PHILADELPHIA — Cybersecurity was the subject of two panels at the Edison Electric Institute’s 2019 conference this week. Here are some highlights of what we heard.
Hawaiian Electric Industries CEO Connie Lau, who moderated a June 10 panel on grid security, said her utility is a cyber target in part because the Honolulu area is home to the Defense Department’s Indo-Pacific Command (USINDOPACOM).
“The U.S. watches 52% of the world’s surface from our little island,” she said. “ … If our adversaries wish to compromise INDOPACOM’s mission readiness, it’s unlikely they’re going to go directly after the DoD but more likely they might target the critical infrastructures that service those bases.”
“The good news is that our industry’s partnership with the government has never been stronger, led by ESCC [the Electricity Subsector Coordinating Council],” added Lau, who is chair of the president’s National Infrastructure Advisory Council. “Our sector’s coordinating council is considered the best around and a model for other sectors.”
Brian Harrell, the Department of Homeland Security’s assistant director for infrastructure security in the Cybersecurity and Infrastructure Security Agency (CISA), agreed.
“When you have CEOs in a room and we’re having conversations about storm restoration … whatever the issue is, we know that when we can engage the senior leaders, things all of a sudden happen. And we don’t necessarily see that in other critical infrastructure sectors.”
Harrell joined DHS after stints as NERC’s director of critical infrastructure protection programs, where he headed the Electricity Information Sharing and Analysis Center (E-ISAC), and as managing director of enterprise security for Duke Energy.
Harrell recalled that when NERC began planning for its first GridEx in 2011, “not a whole lot of folks wanted to play in a cybersecurity exercise with their regulator. And now I think we’ve been able to get over that hill. … The reason we do this is for us to collectively — from a government and industry response — get better. To ask ourselves the hard questions under blue sky conditions and not necessarily when things go wrong. We do not want to be passing around business cards in the midst of [a] crisis.”
Harrell warned against the risk of “security fatigue.”
“We’re bored of talking about information sharing at this point. But in reality, it’s one of the most critical things we do,” he said.
He also called on the industry to become more proactive in anticipating threats. “We cannot [be] constantly bolting security on to some of our systems and plans that we have. We need to get ahead of the adversary.”
Adrienne Lotto, deputy assistant secretary in the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER), discussed DOE’s Cyber Analytics Tools and Techniques (CATT) and Cybersecurity for the OT Environment (CYOTE) projects, which aim to improve situational awareness.
“Threats for the sector today are forcing us to think differently and act differently to ensure what we are telling our systems to do is actually what’s happening out on those systems,” she said. “Right now, there’s no way to know with any degree of confidence that an app, a switch or a router or anything is doing precisely and only what you purchased it to do.”
A Pawn
Duke Energy Chief Information Security Officer Dennis Gilbert, who moderated a June 11 panel on the challenges of the interconnected grid, said his company, like other utilities, has become “a pawn in the geopolitical struggle.” He lamented that hackers have turned the dark web into a marketplace for “cybercrime as a service.”
Robert M. Lee, CEO of cybersecurity company Dragos, said that while experts have learned much about threats to industrial environments in the last five years, “a lot of our frameworks, regulation, best practices … [haven’t] adapted.”
“We’re actually using a lot of enterprise security strategies and then forcing them on the industrial side of the house. To actually take lessons learned, we’re going to have to do that as a community. We can’t just wait for [National Institute of Standards and Technology] to put out the latest thing or for [the] NERC CIP [standard] to be adapted. It’s going to be the electric sector leadership that steps up and takes their role and says here’s what we’re learning out in the field. And here is what we think the government can do on top of that.”
“What keeps me up at night is not Duke or Southern Co. going down; I think they have generally good security,” he continued. “What concerns me is distribution. [If hackers cause] a 30-minute power outage …. Congress is going to freak out because the public is going to freak out. They’ve heard everything from Ted Koppel’s book [Lights Out] to [predictions] about we’re all going to die. … If we don’t get a control on that narrative, the fear alone could outpace what we’re trying to accomplish.”
Frank J. Cilluffo, director of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security, said industry and government have “spent five years sniffing each other. I think the trust is there now.”
In addition to those from China and Russia, Cilluffo warned of risks from North Korea and Iran. “What they lack in ability, they make up in intent,” he said.
Steven Dougherty, global leader of IBM Security’s Energy, Environment and Utilities group, warned that social engineering tactics are becoming more automated. “Look at the work that was done on BlackEnergy. That was a team of [about] 35 different coders who worked on that malware. The sophistication that we’re seeing in this space is significantly greater than in the past.”