Cybersecurity in a Turbulent World

Dentons

Fortnightly Magazine - May 2022

Cybersecurity was the topic of a special edition in April as Dentons partnered with the Keystone Policy Center to hold its Smart Cities and Connected Communities Think Tank with Keystone's Key Conversations. The virtual gathering addressed cybersecurity concerns in the context of current global conflicts.

The energy and utilities industry has been on heightened alert since it is a known cyber target. U.S. cybersecurity agencies, the FBI, and the Department of Homeland Security have all shared high alerts covering cyberattack threat levels, preparedness, and response.

This panel of experts took a hard look at the cyber threats facing the energy and utilities industry today. The discussion was hosted by Dentons' US Energy Practice Chair Clint Vince, and there is much to take in.


Partner, Dentons Venture Technology Group, Allison Bender: Cybersecurity has long been one of the top risks, if not the top risk facing companies, boards, in particular, the energy sector.

Since the pandemic, that has increased; cyber criminals have also been stuck at home.

We're facing a more complex geopolitical environment where the stakes are higher for potential nation-state or proxy-led attacks on U.S. critical infrastructure, including in energy, water or financial sectors, and elsewhere.

The energy sector has long been a preferred target of Russian and Iranian actors. The current administration has done a lot to advance cybersecurity, including President Biden's May 2021 Executive Order on Improving the Nation's Cybersecurity, which set out an ambitious agenda for policymakers and regulators in moving toward more of a zero trust environment, continuing to support the private sector.

The government is more focused on potential impacts to critical infrastructure. Two weeks ago, the FBI reached out to alert at least five energy companies and about twenty others, both energy and other sectors like the financial sector and the defense industrial base, that they are observing increased reconnaissance activity that suggests attacks are likely and imminent.

It's the beginning phases to moving in that direction. Being prepared, knowing where your vulnerabilities are, going through the process of making sure you've secured your networks and systems as much as possible is going to be critically important.

Last year, Secretary Mayorkas from Homeland Security started sounding the alarm on Killware, following an attempted hack at a water treatment facility to dump chemicals into the water supply, a level that would've increased to toxic. Congress is focusing on this issue.

They recently passed a new requirement that will require critical infrastructure entities to report incidents, coming out within twenty-four months after regulations are passed by CISA. We have existing reporting obligations, both under certain sectoral laws and regulations at the federal level, and under the energy sector authorities at state utility commissions.

Moderator Clint Vince: CISA's new requirements on automated incident reporting, bring us up to date on that.

Allison Bender: Information sharing and public-private partnership have always been a hallmark of the DHS and CISA mission. As threats have increased, the voluntary information sharing, the government's perspective is, it hasn't been enough.

Think back to December 2020 with SolarWinds and to three of the major ransomware attacks last year, where CNA Financial allegedly paid a forty million dollar ransom, JBS Foods and Colonial Pipeline, and the impact on critical infrastructure. We've seen a pivot in government that voluntary reporting is not enough.

The past perspective was if we can just make this automated, easier, and provide liability protection for those types of disclosures, it will reduce the speed for detection of new incidents. It will be a faster neighborhood watch.

There is a lot of information sharing, but the government isn't getting the information needed to truly protect national security on a regional and national basis. With the cyber incident reporting requirement for critical infrastructure, which does still require CISA's implementation through regulation, there will be a much higher burden on companies to make sure they can timely respond.

If it's a major incident, lawyers will likely be involved in advising companies on risk before those disclosures are made. We'll be watching closely as those regulations come forward.

Moderator Clint Vince: If you had two or three pieces of advice for utility CEOs and critical infrastructure leaders, what would be top of mind?

Allison Bender: One of the gap areas is making sure that one, legal is involved early, in order to preserve privilege and be part of the incident response team, not to stand in the way and delay the reaction, but to support you, should significant litigation arise.

Two, focusing on escalation criteria. When is it a significant enough incident that you need to report up, and how quickly do you need to do that? When do you need to engage the CEO?

When does the CEO need to plan to engage the board for those types of consultative questions?

Practicing that approach to making sure all the right stakeholders are at the table, that you're following a process that allows you to assert privilege, and you can escalate in a timely manner to allow your senior leadership and the board to conduct appropriate oversight and give the company strategic direction.

Clint Vince: Shanna, what are you seeing at CPS? What are the threats and how are you dealing with challenges?

General Counsel and Board Secretary, CPS Energy, Shanna Ramirez: We see the intensity of the threat picking up to a feverish pace. The level of education and sharing of intelligence by government agencies never has been better. We've spent a lot of time developing a good system for ingesting intelligence and sharing it.

The level of intelligence sharing has been almost overwhelming at this point. When you wrap that with the new compliance obligations, it's been a lot of information quickly as we prepare for a threat we know is coming.

I have seen greater awareness from the media, our community, and customers about the issue and what we're doing to mitigate against threats. A level of desire to engage with them actively as incident prep occurs that we haven't seen before. I have seen social engineering, long-term in the making, sophisticated, a lot of resources devoted to it.

We see the threat landscape now includes a host of legitimate websites that businesses would normally go to every day that are a part of the collection of intelligence that's being used against us.

Moderator Clint Vince: Are you able to talk generally about what you're coordinating with Joint Base San Antonio?

Shanna Ramirez: This strategic relationship has been one of the most beneficial for CPS Energy. We are municipally owned. We sit in the largest intelligence and cybersecurity community outside of Virginia, and we have Joint Base San Antonio.

We do not have the resources, the capabilities, the manpower, the expertise they have in the military. We have looked at all the ways we can focus on energy resiliency, which turns into community resiliency, which turns into force readiness for Joint Base San Antonio.

The one that's paid off the most has been buildings, structures, and frameworks that allow us to share intelligence on a real-time basis among government agencies, the military, and industry. The obstacles are high; even when everyone has the right clearance, getting that intelligence on a timeline that makes it actionable has been a struggle.

We push the testing of innovative technology, as well as the capabilities of our employees and military members to work on physical hardening. That may span from ballistic protection all the way to EMP hardening.

Starting from physical security but blending quickly into cyber and operations in general. We've focused on the IT/OT interchange for critical infrastructure like utilities, looking at that attack surface, and figuring out how to minimize it.

Moderator Clint Vince: Shanna, what are two or three pieces of advice you would give to your CEO, board members or other utilities?

Shanna Ramirez: Number one is to encourage you to explore this sort of strategic partnership, whether with local law enforcement, government agencies, or industry partners. Start to develop channels of communications and relationships. Be open to non-traditional setups. We are highly regulated and figured out a way to do it without sacrificing our security.

Moderator Clint Vince: We represent clients all over the country. One of the first questions I ask is, what is their relationship on cyber, especially for utilities? What's their relationship with local military facilities in their geographical area? I don't know of any other utility doing things with the level of coordination and depth CPS is with Joint Base San Antonio. We've seen incredible benefits for both parties of your relationship with Joint Base San Antonio.

Arshad Mansoor, the CEO of EPRI, made the comment that you cannot modernize the electric grid without modernizing communications. Rob, elaborate on that, and talk about what you've been doing with GridWise Alliance and other organizations?

CEO, Anterix, Rob Schwartz: We've recently completed a two-year program with the National Renewable Energy Lab, in which we went through a rigorous testing of what broadband communications can do to enable the rapid and secure deployment of low latency, very fast communications with all these distributed energy resources. In order to solve decarbonization problems, we have to connect all these new sources of energy, but at the same time that keeps increasing threats.

As we're increasing these distributed assets on the network, we can't use technologies of the past, the communications technologies that are inherently porous. They weren't developed with the knowledge of the threats we're facing from cyber. We brought together the utilities through something called the Utility Broadband Alliance which is a standalone profit entity to work on those problems.

GridWise Alliance is an association that has driven revolutionary thinking and is getting greater awareness within the federal government through a lot of work, especially within IIJA, the funding work that's identified areas where pools of stimulus funding can drive the important development within securing and modernizing the grid, protecting from incidents like wildfires and other natural disasters. Those are other areas where Anterix is working in bringing the community together to use private communications to solve vital problems.

Moderator Clint Vince: Francis, what are some of the cyber threats and preventive activities some of your members are confronting?

CEO, Electricity Canada, Francis Bradley: Let me approach it from overall critical infrastructure like electricity. We can be an attractive target during conflict, and we're in a period of conflict now.

We must ensure reliable electricity in a world where threat actors are more sophisticated and diverse, where there're new technologies and increased digitalization, which offers opportunities, but challenges, where there're extreme weather events and new supply chain risks. The security partnerships are critical.

This is especially important given threat actors don't recognize borders. Through forums like E-ISAC, the ESCC, we've proven avenues for working together on cybersecurity risks, to share threat information, develop best practices, and solve problems.

We work closely with diverse government partners, but one of the principal ones is the Canadian Centre for Cyber Security. It's the primary federal government point of contact on cybersecurity, operational matters for critical infrastructure partners, including foreign incident response, and coordination.

The Canadian electricity industry and governments regularly participate with American counterparts in exercises, and GridEx is a good example. Every other year, GridEx grid security exercise practices our response and recovery to major cyber and physical threats.

This helps us be prepared to collectively respond to security threats that face the integrated electricity grid. The most recent GridEx, this past November, included full Canadian and American industry and government participation.

Moderator Clint Vince: Is there advice you would give to our critical infrastructure leaders on what we can do in protecting the grid?

Francis Bradley: The electricity companies generally are prepared to do our part in ensuring customers can depend on reliable and sustainable electricity. No one company or sector or government authority can do this alone. What can we do?

Continuing and deepening industry and government partnerships on security issues, collaboration with interdependent CI sectors like telecom, acceleration by governments and regulators on investment programs, and activities that improve the security posture of infrastructure.

Under that is promoting and training our security workforce, deepening support for intelligence sharing and incident response programs between industry and government, enabling more security investments by industry and security, and working to create or ensure more resilient supply chains. Finally, continued investment in research, development, and deployment of new technologies, and new practices to make the grid more secure.