ATLANTA — NERC’s ninth annual GridSecCon was the biggest yet, as more than 600 attendees heard talks on drones, insider threats, supply chain risks and other topics. Here are some of the highlights of the conference, which was organized by NERC’s Electricity Information Sharing and Analysis Center.
‘Prepared to be Overwhelmed?’
Brian Harrell, assistant director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, rallied the attendees, saying critical infrastructure owners must understand their “gaps” to protect against nation-state attacks.
“It’s on the margins, on the folds; it’s where you’re not looking that an adversary … is looking to exploit,” he said. “We should all understand that one day, we will be faced with a security event. Something will happen in our system. Let me ask this very key question: Are you prepared to be overwhelmed, when it’s the fog of war; there’s incomplete information; everyone is yelling on the radio at the same exact time? Maybe there’s blood on the ground. Are we prepared to be overwhelmed?”
Although DHS has moved past the post-9/11 antiterrorism mission on which it was founded, it cannot prevent sabotage of industrial control systems by itself, Harrell said.
“It takes patriots. It takes those with a vested interest in how we leave this country to our children. So I ask as we leave this conference … that you leave with a ‘to-do’ list, with a list of items that we can do to prepare the next generation, promote resilience, protect our critical infrastructure and work for the common good of national security.”
Harrell said he is surprised at how far behind other critical infrastructure sectors are in their cybersecurity measures compared with the electric industry. DHS is urging other sectors to adopt the model of the Electricity Subsector Coordinating Council (ESCC), which includes more than 30 CEOs of investor-owned utilities, public power companies, rural electric cooperatives and industry trade groups.
Because it is led by CEOs, Harrell said, “when we have a robust conversation around the table, and we say, ‘This is the plan; let’s go forward; let’s make things happen,’ it actually happens. Instead, the other model [without CEOs] is, ‘Let me go back to the shop … get concurrence, get some approvals and then we’ll see you next quarter,’” Harrell continued. “That is ineffective. It is slow. It is burdensome.”
Harrell also discussed insider threats, saying, “I am convinced that we have individuals within our companies that have the institutional knowledge as to how to bring us to our knees. They understand the keys to the kingdom. They understand what the crown jewels are.”
Conducting background checks every seven years isn’t enough protection, he said. “Do we have the technology in place to understand what data is leaving our system and going to somebody else’s Gmail?” he asked.
Fanning: AI Key to Defense Against Increasing Threats
Southern Co. CEO Tom Fanning, co-chair of the ESCC, said the rise of machine learning has resulted in an explosion of attacks against utilities and a need for robust artificial intelligence. Fanning said utilities have faced millions of attacks daily, including efforts to position, probe defenses and gain intelligence.
“Heretofore you can imagine a nondescript concrete building on the streets of Beijing, China, with armies of people banging keyboards trying to get in,” he said. “But as machines learn how to attack, we are now into trillions of [attacks] a day, and the success and failure of attack defense will be driven by how good your artificial intelligence is. It’s almost beyond human capability to … understand an attack and how to defend ourselves.”
Fanning said the Cyberspace Solarium Commission, a bipartisan group of members of Congress, former government officials and industry representatives authorized by Congress, will produce a report later this year or in early 2020 that will “reimagine how government and private industry work together” to address cyber threats.
“The concept of [information] sharing will be obviated in the not-too-distant future. Sharing is too slow,” he said. “I think we will consider an effort to join the data-sharing, knowledge-sharing and sharing of insight among and between the intelligence community, the defense community and private industry in a way that we have never seen before.”
Collaborating to Deal with Squirrels and Nation-states
Karen S. Evans, assistant secretary in the Department of Energy’s Office of Cybersecurity, Energy Security and Emergency Response, joked that her responsibilities span from “squirrels to nation-states.”
“My leadership’s greatest fear is when we are responding to a natural disaster, that that is when our country is most vulnerable. And that’s when we would be taken advantage of,” she said.
She said the relationships between industry, DOE and its national laboratories are crucial to protecting the grid. “The only reason why this is going to work is because of the partnerships that we have within the sector,” she said.
Zach Tudor, Idaho National Laboratory’s associate director for national and homeland security, had a similar message. “The reason we can speak with one voice is you’ve built a community of trust,” he told the audience.
Ross Johnson, president of Bridgehead Security Consulting, also stressed the value of collaboration, decrying organizations that have dropped out of industry groups because management didn’t understand the value.
“They’re crazy,” he said. “You don’t learn anything hanging around the office. You learn from meetings like this.”
Building on GridEx Lessons
Tim Conway, technical director for SANS Institute’s ICS and supervisory control and data acquisition programs, suggested utilities participate in NERC’s biennial GridEx to get tested by “surprise” scenarios and work in the off-years on the risks to which they are most vulnerable.
Conway said the industry can sound “schizophrenic.”
“We say these standards are a baseline minimum, indicating we should all be doing more. But because they’re changing so much, you’re not incentivized to do more because you’d be misallocating capital.”
Ben Miller, vice president for professional services and R&D for Dragos, a security firm focused solely on ICS, said, “There’s a difference between incident response planning and readiness.
“And largely what we’ve been testing to date with GridEx, I would say, is largely on the planning side. Being able to measure and understand readiness is a whole different ballgame.
“I do recognize that GridEx does do interdependency testing,” he continued. “I am suggesting from a threat assessment and threat understanding [perspective], we can sometimes close our eyes to the external facing threats that we don’t control because they’re hard to approach. That said, there’s still very realistic … scenarios that [suggest] some level of planning and discussion should happen outside of exercises.”
DER Risks and Benefits
Several speakers mentioned the potential risk from distributed energy resources.
“If we look at … our infrastructure … there’s visibility right at the edge that we don’t have for certain types of cyber issues,” said Ben Blakely, chief security officer for Hydro One. “You can’t manage scenarios that you’re not aware of.
“I’d be curious to see how other folks are doing in that space and also how it would be manifest in a certain scenario that would have impacts on the distribution and transmission system, and ultimately the customer,” he added.
Conway said DERs provide both risks (lower defenses) and potential benefits (the ability to island during disturbances). “We’re in this weird in-between zone right now,” he said.
Filtering out the ‘Noise’
Jason Stenstrom, Entergy’s director of detection and response, said heightened awareness of cyber risks has also increased the volume of the “noise” with which he must contend.
“Not to say that is bad, because we’re building the culture where people are being aware of all these potential threats, but it can create quite a bit of noise,” he said. “Our CEO … will hear something … and [the question] will come right down to our CIO and right down to me: ‘What are we doing about this?’ It may not even be relevant to our environments.”
Market Systems’ Vulnerability
Blakely was asked how vulnerable the grid would be if the Ontario Independent Electricity System Operator’s market systems were unavailable or corrupted.
“We actually exercised this a few years back in a GridEx scenario,” he responded. “And one of the things we identified was, sure, we understood the criticality of the settlements and markets processes, but we’re not applying the appropriate controls consistent with where the other crown jewels are — at that point in time, the ESP [electronic security perimeter]. So, we actually started to put plans in place to harden that portion of the infrastructure.”
Blakely said Ontario can operate the power system without the market functioning, having a way to process settlements afterward. Still, he said, “It’s absolutely concerning. I don’t think it’s fully explored.”
Gas-electric Nexus
Kathy Judge, head of U.S. physical security for National Grid, talked about the difference between reliability regulation of the oil and natural gas (ONG) industry and that of the electric grid, which answers to NERC.
“On the ONG side, we have many parents we have to answer to, and they don’t always agree in their approaches,” she said. “They each have their own regulations. … We have TSA [Transportation Security Administration] for pipeline security guidelines; we fall under the Department of Transportation under PHMSA [Pipeline and Hazardous Materials Safety Administration] regulations and DHS for [counterterrorism] standards. We’re under FERC in some situations. Each state regulates us, and then the U.S. Coast Guard [does so] as well. So, you can have a situation one week where you can have three different regulators come to look at the same site. So, not always ideal from an operational perspective.”
The positive: Gas regulations are “much less prescriptive” than NERC’s, Judge said. “We like that.”
Robert Mims joined Southern Co. as director of security for its gas, nuclear, generation and transmission operations, after the company’s acquisition of AGL Resources (now Southern Company Gas) in 2016. He confessed to having “NERC envy” when he was responsible for gas alone.
“I would see my electric peers and see all the resources they had to apply to the same problem that I did. But they’re serving 4.2 million customers with 30,000 employees, and they’ve got a team of 100 cybersecurity people. And I’m dealing with the same circumstances [with fewer resources] … so, it’s a challenge,” he said. “I don’t have regulations; I have pipeline security guidelines that are voluntary. If it takes a regulatory action to get me those resources, I’m all for it. That’s one way of looking at it.”
He recalled the 1965 blackout that led to NERC’s formation and the 2003 outage that caused Congress to authorize mandatory reliability standards for grid operators.
The gas industry knows “we’re one incident away [from mandatory regulations],” he said. “In the meantime, we’re going to keep working together, with a lot of industry collaboration, a lot of partnerships, and just understand our own risk and threats and doing what we think is the right thing for our companies to mitigate those risks.”
Not Sleepless in Idaho Falls
Several of the panel discussions included that hoary question, “What keeps you up at night?” Although the security of 5G technology concerns him, INL’s Tudor insists he sleeps well.
“I like to say, ‘I’m from Idaho Falls and I sleep like a baby, [thanks to] that fresh air and everything else,’” he said. “A lot of us have been here and doing this for a long time, and we’re really getting better. So, yeah, the adversaries are getting more sophisticated, but our community’s growing. We’re learning more, so it makes me hopeful every day. So, I don’t try to take it to bed with me. I just wake up energized to do more the next day.”
— Rich Heidorn Jr.