Process

From CyberWiki

Processes, Integration, and Standards: Researching and developing technical approaches to address the process and coordination challenges associated with cyber security (e.g., cyber-informed engineering, governance, risk management, workforce development, etc.). Cyber security requires people and processes to implement and maintain measures consistent with strategies. Security tools will not be effective without a trained workforce and repeatable processes. Studies show that people are often an organization's weakest cyber security link. For example, the 2024 Verizon Data Breach Investigations Report found that 68% of breaches involve the human element.

Key process and integration topics include:

  • Governance, Risk, and Compliance
  • Program Development
  • Workforce Development
  • Supply Chain

Governance, Risk, and Compliance

Governance, Risk, and Compliance refers to organizations’ integrated approach to ensuring that their cyber security programs are aligned with business objectives, compliant with regulations, and resilient against cyber threats. Effective GRC strategies allow organizations to proactively manage risks, maintain regulatory compliance, and enhance their overall cybersecurity posture.

Challenges and key practices with GRC in power generation facilities include:

  • NIST Cyber Security Framework 2.0 (Draft) adds “GOVERN” as the sixth function.
  • Regulatory compliance has traditionally been the major driving force in shaping cyber security processes and integration; emerging incentives from investor interests and the government are now encouraging the industry to go beyond compliance.
    • Regulations are always changing, and their requirement scope expanding. For instance, in North America, five high-priority NERC standards projects affecting CIP standards are planned to be completed by 2024, which address virtualization, Internal Network Security Monitoring, enhancing low impact category, etc. In the European Union, the NIS2 Directive came into force in 2023 and Member States have until October 2024 to transpose its measures into national law.
    • In the U.S., FERC issued an order establishing incentive-based rate treatment to encourage utilities' investments in Advanced Cyber Security Technology and participation in cyber security threat information sharing programs.
  • A risk-informed approach allows for optimal cyber security programs that remain resistant to changing threats, regulations, and asset lifecycles. Implementing an effective risk management program involves several components. It is crucial to ensure that consistent and periodic risk assessments are performed to respond to evolving cyber threats. Risk Assessment refers to identifying, analyzing, and evaluating potential risks. A practical risk-based approach also involves Risk Treatment and Risk Monitoring to accompany the Risk Assessment. Risk Treatment refers to strategic actions and measures to mitigate, transfer, or accept identified risks. Risk Monitoring is a continuous process that follows Risk Treatment to evaluate the effectiveness of the implemented risk mitigations.

Relevant EPRI Resources

Program Development

Program management refers to the strategic development, documentation, monitoring, and communication of cyber security processes. Mature cyber security program management allows consistent and effective implementation of strategies and promotes continuous improvement.

Current program development key practices include standards and IT/OT integration:

  • Organizations may use frameworks or standards, such as the NIST Cybersecurity Framework, NERC CIP, and CIS Critical Security Controls, to develop and structure their cyber security programs.
  • Increased IT/OT integration demands that the OT cyber security program align with, learn from, and adapt to corporate IT processes, and mature alongside them. An example is data governance and information security. As OT data has become more available and more widely utilized, organizations have established data governance and information security frameworks for OT data, often utilizing, referencing, or adapting their existing IT information security frameworks.

Relevant EPRI Resources

Workforce Development

Workforce development is a crucial component of cyber security process and integration. It ensures that competent and adequate resources effectively carry out and manage the developed cyber security program.

Current workforce development challenges and key practices in power generation include:

  • The development of the Operational Technology (OT) cyber security workforce is challenging due to the need for a blend of specialized knowledge in OT and cyber security. This creates a competitive landscape for a limited talent pool, further exacerbated by the scarcity of industry-specific learning materials and platforms.
  • The cyber security workforce includes many stakeholders, including personnel in core OT cyber security, IT security, physical security, compliance, procurement, operations, maintenance, and senior leadership. In a survey conducted in 2020, P209 members identified tailored, role-based cyber security training as one of the gaps.
  • Energy transformation introduces a new set of workforce requirements. Renewable generation assets are often remotely located, are minimally manned, incorporate new technologies, and require more external connections (including third-party vendors).
  • The NIST NICE Workforce Framework for Cybersecurity provides a set of building blocks for describing the tasks, knowledge, and skills that are needed to perform cyber security work.

Relevant EPRI Resources

Supply Chain

Supply chain cybersecurity involves safeguarding, from cyber threats and vulnerabilities, the interconnected network of organizations, processes, and technologies that contribute to producing and delivering goods and services.

Current supply chain key practices and challenges include:

  • The complex nature of supply chains involving multiple stakeholders, technologies, and processes makes security challenging.
  • Attacks against the supply chain vary widely and include third-party code libraries, software development tools, distribution, remote access, and attacks against vendors.
  • Visibility is largely limited and incomplete. Source code visibility is rare for commercially available software. Standardized software bills of materials (SBOMs) and hardware bills of materials (HBOMs) are being driven by U.S. federal government initiatives but have not been widely implemented in the private sector.
  • In North America, NERC standards CIP-003, CIP-005, CIP-010, and CIP-013 address the supply chain and vendor remote access requirements.

Relevant EPRI Resources