By Rich Heidorn Jr.
WASHINGTON — Utilities aren’t getting the “actionable” intelligence they need to defend themselves against cyber threats, the head of the Large Public Power Council said Tuesday.
“The classification system relative to classified information came out of a national security perspective — appropriately so — but there’s certain pieces of information that we don’t need attribution on,” John Di Stasio, president of the LPPC, said in a press briefing. “We just need to know: What’s the threat, and what’s the nexus to my operations? I think sometimes the way the system is now, it’s very hard to parse out pieces of classified information. So … you don’t necessarily get something that’s actionable.
“We certainly get heightened security alerts: ‘Pay attention. Keep your eyes open.’ That’s something that we do anyway. But those alerts, in and of themselves, don’t tell you what actions you might need to take in your system.”
“We need actionable intelligence,” echoed Pat Pope, CEO of the Nebraska Public Power District. “We don’t really care who it was done to or who did it. We just need to know so we can protect our own systems.”
The two spoke at a press briefing in D.C., where they and other LPPC members had come to lobby Congress on tax policy for municipal bonds.
‘Core’ Challenge
NERC CEO Jim Robb said he agrees with the criticism.
“It’s one of the core challenges the [Electricity Information Sharing and Analysis Center] has,” Robb said in a press conference Wednesday. “We can’t release classified information, so we have to work with our government partners to get it to a declassified state to where it can be shared. … The issue has been talked about [and] discussed, but we haven’t been able to break the back of that one.”
Robb, who noted the E-ISAC is 18 months into a five-year plan to expand its staffing and capability, said it is attempting to be “innovative” by issuing “all-points bulletins” on emerging issues.
The CEO said the bulletins have a lower threshold than other alerts. “We don’t have to … kind of assemble the United Nations, if you will, of 7,000 security officers to have a conversation around something. It’s a good way to get a heads-up out to industry about emerging issues as they unfold. One of the things we’re trying to do is to make sure we’re getting information out to industry in a way that’s timely, helpful, but not necessarily wait for every ‘i’ to be dotted and ‘t’ to be crossed, because by that time, you’re probably too late to be helpful.”
Response to Ransomware
The public power executives were asked Tuesday how their companies would respond to ransomware attacks like those that have recently hit Baltimore and Atlanta.
Jackie Sargent, general manager of Austin Energy, said her utility would not pay ransom.
“We actually invested in cyber insurance this year,” she said. “You don’t want to get into … paying ransom because then it just encourages them to continue to do that. So, you have to make sure that [you are] making backups of your system [and that] you have isolation of those backups so that you can reinstate those systems.”
She added, “One of the advantages of being a municipal utility and being part of a city is that we have access to not only our [cyber] resources … but also the city’s resources to help us.”
Di Stasio said the LPPC attempted to help its members plan their responses to cyberattacks with a crisis communication workshop.
It “is really helpful for people to think through: ‘What should I have in place?’” Di Stasio said. “So, the first time I think about it isn’t when [an attack occurs and] somebody says: ‘OK, what are you going to do?’”