Second Cohort of Clean Energy Cybersecurity Accelerator Evaluates System Visibility

Evaluation Report of First Solution From Cohort 2 Now Available

July 24, 2024 | By Justin Daugherty | Contact media relations

Cohort 2: Uncovering Hidden Risks on Utility Networks text overlayed on dots background

Evolving cybersecurity risks to the U.S. energy sector can challenge rapidly transforming system architectures and technologies. To understand and adapt to cybersecurity threats utilities need first to understand their own environment.

The Clean Energy Cybersecurity Accelerator (CECA) program aims to expedite the deployment of emerging operational technology (OT) security technologies. Following the success of the first cohort, the second cohort of CECA convened to address the complexity of industrial control systems (ICS) and risks arising from incomplete system visibility.

A newly released summary report details the CECA evaluation of the runZero Platform. The National Renewable Energy Laboratory (NREL) evaluated the asset discovery capabilities of the runZero solution, documented and analyzed results, and identified gaps in functionality or capabilities. Solutions selected to participate in CECA cohorts are evaluated using the Advanced Research on Integrated Energy Systems (ARIES) Cyber Range, a platform allowing users to emulate and visualize energy systems.

“CECA offers a unique test bed of clean energy systems where researchers can perform independent third-party evaluations with no risk to customers,” said technical team lead Nick Blair. “This testing allows utilities to adopt new cybersecurity technologies that will help protect our evolving grid, with confidence.”

Testing runZero in CECA Cohort 2

The first solution tested in CECA Cohort 2 was the runZero Platform, a cyber asset attack surface management (CAASM) product by a company of the same name.

The runZero Platform aids organizations in identifying risks and misconfigurations within information (IT) and OT infrastructures. The product identifies assets on a network without disrupting operations and is designed to avoid common issues of security scanners.

CECA developed an evaluation strategy that explored the identified theme—hidden risk due to incomplete visibility—using varying scenarios. The evaluation plan showcased solution characteristics, including:

Time to identify all assets in the environment
How many assets the solution correctly identifies
The level of detail of the data collected by the solution
The amount of additional network traffic the solutions add
If and how the solution affects operations
If the solution notifies users of unexpected devices on a network
How the solution tracks changes to assets over time.

Solution characteristics were tested across four scenarios: Scenario 1 looked at how a solution performed when discovering an environment it had not previously identified. Scenario 2 focused on how a solution identified changes to a previously analyzed environment—CECA designed this scenario to understand how the solution adapted to and identified changes in the environment. Scenario 3 focused on understanding how the solution performed only using passive methods to determine network traffic and extract information. Finally, Scenario 4 evaluated the solution’s performance at scale, in an environment with several thousand devices.

The assessments showed that runZero consistently identified all internet-protocol-addressable assets in the environment and collected detailed information about each device and all open ports. Evaluations also showed no adverse effects on deployed ICS assets or ongoing supervisory control and data acquisition communications and processes. Evaluations show that runZero’s active scanning methods can improve visibility without affecting the performance of ICS assets.

“We are seeing more sophisticated attacks against critical infrastructure, particularly energy infrastructure,” said Rob King, runZero’s director of research. “Working with CECA allowed us to prove that active scanning of OT/ICS infrastructure can be done safely and effectively and is important to securing these vital systems.”

“It was interesting to see active scanning used safely,” Blair said. “Active identification methods have been taboo in OT systems—for good reason—for a long time. While we can't claim our findings apply universally, hopefully they can break the ice and allow these methods to be considered as an option.”

Asimily joined runZero as part of Cohort 2 in late spring—a report on their solution is forthcoming in late 2024.

Dive into a more detailed summary of the runZero evaluation and read the full report.

CECA is managed by NREL and sponsored by the Department of Energy (DOE) Office of Cybersecurity, Energy Security, and Emergency Response and utility partners in collaboration with DOE’s Office of Energy Efficiency and Renewable Energy.

Read more about CECA, program eligibility, and a summary of findings from Cohort 1, and subscribe to CECA email updates.