Cybersecurity and Physical Security

Hyland details ways that Association is helping members with security

While the shift to a culture of security in the power industry will not be an easy thing to do, the American Public Power Association is working to help member utilities beef up their security posture in a number of ways including entering cooperative agreements with the Department of Energy, said Michael Hyland, Senior Vice President, Engineering Services, at the Association.

He made his comments on Nov. 1 at the National Academies’ Committee on the Future of Electric Power in the U.S. for a discussion of how cyber security issues could shape electric power systems over the next 30 years. The event took place in Washington, D.C.

Hyland said that since he started his career in the power industry in the 1980s, the sector has experienced three cultures -- safety, reliability and now a transition to a culture of security.

The culture of safety started with the formation of the Occupational Safety and Health Administration in 1971 “and we started being held to certain standards and metrics.”

The move to a culture of reliability occurred shortly after based on the work of many science-based organizations such as the Electric Power Research Institute (EPRI) and the Institute of Electrical and Electronics Engineers (IEEE). This work formalized into a standard when IEEE released its Guide for Electric Power Distribution Reliability Indices (1366-1998).

“I think now we’re moving to this culture of security or resiliency,” Hyland said. But that transition “is not going to come easy,” he said.

“You can still go into offices in the United States” and see passwords on sticky notes or encounter people who save their passwords on their smart phones. “We need to change this culture,” Hyland said.

Meanwhile, some utilities continue to struggle with the culture of safety or the culture of reliability, Hyland pointed out.

Another speaker at the event, Brian Harrell, Assistant Director for Infrastructure Security within the newly renamed U.S. Cybersecurity and Infrastructure Security Agency (CISA), also addressed the culture of security.

“We need to gravitate towards where safety went years ago,” he said.

In industry, “typically, every single morning at eight o’clock that first staff meeting starts with a what? Some sort of a safety moment, right?”

What this results in is that “everyone is now a part of this conversation. It’s ingrained into what’s happening within the organization,” Harrell said.

“We need to move in that direction also for security where we add another forty-five seconds or another two minutes and we’re talking about phishing, we’re talking about tailgating, we’re talking about piggybacking, we’re talking about that pathway to violence, we’re talking about terrorism awareness, we’re talking about surveillance of very big critical infrastructure.”

Hyland details what the Association is doing in the area of security   

For the Association, “we struggle between what are the needs of our largest systems versus what are the needs of our medium-sized systems, what are the needs of our smallest systems,” Hyland noted.

Hyland detailed two cooperative agreements that the Association has entered with the DOE related to security.

Five years ago, the Association entered into a five-year, $1 million agreement with the DOE that relates to the physical side of operations: information, infrastructure, security and restoration.

“There we are practicing the majority of our mutual aid,” Hyland noted. In late October, the Association, with support from the DOE through the cooperative agreement, held a Public Power Mutual Aid Exercise in Syracuse, N.Y. The event was a functional tabletop exercise that included a Category 5 hurricane impacting the U.S. Virgin Islands, Puerto Rico, and the South East and North East Regions of the U.S.

“It is a very difficult scenario to handle, but we do handle the scenario because we’ve been practicing physical mutual aid for the longest time, which has put us on the path of entering into cyber mutual aid, which is what we are starting formulate and practice,” Hyland noted.

Building on the energy industries’ culture of mutual assistance, the Electricity Subsector Coordinating Council (ESCC) directed the formation of the Cyber Mutual Assistance (CMA) Program.

The CMA program is an industry framework developed at the direction of the ESCC to provide emergency cyber assistance within the electric power and natural gas industries.

Currently more than 150 entities, representing electric and natural gas investor-owned companies, public power utilities, electric cooperatives, Regional Transmission Organizations and Independent System Operators, and Canadian energy companies, participate in the CMA program.

The second cooperative agreement between the Association and the DOE was unveiled in 2016. Under that agreement, the DOE agreed to provide up to $15 million, subject to congressional appropriations, to support efforts by the Association and the National Rural Electric Cooperative Association to further enhance the culture of security within their utility members’ organizations.  

Association has developed a cybersecurity scorecard

As a result of the 2016 cooperative agreement with the DOE, the Association has developed a cybersecurity scorecard under a cooperative agreement with the Department of Energy and is a free tool to help public power utilities assess cybersecurity risks and shore up their defenses.

Based on the DOE’s Electricity Subsector Cybersecurity Capability Maturity Model, or C2M2, the scorecard gives utilities a starting point to address cyber risks. Additional information about the scorecard is available here.

Hyland emphasizes importance of DOE funding

“We would never have accomplished what we have in the past three years if it wasn’t for the Department of Energy funding,” Hyland said at the National Academies event.

“When you ask us to be responsible for two thousand utilities’ cybersecurity, we can’t do that alone. We need that government relationship, the academia relationship, the lab relationship,” as well as a relationship with the Electric Power Research Institute.

While the Association’s Demonstration of Energy and Efficiency Developments program has been in existence since 1980, “we’re talking a few million dollars a year” that the program can offer in terms of financial support to member utilities. “We need real money thrown at this to come up with solutions, and multiple solutions, not just one,” Hyland said.

Cooperative agreement funding “has been really game changing for us”

At a later point, Hyland said, “I think the funding of the cooperative agreement with the smaller municipals and the coops has been really game changing for us.”

As an example, he noted that the Association has a reliability analytics program for which Hyland and his colleague Alex Hofmann received a patent. Hofmann is Director, Energy & Environmental Services, at the Association.

“We probably have one of the largest outage datasets in the United States. We have over 475 utilities that give us every single outage and we went to the Department of Energy and we said, could we leverage this program we have to up the cyber game.”

In using the Interruption Cost Estimate (ICE) Calculator, which EPRI was part of, with the DOE, “we created a Ukraine scenario. So now anybody who’s in that program – the more than 475 utilities – can go into our eReliability tracker and they can simulate a ‘Ukraine-like’ outage on their system and give them what the cost of that outage was.”

This tool gives the participating utilities impactful data that allows them to go to their city council, mayor or “whoever’s running that utility and say, this is what it’s going to cost this community if we are down for eight hours, 12 hours, and it pushes it right out for them. That information is changing the way some of our small communities are looking at what would happen if they don’t do anything in cyber or hire the workforce in the cyber community,” Hyland said.

The Association on Nov. 18-20 is hosting its second annual cybersecurity summit in Nashville, Tenn.

Convergence of physical and cyber security and insider threats

Harrell noted that November is Critical Infrastructure, Security and Resilience month.

“Granted, we don’t want to just look at it for a single month out of the year – we’re focused on it year-round – but this month in particular we’re really going to be focused on a number of issues including insider threat, the convergence between physical and cyber security, soft targets and elections,” he said.

CISA is focused on the convergence between physical and cyber security. “The reason we are starting to move towards convergence is quite frankly industry is already starting to go in that direction as well,” he said.

“They understand that a chief security officer has the IT/OT physical and emergency management components within their purview and so we’re trying to do the exact same thing,” he said.

“It is no longer good enough to say that every other Tuesday we meet with cyber security so we’re good to go,” Harrell said.

“Today’s threat landscape is hybrid,” he said.

“We are convinced that the next major attack on critical infrastructure is going to have some sort of insider threat component to it, either directly or indirectly,” Harrell said. “Do we know who really is working within our organizations?”

The CISA official said that it is not good enough to say, “we do a background check. We do it every seven years.” Rather, continuous evaluations of employees are needed.

Harrell recognizes power industry efforts

Harrell also highlighted the steps that the electricity sector has taken on the security front.

“This industry has mandatory cyber security standards. They have the design basis threat,” he noted.

In addition, Harrell noted that “we’re about to do the fifth iteration of the grid security exercise.” GridEx V will take place Nov. 13-14.

Also, through the ESCC, the American Public Power Association, the Edison Electric Institute, the National Rural Electric Cooperative Association and others that comprise a number of CEOs in the sector, “they have really moved the needle when it comes cyber security, physical security issues for the grid.”

Meanwhile, Joy Ditto, president and CEO of the Utilities Technology Council (UTC), noted that in the 1980s, “we started to get into the digital world and utilities pretty rapidly started putting digital communications on top of their existing communications network.”

This allows “us to collect data on the grid. SCADA systems are kind of the first and greatest example of that type of technology layered on to the grid.” The networks were controlled by utilities for the most part.

“The nature of the digital overlay on to our existing networks varies by utility. As we progressed into today’s technology, we have other types of technologies that we have layered on to our networks,” she said, such as sensors and phasor measurement units, which are used for a variety of ways to collect information about how the grid is operating.

“I would argue that if we did not have this digital overlay on our grids,” it would be difficult to integrate variable resources like wind power, utility scale solar and utility scale storage “like we have been able to do.”

With respect to security and resilience, Ditto said that for the most part, “we have greater situational awareness in a blue sky day about our grids because of these communications technologies. We can see our systems better at a more granular level,” along with responding to variability in a more effective way.

“In a sense it’s made us more reliable, maybe even more resilient to regular storms. We harden our communications systems much more than the carriers do,” she said.

UTC is a Washington, D.C.-based trade association that creates a favorable business, regulatory and technological environment for electric, gas, and water utilities of all ownership types, including a number of American Public Power Association members, that own, manage or provide critical utility telecommunications systems.

The American Public Power Association’s Board of Directors recently appointed Ditto as the organization’s new President and CEO effective January 13. Ditto will succeed Sue Kelly, who is retiring in December 2019 after a five-year term as the Association President and CEO.