Seven Ways VectorZero Serves Utilities

The recent cybersecurity strategy (released March ’23) by the Biden Administration calls for defending our critical infrastructure by modernizing networks and updating incident response plans. While its great to see the administration emphasize cybersecurity for utilities, the document itself is light on specifics. This leaves many utilities wondering exactly how they will implement improvements to their cybersecurity posture.

One way that utility companies solve complex challenges is by working with startups in innovation programs like Incubatenergy Labs. These programs are very useful since they help large organizations sift through significant amounts of information to find solutions that solve their most pressing challenges.

VectorZero was honored to be selected into Incubatenergy Labs’ 2023 cohort. The below seven (7) points summarize how our Active Data Vault? (ADV) product help utilities not just upgrade their cybersecurity resilience, but also boost innovation through streamlined data governance in their R&D partnerships:

1.??????Compliance – In addition to the March ’23 federal cybersecurity strategy, the administration issued an executive order in May ’21 which mandated that all critical infrastructure go Zero Trust by 2023. Despite the mandate, according to IBM Security’s 2022 Cost of a Data Breach Report, only 1 in 5 critical infrastructure organizations have adapted Zero Trust.

VectorZero’s ADV is built to be compliant with Zero Trust SP 800-207. Thus for compliance reasons alone, 4 out of 5 utilities should be considering how ADV can help them.

Furthermore, ADV is built to be compliant with NIST 800-53-5. This framework with thousands security controls is so comprehensive that the US government uses it to safeguard extremely high stakes data. This framework has many overlaps with NERC CIP, which ADV meets nearly all of the security controls of as well.

2.??????State of the Art Encryption – VectorZero counters many emergent threats with state of the art encryption known as confidential computing. You see, data exists in 3 states:

1) At rest

2) In transit

3) In use

Incumbent technologies encrypt data in the first two states, but not in use. This means when data is in process and memory, like when we run analytics, AI, or Machine Learning – data is vulnerable. VectorZero’s ADV plugs with vulnerability by encrypting data at all times, including runtime. This significantly increases the security of many existing tools.

3.??????Unlocking Innovation via Streamlined Data Governance -?The ability to encrypt data in use is not just a security feature, it is a powerful tool for innovation.

For example, if a utility wants to run a test using a startup’s AI algorithm on real-world data, it can be very challenging to get lawyers to agree on proper data policy. With Active Data Vault?, 3rd parties can run their code on utilities’ real-world datasets without the employees of the startup ever being able to see the dataset itself.

This would be technically enforced through encryption, so only the startup’s code sees the utility’s data. Imagine how this capability can fast track legal discussions around data governance, and thus fast track innovation!

4.??????Flexibility & Ease of Implementation – While its imperative for solutions to be secure & complaint, it’s equally important that operators can implement the upgrade without a burdensome process. These factors were top of mind in the design of ADV.

First, ADV is highly flexible does not require utilities to change their existing tools & applications. Many programs such Splunk, EMS, ERPs, SCADA Systems, Load Management, Billing, and more should all simply integrate with ADV.

Second, ADV is easy to implement with just a few clicks by non-technical users. The intuitive UI/UX requires little to no training & can be up and running in minutes.

5.??????Evading & Remediating Advanced Persistent Threats – In 2022 Utilities were plagued by Advanced Persistent Threats. These are long running hacks where utilities breach a network and then conduct recon, pry for further access, and wait to strike until data is at its most vulnerable.

According to IBM Security’s 2022 Cost of a Data Breach Report, it took utilities an average of 204 days to detect a breach. Then, it took another 69 average days to remediate those breaches, meaning that the average shelf life of a breach was 273 total days.

VectorZero ADV can A) help avoid these breaches with considerable defenses and B) in the unlikely event something gets past our considerable defense, we can remediate breaches in minutes not months.

These two outcomes are both achievable through the same feature, known as ephemeral infrastructure. Ephemeral infrastructure is a fancy way of saying a temporary moving target defense. It works like this:

1)?????Boot up an entire infrastructure in a single click. Minutes later, it is ready for use.

2)?????Run any application or program you desire.

3)?????Whenever you want certainty your network is clean, save data offline or in a concurrent infrastructure. Then deprovision your ADV.

4)?????Boot another brand new clean, patched, and updated infrastructure.

5)?????Pull saved data and users from secure storage, resume operations.

Voila! No hackers can have a 273 foothold when your network is constantly being reborn.

6.??????Isolating Sensitive Data in Secure Storage – Utilities should have a general idea what they need to secure. Whether that’s related to sensitive operations like:

·??????SCADA Systems

·??????Grid overload protection

·??????Billing

·??????Business continuity

Or perhaps they are looking to secure key data such as:

·??????Schematics

·??????Personally Identifiable Information (PII)

·??????Incident response plans (including cybersecurity)

·??????Data lakes

·??????Configuration files

·??????Meter data

·??????Archived data

Whatever would potentially be vulnerable to ransomware or espionage should be compartmentalized and secured in a high-assurance Active Data Vault? enclave. This tightly controls the data and makes nearly impossible to compromise.

7.??????Ransomware & Espionage – Speaking of ransomware & espionage, let’s take a moment to look at the impact of breaches.

Ransomware – According to Verizon’s 2022 Data Breach Investigations report, 179 utilities had a confirmed data disclosure incident in 2022. If we multiply that by IBM’s 2022 estimated average cost per breach, which was $4.82 million, the math is:

179 breaches x $4.82mm = Estimated $863m lost in 2022

Espionage – Perhaps worse that the financial aspect is that IBM reported 22% of 2022 attacks were espionage related and thus executed by sophisticated and well-funded state actors. How does one go toe to toe with such an imposing threat?

With people who have relevant experience of course. VectorZero’s CTO Sean Grimaldi served as a technical officer in the CIA for 13 years. Furthermore, all of our engineers & developers served in the US intelligence community. We specifically built ADV to stand tall against the high stakes threats they faced and experienced.

With the above seven (7) points, VectorZero can quickly & affordably upgrade any utilities cybersecurity posture. So if you want to keep your utility off the front pages with headlines about a multi-million dollar hack, or worse, a hack that jeopardizes human safety, please contact VectorZero today.?

By Andrew Blume

[email protected]