Panelists at the National Association of Regulatory Utility Commissioners’ (NARUC) Winter Policy Summit on Monday encouraged attendees to take an active role in pushing utilities to invest in cybersecurity.

“It’s really worrying about the weakest link here when it [comes] to cyber. …  If our weakest link goes down, then we’re all in real trouble,” Deputy Secretary of Energy David Turk told the “Protecting the Homeland” panel at the summit’s general session. “And it strikes me [that] you all as commissioners … play an incredibly important role to make sure that you’re taking care of the weakest links … so people appreciate why we need to make the investments … from the get-go and build resilience [and cyber] in by design.”

Cyber the Responsibility of All

Turk and his fellow panelists said that recent high-profile cyberattacks such as the Colonial Pipeline ransomware attack and the hack of the SolarWinds Orion software have helped to shed light on the importance of cybersecurity. However, even as utilities that now say they are taking cybersecurity seriously, the leadership often still believes that addressing the threat means assigning it to specialists.

National Cyber Director Chris Inglis | NARUC

This is an outdated way of thinking that ignores the way hackers infiltrate organizations, National Cyber Director Chris Inglis said. He pointed out that the Colonial attack was possible because “a human being made a mistake [and] clicked on a link … not realizing that it’s somebody else’s code.” The lesson: No matter what kind of firewalls and other precautions a company’s security professionals put in place, the organization is still vulnerable unless every employee is committed to maintaining security.

“We still don’t have all the heads in the room … saying, ‘I have a role to play.’ Too often, we see this as the work of champions who have the word ‘cyber’ or ‘IT’ [information technology] in their job titles,” Inglis said. “Individuals making use of cyberspace make choices all day, every day, that then have … a heavy influence on how things proceed.”

Inglis acknowledged the difficulty and expense of adding new cybersecurity requirements to the existing grid but said that this is where regulators could play a role by ensuring that refusing the necessary investment is not an option for utilities.

“This is simply an investment we must make. No one doubts that there should be a third prong on the plug that you plug into the wall in a 110-volt system — we should have no less of a doubt that cyber should be built into everything that we do,” he said.

Private, Public Sectors Must Support Each Other

Berkshire Hathaway Energy CEO Bill Fehrman | NARUC

Bill Fehrman, CEO of Berkshire Hathaway Energy, agreed with the government representatives that “if a company cannot afford to properly protect their systems, then they should not be in business.” But he also observed that with the proliferation of cybersecurity threats, utilities — especially smaller municipal and rural electric providers — are facing heavier burdens than they have ever encountered before.

“We, across our networks, take about three and a half billion hits a day. About 10% of those are actual, legitimate business issues; the rest are the people … who are trying to get in and do things to us,” Fehrman said. “And today it’s much broader than just the hits on the network. It’s on our supply chain: we now worry about every single component that is in the … equipment that we buy. … Because of concerns of equipment coming, in particular, from China … we may have to spend more money to get equipment from more U.S.-friendly countries.”

The diversity of threats makes it paramount that utilities be able to share data quickly on security developments — a role that NERC’s Electricity Information Sharing and Analysis Center seeks to fill.

“We don’t need all 3,000 utilities in a room,” Fehrman said. “What we do need is a way to quickly come in, assess that information, and then through the information sharing mechanisms that we have get it pushed back out, so that even the smallest of the utilities have that information that they need, so that they can properly operate their systems.”

Inglis agreed with Fehrman that the electric sector occupies a unique position in national security, with private companies responsible for vital national infrastructure assets. He said that the government must recognize this and position itself accordingly to support the stakeholders in this space, rather than dictate how they ought to respond to the latest threats.

“In the realm of cyberspace, unlike just about every other national security issue of some consequence … the private sector is the supported entity,” Inglis said. “Most of the resources exist in the private sector: just about all the innovation … capacity building [and] operation is in the private sector. The government, therefore, if it’s going to be coherent, needs to be prepared for a particular purpose, which is to better support the private sector.”