November 22, 2024
MARC Panel: Cybersecurity Takes Training, Sharing
© ERO Insider
Utilities must train their employees and become less wary of sharing information with other companies, cybersecurity experts told MARC in Des Moines.

By Amanda Durish Cook

DES MOINES, Iowa — To mitigate cyberthreats to grid infrastructure, utilities must train their employees and become less wary of sharing information with other utilities, according to experts speaking at the Mid-America Regulatory Conference (MARC) on Monday.

Illinois Commerce Commissioner D. Ethan Kimbrel kicked off a panel on the subject with a reminder of last month’s ransomware attack on Johannesburg’s City Power, which encrypted the utility’s databases, applications and network, crippling its payment system.

Joe Randazzo, ITC Holdings’ director of networks and information security, said the most sophisticated “bear” (read: Russian) group of hackers can take as little as 18 minutes to gain access to a utility’s operational technology.

“A lot of times we’re fighting the ‘bears’ singlehandedly without the help of the federal government,” said Peter Grandgeorge, MidAmerican Energy program manager.

“Everybody in this room, whether you’re a vendor or a regulator, you’re a risk,” Grandgeorge said of the proliferation of phishing campaigns coming from compromised third-party emails.

“Most hackers are preying on the goodwill of people,” Randazzo agreed. “And hackers only need to be right once; employees have to be right 100% of the time. A person clicking on an email because they think they won a $50 Amazon gift card can have huge implications.”

MARC
SPP’s Sam Ellis (left) and ITC’s Joe Randazzo | © ERO Insider

Grandgeorge said when MidAmerican began conducting phishing tests among its employees a few years ago, the failure rate was at about 20%. He expects an upcoming test will yield just one or two failures out of the company’s approximately 3,750 employees.

“That sounds good, but we think it sounds terrible. Because it only takes one,” Grandgeorge said.

“I don’t want to say people are the weakest link, but if you can do phishing activities, you’ve plugged a big hole,” said Paul Hofman, vice president of IT at Central Iowa Power Cooperative.

Hofman said it’s preferable to provide cybersecurity training for an employee already well versed in utility operations than to a bring in a standard cybersecurity expert.

“You can’t just treat your operational technology like printers and PCs,” Hofman said, adding that one cybersecurity scan at his co-op set off several alarms to the exasperation of system operators.

Sam Ellis, SPP’s director of cybersecurity and controls, said finding talented people with cybersecurity experience is fast becoming a challenge as more positions open up.

Ellis also advocated for utility IT professionals to network among themselves to learn about different cybersecurity strategies. He said grid operators regularly share experiences at ISO/RTO Council meetings.

“There’s a saying that when you need a friend, it’s too late to make a friend,” Ellis said.

If SPP’s market system goes down, he said, “we feel confident that we can maintain reliability,” but the RTO has less confidence its system will continue to operate reliably if its energy management system is taken out. In that case, others — such as the transmission owners — still “have eyes on the system.”

MARC
Central Iowa Power Co-op’s Paul Hofman (left) and MidAmerican’s Peter Grandgeorge | © ERO Insider

Randazzo said cybersecurity intelligence is not regarded as the proprietary information it once was, and utilities are less “skittish” now about sharing threat possibilities with one another.

“This is a team effort,” he said. “We can share what we call IOCs: ‘indications of compromise.’”

Hofman said state utility commissions could help create a safe, secure space where utilities can confidentially share cybersecurity information without risking public exposure of sensitive materials.

Multiple panelists also urged utilities to submit cyberthreats to the Kansas City Regional Fusion Center, which can compare possible threats against its database of known ones.

Grandgeorge noted that cybersecurity can also require physical efforts, recounting that he’s taken FBI agents along on a wind tower climb to better understand how to regain control of hacked equipment. He said he didn’t consider the move an extraordinary measure after Chinese espionage agents were caught stealing seed corn in Iowa in 2016 in order to extract intellectual property from the genetically modified seeds.

FERC & FederalRegional Entities

Leave a Reply

Your email address will not be published. Required fields are marked *