Grids designed years ago strain to adopt modern information and communications technology. IT and OT converge. Compliance burdens increase. And the lights must stay on. Utilities need security.
UTC helps its member utilities build holistic security programs:
- People are often your first and last line of defense. Inspire and educate them!
- Hardware is vital to protect your infrastructure. Do you know your supply chain?
Software is incredibly sophisticated but must be installed and managed correctly.
Want to engage with the UTC Security Team? Contact us at firstname.lastname@example.org.
Nadya Bartol CISSP CGEIT
Vice President, Industry Affairs and Cybersecurity Strategist
Nadya Bartol leads UTC cybersecurity initiatives world-wide and provides strategic cybersecurity advice to utilities cybersecurity leaders. She was one of the primary forces behind the initiation, justification, development, and completion of the first global standard addressing security risks associated with supplier relationships, ISO/IEC 27036. Before joining UTC, Nadya worked at a global management and technology consulting company where she was responsible for leading multidisciplinary teams to capture, develop, and deliver cybersecurity services to US government and commercial clients.
Bob Lockhart CISSP
Manager, Cybersecurity Programs
Bob Lockhart has five years’ experience in electricity grid cybersecurity, with 23 years’ total experience in information security. He was previously Navigant’s research director of transmission, distribution, smart metering, demand response, home energy, software, telecommunications, data analytics, and cybersecurity.
Security Assessment and Roadmap
UTC Security Assessments and Roadmaps:
- Establish the current status of security in a utility
- Identify security goals based on requirements, environment, and risk appetite
- Capture supply chain risks which may be obscure
- Design a tailored implementation plan
- Consider each utility’s goals and available resources individually
- Follow a well-honed and methodical approach:
- Network Diagrams
- Asset Inventories
- Operating Procedures
- High-level Review of Main Facility
- Interview Functional Mangers
- Interview Security Team
- Interview Senior Leadership
- Validate document review findings with interview responses
- Correlate findings with industry standards and models
- Identify Security Gaps
- Identify Resiliency Gaps
- Identify Baseline
- Identify Desired Security Postures
- Determine Areas of Improvement
- Develop Recommendations
- Use Standards, Best Practices, Expertise
- Organize/Prioritize Recommendations
- Deliver Results
Security Assessments and Roadmaps work best when based upon well-known standards. Your auditors will use those same standards, so why not get ahead of the game and build in compliance?
UTC Security Assessments are based upon recognized global standards:
- ES-C2M2: DoE Electricity Subsector Cybersecurity Capability & Maturity Model
- NIST Cybersecurity Framework
- NERC CIP v5: Reliability Standards for North American Bulk Energy Systems
- ISO/IEC 27001 and 27002: Information Security Management Systems
- ISO/IEC 27036: Information Security in Supplier Relationships
- NIST SP 800-53: Security and Privacy Controls for Federal Information Systems
- NIST SP 800-82: Guide to Industrial Control Systems (ICS) Security
- NIST IR 7628: Guidelines for Smart Grid Cybersecurity
Clients and assessment experts work together to determine the most appropriate standard for any given project.
Beyond assessments and roadmaps, UTC members enjoy the ability to consult with UTC staff or other members on specific issues:
- The UTC Security Team is always available to answer questions, discuss sticky issues, and suggest courses of action
- The UTC Security Committee forum allows any (core???) member to ask a question of their peers. Follow-up can be private or in lively forum discussions
- UTC and its partner suppliers can provide estimates for more detailed technical assistance.
UTC’s IT/OT Security Working Group enables members to exchange ideas as their IT and OT software converge.
Business Intelligence Reports show what information about your utility is readily available on the Internet, either in free or paid sites.
Carnegie Mellon University’s CERT Division of the Software Engineering Institute (SEI) was created in 1988 to coordinate response to internet security incidents. The CERT Division now has more than 150 cybersecurity professionals.
UTC partners with CMU to offer the CERT Division’s STEPfwd Simulation, Training, and Exercise Platform. STEPfwd presents innovative ways to compress the time it takes to build security expertise across a globally distributed workforce.
UTC members can access two distinct packages of the STEPfwd program:
- Technical information systems security package that speaks to the technical information security issues such as those associated with securing the network perimeter and infrastructure devices, network monitoring, wireless networks, IPV6, Domain Name Servers (DNS), and Radio Frequency Identification (RFID).
- Cybersecurity for managers package that speaks to broader security issues including risk management, cyber threats, and incident management fundamentals
Register for CMU STEPfwd courses (requires UTC membership)
(Not sure if this topic is ready for publication on our website)
UTC and Thomas Edison State University (TESU) offer the Graduate Certificate in Cybersecurity – Critical Infrastructure. UTC and its members developed this curriculum to prepare for the coming shortage in cybersecurity skills.
The 100% online curriculum can be completed in one year by full-time employees:
- Foundations of Cybersecurity
- Building Security-Protective Controls
- Monitoring and Detection
- Cybersecurity Risk Management
- System and Solution Lifecycle Cybersecurity Management
The courses blend IT and OT security with a focus on critical infrastructure sectors such as energy, water, gas and transportation.
Learn more at the TESU website.
UTC’s partnership with the SANS Institute offers its members discounted access to courses that utilities will find useful. SANS Institute is a globally recognized premier provider of Security training. UTC members enjoy discounted access to two SANS programs:
- OnDemand training provides access to 30 SANS Institute online courses
- SANS Secure the Human (STH) curriculum focuses on the weakest link in security – the human. STH targets broad user awareness across organizations. UTC members can move utilities towards a security culture where users know the right behaviors and exercise good judgement to protect utility resources.
SANS courses are tailored to multiple audiences like utilities, engineers, and end users
Register for SANS courses with UTC discount (requires UTC membership)
UTC and EnergySec combine to offer NERC CIP Foundations Training for utility cybersecurity professionals. EnergySec’s NERC CIP experts deliver training tailored to UTC member priorities.
EnergySec is a non-profit corporation formed to support energy sector organizations with the security of their critical technology infrastructures. NERC CIP Foundations Training focuses on NERC CIP 5 and beyond to provide utilities the information they need to transition to NERC CIP 5.
UTC members receive discounted access to EnergySec NERC CIP training. The discount applies to EnergySec training events and to UTC-hosted EnergySec classes.
Register with a 30% discount (requires UTC membership)
UTC delivered courses
UTC Supply Chain Training is a full-day course to help utilities and their technology partners secure critical infrastructures. Delivered by UTC and experts from industry and government, these workshops offer practical steps for utilities to protect their supply chains.
About UTC Supply Chain Training and Workshops:
- Delivered by Nadya Bartol, UTC VP of Industry Affairs and Cybersecurity Strategist
- Feature utility leaders and experts, sharing experience and lessons learned
- Presents dos and don’ts of managing security risks in supplier relationships
- Offered at UTC events and at EnergySec events
- Email to email@example.com if you would like to offer the course at your event
Register for UTC Supply Chain Training (requires UTC membership)
UTC’s Security, Risk, and Compliance Committee is chaired and run by member utilities. UTC members share their security risks and triumphs with other utilities in an unfettered and private environment.
UTC offers its utility member a community, a safe and confidential place to exchange ideas and concerns. Members have access to:
- Monthly Security Webinars
- Security Forum Discussions
- IT/OT Security Working Group
- Security Session at UTC Technology & Telecoms Conference
- The Annual Utility Security Summit
These standards and guidelines can help you map your journey to holistic security:
- Supply Chain Risk Management: Free UTC White Paper
- Cybersecurity Procurement Language for Energy Delivery from U.S. Department of Energy (DoE)
- NERC Critical Infrastructure Protection (CIP) Standards
- NIST Cybersecurity Framework
- NIST SP800-53: Security and Privacy Controls for Federal Information Systems and Organizations
- NIST SP800-82: Guide to Industrial Control Systems (ICS) Security
- NIST SP800-161: Supply Chain Risk Management
- NIST IR 7628 Series: Guidelines for Smart Grid Cybersecurity
- ES-C2M2: DoE’s Electricity Subsector Cybersecurity Capability Maturity Model
- ISO/IEC 27000 Series: Information Security Management Systems (requires license)
- ISO/IEC 27036: Information Security in Supplier Relationships (requires license)
Security is the 21st century reliability challenge and requires a holistic approach. Utilities need practical tools and information to secure their operations. To achieve this, UTC represents its members in activities such as:
- NIST Cybersecurity Framework
- Energy Sector Cybersecurity Framework Implementation Guidance
- NIST Framework and NERC CIP Mappings
- CSRIC WG4 Cybersecurity Risk management and Best Practices Report
- Security Guidelines for the Electricity Sector: Control System Electronic Connectivity
- Cybersecurity Procurement Language for Energy Delivery Systems
- DoE Cybersecurity for Energy Delivery Systems R&D Program
UTC participates in global standards bodies:
- IEC Conformity Assessment Board Working Group on Cybersecurity
- ISA/IEC security metrics standard
- Project Editor of ISO/IEC 27036, Information Security for Supplier Relationship
U.S. legislators and regulators regularly seek UTC input regarding utility security projects and research.
UTC Positions and public statements
Statement of Nadya Bartol before the (?? R&D Committee) (Link???)