When cyber threats were less of an issue than they are today, the relationship between a utility and a vendor was based on discussions about bugs that could be found in products or systems. The utility often qualified hardware reliability and tested the software and algorithms embedded in the product. The qualification of a product characterized, in detail, its behavior. The qualified hardware and software were carefully managed to guarantee overall behavior.
As far as cyber security is concerned, this strategy is becoming almost impossible to maintain. That’s thanks to a new factor that’s entered the picture: vulnerability. One example is the “heartbleed” vulnerability that was recently discovered on a communication stack called OPENSSL. Numerous releases of OPENSSL contained this vulnerability, leading several companies to release new firmware for their products and systems.
As a result, regulators are imposing requirements to update affected devices with the latest secure firmware versions—especially when a crypto library is at stake. In this case, it’s almost impossible to redo devices’ full qualification processes. Systems are sometimes even more complex because no direct business relationship exists between the utility and the device manufacturer. In some complex ecosystems, contractors, integrators, panel builders, and manufacturers are involved. The problem of asset management is becoming more complex and utilities are often left with the challenge of how to address these constraints.
This issue is also becoming critical for utilities because some insurance companies now refuse to compensate system damage caused by a cyber attack if all known patches have not been properly applied. It’s become clear that all equipment, including operational technology devices, must follow the same rules, and that all the components—including internal device software libraries—must be identified and documented.
In the realm of Asset Management, the lack of a standardized approach is a problem that must be overcome.
To learn more, read the white paper, “A Framework for Developing and Evaluating Utility Substation Cyber Security,” and let me know what you think. Or have a look at the previous posts in this series: