Cyber Threats, Emerging Defenses


NARUC, NASUCA, EPRI, Utilities, Security Firms on Cyber

Fortnightly Magazine - December 2018

Hartford has a storied history of breakthrough innovations in manufacturing, technology, and public policy. The first written constitution in the Western Hemisphere, Samuel Colt's introduction of interchangeable parts into the modern assembly line, the world's first bicycle factory, the nation's first traffic safety laws, and the use of medical anesthetic all have their origins in Hartford.

The city recently found itself, once again, exploring solutions to one of our society's most important challenges: the protection of America's utility infrastructure. On October fifteenth, utility and energy professionals, utility commissioners, consumer advocates, security entrepreneurs, and other government officials and stakeholders convened at Upward Hartford, an energetic shared workspace for tech start-ups, for its inaugural Utility Infrastructure Security Conference.

Although a dreary New England damp reigned outside, the mood inside the conference was luminous as attendees from around the world arrived bright and early, with inquiring minds eager to explore the complexities of utility security.

NASUCA President and Connecticut Consumer Counsel Elin Swanson Katz, NARUC President and Connecticut Public Utilities Regulatory Authority Vice-Chair Jack Betkoski, and Upward Hartford CEO Shana Schlossberg opened the conference. They thanked those in attendance as well as highlighted the importance of the day's topic.

Observing that it is an essential and critical time for utility security, Katz warned that a cyberattack on energy infrastructure would cripple the nation and noted that Connecticut's utilities are subject to over one million malicious cyber-probes per day. Betkoski then introduced the keynote speaker, Douglas Little, the deputy assistant secretary for intergovernmental and external affairs at the Department of Energy.

Attendees had the opportunity to explore different utility security start-ups.

Little spoke as to the growing threat of cyberattacks on the nation's grid and the DOE's renewed emphasis on bolstering defenses to combat such attacks. "We must figure out how to out-innovate our adversaries," he said, noting the ever-changing and developing nature of cyberthreats and that utilities must strive to prevent, detect, and mitigate the sustained and consistently growing threat. A central theme of Little's remarks was the need for cooperation and communication among utilities, government agencies, and other stakeholders to stay abreast of new cyberattacks and the responses to them.

Following Little's address, Katz and Betkoski moderated a panel discussion of corporate utility representatives. The panel included Tony Marone, president of United Illuminating; Calvin Butler, CEO of Baltimore Gas and Electric; Norma Krayem, chair of the global cybersecurity and privacy policy and regulatory team at Holland & Knight; and Nick Santillo, chief digital infrastructure and security officer at American Water.

The panelists provided a broad corporate perspective and general consensus on utility cybersecurity and how best to tackle and prepare for a threat that will not diminish anytime soon. "We can never rest on our laurels," said Marone, observing that there will never be an absolute defense against cyberattacks.

The panel stressed the importance of utilities communicating with each other, regulators and advocates, corporate partners, and employees to ensure a robust defense at every level of operation.

Conference attendees take in the day’s robust discussions.

Krayem offered a poignant example, noting that Target's massive 2013 customer data breach had its origins not in Target's own systems, but in the downstream hack of an HVAC vendor in Target's supply chain. "We must assume breach and collectively use our wisdom to support each other," stated Santillo, underscoring the necessity of collaboration.

Marone also noted the importance of early and open communication with regulators and advocates in making investments to improve and protect utility data systems. Due to the confidential nature of cybersecurity, Marone observed that asking for money in this field is different than other infrastructure investments and often depends on trust-us assurances that may leave government officials skeptical, given that ratepayers must ultimately pay for security upgrades.

Butler agreed, observing that far too often conversations about cybersecurity occur after an incident occurs instead of before. "These are risks that will happen in perpetuity," he said, stressing the need for an open and dynamic conversation to address them. Krayem concurred, aptly describing the battle against cyberthreats as a constant education for utilities.

Following the panel, attendees had time to explore and interact with representatives from numerous security start-ups hailing from all over the globe. These individual sessions provided the opportunity for security entrepreneurs to connect with utility professionals and find common paths forward.

Baltimore Gas and Electric CEO Calvin Butler spoke about the ever- changing nature of cyber threats.

For example, XM Cyber, an Israeli start-up, pitched a strategy of defense by offense, offering a full breach and attack simulation that can identify vulnerabilities and potential points of entry within a data system. Observing that cyber-attackers are often present within a system for a long time and waiting for the prime opportunity to strike, XM Cyber allows users to continually shore up their cyber-defenses to prevent exposure.

CyberGym, another start-up in attendance, offered in-person, hands-on training for security professionals that is customized for specific industries. "When you're training for a boxing match, you're not going to do that online," stated one of CyberGym's representatives, recognizing the value of in-person training in an otherwise cyber-environment.

Easy Aerial displayed a range of fully autonomous drones that provide live HD video and data monitoring for perimeter security operations, such as critical energy and utility infrastructure that may be subject to attack.

The full range of security firms present at the conference included BlackRidge Technology, Cloudastructure, Crypta Labs, CryptoMove, Cybeats Technology, Cyberbit, CyberGym, CyberX, Easy Aerial, Sasa Software, GlobeKeeper, Indegy, Magos Systems, Network Perception, StackRox, Waterfall Security Solutions, Xage Security, and XM Cyber.

A panel of utility professionals all agreed on the need to bolster infrastructure security. From left to right, Tony Marone of United Illuminating, Calvin Butler of Baltimore Gas and Electric, Norma Krayem of Holland & Knight, Nick Santillo of American Water, Elin Katz of NASUCA.

As some attendees continued their exploration of the start-up booths, others stepped away for an amiable fireside chat between Alicia Moy-Gonzalez of pdvWireless and Joe Audet of Check Point on the important role of utility communication systems in ensuring robust security.

Stressing the need for real-time situational awareness, Moy-Gonzalez noted that some utilities have upward of seventeen different communication networks spread across their operations, allowing for many potential undetected entry points for hackers. "We're in a world where you can't trust anything," warned Audet. He and Moy-Gonzalez emphasized the need for accessible broadband and ground-up, comprehensive utility communications networks.

A break in the wet weather allowed attendees to assemble outside for a demonstration of Easy Aerial's drone technology. A packed crowd watched as the drone remotely left its case and took to the skies above Hartford, all while transmitting back to those below continuous video footage of themselves gazing upwards.

Over a lunch of falafel and hummus, Connecticut's Chief Information Officer, Mark Raymond, spoke of the need for greater resources to combat cyberthreats and advocated for a broad reconsideration of how to conduct business in the digital age, citing that the State of Connecticut is subject to over one billion malicious hacking attempts per month, yet only spends two million dollars per year on cybersecurity.

From left, NARUC President Jack Betkoski, Deputy Assistant Secretary Douglas Little of the U.S. Department of Energy, NASUCA President Elin Katz.

Nonetheless, Raymond noted that Connecticut has taken the most action of any state to bolster its cybersecurity and encouraged firms to report suspicious cyberactivity, even if it did not result in a loss of money or data, as information alone can help authorities determine the scope and severity of cybercrime.

Raymond's remarks were followed by a panel discussion moderated by Deana Dennis of the Electric Power Research Institute. It featured Chris Leigh, director and chief information security officer for Eversource Energy, and Christopher Jasin, director of corporate security, information and intelligence for Avangrid.

Leigh and Jasin both agreed that an intelligence-based approach and information sharing among utilities is the best way to combat emerging threats. Both panelists, however, observed that there is a current lack of certainty as to who owns the issue of cybersecurity, noting that responsibility for it is spread across numerous federal and state agencies.

Jasin advocated that utilities build off of existing security frameworks, such as the Joint Terrorism Task Force, as a way of holistically addressing the issue. Leigh offered the perspective that cyberthreats are an age-old problem - bad actors seeking to illicitly gain money and information or sow political and social chaos - cloaked in the trappings of the twenty-first century, and that any solution must be similarly modernized.

For the remainder of the afternoon, attendees explored Upward Hartford's dynamic space, visiting start-up booths missed during the morning, meeting with utility representatives, and discussing the issues of the day fueled by coffee and camaraderie.

A second fireside chat between Joseph Page of Waterfall Security Solutions and Noel Black of Southern Company incorporated many of the concepts explored throughout the conference. Page offered the view that cyberthreats are so hard to regulate against because they are constantly changing by their very nature and that the U.S. has yet to experience a compelling event that will catalyze aggressive cybersecurity and offense.

Highlighting the advanced cyber-offense of nations such as Russia, Iran and North Korea, Page pointed out that cyber-attackers are ultimately not interested in utility data, but in quiet command and control of utility infrastructure, a sobering thought that perfectly encapsulated what was at stake beneath the day's panels and conversations.

Overall, the conference demonstrated the substantial challenges that utilities must tackle in an increasingly technologized environment and the remarkable opportunities for innovation and collaboration therein.

"As technology makes us all interconnected," Katz told attendees, "it also makes our vulnerabilities interconnected." It also makes our solutions to those vulnerabilities interconnected as well, and the conference's spirit and success was a testament to that potential.