
Cyber, physical security are an increasing challenge for utilities, members of APPA task force tell reporters


From the November 18, 2013 issue of Public Power Daily

Originally published November 18, 2013

By Jeannine Anderson
Editor

Public power utilities, along with the rest of the U.S. electric utility industry, are changing some of their basic operating procedures to try to guard against cyber and physical attacks, members of a new APPA task force on security told reporters Nov. 14. The threats are constantly evolving, though, and the industry is unlikely to be able to thwart every one of them, said members of the task force, called the Cybersecurity and Physical Preparedness Committee (CAPP). The officials spoke at a press briefing for reporters that took place at APPA's headquarters in Washington, D.C., where members of CAPP were holding their first face-to-face meeting.

"We recognize that reliability is really Job 1 for utilities," said APPA President and CEO Mark Crisson. In recent years, he said, utilities' traditional worries about the physical security of their facilities have been equalled or overtaken by worries about cyber threats. Those threats are changing all the time, Crisson said.

In a speech at APPA's Legal Seminar in October, Crisson said it is a good idea for utilities to look at their operations—including SCADA, distribution automation and advanced metering—and examine whether these operations share any systems with a utility's enterprise departments or information technology departments, such as accounting, human resources or the utility’s website. "Make sure that one doesn’t provide a back door to the other," he recommended. (See Public Power Daily, Oct. 24.)

The CAPP task force, made up of personnel from roughly 20 APPA member utilities, was formed earlier this year. It includes chief executives, government relations staff, operations staff, public affairs professionals and others who have expertise in cyber and physical security.

Trying to understand the growing risks is part of a utility's risk management efforts, and adapting to those risks "is a matter of best practices," said John DiStasio, general manager and CEO of the Sacramento Municipal Utility District in California. The risks come in two categories, he said: vulnerabilities and imminent threats. For pinpointing vulnerabilities, he recommended the Department of Energy's cybersecurity maturity model and a self-assessment tool developed by the North American Electric Reliability Corp.

"You can go through this and make a detailed assessment of your risks," he said.

For imminent threats, utilities need to "make sure we have actionable information" to help them protect their systems, DiStasio said.

At the Anchorage Municipal Light and Power Department in Alaska, "we've moved all the back doors" that could let hackers into the utility's operating system, said Jim Posey, the utility's general manager. "We make sure the operating system and business system never meet."

The Anchorage utility has installed its own fiber optic lines between substations to beef up security, Posey said. If you are relying on a third-party fiber optic cable, they "can switch circuits on you in the middle of the night," he said.

Anchorage also avoids the use of jump drives, Posey said.

"Some jump drives can be pre-loaded with malware, so we don't let people use jump drives," he said. "There are no jump drive ports on our computers." The utility will add jump drive capability in certain instances, but is very careful about monitoring the use of these drives, and it installs its own equipment, he said.

"Security is inversely proportional to convenience," said Branndon Kelley, vice president of IT and chief information officer for American Municipal Power.

Physical and cyber threats "are real," Kelley said, but it can be hard to convince employees that they need to adopt new procedures that they perceive as making their jobs more difficult. Separating a utility's business side from its operations side "creates challenges for employees," so employees need to be educated to develop a security-conscious mindset, he said.

"You can never spend enough money in this field," he added.

How can a utility decide when it has spent enough? asked a reporter.

There is no real answer to that, replied Kelley.

"You are constantly in a reactive mode," he explained. "You take proactive steps, but you are always reacting. We can say, 'We'll spend X,' but by the end of the year we may think we should have spent three times X."

"Who is being inconvenienced?" asked the reporter.

"The engineering department, the billing department, pretty much anyone who needs to touch generating data," replied Kelley. Those people need two computers now, instead of one, he said.

Utilities cannot protect against every type of potential attack, said Benjamin Beberness, chief information officer for the Snohomish County Public Utility District in Washington. "This is more about recovery," he said. As with severe storms, "we can't prevent them, so we need to get better at recovering from them," Beberness said.

Knowing how to recover from an emergency is especially important, agreed Posey. "You just can't prevent everything," he said.

Utilities need to make rational decisions about how to mitigate risks, said Allen Mosher, vice president for policy analysis and reliability standards at APPA. "You can't compare a small municipal system and a large system that serves 100 megawatts of load," he said.

Preparedness exercises like the GridEx II drill, conducted by utilities across the country on Nov. 13 and 14, "are very important," Mosher said. "Things never work the way you had anticipated."

The Nov. 13-14 drill is described in a New York Times article, "Attack Ravages Power Grid. (Just a Test.)" Among the events simulated during the exercise: at one utility, a fifth of the utility's customers lost power after "attackers" used guns and bombs against a power plant and transformer, the Times reported. "There were certainly surprises for us," the utility's president said. "I sat up straight in my chair." Data from the exercise will be analyzed in the coming weeks, the newspaper said.
