What, if Anything, Have We Learned From Cybersecurity Regulation So Far?

Center for Policy Studies
Public Affairs Discussion Group


Tom Alrich – consultant on cybersecurity regulation especially for the electric power industry

Friday February 11, 2022
12:30-1:30 p.m.
Online Zoom Meeting

Dear Colleagues:

Greetings from the dead of winter. Again. There has been too much snow and plenty of cold BUT, unlike in Texas last year, the power distribution systems – both electricity and natural gas – have kept us warm (as of Sunday the 6th; I hope those aren’t famous last words).

We continue with the “Friday Lunch,” a CWRU tradition since 1989. I would like to think we’ll be able to have some in-person meetings sometime during the term, but it doesn’t look like a discussion with people eating lunch in relatively close quarters is a good idea yet. For now, we’ll continue presenting experts from campus and sometimes beyond to discuss important issues for the university, local community, nation or the international stage. This Friday’s topic involves, among other things, how sure we can be that the power systems will help us stay warm.

This Week’s Program

In the good old days of, say, two decades ago, the big threats involved energy sources becoming too expensive, or maybe overgrown trees in northern Ohio causing a high-voltage line to shut down and the local utility’s alarm system failing, causing 50 million people to lose power. Weather events remain a major concern, especially if the industry and policy-makers do little to anticipate them, as in Texas a year ago with Winter Storm Uri. But we now have to worry about a much newer type of risk, from what we might call cyber-insecurity.

Thus in May of last year, hackers seeking ransom caused Colonial Pipeline, “which controls nearly half the gasoline, jet fuel and diesel flowing along the East Coast, to shut off the spigot.” It did so because the hack disabled the pipeline’s ability to bill for deliveries of product, which meant it could not pay the shippers. Then there are continual reports of Russian actors having already seeded the U.S. electric grid with malware. There are risks to electric grid generation, transmission, and distribution systems; and the Government Accountability Office reports that, “distribution systems – which carry electricity from transmission systems to consumers and are primarily regulated by states… are growing more vulnerable, in part because their industrial control systems increasingly allow remote access and connect to business networks.” In a world of tightly and widely linked systems a flaw can spread quickly, sort of like a – well, a virus.

So what can be done about cyber-security threats to power distribution? There are three basic approaches in such situations. One is to have experts of some sort develop voluntary standards that generators, transmission providers, and so on choose to follow, as has been done for a wide range of consumer products. A second is to collect and distribute a great deal of information so that, when problems emerge, they can be addressed quickly to mitigate spread. President Biden’s Executive Order 14028 on cybersecurity has a section on “Removing Barriers to Sharing Threat Information,” intended to facilitate that approach. The third is to issue regulations, with the force of law, ordering firms or agencies to take specific defensive measures. For example, in August the Transportation Security Administration (TSA) issued new regulations in response to the Colonial Pipeline hack (pipelines count as common carriers of products, like railroads or trucks, so fall under the TSA).

A lot of what little I know about this topic comes from reading my friend Tom Alrich’s blog. Tom has worked on these issues for more than a decade and can explain the amazing alphabet soup of problems, organizations, and processes (NERC-CIP, SBOMs, VEX – it goes on). He can explain how major software development often involves combining over a hundred pre-existing components, each with its own known or unknown vulnerabilities, and so the Software Component Transparency Initiative and the calls to fix problems with the National Vulnerability Database (NVD). In this talk he will emphasize the challenges of regulation, illustrated by the problems with TSA’s response to the Colonial Pipeline hack. But I hope we can have a discussion that helps us understand the scope of the challenge.

Though it may make me pine for the days of the Whole Earth Catalog and wood-burning stoves.

Signing In

This semester’s discussions will begin at 12:30 p.m., the usual time. The meeting will be set up to run from Noon to 2:00 p.m., so that people are not all signing in at the same time and the discussion can run a bit long. Each week we will send out this newsletter with information about the topic. It will also include a link to register (for free) for the discussion. Every Monday the same information will be posted on our website: fridaylunch.case.edu.

If you register, you will automatically receive from the Zoom system the link to join the meeting. This week’s link for registration is:

https://cwru.zoom.us/meeting/register/tJEtd-ytqj0jGNTT8kGMUhKmkDlkzW2Tka4R

After registering, you will receive a confirmation email containing information about joining the meeting.

Please e-mail padg@case.edu if you have questions about how the Zoom version of the Friday Lunch will work or any other suggestions. Or call 216 368-2426 and we’ll try to get back to you. We are very pleased to be partnering this semester with the Siegal Lifelong Learning Program to share information about the discussions.

Best wishes for safety and security for you and yours,

Joe White
Luxenberg Family Professor of Public Policy and Director, Center for Policy Studies


About Our Guest

Tom Alrich is a well-known independent consultant and blogger on cybersecurity regulation and supply chain cybersecurity, for the electric power and other industries. Tom has consulted in these areas since 2008, working previously for Honeywell and Deloitte. Since 2018, Tom has been an independent consultant. Tom has especially focused on software supply chain cybersecurity in the past two years, and is an active volunteer participant in the Software Component Transparency Initiative of the National Telecommunications and Information Administration of the Department of Commerce (this effort has now moved under the Cybersecurity and Infrastructure Security Agency of DHS). This work includes being co-leader of the ongoing Software Bill of Materials Proof of Concept for the electric power industry, sponsored by CISA and Idaho National Laboratories, part of the Department of Energy.

Tom lives in Evanston, Illinois and has a BA in Economics from the University of Chicago.

Schedule of Friday Lunch Upcoming Topics and Speakers:

February 18: TBA

February 25: The Impact of the COVID-19 Pandemic on Election Administration, Voting Options, and Turnout in the 2020 U.S. Election. With Paul S. Herrnson, Ph.D., Professor of Political Science, University of Connecticut.

March 4: The Present and Future of Cryptocurrency. With Peter Zimmerman, Ph.D., Research Economist, Federal Reserve Bank of Cleveland.

March 11: Spring Break

March 18: Inflation. With Mark Sniderman, Ph.D., Executive in Residence and Adjunct Professor of Economics, Weatherhead School of Management; former Executive Vice President, Federal Reserve Bank of Cleveland.

March 25: Covid-19 Through Covid-22: The More Things Change the More They Stay the Same? With Mark Cameron, Ph.D., Associate Professor of Population and Quantitative Health Sciences.

April 1: The French Presidential Election. With Patrick Chamorel, Ph.D., Senior Resident Scholar and Lecturer, Stanford in Washington, Stanford University.

April 8: Greening the Grid: The Energy Storage Challenge. With Robert F. Savinell, Ph.D., Distinguished University Professor and George S. Dively Professor of Chemical Engineering.

April 15: TBA

April 22: TBA


Center for Policy Studies | Mather House 111 | 11201 Euclid Avenue |
Cleveland, Ohio 44106-7109 | Phone: 216.368.6730 | padg@case.edu |
Part of the: College of Arts and Sciences
