2020 Deloitte Renewable Energy SeminarRenewables for a sustainable future September 24, 2020
Sharon Chand, Principal, Deloitte & Touche LLP
Sam Icasiano, Senior Manager, Deloitte & Touche LLP
Cybersecurity for renewables: Keeping up with the rapid pace of innovation
2020 Deloitte Renewable Energy Seminar | Copyright © 2020 Deloitte Development LLC. All rights reserved. | 3
Agenda
Cyber threat landscape for renewable energy developers, owners and operators 5
Drivers which can lead to the need for cybersecurity services 6
Supply chain attacks are on the rise 8
Cybersecurity for Distributed Energy Management/Storage Management 10
Manufacturing and R&D 12
Identifying the right balance between security and agility 13
New technologies with solar energy 15
Cyber Threat Landscape for Renewable Energy developers, owners and operators
Threats are relentless and increasing as systems become more interconnected and accessible
• Operational technologies like Supervisory Control and Data Acquisition (SCADA) need a different approach to security than traditional IT controls
• Malware may be leveraged against multiple sites simultaneously
• Physical security has often not been sufficiently covered in the security design; there are inherent risks for renewables given the large geographic landscape required for facilities
• Third-party remote access raises additional risks
• Multiple communication links to renewable sites given the number of parties involved (e.g., owner/operator, OEM, market participants)
• Many components are sourced from overseas and may not be secure, or could conflict with pending regulatory requirements
• Competition continues to grow in intensity – cyber attacks can be impactful across many facets of operations
Of the sixteen Department of Homeland Defense identified critical infrastructure sectors, energy is atypical as it provides an enabling function across sectors
• 3,300 utilities delivering power through 200,000 miles of high-voltage transmission lines, 55,000 substations, and 5.5 million miles of distribution lines [1]
• Incapacitation or destruction could significantly impact the nation's security, economic stability, public health and/or safety
Sources:
1. https://www.scientificamerican.com/article/what-is-the-smart-grid/
2. https://www.eenews.net/stories/1060254751
3. https://www.fireeye.com/current-threats/threat-intelligence-reports.html
4. https://www.powermag.com/wp-content/uploads/2018/03/dragos_2017-industrial-control-system-threats.pdf
What’s driving the need for better cybersecurity?
New cyber regulations became enforceable on January 1, 2020 (NERC CIP “Low Impact”) [1]
All generation resources operating over 100 kV must comply. Penalties for non-compliance can be significant ($1M per day, per violation).
Expansion of resources operated by a single entity
If an entity crosses a 1500 MW threshold of aggregate generation at a single control center, it reaches the next tier of requirements in NERC CIP. This threshold adds 100+ cyber requirements in scope.
Recent events driving a response to threats
10/2019 – Renewable developer hit with cyber attack due to firewall vulnerability [2]
04/2020 – Utility/renewable entity in Europe targeted by ransomware attack [3]
New technologies focused on speed to value – less secure
Solar+, Internet of Things (IoT), battery management systems, etc. use less secure “lightweight” communication protocols and cloud-based web/database servers.
Sources:
1. https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
2. https://www.eenews.net/stories/1061421301
3. https://www.hydroreview.com/2020/04/17/portugals-edp-hit-with-costly-ransomware-attack/#gref
Supply chain as a potential threat vector is under scrutiny
In addition to other supply chain risk areas, organizations are exposed to a wide variety of cyber and physical security risks when working with external vendors, such as:
• Low visibility into supply chain security vulnerabilities
• Limited availability of data and analytics for better, timely decision-making
• Reliance on third parties to maintain security practices & procedures, including verification of fourth-party security controls
• Inability to keep up with emerging supply chain regulations
• Foreign adversaries and other bad actors embedding malware into supply chain components
Executive order on securing the US bulk power system
• An Executive Order was signed on May 1, 2020, halting the installation of bulk-power system (BPS) equipment “designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.” [1]
• The executive order aims to address weaknesses in the utility sector supply chain.
The 4 Main Components of the Executive Order
1. Prohibits any acquisition, importation, transfer, or installation of bulk-power system electric equipment which has a nexus with any foreign adversary and poses an undue risk to national security, the economy, or the safety and security of United States persons.
2. Authorizes the Secretary of Energy to establish criteria for recognizing particular equipment and vendors as “pre-qualified”.
3. Calls for identifying any now-prohibited BPS equipment already in use, allowing the government to develop strategies and to work with asset owners to identify, isolate, monitor, and replace this equipment as appropriate; and
4. Establishes a Task Force on Federal Energy Infrastructure Procurement Policies Related to National Security, which will focus on the coordination of Federal Government procurement of energy infrastructure and the sharing of risk information and risk management practices.
Source:
1. https://www.whitehouse.gov/presidential-actions/executive-order-securing-united-states-bulk-power-system/
How the Executive Order could impact renewable energy organizations
Technology enablement to illuminate your environments, understand your vendor ecosystem, and provide better data for making business decisions in accordance with regulatory requirements
Third-party risk management
• Maintain vendor profile and ecosystem mapping
• Fourth- and fifth-party identification
• Identification of foreign suppliers
• Sub-components library
• Integration with rating agencies
• Pro-active alerting and notification
Users of vendor information
• IT/OT procurement planning
• Facility design
• Supplier selection
• Alternatives and risk mitigation
• Workforce impacts
• Downstream business impacts
Environment illumination
• Asset discovery technologies
• Discovery and inventory
• Ongoing monitoring
• IT/OT asset data: vendor, hardware, firmware, and other device-level attributes
Security risk assessments | Approved vendor lists | Independent assessors | SOC2
Cybersecurity for Distributed Energy Management/Storage Management Systems
IoT and cloud computing technologies are expected to advance distributed energy and battery management systems
Potential Threats from Cybersecurity Vulnerabilities
• Unauthorized software updates / changing source code on IoT devices
• Unauthorized access to data storage in IoT devices
• Insecure IoT network protocols
• SQL injection attack on the cloud database
• Unauthorized cloud access from unauthorized IoT devices/botnets
Cyber Attack Defense Strategies for IoT and Cloud
• Strategies for securing IoT software
 − Design secure coding practices for the IoT devices
 − Package source code as libraries, executables and obfuscated code
• Strategy for network security
 − Authentication key-enabled IoT protocol for the IoT network
 − TLS/SSL security for the TCP/IP protocol
 − Key-based authentication for SSH security
• Strategies for SQLi mitigation
 − Constrain and sanitize input data
 − Use type-safe SQL parameters for data access
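The two SQLi mitigations listed above (constrain the input, bind it as a typed parameter) are easiest to see side by side. The following Python is an added example, not code from the presentation or from Deloitte; it uses an in-memory SQLite table as a stand-in for a cloud telemetry database, and the table layout, column names and the `abc-123` device-ID format are assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample data: telemetry rows from inverters and a battery
# management system, standing in for the cloud database in the slide.
SAMPLE_ROWS = [
    ("inv-001", "site-a", 412.5),
    ("inv-002", "site-a", 398.0),
    ("bms-007", "site-b", 51.2),
]

# Assumed device-ID format: three lowercase letters, a dash, three digits.
DEVICE_ID_RE = re.compile(r"[a-z]{3}-[0-9]{3}")


def make_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE telemetry (device_id TEXT, site TEXT, power_kw REAL)"
    )
    conn.executemany("INSERT INTO telemetry VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, device_id):
    """The anti-pattern: the caller's string is spliced into the SQL text,
    so anything it contains is parsed as SQL syntax, not as a value."""
    sql = (
        "SELECT device_id, site, power_kw FROM telemetry "
        f"WHERE device_id = '{device_id}'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, device_id):
    """Mitigation 2 (type-safe parameters): the value is bound by the driver
    and compared literally, so it can never change the query's structure."""
    sql = "SELECT device_id, site, power_kw FROM telemetry WHERE device_id = ?"
    return conn.execute(sql, (device_id,)).fetchall()


def lookup_hardened(conn, device_id):
    """Mitigation 1 + 2: reject input that does not match the expected
    shape, then bind it. The constraint is defence in depth; it also keeps
    junk out of logs and downstream systems."""
    if not DEVICE_ID_RE.fullmatch(device_id):
        raise ValueError(f"rejected device_id: {device_id!r}")
    return lookup_parameterized(conn, device_id)


def compare(device_id):
    """Run the same input through all three lookups and report row counts,
    so the effect of each mitigation can be checked on one input."""
    conn = make_db()
    try:
        hardened = len(lookup_hardened(conn, device_id))
    except ValueError:
        hardened = "rejected"
    return {
        "vulnerable": len(lookup_vulnerable(conn, device_id)),
        "parameterized": len(lookup_parameterized(conn, device_id)),
        "hardened": hardened,
    }


if __name__ == "__main__":
    # A well-formed ID gives one row everywhere; a malformed one is only
    # dangerous in the string-spliced version.
    print(compare("inv-001"))
    print(compare("x' OR '1'='1"))
```

Running the block prints the row counts for a well-formed ID and for a malformed one; only the string-spliced lookup returns every row for the malformed input, the parameterized lookup returns none, and the hardened lookup refuses it before the database is touched.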
Blockchain for a trustworthy IoT network and data security
• Blockchain is a distributed chronological ledger that maintains a continuously growing list of data records secured from tampering and revision.
• Because a blockchain is hosted, updated and validated by individual peer nodes rather than by a single centralized authority, it improves the trust, security, and transparency of transactions.
Cybersecurity risks in the manufacturing and R&D landscape
Cyber Espionage
Intrusion into the company’s network that leads to exfiltration of intellectual property or disruption of manufacturing by a competitor to gain a business advantage.
Potential impacts:
- Physical machine disruption
- Blocked business expansion
- Supply chain compromise
- IP and R&D theft
Patching & CVEs
Inability to update or patch manufacturing machines based on incompatibility with older machines or a need for high availability (e.g., unable to have extended downtime).
Potential impacts:
- Increased likelihood of device compromise
- Persistent vulnerabilities
- Incompatibility of security software for monitoring
Third-Party Vendors
Compromise of a trusted third-party partner or vendor that leads to an intrusion within the company’s network.
Potential impacts:
- Network compromise
- Privileged account abuse
- Direct access to third-party tools on the company’s network
Data Breach
Infiltration of a company’s network that leads to a data breach of customer data, company confidential or other sensitive information.
Potential impacts:
- GDPR or other applicable fines
- Reputational impact
- Customer loss
- Leaked IP or trade secrets
Priorities between agility vs. security
In the highly competitive renewable market, agility is key to success. Security and agility, sometimes seen as two opposing priorities, can co-exist.
Culture: The organization needs to stop seeing security as an obstacle and instead see security as an integral part of the application itself.
Tools: Architects do not have the time or resources to be devoted specifically to security. It has to fit in with the goal of speed. The right scanning tools have to be implemented to help facilitate this. The tools provide feedback on vulnerabilities as code is written and deployed.
Education: Developers do not need to be security specialists, but they do need the skills to write secure code from the start and help make security better understood.
Responsibility: Architects should be measured not just on speed and quality, but on security as well. Implementing security KPIs for the entire company and metrics for developers can make sure everyone is doing their part and making security the priority it needs to be.
Parting thoughts: Working to future-proof the industry
Carbon reduction goals, corporate sustainability practices, and environmental factors all point to the continuing growth of the renewables industry. Renewable energy operators, and the suppliers to those entities, will continue being the target of cyber attacks. Innovation without security embedded into the process can create opportunities for attackers.
What can be done?
• Look at planned expansion activities and consider when NERC CIP thresholds for control centers may be reached – plan ahead!
• For developers and manufacturers, evaluate supply chain risk, particularly reviewing key suppliers and their security practices, as more scrutiny and regulation is on the horizon
• Conduct security risk assessments against commonly accepted frameworks to determine where gaps, risks, and opportunity areas may exist
• Force security into the design of new technology projects and embed security workstreams as a must-have!
Services
• Physical security monitoring and integration
• Industrial Internet of Things (“IIoT”) design and implementation
• NERC CIP & NIST benchmarking and implementation
• Cyber risk quantification & cyber board reporting
• Security architecture review and design
• Cybersecurity M&A due diligence reviews
• Secure supply chain strategy, implementation and operation
• Security solution system integration / implementation
Cyber is everywhere
Connect with us
Sharon Chand, Principal, Cyber Risk Services – Strategy & Governance, Deloitte & Touche LLP, +1 312 486 [email protected]
Sam Icasiano, Senior Manager, Cyber Risk Services – Strategy & Governance, Deloitte & Touche LLP, +1 973 602 [email protected]
This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms or their related entities (collectively, the “Deloitte organization”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser.
No representations, warranties or undertakings (express or implied) are given as to the accuracy or completeness of the information in this communication, and none of DTTL, its member firms, related entities, employees or agents shall be liable or responsible for any loss or damage whatsoever arising directly or indirectly in connection with any person relying on this communication. DTTL and each of its member firms, and their related entities, are legally separate and independent entities.
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities (collectively, the “Deloitte organization”). DTTL (also referred to as “Deloitte Global”) and each of its member firms and related entities are legally separate and independent entities, which cannot obligate or bind each other in respect of third parties. DTTL and each DTTL member firm and related entity is liable only for its own acts and omissions, and not those of each other. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more.
© 2020. For information, contact Deloitte Global.