Do IT Cryptographic Security Controls Work for Energy Systems? | Schweitzer Engineering Laboratories

Do IT Cryptographic Security Controls Work for Energy Systems?

Josh Carlson, Dragos, Inc.
Dan Gunter, Former Dragos, Inc.
Casey Roberts, Duke Energy Corp.
Colin Gordon and George Masters, Schweitzer Engineering Laboratories, Inc.

IT vs. OT: The Missing Discussion

A current trend in operational technology (OT) networks is the integration of “off-the-shelf” information technology (IT) cryptographic protocols directly into critical energy systems or their components. While the intentions are good—often in response to threats of unauthorized access to or the manipulation of commands and data—cryptographic security controls that are inappropriately or poorly applied can lead to a decline in reliability and availability and an inadvertent expansion of the attack surface.

Furthermore, most modern IT cryptographic security controls include encryption, which is a minimal-priority security control for OT energy systems and which cripples operators’ ability to monitor their systems for intrusions.

The discussion of whether the generalized application of cryptographic security controls actually “does more harm than good” is overdue.

Engineers from Duke Energy Corp., Dragos, and SEL—all with backgrounds in theoretical and applied cryptography in IT and OT environments—partnered to author this paper as an attempt to start that missing discussion and to propose a framework for applying cryptography in OT systems.

Companion Webinar

In the companion webinar, the authors below elaborate on the paper’s message from end-user, OEM, and vendor perspectives.

Casey Roberts (Duke Energy Corp.)—Theory Vs. Lessons From the Real World

Colin Gordon (SEL)—Benefits, Challenges, and Guidelines

Dan Gunter (Former Dragos, Inc.)—Impacts and Considerations for Monitoring

About Dragos, Inc.

Dragos has a global mission: to safeguard civilization from those trying to disrupt the industrial infrastructure we depend on every day. The practitioners who founded Dragos were drawn to this mission through decades of government and private sector experience.

Dragos codifies the knowledge of our cybersecurity experts into an integrated software platform that provides customers critical visibility into industrial control systems (ICS) and OT networks so that threats are identified and can be addressed before they become significant events. Our solutions protect organizations across a range of industries, including power and water utilities, energy, and manufacturing, and are optimized for emerging applications like the Industrial Internet of Things (IIOT).

Dragos is privately held and headquartered in the Washington, D.C., area with regional presence around the world, including Canada, Australia, New Zealand, Europe, and the Middle East.

About Duke Energy Corp.

Duke Energy Corp. is one of the largest electric power holding companies in the United States, providing electricity to 7.7 million retail customers in six states. They have approximately 51,000 megawatts of electric generating capacity in the Carolinas, the Midwest, and Florida—and natural gas distribution services serving more than 1.6 million customers in Ohio, Kentucky, Tennessee, and the Carolinas. Duke Energy’s commercial business owns and operates diverse power generation assets in North America, including a portfolio of renewable energy assets. Duke Energy seeks to transform their customers’ experience, modernizing their energy grid, generating cleaner energy, and expanding their natural gas infrastructure to create a smarter energy future for their customers.

About SEL

SEL’s mission is to make electric power safer, more reliable, and more economical, and each of our employee owners takes this to heart.

SEL specializes in creating digital products and systems that protect, control, and automate power systems around the world. This technology prevents blackouts and improves power system reliability and safety at a reduced cost. SEL devices are manufactured in our four U.S. manufacturing centers, and our products are integrated into panels in our regional assembly factories. We also have offices around the world so we can stay close to our customers.

SEL is a 100 percent employee-owned company. We take pride in doing what is right for our employees, customers, power systems, and communities all over the world.
