March 28, 2024

The 2008 automation/it leadership series

by By Michael A. Marullo, Automation/IT Editor

AEGIS TECHNOLOGIES INC.



Robert Sill, CEO/President and Andrew Bartels, Chief Technology Officer/SVP



From the Publisher:
Welcome to the 2008 Automation/IT Leadership Series! Because there have been so many positive comments about this feature since it was introduced in 2007, it will again be a part of our editorial line-up for 2008. We have planned an exciting slate of interviews for the upcoming issues and look forward to hearing your feedback on this and/or other content throughout the coming year.
– Steven Desrochers, Publisher


Michael A. Marullo Automation/IT Editor



As many of you know, I’ve been on the record for a long time as a believer that true market leadership comprises many important attributes that go well beyond sheer size, sales volume, geographical presence or business acumen. Indeed, technological leadership – another very important leadership quality – sometimes originates in less conspicuous corners of the marketplace. After all, it wasn’t so very long ago that a little company developing a disk operating system for personal computers quietly became a modern-day “David” that would eventually take down more than one “Goliath” of the global computer industry.

Today, the electric utility industry is faced with the daunting task of reinventing itself from a business standpoint as well as from a technological perspective. Addressing the challenges and providing suitable, yet economical solutions will require a new wave of creativity and innovation, much of which will predictably come from those well-established, high-profile companies that we can all readily identify. However, some of it will come from less conspicuous sources. Any of these companies could arguably become the next Microsoft, but we won’t know for sure until it happens – if it happens. Meanwhile, it pays to remain vigilant!

For 2008, our Automation/Leadership Series will provide ongoing insights into the ideas, concepts, innovations and plans of both traditional and emerging leaders in the months ahead. Over the next few years, the entire utility industry will need to rethink automation in a far more pragmatic and urgent manner than has been typical in the past. At the same time, we feel it is prudent to broaden our perspective to consider bold alternatives and even unconventional solutions emanating from new and increasingly diverse sources.

Consistent with that view, our first interview of this new year is with Aegis Technologies, a Phoenix-based company. Aegis CEO, Robert Sill, and Andrew Bartels, the company’s CTO, bring a fresh perspective to the series in a candid exchange that focuses on some of the most onerous challenges of our times.
– Mike Marullo, Automation/IT Editor


EET&D: Since Aegis Technologies is a relatively young company and perhaps not a familiar name to some of our readers, perhaps a little background would be helpful as a backdrop for our discussion today. What was the genesis of the company, and how does its mission/vision relate to electric utilities?

Sill: Aegis Technologies was founded in 2002 as a direct result of the 9/11 terrorist attacks. We initially set out to create specific hardware/software solutions to protect the control systems that run U.S. industries. However, in our development process, we found that many organizations – utilities in particular – were already struggling with higher demands on their aging legacy control systems, and they were unable to assume the expense of costly security upgrades that did nothing to improve performance or margins. So, we decided to broaden our focus to also address these compelling problems, which are among the most serious challenges to maintaining safe, secure and reliable electric power networks around the world.

EET&D: I understand that you and Andrew, as well as some of your colleagues originally came from other industry segments. Which parts of that background do you feel are relevant for the utility sector?

Sill: Yes, Andrew and I both have an extensive background in financial systems – as do some of the others on our staff. Other than military applications, the financial world is arguably the longest standing and most rigorously tested commercial/industrial environment when it comes to security and related protective measures. Although we do recognize that the problems and solutions are somewhat different in the utility sector there is still a great deal of relevancy, especially as related to the technologies employed. For those who think that cyber-security is somehow uniquely a utility issue or that technology from other industries can’t transfer to utility systems effectively, I want to say that with time and the help of educational forums like this one, I’m confident that we will eventually dispel that notion and get on with dealing directly with the problems at hand.

EET&D: Robert, I know that my own impressions of Aegis prior to this interview were that it was mainly a cyber-security company, but now having done some research of my own, I see that you actually go well beyond the security dimension. Perhaps you’d like to elaborate on that some for our readers?

Sill: Sure, let me address that from a general business standpoint and then let Andrew add his views on a more technical level. Besides allowing utilities to meet NERC security recommendations before they become mandatory, our solutions also extend the life of legacy systems; delay the need for costly equipment replacement; improve speed, efficiency and diagnostics; retrofit seamlessly into existing control systems; and easily upgrade to protect a utility’s business and customers. Add-on applications are currently in development to further enhance performance and meet our customers’ changing needs.

Bartels: Yes, we’ve taken a unique approach to our technology design and architecture. It’s extremely modular and flexible, allowing us to bring non-security related business benefits in addition to those directly addressing the security issues. We’ve heard from many utilities that they would like to enhance the security of their systems, but simply cannot find the funds to do that. The monetary benefits brought by this combined approach are directly measurable and easily offset the real and perceived costs for adding security separately.

EET&D: We all know the rudiments of automation and IT for electric utilities – SCADA, GIS, CIS, outage management, metering, and so forth – but this time around there are some new dimensions to the equation. Indeed, the intertwined issues of security, declining infrastructure and an aging workforce will be at the heart of many if not most automation/IT discussions for a long time to come. Faced with these formidable new challenges, where does Aegis Technologies fit into addressing and helping overcome them?

Sill: Obviously there are no simple answers here, but let me try to address these one at a time from a high-level standpoint. Andrew might like to add some technical perspectives on
these topics as well. I’ll address security first, since that is an area where Aegis has considerable knowledge and experience and also where a substantial portion of our development has been and will continue to be targeted.

An average-sized utility will typically experience thousands of attempted hacks into their control systems every month, and that trend is on the rise. During the past few years, there have been over 80 confirmed cases of successful cyber-attacks resulting in temporary loss of services, equipment damage and substantial economic loss. While the crippling August 2003 blackout in the northeastern U.S. has NOT been publicly attributed to purposeful hacking, its occurrence dramatizes the worrisome reality that even minor disruptions can quickly cascade into serious failures.

Moreover, with the operations of most utilities increasingly tied to the Internet, these disruptions to control systems could come from virtually anywhere in the world. And since much of the equipment utilities use – particularly in mission-critical applications – is similar worldwide, virtually anyone with even a cursory knowledge of computers and communications can figure out how to manipulate the U.S. power grid hardware and software for purposes ranging from mischief to cyber-terrorism.

Bartels: Clearly, solution providers have an implicit mandate to identify and mitigate security risks in new systems going out the door and to ensure that their systems conform to the evolving security standards. However, we cannot afford to ignore the thousands of installations that represent the present backbone of grid monitoring and control while we work toward preventative measures for the future. Likewise, we must continue to invest in preventive measures so that we don’t keep perpetuating the problems.

Most control systems used today were not originally designed to defend against cyber attack. Moreover, the events of 9/11 increased the awareness to the inherent vulnerabilities of control systems connected to the Internet and remote telephone connections.

For these and other reasons, Aegis has dedicated itself to dealing with security in both the past and present tenses because we saw early on that there are both contemporary and legacy security issues in need of attention. In the first case, security protection must be designed in, and in the latter case it must be bolted on, so to speak. Our approach is to address both cases in the proper context and with the proper tools for the job.

EET&D: The recent passage of the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) guidelines is considered by many to be an important step in a long process of trying to ensure our nation’s energy sources are protected, but more still needs to be done if we want to keep the lights on. What are some of your thoughts regarding the relationship between this new regulatory intensity and what can be done to address these increasingly rigorous and potentially expensive directives?

Sill: The NERC CIP 002-009 Reliability Standards provide a framework for identifying and protecting critical cyber assets essential to the reliable operation of the nation’s bulk power system. They establish minimum requirements and use specific measures to determine compliance to each of the standards. Compliance will be based on meeting these requirements through a formal audit process. The multi-year implementation schedule requires that responsible entities be auditably compliant by the end of the second quarter of 2010, or by December 31, 2010, in certain cases dependent upon the classification of the responsible entity.

Aegis is staffed with people who are pioneers in cyber-security. We helped the banking industry establish and maintain what are among the highest standards of cyber-security for its vital businesses. Now, we are doing the same for the utility industry and for other connected segments of America’s infrastructure, including oil and gas, transportation, telecommunications, water resources – virtually any part of America’s economy that depends on power, or on which the power grid depends.

Bartels: I’m sure that some people will rightly question the relevancy of cyber-security standards in the banking industry for the utility sector, so I want to make clear up front that it is certainly a legitimate question to ask. However, we are talking about applying subject matter knowledge, proven techniques and technical expertise; we are not suggesting that utilities should accept products or other solution sets specifically designed to address problems in a different industry and/or use them in applications for which they were never intended.

Aegis has invested considerable time, money and resources in developing products designed specifically for the energy and utility marketplace. These are not just transplants from an unrelated business or technical environment. Although the resulting solutions exhibit many of the same features and benefits, we provide market- and application-specific solutions. Our Odyssey™ Product Series, for example, is specifically designed to help responsible entities achieve NERC CIP compliance by providing comprehensive, point-to-point security for the control system’s electronic perimeter while also improving overall system performance, whether the system is new or old.

EET&D: What about the declining infrastructure issue; how does that tie into what Aegis brings to the party beyond traditional security appliances?

Sill: We also recognized a similar duality with respect to T&D infrastructure decline; that is, there are both new and legacy dimensions to upgrading – and over time, replacing – the vast utility asset base to accommodate the rapidly increasing demands that will be placed on those assets over the next several decades. This complex set of challenges will have to be addressed incrementally and
carefully planned to prevent any disruptions while the transition is under way.

Meeting the challenge will also require a very delicate balance since we will have to contend with large numbers of assets reaching the end of their useful life expectancy simultaneously, right along with the automation/IT systems that monitor and control those assets. By taking steps to alleviate the dual pressures of functional obsolescence and security compliance, we can buy the time that will be needed to address and solve these problems with more comprehensive, longer-term solutions.

EET&D: What are some of the specific aspects of what I’d call a repair-or-replace problem, and how do you see your role in making sure that these formidable challenges will be met?

Sill: Most utilities are already faced with huge deferred maintenance costs in addition to the need for upgrades and replacements of their automation/IT infrastructure. It would be nice to just replace everything with state-of-the-art equipment, but I think we can safely say that is simply not going to happen, both for cost and various other reasons.

Faced with this reality, utilities must find ways to extend the useful life of these systems along with those of the assets they are charged with managing and protecting. In many cases, this will require tools that have not existed in the past. Aegis is a company that is dedicated to designing, developing and making those tools available to whomever may need them. We are not a systems supplier, but by working closely with automation/IT suppliers, system integrators and of course, the utilities themselves, we will be well positioned to do much of the heavy lifting needed to keep the grid up and running throughout the long transition period that lies ahead.

EET&D: Before we leave the infrastructure issues, legacy automation/IT systems are one area that probably deserves a lot more attention than it gets. So much of the security emphasis we hear and read about today is focused on the certification and compliance of new systems, yet there are thousands of existing installations that are functionally obsolete, not secure or both. What are your views on this situation and what do you feel can be done to help alleviate the inherent risks associated with legacy installations?

Bartels: Aegis Technologies has developed a solution that provides unprecedented security for low-speed serial communication lines like those found in legacy control systems. Contrary to the belief that it is impossible to securely encrypt data over low-speed serial communication without adversely impacting operations, Aegis’ technology encrypts data at a robust 2048-bit encryption level without adding latency to existing networks. But there’s also another issue I’d like to mention here that I think is worth bringing to light.

For whatever reason there seems to be a widely held – though perhaps not a consciously cultivated – view that when it comes to security, every company in the automation/IT business is assumed to have the requisite knowledge and experience to create an appropriate security environment for virtually any system or application. While most people readily acknowledge that the skills, experience and knowledge required to create an energy management system are different from those needed to design an outage management system, for some reason security is all too often relegated to garden-variety status.

What I want to clarify is that security challenges are best served by a combination of technological skills and application knowledge. These skills and knowledge are not necessarily present in every organization, so there is a definitive need for security specialists, especially considering the downside of failure to address and solve the technical problems whose existence is widely acknowledged by users, suppliers and regulators alike. Even the best-educated and skilled heart surgeon will probably
fall short when it comes to brain surgery,
so I think it follows that applying that same logic to solving security problems is dangerous at best.

EET&D: Last, but certainly not least, there is the aging workforce issue. Literally thousands of years of knowledge and experience will walk out the door of utilities over the next decade, and once gone they will be difficult – in many cases impossible – to replace in like kind. So, what many have agreed is one measure we can take to offset the impact of this loss is to extend the useful life of the assets that these industry veterans designed, built and maintained until we can capture that brain trust or replace the assets with more contemporary versions. How do you see this problem being addressed, and what role will Aegis play in the solution?

Sill: The simple fact is that there are fewer people entering the engineering field just at the time when they are needed most. And, as the existing workforce continues to retire in the future, the industry will be forced to operate with even fewer employees and will clearly require technology to fill the gap created by the net loss of talent. Put another way, the workload doesn’t diminish when employees retire. Our solution set addresses this issue by adding time and labor-saving centralized troubleshooting benefits that are designed to obviate the need for ‘rolling a truck’ to the substation to diagnose communications issues. Additionally, the compression feature allows more data to be transferred without interfering with vital control communications. Both the troubleshooting and compression features translate into time and money savings for the customer by allowing more automation of and fewer trips to the substation.

EET&D: Well, unfortunately I think we can all agree that there are plenty of problems to be solved and certainly an overwhelming need for the kind of solutions that Aegis was established to provide. I’m personally gratified to see that there are companies like yours bringing specialized expertise and experience that will help us all deal with the enormous tasks that lie ahead. And, I’m sure that our readers appreciate learning about how existing automation/IT investments can be secured and protected until next generation solutions can be put into place. In my opinion, 2008 marks a new beginning in automation, and I feel certain that your contributions will not go unnoticed. Thank you for sharing your time and thoughts with us.