At ISC East last week in NY I moderated a panel on energy grid security and whether current approaches are enough to provide real security. It’s genuinely a question I have been looking for an answer to; depending on who you listen to, we either need to urgently take more action (e.g. to address backdoors already placed in transformers coming from China) or we are okay because of the many layers of security already in place (a “defense-in-depth” approach). The question is especially pressing as AI-driven threats, supply chain issues, and more sophisticated threat actors are now adding to previous concerns about critical infrastructure security.
I got a lot of great information from our panel, who represented the key stakeholders in critical infrastructure security: the network reliability manager for ConEd (Kirill Zolotov), the former Urban Architect and current head of DHS’s EMP Task Force (Maria Sumnicht), and the former CISO for FDNY (Deepak Mathur); in other words, experts in understanding the issue from the perspectives of supplier, consumer, and governance. Here are some of the key points from our discussion:
- Security is top of mind for everyone. There is no lack of awareness by the people most responsible for our energy security. They (like most other security professionals) have to prioritize what threats to focus on, but they do so with good knowledge of potential threats.
- Security is engineered. This goes well beyond traditional methods such as network segmentation; for example, key equipment may be given no network connection at all. While this adds time and cost, because someone must physically go to the equipment to make changes, it is also impervious to many types of network-borne cyber attack.
- Dialogue happens across operators and across countries. When an attack happens it is critical for information to flow quickly and effectively so that it can be mitigated quickly. Within the energy sector there are robust, established mechanisms for exactly that.
- Standards are reactive. This is true of many industries, because they do not want to burden their members with additional costs for something that is speculative; in energy it is also because the wide-ranging diversity of equipment and methods in use works against standardizing practices.
- Each operator operates independently. This was probably the most concerning point to me, because while one operator may have strict protocols and procedures, another may not. And because the grid is so highly interconnected, the “weakest link” has the potential to bring down a utility a few states away.
- Threats have existed for a long time. Whether it is the still-current Cold War era threat of an electromagnetic pulse (EMP) taking out all electronics, a drone running copper cable across a transmission line, or an event that would cause breakers to trip across segments of the grid, this is an industry with a history of securing its infrastructure against a wide range of threats. One former Deputy Director of the National Security Agency (NSA) judged that squirrels are the number-one threat to the U.S. electrical grid (approximately 50% of power outages are due to squirrels).
- AI opens a new dimension if it can act independently. Today’s impressive grid reliability comes in part from the fact that many actions must still be taken manually by humans. Keeping a “human in the loop” remains key to preventing AI from being the cause of a massive outage.
I went into this dialogue not knowing if I would come away more reassured or more concerned. The answer: I came away more informed. Yes, there are serious and growing cybersecurity threats that could lead to catastrophe, but utility operators, regulators and others providing governance, and the end users are all diligent in their efforts to prevent this from happening (as they have been for decades).
The security of the energy grid remains an essential challenge that demands ongoing and comprehensive action. While security is acknowledged as a top-of-mind concern and efforts are made to engineer it into systems, current practices are hampered by several systemic issues. The reliance on reactive standards means the industry is constantly playing catch-up against an evolving threat landscape, one in which long-standing threats now sit alongside new ones. Furthermore, with each operator operating independently, the overall defense is fragmented; the productive dialogue that already happens across operators and across countries shows that coordination is possible, and points to a clear need for more unified action. The emerging risk posed by Artificial Intelligence (AI), particularly if it gains the capacity to act independently in an offensive role, introduces a completely new dimension of threat that further stresses the need to move from reactive measures to proactive, unified, and resilient grid-wide defense strategies.