Second Cohort of Clean Energy Cybersecurity Accelerator Evaluates System Visibility

Evolving cybersecurity risks to the U.S. energy sector can challenge rapidly transforming system architectures and technologies. To understand and adapt to cybersecurity threats utilities need first to understand their own environment.

The Clean Energy Cybersecurity Accelerator (CECA) program aims to expedite the deployment of emerging operational technology (OT) security technologies. Following the success of the first cohort, the second cohort of CECA convened to address the complexity of industrial control systems (ICS) and risks arising from incomplete system visibility.

A newly released summary report details the CECA evaluation of the runZero Platform. The National Renewable Energy Laboratory (NREL) evaluated the asset discovery capabilities of the runZero solution, documented and analyzed results, and identified gaps in functionality or capabilities. Solutions selected to participate in CECA cohorts are evaluated using the Advanced Research on Integrated Energy Systems (ARIES) Cyber Range, a platform allowing users to emulate and visualize energy systems.

“CECA offers a unique testbed of clean energy systems where researchers can perform independent third-party evaluations with no risk to customers,” said technical team lead Nick Blair. “This testing allows utilities to adopt new cybersecurity technologies that will help protect our evolving grid, with confidence.”

Testing runZero in CECA Cohort 2

The first solution tested in CECA Cohort 2 was the runZero Platform, a cyber asset attack surface management (CAASM) product by a company of the same name.

The runZero Platform aids organizations in identifying risks and misconfigurations within information (IT) and OT infrastructures. The product identifies assets on a network without disrupting operations and is designed to avoid common issues of security scanners.

CECA developed an evaluation strategy that explored the identified theme—hidden risk due to incomplete visibility—using varying scenarios. The evaluation plan showcased solution characteristics, including:

• Time to identify all assets in the environment
• How many assets the solution correctly identifies
• The level of detail of the data collected by the solution
• The amount of additional network traffic the solutions add
• If and how the solution affects operations
• If the solution notifies users of unexpected devices on a network
• How the solution tracks changes to assets over time

Solution characteristics were tested across four scenarios: Scenario 1 looked at how a solution performed when discovering an environment it had not previously identified. Scenario 2 focused on how a solution identified changes to a previously analyzed environment—CECA designed this scenario to understand how the solution adapted to and identified changes in the environment. Scenario 3 focused on understanding how the solution performed only using passive methods to determine network traffic and extract information. Finally, Scenario 4 evaluated the solution’s performance at scale, in an environment with several thousand devices.

The assessments showed that runZero consistently identified all internet-protocol-addressable assets in the environment and collected detailed information about each device and all open ports. Evaluations also showed no adverse effects on deployed ICS assets or ongoing supervisory control and data acquisition communications and processes. Evaluations show that runZero’s active scanning methods can improve visibility without affecting the performance of ICS assets.

“We are seeing more sophisticated attacks against critical infrastructure, particularly energy infrastructure,” said Rob King, runZero’s director of research. “Working with CECA allowed us to prove that active scanning of OT/ICS infrastructure can be done safely and effectively and is important to securing these vital systems.”

“It was interesting to see active scanning used safely,” Blair said. “Active identification methods have been taboo in OT systems—for good reason—for a long time. While we can`t claim our findings apply universally, hopefully they can break the ice and allow these methods to be considered as an option.”

Asimily joined runZero as part of Cohort 2 in late spring—a report on their solution is forthcoming in late 2024.  A more detailed summary of the runZero evaluation is in the full report.

CECA is managed by NREL and sponsored by the Department of Energy (DOE) Office of Cybersecurity, Energy Security, and Emergency Response and utility partners in collaboration with DOE’s Office of Energy Efficiency and Renewable Energy.

_{Source:  National Renewable Energy Laboratory}

--------------------------------------------

Upcoming conferences organized by SGO:

19th Microgrid Global Innovation Forum, September 24-25, 2024 | San Francisco

4th V2G Business, Policy and Technology Forum, October 22-24, 2024 | Detroit

Virtual Power Plant Forum, November 12-13, 2024 | San Francisco

6th EV Charging Infrastructure Summit - North America: East, January 28-29, 2025 | Atlanta