Podcast: Episode #22 - Joy Ditto: The Evolution of Utility Cybersecurity with NERC CIP

June 1, 2023

In a recent episode of the PrOTect OT Cybersecurity podcast, Aaron conversed with Joy Ditto, a respected figure in the energy sector and President and CEO of Ditto Consulting. She advises companies on vital areas such as cyber and physical security, resilience, broadband, and clean energy development. Previously, she served as the President and CEO of the American Public Power Association and sat on the Blue-Ribbon Panel that assessed the Tennessee Valley Authority's response to a major winter storm.

Aaron and Joy reflected on the origins of NERC CIP, considering the critical New York blackout of the '60s. They recognized that the power industry's move towards integration, while advantageous, exposed the system's weakest links. This awareness led to the formation of the North American Electric Reliability Council, a venture to define best practices for the evolving bulk electric system. As the industry grew more complex with new power sources like wind, they noted that some entities weren't adhering to the best practices. This sparked late '90s discussions about federal backing for electric reliability standards on the bulk power system, primarily focused on physical reliability standards, not cybersecurity.

With the onset of President George W. Bush's tenure in 2001 and crises like the Enron scandal, broader market manipulation conversations began, leading to the Energy Policy Act of 2005. Many viewed reliability legislation as a key driver for the bill, particularly after the 2003 blackout. Joy discussed how cybersecurity only became part of the discussions in the months leading to the Act's passage in 2005. Eventually, the industry pushed for the inclusion of cybersecurity language in the Act. Subsequently, NERC transitioned from a council to a corporation, enabling it to implement the changes required by the new law.

Joy pointed out that the perception of "cyber stuff" being secondary to operational technology (OT) was due to a lack of understanding. The industry, however, began to appreciate the advantages of integrating more advanced technologies, leading to the realization that cybersecurity provisions were necessary. She mentioned a 2006 test conducted on the Aurora vulnerability, revealing a potential for remote disruptions to utilities' operations. Despite some skepticism about the test's validity, the results made their way to CNN, causing significant concerns within Congress and the administration. The utility industry responded by arguing against the need for additional legislation, emphasizing the distinction between operational technology and corporate IT interfaces.

Around 2010-2011, the industry faced concerns about physical security, particularly after an attack on the Metcalf substation in California. The industry advocated for balanced regulation and highlighted the Federal Energy Regulatory Commission's (FERC) ability to focus on specific areas such as physical security or cybersecurity. Despite the current regulatory model's imperfections, the industry's involvement has helped maintain technical expertise and understanding of the electric sector operations. This involvement has curbed excessive regulation, but the potential for more regulation always exists.

Joy also emphasized the iterative nature of the electric grid and cybersecurity. Developing these regulations involves ongoing engagement with industry participants, allowing for constant feedback and adjustment to create more effective and feasible standards. This iterative process ensures that the proposed rules and regulations are practical, reasonable, and can be realistically implemented by various entities, regardless of their size or capacity. It allows for constant negotiation and amendment, providing room for making necessary adjustments based on the unique needs and capacities of different organizations. The process also includes an opportunity for all parties involved to voice their opinions, concerns, and suggestions before finalizing the regulations.

This iterative approach, in Joy's view, also applies to the education and understanding of OT (Operational Technology) versus IT (Information Technology). She believes ongoing conversation and learning are needed at all levels to fully grasp the unique aspects of OT and its differentiation from IT, contributing to the development of more industry-specific regulations. There is frequent confusion about IT vs. OT, as well as convergence, amongst policymakers and decision-makers at utilities. Technical experts play a key role in translating the complex and specific jargon for audiences including policymakers, who require a simpler but fundamentally accurate understanding of these concepts.

This blog post only scratches the surface of the discussion. Listen to the full episode with Joy Ditto to glean more from her invaluable insights.