{"id":1178,"date":"2022-02-11T18:08:23","date_gmt":"2022-02-11T18:08:23","guid":{"rendered":"https:\/\/artsci.case.edu\/fridaylunch\/?p=1178"},"modified":"2024-06-10T18:17:10","modified_gmt":"2024-06-10T18:17:10","slug":"what-if-anything-have-we-learned-from-cybersecurity-regulation-so-far","status":"publish","type":"post","link":"https:\/\/artsci.case.edu\/fridaylunch\/2022\/02\/11\/what-if-anything-have-we-learned-from-cybersecurity-regulation-so-far\/","title":{"rendered":"What, if Anything, Have We Learned From Cybersecurity Regulation So Far?"},"content":{"rendered":"<table width=\"640\" align=\"center\">\n<tbody>\n<tr>\n<td align=\"center\" valign=\"top\" width=\"702\">\n<table width=\"637\" align=\"center\">\n<tbody>\n<tr>\n<td colspan=\"3\" valign=\"top\" bgcolor=\"#ffffff\" width=\"629\"><img loading=\"lazy\" class=\"alignnone size-full wp-image-839\" src=\"https:\/\/artscimedia.case.edu\/wp-content\/uploads\/sites\/238\/2024\/06\/07135207\/cas_logo_newsletters2.jpg\" alt=\"college of arts and sciences logo\" width=\"336\" height=\"100\" \/><br \/>\n<strong><span style=\"color: #0a304e; font-family: Arial, Helvetica, sans-serif;\">Center for Policy Studies<br \/>\nPublic Affairs Discussion Group<\/span><\/strong><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<tbody>\n<tr>\n<td colspan=\"3\" valign=\"top\" bgcolor=\"#ffffff\"><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table width=\"640\" align=\"center\">\n<tbody>\n<tr>\n<td valign=\"top\" width=\"502\">\n<table width=\"627\">\n<tbody>\n<tr>\n<td align=\"left\" valign=\"top\" width=\"98%\" height=\"33\"><span style=\"color: #0a304e;\"><strong>What, if Anything, Have We Learned From Cybersecurity Regulation So Far?<\/strong><\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table width=\"627\">\n<tbody>\n<tr>\n<td align=\"left\" valign=\"top\" width=\"70%\">\n<p><img loading=\"lazy\" class=\"alignnone size-full wp-image-1179\" 
src=\"https:\/\/artscimedia.case.edu\/wp-content\/uploads\/sites\/238\/2024\/06\/10181652\/alrich_tom.jpg\" alt=\"headshot\" width=\"120\" height=\"151\" \/><\/p>\n<p><span style=\"color: #0a304e;\"><strong>Tom Alrich &#8211; consultant on cybersecurity regulation especially for the electric power industry<\/strong><\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<tbody>\n<tr>\n<td valign=\"top\" bgcolor=\"FFFFFF\" width=\"70%\"><span style=\"color: #0a304e;\"><strong>Friday February 11, 2022<br \/>\n12:30-1:30 p.m.<br \/>\nOnline Zoom Meeting<\/strong><\/span><\/p>\n<p><span style=\"color: #0a304e;\">Dear Colleagues:<\/p>\n<p>Greetings from the dead of winter. Again. There has been too much snow and plenty of cold BUT, unlike in Texas last year, the power distribution systems \u2013 both electricity and natural gas \u2013 have kept us warm (as of Sunday the 6th; I hope those aren\u2019t famous last words).<\/p>\n<p>We continue with the\u00a0<strong>\u201cFriday Lunch,\u201d a CWRU tradition since 1989<\/strong>. I would like to think we\u2019ll be able to have some in-person meetings sometime during the term, but it doesn\u2019t look like a discussion with people eating lunch in relatively close quarters is a good idea yet. 
For now, we\u2019ll continue presenting experts from campus and sometimes beyond to discuss important issues for the university, local community, nation or the international stage.\u00a0<strong>This Friday\u2019s topic involves, among other things, how sure we can be that the power systems will help us stay warm.<\/strong><\/span><\/p>\n<h3>This Week\u2019s Program<\/h3>\n<p><span style=\"color: #0a304e;\"><strong>In the good old days of, say, two decades ago,<\/strong>\u00a0the big threats involved energy sources becoming too expensive, or maybe<\/span>\u00a0<a href=\"https:\/\/www.scientificamerican.com\/article\/2003-blackout-five-years-later\/\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0a304e;\">overgrown trees in northern Ohio<\/span><\/a>\u00a0<span style=\"color: #0a304e;\">causing a high-voltage line to shut down and the local utility\u2019s alarm system failing, causing 50 million people to lose power. Weather events remain a major concern, especially if the industry and policy-makers do little to anticipate them, as<\/span>\u00a0<a href=\"https:\/\/energy.utexas.edu\/sites\/default\/files\/UTAustin%20%282021%29%20EventsFebruary2021TexasBlackout%2020210714.pdf\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0a304e;\">in Texas a year ago<\/span><\/a>\u00a0<span style=\"color: #0a304e;\">with Winter Storm Uri. 
But we now have to worry about a much newer type of risk, from what we might call\u00a0<strong>cyber-insecurity<\/strong>.<\/p>\n<p>Thus in May of last year, hackers seeking ransom caused Colonial Pipeline, \u201c<\/span><a href=\"https:\/\/www.nytimes.com\/2021\/05\/14\/us\/politics\/pipeline-hack.html\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0a304e;\">which controls nearly half the gasoline, jet fuel and diesel flowing along the East Coast, to shut off the spigot<\/span><\/a><span style=\"color: #0a304e;\">.\u201d It did so because the hack disabled the pipeline\u2019s<\/span>\u00a0<a href=\"https:\/\/bpnews.com\/beyond-mains\/colonial-pipeline-shutdown-and-its-implications-oil-and-gas-industry\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0a304e;\">ability to bill<\/span><\/a>\u00a0<span style=\"color: #0a304e;\">for deliveries of product, which meant it could not pay the shippers. Then there are continual reports of Russian actors having<\/span>\u00a0<a href=\"https:\/\/tomalrichblog.blogspot.com\/search?q=russian+malware&amp;max-results=20&amp;by-date=true\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0a304e;\">already seeded the U.S. electric grid with malware<\/span><\/a><span style=\"color: #0a304e;\">. 
There are risks to electric grid generation, transmission, and distribution systems; and the Government Accountability Office reports that, \u201cdistribution systems \u2013 which carry electricity from transmission systems to consumers and are primarily regulated by states\u2026<\/span>\u00a0<a href=\"https:\/\/www.gao.gov\/products\/gao-21-81\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0a304e;\">are growing more vulnerable<\/span><\/a><span style=\"color: #0a304e;\">, in part because their industrial control systems increasingly allow remote access and connect to business networks.\u201d In a world of tightly and widely linked systems a flaw can spread quickly, sort of like a \u2013 well, a virus.<\/p>\n<p>So what can be done about cyber-security threats to power distribution? There are three basic approaches in such situations. One is to have experts of some sort develop voluntary standards that generators, transmission providers, and so on choose to follow, as has been done for a<\/span>\u00a0<a href=\"https:\/\/www.cpsc.gov\/Regulations-Laws--Standards\/Voluntary-Standards\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0a304e;\">wide range of consumer products<\/span><\/a><span style=\"color: #0a304e;\">. A second is to collect and distribute a great deal of information so that, when problems emerge, they can be addressed quickly to mitigate spread. President Biden\u2019s<\/span>\u00a0<a href=\"https:\/\/www.federalregister.gov\/documents\/2021\/05\/17\/2021-10460\/improving-the-nations-cybersecurity\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0a304e;\">Executive Order 14028<\/span><\/a>\u00a0<span style=\"color: #0a304e;\">on cybersecurity has a section on \u201cRemoving Barriers to Sharing Threat Information,\u201d intended to facilitate that approach. The third is to issue regulations, with the force of law, ordering firms or agencies to take specific defensive measures. 
For example, in August the Transportation Security Administration (TSA) issued<\/span>\u00a0<a href=\"https:\/\/www.federalregister.gov\/documents\/2021\/09\/24\/2021-20738\/ratification-of-security-directive\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0a304e;\">new regulations<\/span><\/a>\u00a0<span style=\"color: #0a304e;\">in response to the Colonial Pipeline hack (pipelines count as common carriers of products, like railroads or trucks, so fall under the TSA).<\/p>\n<p>A lot of what little I know about this topic comes from reading my friend Tom Alrich\u2019s<\/span>\u00a0<a href=\"http:\/\/tomalrichblog.blogspot.com\/\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0a304e;\">blog<\/span><\/a><span style=\"color: #0a304e;\">. Tom has worked on these issues for more than a decade and can explain the amazing alphabet soup of problems, organizations, and processes (NERC-CIP, SBOMs, VEX \u2013 it goes on). He can explain how major software development often involves combining over a hundred pre-existing components, each with its own known or unknown vulnerabilities, and so the<\/span>\u00a0<a href=\"https:\/\/www.ntia.doc.gov\/SoftwareTransparency\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0a304e;\">Software Component Transparency Initiative<\/span><\/a>\u00a0<span style=\"color: #0a304e;\">and the calls to fix problems with the National Vulnerability Database (<\/span><a href=\"https:\/\/nvd.nist.gov\/\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0a304e;\">NVD<\/span><\/a>)<span style=\"color: #0a304e;\">. In this talk he will emphasize the challenges of regulation, illustrated by the problems with TSA\u2019s response to the Colonial Pipeline hack. 
But I hope we can have a discussion that helps us understand the scope of the challenge.<\/p>\n<p>Though\u00a0<strong>it may make me pine for the days of the Whole Earth Catalog and wood-burning stoves<\/strong>.<\/span><\/p>\n<h3>Signing In<\/h3>\n<p><span style=\"color: #0a304e;\">This semester&#8217;s discussions will begin at 12:30 p.m., the usual time. The meeting will be set up as from Noon to 2:00 p.m., so people are not all signing in at the same time and to allow for the discussion to run a bit long.\u00a0<strong>Each week we will send out this newsletter with information about the topic. It will also include a link to register (for free) for the discussion.<\/strong>\u00a0Every Monday the same information will be posted on our website:<\/span>\u00a0<a href=\"http:\/\/fridaylunch.case.edu\/\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0a304e;\">fridaylunch.case.edu<\/span><\/a>.<\/p>\n<p><span style=\"color: #0a304e;\">If you register, you will automatically receive from the Zoom system the link to join the meeting. This week&#8217;s link for registration is:<\/span><\/p>\n<p><a href=\"https:\/\/cwru.zoom.us\/meeting\/register\/tJEtd-ytqj0jGNTT8kGMUhKmkDlkzW2Tka4R\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0a304e;\">https:\/\/cwru.zoom.us\/meeting\/register\/tJEtd-ytqj0jGNTT8kGMUhKmkDlkzW2Tka4R<\/span><\/a><\/p>\n<p><span style=\"color: #0a304e;\">After registering, you will receive a confirmation email containing information about joining the meeting.<\/p>\n<p>Please e-mail<\/span>\u00a0<a href=\"mailto:padg@case.edu\"><span style=\"color: #0a304e;\">padg@case.edu<\/span><\/a>\u00a0<span style=\"color: #0a304e;\">if you have questions about how the Zoom version of the Friday Lunch will work or any other suggestions. Or call at 216 368-2426 and we&#8217;ll try to get back to you. 
We are very pleased to be partnering this semester with the<\/span>\u00a0<strong><a href=\"https:\/\/case.edu\/lifelonglearning\/\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0a304e;\">Siegal Lifelong Learning Program<\/span><\/a><\/strong>\u00a0<span style=\"color: #0a304e;\">to share information about the discussions.<\/p>\n<p>Best wishes for safety and security for you and yours,<\/p>\n<p>Joe White<br \/>\nLuxenberg Family Professor of Public Policy and Director, Center for Policy Studies<\/span><\/p>\n<hr width=\"100%\" \/>\n<h3><span style=\"color: #0a304e;\">About Our Guest<\/span><\/h3>\n<p><span style=\"color: #0a304e;\"><strong>Tom Alrich<\/strong>\u00a0is a well-known independent consultant and<\/span>\u00a0<a href=\"https:\/\/tomalrichblog.blogspot.com\/\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0a304e;\">blogger<\/span><\/a>\u00a0<span style=\"color: #0a304e;\">about cybersecurity regulations and supply chain cybersecurity, for electric power and other industries. Tom has consulted in these areas since 2008, working previously for Honeywell and Deloitte. Since 2018, Tom has been an independent consultant. Tom has especially focused on software supply chain cybersecurity in the past two years, and is an active volunteer participant in the Software Component Transparency Initiative of the National Technology and Information Administration of the Department of Commerce (this effort has now moved under the Cybersecurity and Infrastructure Security Agency of DHS). 
This work includes being co-leader of the ongoing Software Bill of Materials Proof of Concept for the electric power industry, sponsored by CISA and Idaho National Laboratories, part of the Department of Energy.<\/p>\n<p>Tom lives in Evanston, Illinois and has a BA in Economics from the University of Chicago.<\/span><\/p>\n<p><strong>Schedule of Friday Lunch Upcoming Topics and Speakers:<\/strong><\/p>\n<p><strong>February 18: TBA<\/strong><\/p>\n<p><strong>February 25: The Impact of the COVID-19 Pandemic on Election Administration, Voting Options, and Turnout in the 2020 U.S. Election.<\/strong>\u00a0With\u00a0<strong>Paul S. Herrnson, Ph.D.<\/strong>, Professor of Political Science, University of Connecticut.<\/p>\n<p><strong>March 4: The Present and Future of Cryptocurrency.<\/strong>\u00a0With\u00a0<strong>Peter Zimmerman, Ph.D.<\/strong>, Research Economist, Federal Reserve Bank of Cleveland.<\/p>\n<p><strong>March 11: Spring Break<\/strong><\/p>\n<p><strong>March 18: Inflation.<\/strong>\u00a0With\u00a0<strong>Mark Sniderman, Ph.D.<\/strong>, Executive in Residence and Adjunct Professor of Economics, Weatherhead School of Management; former Executive Vice President, Federal Reserve Bank of Cleveland.<\/p>\n<p><strong>March 25: Covid-19 Through Covid-22: The More Things Change the More They Stay the Same?<\/strong>\u00a0With\u00a0<strong>Mark Cameron, Ph.D.<\/strong>, Associate Professor of Population and Quantitative Health Sciences.<\/p>\n<p><strong>April 1: The French Presidential Election.<\/strong>\u00a0With\u00a0<strong>Patrick Chamorel, Ph.D.<\/strong>, Senior Resident Scholar and Lecturer, Stanford in Washington, Stanford University.<\/p>\n<p><strong>April 8: Greening the Grid: The Energy Storage Challenge.<\/strong>\u00a0With\u00a0<strong>Robert F. Savinell, Ph.D.<\/strong>, Distinguished University Professor and George S. 
Dively Professor of Chemical Engineering.<\/p>\n<p><strong>April 15: TBA<\/strong><\/p>\n<p><strong>April 22: TBA<\/strong><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<tbody>\n<tr>\n<td colspan=\"3\" valign=\"top\" bgcolor=\"#ffffff\"><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table width=\"640\" align=\"center\">\n<tbody>\n<tr>\n<td>\n<p align=\"center\">Visit the\u00a0<a href=\"http:\/\/fridaylunch.case.edu\/\"><span style=\"color: #004480;\">Public Affairs Discussion Group Web Site.<\/span><\/a><\/p>\n<p align=\"center\">Center for Policy Studies | Mather House 111 | 11201 Euclid Avenue |<br \/>\nCleveland, Ohio 44106-7109 |\u00a0Phone: 216.368.6730 |\u00a0<a href=\"mailto:padg@case.edu\"><span style=\"color: #004480;\"><u>padg@case.edu<\/u><\/span><\/a>\u00a0|<br \/>\nPart of the:\u00a0<a href=\"http:\/\/www.case.edu\/artsci\"><span style=\"color: #004480;\"><u>College of Arts and Sciences<\/u><\/span><\/a><\/p>\n<p align=\"center\">\u00a9 2022 Case Western Reserve University |<br \/>\nCleveland, Ohio 44106 | 216.368.2000 |\u00a0<a href=\"http:\/\/www.case.edu\/legal.htm\"><span style=\"color: #004480;\"><u>legal notice<\/u><\/span><\/a><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Center for Policy Studies<br \/>\nPublic Affairs Discussion Group<\/strong><\/p>\n<p><strong>What, if Anything, Have We Learned From Cybersecurity Regulation So Far?<\/strong><\/p>\n<p><strong>Tom Alrich &#8211; consultant on cybersecurity regulation especially for the electric power industry<\/strong><\/p>\n<p><strong>Friday February 11, 2022<br \/>\n12:30-1:30 p.m.<br \/>\nOnline Zoom Meeting<\/strong><\/p>\n<p>Dear Colleagues:<\/p>\n<p>Greetings from the dead of winter. Again. 
There has been too much snow and plenty of cold BUT, unlike in Texas last year, the power distribution systems \u2013 both electricity and natural gas \u2013 have kept us warm (as of Sunday the 6th;<\/p>\n<p><a href=\"https:\/\/artsci.case.edu\/fridaylunch\/2022\/02\/11\/what-if-anything-have-we-learned-from-cybersecurity-regulation-so-far\/\" class=\"more-link\">Continue reading&#8230; <span class=\"screen-reader-text\">What, if Anything, Have We Learned From Cybersecurity Regulation So Far?<\/span><\/a><\/p>\n","protected":false},"author":19,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":""},"categories":[1],"tags":[],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/artsci.case.edu\/fridaylunch\/wp-json\/wp\/v2\/posts\/1178"}],"collection":[{"href":"https:\/\/artsci.case.edu\/fridaylunch\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/artsci.case.edu\/fridaylunch\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/artsci.case.edu\/fridaylunch\/wp-json\/wp\/v2\/users\/19"}],"replies":[{"embeddable":true,"href":"https:\/\/artsci.case.edu\/fridaylunch\/wp-json\/wp\/v2\/comments?post=1178"}],"version-history":[{"count":1,"href":"https:\/\/artsci.case.edu\/fridaylunch\/wp-json\/wp\/v2\/posts\/1178\/revisions"}],"predecessor-version":[{"id":1180,"href":"https:\/\/artsci.case.edu\/fridaylunch\/wp-json\/wp\/v2\/posts\/1178\/revisions\/1180"}],"wp:attachment":[{"href":"https:\/\/artsci.case.edu\/fridaylunch\/wp-json\/wp\/v2\/media?parent=1178"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/artsci.case.edu\/fridaylunch\/wp-json\/wp\/v2\/categories?post=1178"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/artsci.case.edu\/fridaylunch\/wp-json\/wp\/v2\/tags?post=1178"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}