Utilities are taking actions to mitigate and manage cybersecurity threats, according to David Batz, director, Cyber & Infrastructure Security with the Edison Electric Institute (EEI).
Utilities recognize this is “a new world,” Batz said during TransmissionHub’s TransForum East in Arlington, Va., on Dec. 6. “This is not your parents’ utility anymore. There are new threats [and] new threat actors. Security is a marathon, except unlike a 26-mile marathon, I do not see an end in sight. It’s a marathon and we have to do [things] today to respond to today’s risks.”
Part of this is a need for a corporate culture change inside utilities, which should recognize that while they used to be successful “by being able to smash coal into dust…put it on wires and send to our load centers,” they now have to also be successful on cybersecurity and risk management issues.
In today’s world, cyber attacks and cyber hacking have become monetized and different ventures are using cyber attacks as a way to generate income, Batz said, adding, “This poses a problem for law-abiding citizenry and creates a problem for the electric sector.”
Disgruntled insiders also pose a concern, he said. “We’ve seen that [in] the government, through the release of thousands and thousands of diplomatic cables,” he said. “We can see when one person decides to do something outside of the parameters of what is expected, some of the damage that can happen and so, not only is that true in government, but frankly, it’s true in the electric companies.”
On the industry’s response to the issue, Batz noted that EEI has launched the “EEI Threat Scenario Project,” which identified nine major threats as well as major mitigation elements that companies can employ to reduce the impact of such threats. Those elements were put into four categories, namely, preparedness, prevention, response and recovery.
“The whole point of this was to continue an engagement between the CEO, the CFO, the chief security officer [and] the chief information officer to say where are we doing well, where are we doing less well [and] what makes sense in terms of resource allocation,” he said.
Speaking with TransmissionHub after his presentation, Batz said the cybersecurity threat is real. The threat landscape is dynamic and utilities are taking actions to mitigate and manage the threat, he said.
“It’s important to remember that nobody, not the U.S. government, not any nation-state, can, with respect to cyber, reduce the threat to zero – nobody can do it,” he said. “So, today, utilities are actively engaged in implementing tools, processes, people, technologies [and] all of these things to manage the threat to an acceptable level.”
The introduction of smart grid technology brings benefits and challenges, he said.
There are opportunities to enhance the utility’s visibility into the operational state, particularly for the distribution network, so that it can identify an outage at a given location and respond to it very quickly, Batz said.
“We saw reports of that out of Hurricane Sandy where certain utilities using information provided by their smart grid deployment were able to respond very quickly to local outages and reduce the time required to recover for the customer,” he said.
He also noted that while corporate culture changes are pretty challenging, it is important that they continue to happen with respect to cybersecurity.
“Some of the things that we’re doing is to help expand people’s imaginations to different threat actors,” he said. “Threat actors may be more than floods, wildfires [and] squirrels – there could be a cybersecurity element of an adversary.”