Risk-Informed Verification and Validation Recommendation Tool
Improving cybersecurity of critical energy infrastructure

Image by sdecoret | Shutterstock.com
As the complexity and connectivity of energy delivery systems (EDS) increase, the operational technology devices that help monitor and control the critical energy infrastructure require a more consistent cybersecurity testing approach throughout their entire life cycle. This need for thorough cybersecurity testing has become particularly pronounced with the greater integration and interaction with information technology devices, which have the potential to introduce additional vulnerabilities.
Currently, there is no widely accepted cybersecurity-focused verification and validation (V&V) framework that can be adopted across a product’s life cycle to effectively design, develop, integrate, and test the operational technology equipment used in the oil, natural gas, and electricity infrastructure, including the bulk electric and electric distribution systems. To assure the safe and reliable operation of the overall EDS infrastructure, it is crucial that stakeholders (including asset owners, vendors, and integrators) evaluate operational technology cybersecurity requirements and perform a thorough cybersecurity-focused V&V of the EDS products that help operate our energy infrastructure. A securely developed and tested product can enhance the security, reliability, and resilience of the overall system, and safeguard its ability to withstand sophisticated cyber threats.
Pacific Northwest National Laboratory’s V&V Assuring Reliability and Security (VARS) project has developed the Risk-Informed Verification and Validation Recommendation (RIVVR), a web-based tool for U.S. critical infrastructure asset owners (both electric and oil and natural gas utilities), vendors, and cybersecurity consultants.
The RIVVR Tool
EDS asset owners often have limited cybersecurity resources for responding to threats. However, to be better prepared for potential future threats and to use the available resources effectively, they need a proactive approach to cybersecurity that is tailored to their specific system and prioritized based on the relevant cyber-risks. The RIVVR tool drives secure design and development of EDS products and makes the approach to V&V of their cybersecurity formal, more consistent, risk-informed, and tailored to the product domains and life cycle phases. It is interactive, working with the end user to provide tailored recommendations for the specific device and system. Adoption of the RIVVR tool will lead to a significant reduction of potential vulnerabilities and, consequently, of the risk exposure of EDS products, ultimately enhancing the security and reliability of the overall energy delivery system.