The transformation of the U.S. electric grid sparked wide adoption of various Smart Grid technologies and enhanced connectivity. This elevated the importance of cyber security for all members of the ecosystem—from small to large electric utilities to the Smart Grid vendors serving these utilities. As the attack surface of the electric grid increases, so does the sophistication and determination of adversaries, ranging from individual hackers to nation states. If cyber security risks facing our nation’s electric grid go unaddressed, a major cyber event impacting electricity delivery to millions of people is quite probable.

How Vantage Point helps energy companies build and maintain secure software

Building a cyber risk-management program is a complex endeavor that requires an experienced partner to help you navigate the challenges and maximize the return on your security investment. Vantage Point has a long and distinguished history in energy sector application security and vulnerability assessment, having worked with large investor-owned utilities (IOUs), rural electric cooperatives, and Smart Grid vendors serving electric utilities.

In partnership with NRECA and the U.S. Department of Energy (DOE), Vantage Point created the Guide to Developing a Cyber Security and Risk Mitigation Plan to help utilities address cyber security risks holistically and systematically. The plan has been widely praised by DOE. Vantage Point also helped write the DOE’s Electric Subsector Cybersecurity Capability Maturity Model (ES-C2M2).

Vantage Point empowers utilities to address mandatory NERC Critical Infrastructure Protection (CIP) compliance requirements for annual Cyber Vulnerability Assessment (CVA) audits. Vantage Point pairs this process with laying the foundation for a comprehensive, end-to-end, risk-based mitigation approach to application security.

Vantage Point goes beyond vulnerability assessments. Below are just a few of the ways in which Vantage Point can strengthen your energy organization’s application security program:

  • Gap Analysis & Remediation Planning. Understand the current state of your application security program and identify where gaps exist against defined best practices. This phase provides your organization with a custom remediation plan that’s based on your unique risk profile.
  • Remediation Plan Execution. Mitigate your risks by executing the remediation plan customized for your company. This phase helps you establish a new application security program or fine-tune your existing program.
  • Ongoing Program Execution. Continually execute and enhance your application security activities to maintain a security posture in which your organization’s risks stay within defined tolerance levels. This phase enables proper risk management and cost-effective compliance with existing and upcoming cyber security regulations.

Why secure software is essential to your energy company

As an industry-leading player, you need to develop or adopt new technologies that will give you a competitive advantage, increase your operational efficiency and effectiveness, and reduce costs—all while still taking appropriate security measures. The three biggest cyber security risks facing electric utilities today all involve adversaries impacting the reliability of electricity delivery:

  • Compromising software and firmware that’s running on various Smart Grid components such as smart meters, demand/response systems, outage management systems, and so on.
  • Gaining remote access to utility operational networks (through either technical weakness or social engineering).
  • Compromising environments of third parties delivering products and services to electric utilities.

These security risks, if realized, could result in loss of life and/or limb, loss of shareholder value, and regulatory fines. To address these security risks, Vantage Point recommends that electric utilities:

  • Introduce security-aware software supply chain management processes.
  • Define and operationalize a comprehensive software security initiative.
  • Increase security awareness within the organization with comprehensive training.
