Julian Durand is Chief Security Officer and Senior Vice President of Product Management at Intertrust Technologies.
In the energy sector, distributed technology infrastructure is rapidly replacing the centralized systems of yesterday, thanks to its ability to enhance efficiency, flexibility and scalability. As a crucial component of smart grids and virtual power plants (VPPs), it enables real-time coordination of diverse energy resources, such as solar panels and wind turbines. This allows energy suppliers to balance supply and demand more efficiently, boost production and reduce reliance on monolithic power plants.
However, distributed technology infrastructures encompass vast, diffused IoT networks and often must facilitate integration of IT, which manages the flow of data with OT, which oversees physical infrastructure. Due to sheer complexity, this distributed approach to infrastructure also introduces serious vulnerabilities, particularly in terms of cybersecurity.
In this article, I’ll discuss these vulnerabilities and explain the fundamentals of a new, trust-based approach that addresses these problems.
An Increasingly Complex Energy Grid Creates More Vulnerabilities
If the energy industry is to reap the benefits of distributed architecture, the key areas of concern to address are:
1. A lack of a standard for zero trust-based data protection from the deep edge to the cloud that can run over any protocol.
2. The absence of interoperability. Different vendors use different security protocols in different ways, lacking the “plug and play” needed for simplicity and reduced attack surface.
3. A deficiency in compliance and robustness criteria for deep edge devices.
4. The absence of a common authorization protocol for commands and granular edge-enforced permissions.
These issues have serious implications for the stability and resilience of our energy grid, and in light of FBI reports that foreign states are planning cyberattacks on our critical infrastructure, such vulnerabilities are no joke. The only answer is to build trust into our systems. But before discussing how to do this, let's clarify the concept of "trust" itself.
Defining "Trust" In A System
In life, we define trust two ways. One is to say you trust a person because you have known them for a long time and can vouch for their character. But we also might trust someone simply because we know what they’re up to. For example, you might trust your kids aren’t watching R-rated movies with your Netflix subscription because you can see their viewing history and have enabled parental controls.
In the context of the energy sector’s infrastructure, it’s the latter kind of trust I’m referring to.
Fortunately, there are ways to address vulnerabilities that promote this kind of trust. Significant work has been done by the Trusted Energy Interoperability Alliance (TEIA), for example, to formulate standards that mitigate risks common to infrastructures with diverse devices and systems.
In the energy grid’s current state, each vendor has its own siloed security model/system. The TEIA aims to solve that with a common security layer that can run over any protocol, offering a virtual cryptographically secure and interoperable networking capability.
The formulation of such standards rests on three pillars: building trust from the ground up, enforcing it at the application layer and providing an authorization framework that facilitates zero trust without strangling operational efficiency.
Building Trust From The Ground Up
To support the kind of distributed technology architectures common in the energy sector, a trust model must be constructive, meaning that it can be built from the ground up, ensuring each new or pre-existing component is secure and verifiable. This approach affords greater interoperability and flexibility, reducing risks associated with vendor lock-in.
With a constructivist approach, the trust framework should:
• Be compatible with existing industry standards.
• Allow integration with firewalls, intrusion detection/prevention systems (IDS/IPS) and identity management systems.
• Accommodate legacy devices, which may not support modern security protocols.
This approach facilitates seamless integration of new systems and devices, enabling the energy ecosystem to grow and adapt over time, while remaining resilient. Furthermore, the ability to integrate multiple security layers allows the trust protocol to isolate critical systems and limit the impact of cyberattacks.
Enforcing Trust At The Application Layer
The ability to construct a trusted system piece by piece from the ground up is largely made possible by an approach based on application layer protocols. Operating at the top layer of the OSI model, these protocols not only ensure that data is transferred correctly between applications, but also allow for integration of pre-existing security layers.
In a previous article, I discussed how the recommended application layer approach integrates principles like cryptographic algorithms that require minimal computational resources, as well as dynamic key management, which prevents security keys compromises in constantly changing environments. While I initially discussed this in the context of integrating IT and OT departments, these principles apply equally to any highly distributed or siloed technology environment, such as energy infrastructure.
Trust But Verify With An Efficient Authorization Framework
An application layer protocol founded on zero trust principles is necessary in any system with a wide attack surface. The guiding philosophy is that every action taken by a user or device must be authenticated, authorized and continuously validated. It’s not unlike the "trust but verify" approach NATO took toward the USSR in the Cold War’s final stages. We trusted they were honoring the treaties because we established protocols to verify that they were—we certainly didn’t take them at their word.
To align with the "never trust, always verify" principle, the protocol should establish robust authentication mechanisms to define who can access which resources and under what conditions. But, it’s equally critical that it does this without stifling efficiency. While the protocol should continuously monitor and log all access requests and actions, it should also leverage AI to detect and prioritize activities that are most likely to represent security threats.
Conclusion
By integrating these key points, a standardized trust protocol can effectively address the security vulnerabilities of distributed technology in the energy sector, ensuring a secure, resilient and interoperable energy infrastructure. The TEIA approach offers an excellent example of how the energy sector can continue to innovate, exploring new avenues for efficiency and renewable production, while hardening itself against increasingly sophisticated threats.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?

1 year ago
47












English (US)