Grids designed years ago strain to adopt modern information and communications technology. IT and OT converge. Compliance burdens increase. And the lights must stay on. Utilities need security.

UTC helps its member utilities build holistic security programs:

  • People are often your first and last line of defense. Inspire and educate them!
  • Hardware is vital to protect your infrastructure. Do you know your supply chain?
  • Software is incredibly sophisticated but must be installed and managed correctly.

UTC services, education programs, member programs, and resources help pave your way to “secure”.

Want to engage with the UTC Security Team? Contact us at cybersecurity@utc.org.


Nadya Bartol, CISSP, CGEIT
Vice President, Industry Affairs and Cybersecurity Strategist

Nadya Bartol leads UTC cybersecurity initiatives worldwide and provides strategic cybersecurity advice to utility cybersecurity leaders. She was one of the primary forces behind the initiation, justification, development, and completion of ISO/IEC 27036, the first global standard addressing security risks in supplier relationships. Before joining UTC, Nadya worked at a global management and technology consulting company, where she led multidisciplinary teams that captured, developed, and delivered cybersecurity services to US government and commercial clients.


Bob Lockhart, CISSP
Manager, Cybersecurity Programs

Bob Lockhart has five years’ experience in electricity grid cybersecurity and 23 years’ total experience in information security. He was previously research director at Navigant, covering transmission, distribution, smart metering, demand response, home energy, software, telecommunications, data analytics, and cybersecurity.

Security Services

Security Assessment and Roadmap
UTC Security Assessments and Roadmaps:

  • Establish the current status of security in a utility
  • Identify security goals based on requirements, environment, and risk appetite
  • Capture supply chain risks, which may be obscure
  • Design a tailored implementation plan
  • Consider each utility’s goals and available resources individually
  • Follow a well-honed and methodical approach:
      • Review documentation: policy, guidelines, network diagrams, architecture, asset inventories, and operating procedures
      • Conduct a high-level review of the main facility
      • Interview functional managers, the security team, and senior leadership
      • Validate document review findings against interview responses
      • Correlate findings with industry standards and models
      • Identify security gaps, resiliency gaps, the current baseline, and the desired security posture
      • Determine areas of improvement
      • Develop recommendations drawing on standards, best practices, and expertise
      • Organize and prioritize recommendations
      • Deliver results

Standards-based assessments

Security Assessments and Roadmaps work best when based upon well-known standards. Your auditors will use those same standards, so why not get ahead of the game and build compliance in from the start?

UTC Security Assessments are based upon recognized global standards:

  • ES-C2M2: DOE Electricity Subsector Cybersecurity Capability Maturity Model
  • NIST Cybersecurity Framework
  • NERC CIP v5: Critical Infrastructure Protection Reliability Standards for the North American Bulk Electric System
  • ISO/IEC 27001 and 27002: Information Security Management Systems and Code of Practice for Information Security Controls
  • ISO/IEC 27036: Information Security for Supplier Relationships
  • NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
  • NIST SP 800-82: Guide to Industrial Control Systems (ICS) Security
  • NIST IR 7628: Guidelines for Smart Grid Cybersecurity

Clients and assessment experts work together to determine the most appropriate standard for any given project.

Technical Assistance

Beyond assessments and roadmaps, UTC members can consult with UTC staff or other members on specific issues:

  • The UTC Security Team is always available to answer questions, discuss sticky issues, and suggest courses of action
  • The UTC Security Committee forum allows any member to ask a question of their peers. Follow-up can be private or take place in lively forum discussions
  • UTC and its partner suppliers can provide estimates for more detailed technical assistance

UTC’s IT/OT Security Working Group enables members to exchange ideas as their IT and OT systems converge.

Business Intelligence Reports show what information about your utility is readily available on the Internet, on both free and paid sites.

Ecosystem – Vendor Catalog

Under construction.

Education and Training

Carnegie Mellon University’s CERT Division of the Software Engineering Institute (SEI) was created in 1988 to coordinate response to internet security incidents. The CERT Division now has more than 150 cybersecurity professionals.

UTC partners with CMU to offer the CERT Division’s STEPfwd Simulation, Training, and Exercise Platform. STEPfwd presents innovative ways to compress the time it takes to build security expertise across a globally distributed workforce.

UTC members can access two distinct packages of the STEPfwd program:

  • A technical information systems security package that addresses technical information security issues such as securing the network perimeter and infrastructure devices, network monitoring, wireless networks, IPv6, the Domain Name System (DNS), and Radio Frequency Identification (RFID)
  • A cybersecurity for managers package that addresses broader security issues, including risk management, cyber threats, and incident management fundamentals

Register for CMU STEPfwd courses (requires UTC membership)


UTC and Thomas Edison State University (TESU) offer the Graduate Certificate in Cybersecurity – Critical Infrastructure. UTC and its members developed this curriculum to prepare the industry for the coming shortage of cybersecurity skills.

The 100% online curriculum can be completed in one year by full-time employees and consists of five courses:

  • Foundations of Cybersecurity
  • Building Security-Protective Controls
  • Monitoring and Detection
  • Cybersecurity Risk Management
  • System and Solution Lifecycle Cybersecurity Management

The courses blend IT and OT security with a focus on critical infrastructure sectors such as energy, water, gas and transportation.

Learn more at the TESU website.

UTC’s partnership with the SANS Institute offers its members discounted access to courses that utilities will find useful. The SANS Institute is a globally recognized provider of security training. UTC members enjoy discounted access to two SANS programs:

  • OnDemand training provides access to 30 SANS Institute online courses
  • The SANS Securing The Human (STH) curriculum focuses on the weakest link in security: the human. STH targets broad user awareness across the organization. With it, UTC members can move their utilities towards a security culture in which users know the right behaviors and exercise good judgment to protect utility resources.

SANS courses are tailored to multiple audiences, including utilities, engineers, and end users.

Register for SANS courses with UTC discount (requires UTC membership)

UTC and EnergySec jointly offer NERC CIP Foundations Training for utility cybersecurity professionals. EnergySec’s NERC CIP experts deliver training tailored to UTC member priorities.

EnergySec is a non-profit corporation formed to support energy sector organizations in securing their critical technology infrastructures. NERC CIP Foundations Training focuses on NERC CIP v5 and beyond, giving utilities the information they need to transition to NERC CIP v5.

UTC members receive discounted access to EnergySec NERC CIP training. The discount applies to EnergySec training events and to UTC-hosted EnergySec classes.

Register with a 30% discount (requires UTC membership)


UTC delivered courses

UTC Supply Chain Training is a full-day course that helps utilities and their technology partners secure critical infrastructure. Delivered by UTC together with experts from industry and government, these workshops offer practical steps utilities can take to protect their supply chains.

About UTC Supply Chain Training and Workshops:

  • Delivered by Nadya Bartol, UTC VP of Industry Affairs and Cybersecurity Strategist
  • Features utility leaders and experts sharing experience and lessons learned
  • Presents the dos and don’ts of managing security risks in supplier relationships
  • Offered at UTC events and at EnergySec events
  • Email cybersecurity@utc.org if you would like to offer the course at your event

Register for UTC Supply Chain Training (requires UTC membership)

Security Programs for UTC Members

UTC’s Security, Risk, and Compliance Committee is chaired and run by member utilities. UTC members share their security risks and triumphs with other utilities in an unfettered and private environment.

UTC offers its utility members a community: a safe and confidential place to exchange ideas and concerns. Members have access to:

  • Monthly Security Webinars
  • Security Forum Discussions
  • IT/OT Security Working Group
  • Security Session at UTC Technology & Telecoms Conference
  • The Annual Utility Security Summit

UTC Resources

Reference Library

These standards and guidelines can help you map your journey to holistic security:

Security Advocacy

Security is the 21st-century reliability challenge and requires a holistic approach. Utilities need practical tools and information to secure their operations. To that end, UTC represents its members in activities such as:

  • NIST Cybersecurity Framework
  • Energy Sector Cybersecurity Framework Implementation Guidance
  • NIST Framework and NERC CIP Mappings
  • CSRIC WG4 Cybersecurity Risk Management and Best Practices Report
  • Security Guidelines for the Electricity Sector: Control System Electronic Connectivity
  • Cybersecurity Procurement Language for Energy Delivery Systems
  • DOE Cybersecurity for Energy Delivery Systems R&D Program

UTC participates in global standards bodies:

  • IEC Conformity Assessment Board Working Group on Cybersecurity
  • ISA/IEC security metrics standard
  • Project Editor of ISO/IEC 27036, Information Security for Supplier Relationships

U.S. legislators and regulators regularly seek UTC input regarding utility security projects and research.

UTC Positions and public statements

Statement of Nadya Bartol before the Subcommittee on Oversight and the Subcommittee on Energy, Committee on Science, Space, and Technology, U.S. House of Representatives


News and Events

Click here to review events