Q: The recent Colonial Pipeline cyberattack shut down the U.S.’s largest gasoline conduit for several days. How does it fit with other cybersecurity trends you’ve observed?
Ted Koppel, the news anchor, published a book called “Lights Out” a few years ago where he argued the U.S. power grid wasn’t adequately prepared for a major cyberattack. The Colonial Pipeline event was similar to the kind of attack Koppel envisioned: adversaries were able to hack into systems, control critical files, and halt operations. This disrupted about half of the fuel on the East Coast, impacting people’s daily lives and sending government agencies scrambling. An attack on the power grid could be much more damaging, but the U.S. Department of Energy clearly sees it as a priority and recently announced a 100-day grid security push.
More broadly, the Colonial hack is consistent with a rise in phishing and ransomware attacks since Covid-19 that have affected healthcare, food processing, and other industries. The news isn’t all bad, though; the FBI has so far recovered more than half of the ransom in the Colonial hack, and many potential attacks on the grid have been successfully intercepted for years.
Q: Companies and governments are growing increasingly dependent on the cloud. What cybersecurity challenges does that pose, and how has Stem responded?
It’s true, and in many cases the need for organizations to sustain remote operations under Covid-19 has accelerated their “cloud journey.” From a security perspective, moving to the cloud means that everything needs to be re-architected; if your data center had a certain security paradigm before, for example, that paradigm needs to shift for the cloud. Various integrations come into play, and there are new vulnerabilities and implications for data security and encryption.
For many organizations, most of their cyber operations exist within certain physical perimeters – for example, a data center at a specific location. Even though many organizations are already using cloud services such as Amazon Web Services or Microsoft Azure, they often still have their own data centers with unique concerns and pain points around cybersecurity. Stem’s Athena® smart energy software relies entirely on the cloud to optimize our energy storage systems, and as a cloud-native solution provider, we understand cloud services and our clients’ concerns about them so we can collaborate in confidence.
In terms of Stem itself as a company, we’ve implemented a Cybersecurity Risk Management Program that’s grounded in NIST (National Institute of Standards and Technology) Best Practices and Guidelines and overseen by our board and executive team. We also practice what’s called “defense in depth,” using various layers of protection to maintain data security, and utilize a leading third party to provide comprehensive independent and layered security audit and compliance functions. And we constantly track developments like the new cybersecurity framework guidelines from the International Standards Organization (ISO) and International Electrotechnical Commission (IEC), as well as the Cybersecurity Maturity Model Certification (CMMC) coming out of the U.S. Department of Defense.
Q: What’s Stem’s take on the longer-term role cybersecurity will play with smart energy storage?
When we talk about cybersecurity, the basic framework from NIST, the relevant U.S. government entity, is five-fold: identify, protect, detect, respond, repeat. So first we identify what we’re trying to protect; then we protect it with tools such as firewalls, network security, and physical security; then we detect and respond to any intrusions; and finally, we repeat the process.
While 100% of risk can’t be eliminated, we proceed knowing that we can, and must, build systems that don’t allow intruders to take control of critical information and infrastructure. This is especially important since studies show it takes most organizations something like 70 or 80 days to identify a breach. The SolarWinds hack went undetected for months last year, for example, and the group behind it already appears to be re-targeting government agencies.
In terms of smart energy storage operations, the reality is that hackers are continually searching for any vulnerability they could exploit, and even though a facility’s or organization’s energy use might seem like relatively harmless information, it could still be used in building an attack.
Stem utilizes third-party managed detection and response solutions that give us a 360-degree view of the security of our energy storage systems and provide 24/7 real-time monitoring. This kind of vigilance – and what’s called “zero-trust network access” (ZTNA), where access is granted on a tightly defined, “need-to-know” basis – will only become more important and more sophisticated over time.
Q: Are there barriers you’ve seen to organizations becoming more cybersecure, and ways Stem can help with that process?
In some cases, we’ve seen companies and electric utilities that haven’t fully implemented modern cybersecurity practices. They may still have manual processes and rules and regulations that haven’t been updated for the current generation of technology. These are issues that can extend far beyond Stem’s scope of installing and operating energy storage systems, so we work with these companies to ensure secure integrations.
Most of Stem’s customers are deploying smart energy storage to support their sustainability and ESG goals, and some are using energy storage to offset the use of diesel backup generators using clean battery energy. Backup power is an element of cyber-resiliency and supports a customer’s overall cybersecurity mission.
Our goal is to collaborate with our customers and partners to provide exceptional service and give them integrated, secure solutions, near-zero touch deployments, and visibility into their energy operations and energy storage systems. For customers and partners that are still getting up the curve on cybersecurity, our approach is to be as flexible and adaptable as we can without introducing any new third-party risk. And as we continue to grow and evolve as a public company, we’re staying collaborative and engaged so we can address any potential issues proactively.