ANNABELLE LEE
Chief Cyber Security Specialist, Nevermore Security
SUMMARY
Annabelle’s experience comprises over 40 years of technical experience in IT system design and implementation and over 25 years of cyber security design, specification development, and testing. Over the last 15 years, she has focused on cyber security for the energy sector. Over her career she has authored or co-authored many documents on cyber security, cryptography, and testing. She began her career in private industry concentrating on IT systems specifications, software testing, and quality assurance.
KEY EXPERIENCE
Annabelle provided technical oversight to the various projects within the Cyber Security Program at the Electric Power Research Institute (EPRI). This included being the lead for coordination and strategic planning across the EPRI sectors of Generation, Nuclear, and Power Delivery and Utilization. She led the development of an overall cyber security strategy for EPRI, focusing on applied research.
Annabelle developed a report that provides guidance to utilities on developing an overall cyber security strategy, developing a risk management process (including a risk assessment process), and selecting and tailoring cyber security requirements for the electric sector.
Annabelle was co-chair, with a representative from the Office of Science and Technology Policy, of the Cyber Security and Information Assurance Interagency Working Group (CSIA IWG). This is a high-level group that reports to the National Science and Technology Council, under the White House. Annabelle was one of the primary authors of the Federal Plan for Cyber Security and Information Assurance Research and Development, published in 2006.
One area of critical importance to the security of the modernized grid is cryptography. Cryptographic techniques are used to ensure confidentiality, non-repudiation, and authentication. Annabelle developed a report that identified the design principles that are applicable to the Advanced Metering Infrastructure (AMI) and the management of cryptographic keys.
Annabelle led the development of a white paper that provides an overview of the Smart Energy Profile (SEP) 1.x specification and identifies security gaps, potential vulnerabilities, impacts, and mitigation strategies. Recommendations were made on how the SEP 1.x profile should be used in deployments.
Annabelle was the Director of the Cryptographic Module Validation Program (CMVP) at NIST. She provided technical and policy guidance for the program and participated in the technical review of submitted reports. Annabelle was the technical lead for the development of Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules. The document is required for the US Federal Government.
Annabelle was the only representative from the US participating in the Energy Expert Cyber Security Platform (Experts Group (EECSP-EG) that advised the European Commission (EC) on cyber security for the energy sector. The EECSP-EG provided guidance to the EC on policy and regulatory directions at European level, addressing the energy sector key points including infrastructural issues, security of supply, smart grids technologies and nuclear. The final report was published in 2017.
Annabelle was the Program Manager for the National Electric Sector Cybersecurity Organization Resource (NESCOR), a DOE funded public-private partnership. Annabelle led a team that developed cyber security failure scenarios for the electric sector. A cyber security failure scenario is a realistic event in which the failure to maintain confidentiality, integrity, and/or availability of sector cyber assets creates a negative impact on the generation, transmission, and/or delivery of power. Utilities, vendors, and researchers are using these worldwide as they address potential cyber security events.
Annabelle was the lead of the Cyber Security Working Group (CSWG) at the National Institute of Standards and Technology (NIST) that developed the NIST Interagency Report (NISTIR) 7628, Guidelines for Smart Grid Cyber Security. Over 150 individuals from around the world volunteered their time and expertise to develop this report. This was the first document to focus on the electric sector and includes a security architecture, security requirements, privacy requirements, and technical analyses of cyber security issues for the electric sector. The document was originally published in August 2010 and has been used and referenced extensively worldwide.
Typically, an enterprise architecture does not address cyber security, specifically the overall attack surface, attack vectors, potential vulnerabilities, and applicable mitigation strategies. The challenge is to develop a security architecture methodology that augments, rather than replaces, current enterprise architecture methodologies and is at a level that is useful to utilities. Annabelle developed a report that includes a cyber security architecture methodology that may be used by utilities for existing and planned system architectures. The objective is to provide a common methodology applicable to utilities of all sizes—from large investor- owned utilities to smaller cooperatives and municipalities.
The standardized security architecture methodology was applied to transmission and distribution substations and includes an approach for analyzing the attack surface. A companion document includes transmission and distribution substation reference cyber security architecture diagrams for legacy, transition, and future configurations.
Annabelle, in collaboration with NRECA, DOE, Carnegie Mellon University, and several utilities, developed guidance on applying the diverse existing cyber security guidance that is applicable to the electric sector. The goal was to provide a framework and comparative analyses of existing guidance that may be used by cyber security practitioners. The first objective was to provide an overview diagram of the cyber security documents that are referenced and their use in the different areas of an enterprise risk management process. The second objective is to provide a comparative analysis of the referenced documents. The document may be used by utilities that do not have cyber security technical expertise as a roadmap on moving forward. Two related documents include mapping of various requirements and standards and applying the ES-C2M2 to systems.
Annabelle, in conjunction with the Department of Energy (DOE), developed a risk assessment process that may be used by utilities. Included are high-level diagrams that illustrate the risk assessment process at the security requirements and security-control-selection stages, as well as for ongoing assessment and for assessing emerging changes. Also, the report illustrates how to use the content of the NESCOR cyber security failure scenarios and impact analyses document in the risk assessment process.
Annabelle participates in various federal and international cyber security and standards working groups for the electric sector. Annabelle has served on cyber security technical advisory committees for the North American Electric Standards Board (NAESB), the European Network and Information Security Agency (ENISA), and several DOE laboratory projects. At EPRI, she provided technical guidance to utilities on cyber security risk management, security design, and security architecture for control systems. Annabelle has been a guest speaker at many conferences, has written numerous articles published in journals, and has been interviewed extensively.
Annabelle was one of the authors of the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) that allows electric utilities and grid operators to assess their cybersecurity capabilities and prioritize their actions and investments to improve cybersecurity. The Maturity Model was developed as part of a White House initiative led by the Department of Energy in partnership with the Department of Homeland Security (DHS) and involved close collaboration with industry, other Federal agencies, and other stakeholders.
Annabelle was one of the authors of the Cybersecurity Procurement Language for Energy Delivery Systems guidance document published by the Energy Sector Control Systems Working Group (ESCSWG). The document provides baseline cybersecurity procurement language for use by asset owners, operators, integrators, and suppliers during the procurement process.
EPRI Performance Recognition Awards: 2011, 2012, 2013, 2015.
EPRI 2014 Chauncey Award for NESCOR.
Certificate of Appreciation, Federal Energy Regulatory Commission, Smart Grid Standards Technical Conference, January 2011.
Certificate of Appreciation for technical leadership in smart grid cyber security, Smart Grid Interoperability Panel, December 2010.
NIST Information Technology Laboratory Technical Leadership Award for the CSWG, 2010.
Plaque for “Outstanding support and dedication to the ONCIX, the U.S. Counterintelligence Community, and the U.S. Government”, National Counterintelligence Executive, August 2008.
Distinguished Service Plaque, Department of Homeland Security, Science and Technology Directorate, Sept. 2005.
Department of Commerce Silver Medal Award for Technical Leadership for the Cryptographic Module Validation Program, 2003.
Letter of Commendation, FBI Director, 1997.
M.A. Educational Psychology (major – Applied Statistics), Michigan State University, 1978 (completed course work for the doctorate.)
B.A. Psychology, Stanford University, 1972
Graduate courses, conferences, and seminars in computer science and cyber security.