government about ‘what’ are we trying to protect against and ‘what’ we should do to protect against that threat—but not the ‘how.’ I think that that’s where regulations can sometimes go too far is in the ‘how.’ Take a remote terminal unit (RTU) as an example. This is a piece of equipment that every single utility company in the country utilizes, but we utilize it in very different ways. It’s based on the architecture within each of our organizations. The risk of that device to me is not going to be the same risk profile that it is [another company].
Tell me I need to protect the device and tell me what I’m supposed to be looking for. But don’t tell me what exactly I should do with it once it’s installed in my environment. Let me work through the ‘how’ based on the risk that the device poses to me and my own infrastructure. That’s where we’ve got to be really careful with the regulations.
POWER: Industry recently wrapped up an administration-led “100-day plan” to help owners and operators of industrial control systems (ICS) across the power sector to “identify and deploy” technologies and systems that could enable “near real-time” situational awareness and response capabilities in critical ICS OT networks. How effective do you think those measures were? What have been some key takeaways from that measure and others like President Biden’s July 2021 National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems?
Soehren-Jones: Over the last five to seven years, all of us have been trying and struggling with exactly how much do we invest. Where should we invest? What should we be looking at as far as ICS is concerned? The way that I see these pilots, and especially the 100-day plan, is it’s really providing a roadmap for all of us. We may have done this on our own at Exelon and made these investment decisions related to cyber because it was the best business decision for us. But what this is doing is it’s also helping the mid-sized utilities and the smallest ones to come up to basically the same starting line. This is the beginning of getting all of us to the same starting point, which is only going to then allow us to really harness the data that’s coming in.
POWER: Even with larger collaborative measures like these, uncertainty is a primary concern. The pace of change in the power sector is ushering in so much new technology to tackle decarbonization and decentralization. How can we assess the security of new components? Do you think limiting procurement is a good idea from a security perspective? How do we balance that?
Soehren-Jones: It is a balance because, on the one hand, you do not want to, especially in this space, crush research and development and innovation. We need all of the innovation, all of the help we can get in trying to find the right technology [for decarbonization], but there has to be a balance, to your point, on the security side of the house. I think that it can be done by really looking at the bill of materials for both the hardware and the software. That really is the next evolution of the assessment program.
Industry is coming up with a standard methodology for how we are assessing the software bill of materials and the hardware bill of materials, because again, if you give the vendors and those who are working in this space the appropriate guardrails, they can produce products that will be safe. But until we can tell them what our expectations are and what the accountability model is going to look like, it’s going to be difficult for them because they’re constantly going to have to be playing catch up. We did this with environmental, and we did this with safety. So let’s take the same playbook—give them the standards that we expect, at least a baseline set of standards, let them build the security into the devices instead of trying to bolt it on afterward, and have that be part of their R&D process.
POWER: What should we do about existing components?
Soehren-Jones: For existing components, there’s going to be a catch-up period. There has to be a catch-up period. And it has to be done in a way where it is a partnership between the utility companies and the vendor population. I remember hearing a quote about Thomas Edison being able to identify about 70% of the devices in the field—because they didn’t change. You’ve got to give utilities a chance to work with their vendor population to get these protocols really in place, fix or fail. When these devices are failing in the fields, or we go through a storm, and we’ve got to do massive updates and replacements, do it in a way where we’ve got the understanding of when this particular device goes down. Replace it with one that’s got the better safety feature or security features built into it the next time a replacement can be made.
POWER: Given that you’ve held many different positions at the helm of security strategy over what has been a definitive era of public-private collaboration, what is your view on the investment that will be needed for effective cybersecurity?
Soehren-Jones: There still needs to be pretty significant investments on all fronts on cyber. Because we’ve got plenty of devices that are out in the field today that are going to have to be replaced with more expensive ones, which have the security features built into them that we need. And there has to be an understanding with the public utilities commissions (PUCs) that this will be part of the cost profile moving forward. Same thing for the ‘net new types of designs’—so especially your distributive energy. There is going to be an additional cost associated with those new technologies that are going in, not just to build in the security features, but then also to monitor them.
I think that what most people don’t understand about that formula is it’s one thing to secure the device [one time]. It’s another to then staff to monitor all of the information that’s now coming back. So, it’s an initial investment plus a rolling investment every year that’s actually looking at that data. I think that the PUCs are working very diligently across the nation, especially through the National Association of Regulatory Utility Commissioners to understand what that methodology should look like and what’s appropriate. We are in full support of those conversations.
POWER: What in your view is an underreported issue facing cybersecurity?
Soehren-Jones: I would say talent—cyber talent. We are going to have to get smarter with how we utilize cyber talent. That it is going to take a new methodology for how we share talent to do this type of work because there are simply not enough people around with the skillset to be able to if each of us continue to stand up individual programs at every utility company across the U.S. We’re going to hit a wall when it comes to talent.
The next set of discussions once these programs get designed must cover how we are appropriately going to staff them. And it really is an opportunity to retool a lot of industry experts into the cyberspace. I think one of the most successful programs that I’ve seen in industry to date is actually to go the other way and take existing utility professionals who understand the devices, understand how the grid works, and start to retrain them from a cyber perspective, and add that skillset on top. It’s been a very good model.