Three companies recently completed the inaugural cohort of the Clean Energy Cybersecurity
Accelerator™ (CECA): Sierra Nevada Corporation (SNC), Blue Ridge Networks (BRN), and
Xage Security (Xage). The CECA program is purpose-built to accelerate emerging cybersecurity
technologies into the market by demonstrating and evaluating them in groups, or cohorts,
defined by utilities’ prioritized threats or solution gaps.
The National Renewable Energy Laboratory (NREL) performed technical assessments of
the companies’ technologies that offer authentication and authorization solutions
for industrial control systems, the theme for Cohort 1. The CECA program is managed by NREL and sponsored by the U.S. Department of Energy’s
(DOE’s) Office of Cybersecurity, Energy Security, and Emergency Response and utility
industry partners Berkshire Hathaway Energy, Duke Energy, and Xcel Energy, in collaboration
with DOE’s Office of Energy Efficiency and Renewable Energy.
Cybersecurity researchers demonstrate the Advanced Research on Integrated Energy Systems
(ARIES) cyber range on NREL’s campus. The cyber range provides the ability to virtualize,
emulate, and visualize energy systems subjected to energy disruption scenarios. Photo by Werner Slocum, NREL
CECA Cohort 1 testing used NREL’s Advanced Research on Integrated Energy Systems (ARIES)
cyber range. Using the ARIES cyber range’s capability to virtualize and emulate energy
systems, Cohort 1 testing allows utilities to better understand how realistic threat
scenarios would affect their operations without putting their own networks, assets,
or customer information at risk.
Through CECA, the partners performed technical assessments on innovative technologies
in the energy sector that help solve urgent security gaps. The collaboration between
NREL, DOE, and utility partners proved a fast and effective way to assess the participants’
security devices’ abilities to address emulated threat scenarios in a utility environment.
CECA has been recognized by the White House Office of the National Cyber Director
in its National Cybersecurity Strategy as one of the programs created to address Strategic Objective 4.4: Secure Our Clean Energy Future. It was also recognized in the recently published White House National Cybersecurity Strategy Implementation Plan
Key Takeaways From CECA’s First Cohort
CECA’s assessments identified functionality gaps in authentication and authorization
solutions. Each company demonstrated that their solution protected against some threats
in the Cohort 1 testing environment, however, no one solution offered protection against
all threat scenarios. The assessments highlighted the need for utilities to strategically
deploy multiple solutions across multiple layers of their networks.
This first cohort also demonstrated the success in using the ARIES cyber range to
safely evaluate solutions and help inform utilities about which solutions are ready
to deploy and which can be further optimized through continued development.
To capture key takeaways from the participating solution providers themselves, we
spoke to each about their overall experience in being part of CECA Cohort 1.
Sierra Nevada Corporation
For Andrew MacDonald, director of cyber programs for SNC, the most important lesson
learned during this process was to walk when it comes to utilities, not run.
“We’ve learned we need to make our technology more bite size,” MacDonald said. “Our
product, Binary Armor, is designed for deep packet inspection, bidirectional communication,
whitelisting, and more. Integrating and operationalizing all these pieces is too much
for the utility all at once. Let’s start by solving the most straightforward problem
first with a product that can grow with the utility.”
“Our approach is to tackle access control first,” MacDonald said. “Then we can slowly
start adding additional cyber defenses to systems. During a possible attack, all the
operational technology remains active, and the lights stay on.”
Before expanding into the commercial market by working with utilities, SNC focused
on contracts with the U.S. Department of Defense, installing in Air Force bases where
it must interface with legacy systems. Because many utilities also have legacy systems,
SNC believes it is a good match.
SNC is grateful for the CECA experience, and MacDonald said it gave the company insightful
and targeted industry feedback on how Binary Armor can best solve customer needs.
“NREL also provided a gap analysis for us to provide easy product deployment improvements
that can have a very significant impact for industry,” he said. “In the process of
working with NREL, we learned it’s better to do the lowest common denominator incredibly
well and refine that as we go along.”
SNC is now in talks with Berkshire Hathaway Energy about working together.
“CECA provided insight into what utilities need the most right now,” MacDonald said.
“Cybersecurity is a complicated problem that has high priority, but there’s not a
single answer to solve it. It was a huge privilege to be in the inaugural CECA cohort.
The NREL team was very communicative and easy to work with. They are smart people;
they ask good questions—it was a great experience overall.”
Blue Ridge Networks
Technology offered by Blue Ridge Networks Inc. uses CyberCloak capabilities to essentially
hide networks in the information technology and operational technology spaces to prevent
breaches. The product, called LinkGuard, does not require any Internet Protocol network address changes, which makes installation
easier while segmenting the network, reducing exposure.
“If they can’t find it, they can’t hack it,” BRN Marketing Director Susan Powell said.
“It reduces the battle surface.”
The system can help utilities by allowing them to manage interconnection of control
systems from a central point or multiple points but remain segmented, isolated, and
secure.
According to BRN, it was easy for evaluators to install LinkGuard and understand where everything fits, and even with no prior experience, BRN was able
to walk them through what they needed to do and get the system configured and up and
working.
“It was a true honor to be selected,” BRN Senior Systems Engineer Rollo Knoll said.
“It’s like an industry award.”
Xage Security
For Xage Vice-President Kip Gering, just being selected for the CECA program was a
form of validation.
“We view ourselves as industry leaders,” he said, “both in cybersecurity and industrial
operations of utilities and renewables. We were excited to participate, especially
knowing the quality of cybersecurity expertise at NREL.”
Xage uses identity-based technology to enable secure access to operations. Fundamentally,
it allows operators the ability to create access and interaction policies for industrial
control system devices. Workers are able to view and access their authorized devices
through a web-based interface.
“For the end user, it’s more convenient because we give you single sign-on with multifactor
authentication to all operations,” Xage CEO Duncan Greatwood said. “It’s much safer
because if you quit your job, you’re not carrying the memory of passwords with you.
This system raises the standard for every piece of equipment including legacy OT assets.
One of the things that was very appealing to us in this CECA process is that it was
great to have something that went from the most abstract principles all the way into
structure with end users and their practical realities.”
Xage already works with renewable energy companies, and CECA helped them accelerate
that process, as well as broaden their reach with utilities.
“CECA can help provide insight on the attack vectors with the most direct relevance
to energy systems,” Greatwood said. “Demonstrating new cybersecurity capabilities
for a higher standard of protection is much needed for utility and clean energy operators.”
