Session 1 (Day 2): Cybersecurity Requirements: Does Compliance Really Equal Security?
Panelists: Keith Porterfield (Moderator, Georgia System Operations Corp.), Annabelle Lee (Electric Power Research Institute), Lynne Ellyn (DTE Energy), Chris Villarreal (CA PUC), Anup Goyal (AT&T)
As I mentioned yesterday, I am currently learning about Smart Grid cybersecurity in my Energy Communications class, so I was really excited to hear from industry experts about the current issues and challenges in utility cybersecurity. This panel, which debated whether simply complying with cybersecurity requirements actually protects critical infrastructure networks, largely agreed that compliance does not equal adequate security. So, compliance is important: you have to start somewhere, and high-level cybersecurity guidelines or requirements are definitely necessary. However, each utility provider must identify its own unique risks and vulnerabilities, then build upon industry-wide compliance requirements to develop a dynamic, tailored end-to-end solution. Utilities need to learn from the lessons of the past--like the infamous Stuxnet worm situation--that attackers can just as easily come from an internal, "under the radar" source as they can swoop in from beyond the balancing authority in the form of a terrorist attack or full-scale Cyber War. The new cybersecurity buzz-term is "Advanced Persistent Threats," which is a very realistic description--the threats are indeed highly advanced and constantly evolving. The panelist from DTE (Ellyn, whom I found to be extremely interesting throughout the discussion) argued that not only is a focus on just prevention insufficient, but it is probably impossible. Therefore, utilities need to focus on anticipating and detecting threats, and reacting appropriately. Compliance with standards and regulations is not a one-time fix-all; it will be a continuous process. A great comment to illustrate this point was, "hackers do not have a checklist." Utilities cannot just expect to check off compliance measures, sit back, and wait for a disaster to occur (we all know it is not "if," but "when").
Compliance requirements that were implemented today but developed last year are not going to protect utilities (or telecom, for that matter) from tomorrow's threats. One issue that is quite specific to the utility industry--and that I find particularly interesting--is that much of the utility infrastructure is very old, 30-50 years old in some cases. How do you protect these assets from cyber attacks? How do you make sure analog, previous-generation equipment does not create an entry point for attackers? In some cases, is analog infrastructure more secure than the smart grid? If so, will utilities delay or reject grid modernization? These are definitely questions that are troubling the industry right now, and it will be interesting to see the direction that utility providers take to ensure their critical assets are protected. Finally, utilities, regulators and vendors/suppliers need to foster a culture of cybersecurity, where the harsh realities of cyber attack are understood but there are ample incentives and opportunities to develop effective, dynamic solutions.
Session 2 (Day 2): Cybersecurity Overload: Meeting the Challenges of Implementation and Communication
Panelists: Michael Hyland (Moderator, American Public Power Association), Troy West (Cleco Corporation), Robert McClanahan (Arkansas Electric Cooperative), John Roukema (Silicon Valley Power), Tim Roxey (NERC), Paul De Martini (Cisco Systems)
I was extremely engaged in this panel as it addressed telecom cybersecurity issues and included panelists from small electric providers (and a cooperative!). This session addressed the challenge that utilities face in dealing with the impending explosion of "smart" devices and the subsequent explosion and imposition of regulatory requirements--I think of this like the explosion of smartphones in the wireless industry and the subsequent explosion of cybersecurity fears. I really enjoyed the panelist from the electric cooperative (McClanahan), who commented that the greatest challenge to utilities, besides trying to predict threats, is trying to predict what the regulators will do next! Sir, we can relate in the telecom industry, where regulatory uncertainty is especially burdensome for the small providers. Basically, the onslaught of cybersecurity threats is only a fraction of the concerns--timely access to accurate information about threats and ongoing regulatory uncertainty greatly contribute to the overall cybersecurity anxiety attack. Disseminating information about attacks is particularly tricky because there are different security clearance levels for different types of information. One panelist candidly pointed out that some utility companies might not even have someone on staff who can get security clearance. According to Roxey (from NERC, another very engaging panelist), information sharing is extremely important but ultimately very difficult. Regarding telecom's role in utility cybersecurity, it is important to understand that cybersecurity is a threat for everyone. I am interested in learning more about the potential liabilities that a telecom company that provides service to utilities may face in situations where a network is breached, resulting in an attack on the grid.
I imagine this is partially why many utility providers are reluctant to trust commercial telecom providers--but--telecom providers have their own set of parallel cybersecurity challenges as well, where no telecom provider can safely leave any part of its network vulnerable to attack. There is indeed some fascinating interdependency between telecom and utilities in the cybersecurity arena. My favorite comment from this panel, by McClanahan, was "I don't have warfighters on my staff." In the face of a significant national security cyber threat, what role does a utility have to protect its assets and beyond? Do all utilities need to become national security mercenaries just because they are vulnerable to threats that could trigger a massive attack to the national grid infrastructure? Definitely some good food for thought here... I have no doubt that these are the precise issues that keep many utility managers and regulators awake at night.
Session 3 (Day 2): Managing the Mounds of Data: Get Ready for the New Energy Information Marketplace
Panelists: David Owens (Moderator, Edison Electric Institute), Lillie Coney (Electronic Privacy Information Center), Robin Lunt (NARUC), Mark Carpenter (Oncor), Rona Newmark (EMC Corp.), Kevin Messner (Association of Home Appliance Manufacturers)
I was very impressed by this panel--it ended up being the surprise hit of the summit for me. I am actually planning to continue this topic in a future post, because there is some research that I want to do to become more educated about telecom's Customer Proprietary Network Information ("CPNI") requirements and whether they would be a good model for utilities to use going forward. This session was an extremely lively debate about how to ensure privacy and protection for utility customer information. There are increasing concerns that the Smart Grid will enable all kinds of malicious behavior if bad actors get hold of Personally Identifiable Information ("PII"). The common stereotype is the stalker who gets his or her hands on smart meter data and can then figure out when his or her prey is at home and what they are doing at every second. Although this scenario is not outside the scope of reality, if a stalker has access to smart meter information then they are probably already breaching the victim's privacy in some other way--smart meter data might not really add anything profound. There are clearly many more concerns in this topic, but the "stalker scenario" is definitely the most colorful and common example of smart meter privacy fears. There were some... *radical*... suggestions thrown around on this panel (that the government should require the equivalent of a "driver's license" for all Internet users, and that each state should have its own set of data privacy regulations), and I kept thinking to myself, "Isn't there some requirement in telecom that makes customer information protection really simple and straightforward?" Yes: CPNI. For some really rough background information, CPNI requirements have been a priority for the FCC since 1998, but became reality after a "pretexting scandal" in 2006. Basically, CPNI requirements:
- Apply to ALL communications providers
- Carry serious consequences for noncompliance
- Serve as a compliance guideline, but encourage providers to tailor additional measures specific to their businesses
- Encourage providers to go way above and beyond the minimum requirements to protect customer information
My Final Thoughts:
I really enjoyed this conference and I met many interesting people, and I hope to attend and participate in future smart grid policy conferences. Coming from the telecom world almost exclusively, I gained a tremendous amount of knowledge about the utilities industry. There are so many topics that I hope to learn more about and monitor as the smart grid modernization efforts progress. I will definitely continue studying the overlays between telecom and utilities in the Smart Grid arena, and I intend to spend some time in the near future learning more about the utility regulatory process in general.
Many thanks to the Utilities Telecom Council for the wonderful opportunity to attend this conference!