Interview

Certrec Sentinel's Interview with Kenath Carver at Texas RE

Kenath Carver, Director of Cybersecurity Outreach and CIP Compliance at Texas RE

Kenath Carver has dedicated his professional career to the implementation and protection of Information Technology (IT) and Operational Technology (OT) infrastructures. Mr. Carver joined Texas Reliability Entity, Inc. (Texas RE), in February 2012 and has more than 15 years of Information Technology experience. Mr. Carver’s primary role at Texas RE has included leading, auditing, and performing outreach of the Critical Infrastructure Protection (CIP) Standards and Requirements. Mr. Carver leads numerous engagements, contributes to multiple outreach and training efforts at zero cost to the industry, and actively participates on many CIP- and cybersecurity-related working groups and task forces.

Before joining Texas RE, Mr. Carver started his IT career within the Critical Infrastructure Financial Services Sector (private banking industry), where he worked in a variety of roles, including dual roles as Senior IT Security Administrator and Helpdesk Manager, to support the bank by improving its reliable and secure IT infrastructure. Mr. Carver earned a Bachelor of Science in Computer Information Systems Software Engineering at Tarleton State University and holds an Associate Degree in Information Technology from Central Texas College. He is currently pursuing a Master of Science degree in Information Systems from Texas A&M University–Central Texas. He also holds the following certifications: CompTIA Network+, Security+, and Cybersecurity Analyst (CySA+); GIAC Critical Infrastructure Protection (GCIP); and ISC2 Systems Security Certified Practitioner (SSCP).

Kenath Carver Talks to Certrec Sentinel and Gives Insights into Cyber Security

Certrec Sentinel: You’ve been in this industry for over a decade. What, in your opinion, are the hottest cybersecurity threats at the present time?

Kenath Carver: Advanced Persistent Threats (APTs) are at the top of my list. APTs continue to evolve and exploit vulnerabilities with increased sophistication. Past and current vulnerabilities continue to be leveraged by APTs to try to achieve objectives. Examples of the most recent vulnerabilities include “PIPEDREAM,” “Log4j,” various ransomware, and the “SolarWinds Orion Code Compromise.” Fortunately, the NERC CIP Standards offer a baseline of cyber and physical security controls that promote the reduction of risk associated with these threats and vulnerabilities. For example, network security, security patching, malicious code prevention, security event monitoring, and supply chain risk management controls can all be found in various CIP Standards. Today, we are all in a “Shields Up” status because of Russia’s invasion of Ukraine, so it is important that organizations and entities continue to work towards strengthening their cyber and physical security posture.

Certrec Sentinel: What do you think are the biggest challenges standing in the way of mitigating these threats?

Kenath Carver: There could be numerous challenges that an organization or entity could face for any type of threat or vulnerability. The most common challenges can be grouped into three themes: budget, resources, and awareness. All three are dependent on risk. Each organization or entity must first ask themselves: “What is the risk that my organization would be impacted by these threats and vulnerabilities? What current or future internal controls does my organization have implemented to reduce the risk of these threats and vulnerabilities?” The answers to these questions, along with implementation of effective and efficient internal controls, are dependent on budget, resources, and continual awareness. When there is a balance and consistency between each theme, then there is an increased ability to mitigate these threats.

Certrec Sentinel: The national grid comprises many players, often private owners. What are the major challenges being faced to coordinate between these entities to make it a more cohesive effort?

Kenath Carver: The industry is already moving towards a more cohesive effort via the many Sector-based Information Sharing and Analysis Centers and regulatory, state, and federal partnerships. From a regulatory perspective, the ERO Enterprise strives to collaborate with industry to ensure the reliability and security of the Bulk Power System (BPS). We will continue to see collaboration and information sharing strengthening between the many players and owners as we are all in it together (#collaboration).

Certrec Sentinel: On October 14th, FERC issued a report providing recommendations to improve compliance with CIP reliability standards based on lessons learned from audits of registered entities for fiscal year 2022. Most of the protection measures adopted by entities were found to be satisfactory; however, some remaining potential noncompliance and security risks were addressed through recommendations in the report, including: misinterpretation of requirements related to a cybersecurity incident response plan; the use of protocols other than an antivirus to detect, deter, or prevent malware; and the failure to conduct comprehensive reviews of systems vulnerability. The report recommends actions, such as: a comprehensive malicious code prevention program and utilizing vulnerability assessment processes for assets within a BES cyber system; addressing risks posed by BES cyber assets that have reached the manufacturer-determined end of life or service, which are no longer supported by vendors; and reviewing and validating controls used to mitigate software vulnerabilities and malicious code on transient cyber assets managed by third parties.

Which recommendation in the report do you think is the most critical in terms of grid reliability, and which one do you think will pose the greatest implementation challenge in the months and years to come?

Kenath Carver: The most critical recommendation in terms of grid reliability is addressing risks associated with end of life/service BES Cyber Assets. Risks of threats and vulnerabilities can increase if there is no more support for functional stability and system hardening if security patching is no longer available to protect from known vulnerabilities. Consequently, the hardware and/or software may be deemed unreliable as inadequate performance can reduce reliability. Remember, the context here is Critical Infrastructure and BES Cyber Assets, which have a 15-minute impact to real-time operations. In general, maintaining any end of life/service hardware and/or software is costly and adds to operating costs. This recommendation could also pose the greatest implementation challenge due to the costs and impacts associated with upgrading. Upgrades must be effectively planned, tested, implemented, and monitored to ensure real-time operations are not negatively impacted. Keep in mind that simply upgrading alone may not be the only answer as organizations and/or entities may also experience many challenges with supply chain, including the identification and assessment of cybersecurity risks. In any case, I would recommend bolstering current implementations of the CIP Standards and leveraging the NIST controls framework (SP 800-53 Revision 5) to strengthen cyber and physical security posture.

Certrec Sentinel: Please provide a tip to aspiring professionals in the field of CIP compliance.

Kenath Carver: Let us start by removing one myth: you do not have to have a decade of experience to make a difference in this profession. This industry needs more individuals to help meet the demand and challenges associated with the reliability and security of our Critical Infrastructure. Whether an individual has prior IT/OT experience or not, they can learn and implement sound cyber and physical security practices. For aspiring professionals in the field of CIP compliance, I would say this…do not forget the basics…meaning detailed processes, procedures, and plans that document specific instructions for your organization. This is foundational to consistent implementation of compliance obligations and internal controls. Additionally, continually strive to achieve the highest level of achievement and protection when it comes to confidentiality, integrity, and availability (CIA Triad). I leave you with this final thought—we must continue to focus on more diverse candidate pools to help promote innovation and new ways of thinking to foster solutions to the unique opportunities facing the grid (e.g., growth of DERs, virtualization, and cloud services). Remember that our differences as individuals make us stronger as a team.

Certrec Sentinel would like to thank Kenath Carver for sharing his valuable time and knowledge with our readers.

Visit Texas RE’s website at https://www.texasre.org/