SAVANNAH, Ga. — As SERC Reliability held the first in-person meeting of its Members and Board of Directors since the outbreak of the COVID-19 pandemic this week, ERO Insider’s Holden Mann sat down with CEO Jason Blake to discuss how the coronavirus has changed regional entity’s culture and the challenges that lie ahead for the ERO Enterprise. The following exchange has been edited for clarity.
ERO Insider: As this is SERC’s first in-person meeting in almost two years, it seems appropriate to start by talking about some of the lessons you’ve learned from the changes to how SERC operates over the last few years. What kind of efficiencies have you discovered during the shift to remote work, and what are the things that you’ve found really need to be done in person?
Jason Blake: Well, it’s so commingled — I think some of the things that we’ve learned and the opportunities that we’ve had are also so intertwined with [the feeling of], “Oh, my goodness, I miss doing that.”
In terms of lessons learned [and] efficiency gains, [there’s] the way we do our monitoring and our audits. We’ve learned that for certain audits, we can be quite effective doing things virtually, so that’s a bit of a game changer. We may not need to bring everyone on site to conduct a certain audit. And we really pride ourselves on being risk based, so … if it’s a lower-risk type engagement, we should try to utilize these new tools of virtual engagements.
With that said, there are certain things that are hard to do virtually. You know, being able to walk down substations, or just the human interaction with the audit engagement that I believe is critically important. Our auditors don’t want to be seen as a cop out to give you a ticket, but rather an expert coming in to evaluate your programs and identify ways you can get better. And there’s so much value that happens with just the humanization that occurs when you’re in person.
It just feels very different than if we’re on a WebEx or [Microsoft Teams] call. You see body language, and then on top of that, you have the opportunity to have additional conversations in the hallway to seek clarification.
Q: How about SERC itself, and the working culture?
A: It’s really [been] wonderful to be able to move toward recognizing and establishing work life balance [and] creating the type of work environment where people can work remotely twice a week — [which is] our policy — yet, not wanting to let go of the value that we have.
It’s really important to our culture and who we are to be able to get together. I think there’s creativity, there’s connection, there’s just massive efficiency gains by being able to dip in someone’s office and ask a benign question, [which] you might not ever ask if you had to set up a WebEx or Teams [meeting]. And I think that there’s probably a [similar] concept with stakeholders: certain things they may never ask because they’re not in front of us.
I think the way we do our workshops and things like that, opening those up to be hybrid where people attend virtually … has some benefit to it as well for those that can’t make it. Trying to allow as may people [as possible] to hear the lessons learned we’re trying to share, or that type of outreach, I think has proven well. It’s also sparked a little innovation. We have e-learning modules that are on our website; we have an outreach and assistance team that’s voluntary, [where] if an entity’s struggling with something they can call us.
Q: You have a lot of veteran staff who had to adjust to working remotely during the pandemic. But you must also now have a significant cohort that joined during the pandemic and don’t know what it’s like to work in-person at SERC. Has it been a bit of a shock for them, going back to the office?
A: I think one of the great things about people is we’re adaptable. We had a large percentage of our workforce who really struggled when we went full remote; of course, you also have some individuals that felt quite comfortable quickly. We’re all wired in our own ways.
There are definitely upsides about being able to work remotely: all kinds of family-related things become simpler. That’s why I’m so big on the hybrid [model], to help people with work-life balance while also realizing the benefits of returning to the office. It’s been two years, effectively, so we want to make sure people are comfortable with the new world we live in.
We are focused on having people recall what it was like to be together that we so valued before the pandemic. It’s been really refreshing to see the energy in the hallways: people standing in another person’s [doorway] having a conversation, laughing, or talking about work or whatever. But we had to be very thoughtful about trying to bring people in and understanding that we’re going to have different risk tolerances. So we are being thoughtful as we possibly can, while still trying to do what’s best for our mission.
Q: Cybersecurity and cyber hygiene became a major concern early in the pandemic. (See PPE, Testing Top Coronavirus Concerns for NERC.) How did this risk affect your work at SERC, both in the early stages of remote work and ongoing?
A: I think the biggest thing is, it just makes us re-evaluate lots of basic, underlying assumptions. It makes us think about the types of devices we’re disseminating to staff: How well protected are they? How locked down are they? Same with [smart phones]: everyone has one with them, right? Do we have those as secure and as locked down as we possibly can?
So there’s definitely focused energy there, which would have needed to occur regardless because of the nature of what we do. People want to be mobile with their information, regardless of whether they’re in the office for a set amount of time or not. One thing that [we’ve] noticed is the phishing [attacks], the smishing — which is when they do it via text — and all kinds of other things. We just learned that QR codes can be corrupted … and that can be a way to get into your system.
Cyber attackers have gotten so creative, and it’s constantly moving and evolving … [and] it only takes one person to make a mistake, which is scary. One person opening something or downloading something that they could potentially spread. So it’s training, training, training, and practice. We do drills; we have an IT department that enjoys trying to catch people, and they do a really good job. But it’s vigilance, and it’s exhausting because you can’t let your guard down.
Q: One of the things we heard about in the meeting today is the escalating cyber risk caused by the conflict between Ukraine and Russia. (See “Cybersecurity and Ukraine,” SERC Board of Directors/Members Briefs: March 30, 2022.) How do you see SERC’s mission in the bulk power system, not just as a regulator but as a resource for the ecosystem or the utilities? How can you be a productive part of that system?
A: With things like cyber, you have known risks, you have emerging risks and you have unknown risks. There are things that we know are out there, but we also know that the adversaries are getting more sophisticated and motivated; the threats are getting more complex; geopolitical tensions are volatile. So there has to be a great deal that you don’t know about.
I have a medical analogy that I’ve used quite a bit. The first [step] is preventative medicine: you go to your doctor. Your doctor doesn’t want you to get sick, and so they say, eat these types of things, exercise, practice this type of hygiene and so on. This is the best of what we know now, and if you do this, it will reduce the likelihood of you getting ill. So we have an outreach team and assistance team, which does exactly that. They set up workshops about emerging issues, or about proven mitigation strategies.
The second [stage] is like your annual checkup. If your doctor knows about known risks and who you are and your potential issues that you could get sick [from], and they run a periodic annual checkup, you leave feeling a little bit more confident and in a better situation. I think the analogy there goes to our monitoring team. They use the reliability standards, the [Critical Infrastructure Protection] standards, which are robust, to make sure you have controls in place … [and] have a very strong and secure posture.
The third part of my analogy ties to the emergency room … and that is when something has occurred and you’re having challenges. Sometimes it could be nothing more than allergies, [but] sometimes, you may have a programmatic issue. And there’s where I see our role. I think this is one of the most important roles that we have.
It’s not just about fining — that’s important, because we want to send a message that this is not all right. But what I believe is most important are ensuring effective mitigation plans are in place. We don’t want to just check a box; we really want to get in there, roll our sleeves up and understand the root cause to make sure we’re setting our entities up so that we’re not only addressing the issue, but that it’s sustainable for the future.
Q: One of the other things that you talked about was the ERO’s transformation: we’re pivoting to renewable resources, and there’s a lot more public attention being paid to the question of reliability and resilience, especially after last year’s events in Texas. Can you talk about the coming challenges for the ERO and regional entities like SERC?
A: I think what we’re seeing is the maturation of the ERO model. Generally speaking, when things first started out, I think our model was much more centered around compliance. And at some point, I think around 2010 or 2011, we became more focused on understanding the why — why are we doing this? I have a hard time believing anybody wakes up and says, “I can’t wait to be compliant today!” I think the why is, “I can’t wait to wake up and make sure that the grid is reliable and secure.” It powers communities; it’s vital to the health and safety of my hometown, a big city, the economy.
And once you come to realize that, then you move to the concept [that] these are tools. Compliance is incredibly important, but it’s a tool to ensure things are reliable and secure. The standards are designed to [ensure] good utility practice. You need to do these things to make sure you’re secure and resilient. So once you can see the big picture, then you start evaluating — what other tools you have, that you [may be] already using, but maybe not in the most effective way.
I believe the regions — SERC and NERC and other regions — have done a really nice job on upping their collective game with the long-term reliability assessment, seasonal assessments and those things. But we cannot draw up those reports, or observe things such as the Odessa event or the [winter storms] in Texas and just write up a really good report and set it on the shelf.
It’s incumbent on us not only to make sure that our stakeholders know. … You have state legislators, you have policymakers [who are] making really complicated decisions. They’re struggling with ideas that have real reliability [and] security implications, and we really do need to improve our capabilities and ability to get in front of them and make sure that as an independent resource, [we’re] just explaining … the challenges … the opportunities, [and] the limitations … so that they can make their decisions. It’s not about driving decisions in any way whatsoever, but just making sure they are in the best position possible.