Prepare, Protect, Respond, Restore
Steve Mitnick is President of Lines Up, Inc., Editor-in-Chief of Public Utilities Fortnightly, author of “Lines Down: How We Pay, Use, Value Grid Electricity Amid the Storm,” formerly an expert witness that testified before utility regulatory commissions of six states, the District of Columbia, the Federal Energy Regulatory Commission, and in Canada, and a faculty member at Georgetown University teaching undergraduate microeconomics, macroeconomics and statistics. He’s all-in for the work we all must do to ensure our grid’s cybersecurity.
Didn't know what I didn't know about the electric industry's cybersecurity. Until talking to all these twenty-three experts for the cybersecurity special feature herein, I hadn't a clue that cybersecurity is best considered a component of grid security generally. And that, just like dealing with natural attacks on the grid — hurricanes, storms and floods, and just like dealing with man-made attacks on the grid — vandalism, terrorism and even acts of war, we need to prepare, protect and respond to restore the grid's essential service as rapidly as possible.
But, that wasn't it. There was more that we must all learn that's to be found in the cybersecurity special feature. For one, the electric industry must adopt a culture of cybersecurity just as we have a culture of safety. We've all been through hundreds of safety mini-lectures at the start of meetings. We're all aware that utilities strive for zero accidents and even track the number of days since the last mishap. Well, the same mindset is required so we can have a culture of cybersecurity. For it turns out that one of the greatest cybersecurity threats comes from utility employees carelessly clicking when they shouldn't and other personal practices. One of the three CEOs we interviewed for the cybersecurity special feature told us that an estimated ninety percent of cyberattacks would be prevented by good "cyber hygiene" by employees.
And here's another thing I learned after working on the special feature. It's not enough for the electric industry to prepare, protect and build the capabilities to respond and restore, for today's cyber threats. A senior leader at the Department of Homeland Security told us in his interview that, just as we invest in the grid for the next five, ten, twenty years and beyond, it's imperative that we invest in cybersecurity for the long haul. As the technologies in the hands of adversaries and their schemes evolve, so too must our resilience methods.
And still another thing. It's not enough to batten down the hatches at utility facilities. That's because the grid's equipment comes to us via a complex supply chain of thousands of vendors and sub-contractors scattered across the globe including questionable locales. Some of that equipment might have cybersecurity vulnerabilities unintentionally or otherwise. This is particularly concerning since equipment is oftentimes updated electronically by third-party personnel or worse, remotely.
Several of the experts said that somewhere sometime a cyberattack will succeed in its evil intent. So it only makes common sense that our industry trains, drills and invests in response and restoration. Strategies such as storing readily-available spare equipment and building a mutual assistance network for cybersecurity as has existed for storm response and restoration, these seem especially compelling.
I asked many of the experts, as you can read in the special feature, what should utility regulators do to support worthwhile investment in cybersecurity? And to recognize when further investment is unnecessary either upon the recommendation of the utility or another regulatory party. It's a challenge since the threat of cyberattacks is highly uncertain as well as highly dangerous. Complicated by the uncertain effect of investments in reducing the probability and potency of the threat. The answer to this crucial question seems to be, as is usually the case in regulatory consideration of proposed utility investments, that utilities and regulators working together with mutual respect is the most effective approach.
As I said, there were twenty-three experts on the industry's cybersecurity who spoke their minds in this special feature. Including Commissioners from Illinois and Pennsylvania, both of them nationally-recognized thought leaders on cybersecurity. And two staffers from the Illinois Commission's office of cybersecurity and risk management.
And including the co-founders of Fortress Information Security. In a prior life they created the company that accurately evaluated subprime mortgage credit as shown in the film The Big Short. Now they've created a digital platform for utilities to share evaluations of equipment vendor cybersecurity.
And including PwC's lead in this field. As did the Fortress folks and several others among our experts, he also talked about the importance of collaboration between utilities and with federal government agencies.
Electricity is our society's fulcrum. We all know that. So its continuity is critical. But, did you know that a successful direct attack on our grid isn't the only way to bring it down? The bad dudes can successfully attack our natural gas pipelines threatening the grid. Or they can successfully attack our water systems, or financial systems, or communications systems. So the continuity of these cousins of our industry is critical too.
All this is to say that the job of cybersecurity is big. And it's the responsibility of you and me and everybody in our industry to get it right. Read through the cybersecurity special feature in the following pages and then let's get to work.