Utilities already have to focus on maintaining their resilience in the face of natural disasters and other threats to the grid. But now the Smart Grid is posing cyber security threats that could further affect a utility’s ability to recover. What sorts of new risk analysis and emergency framework policies need to be in place to prevent catastrophic damage to machinery, the supply chain or the digital network?
Utilities face three top resiliency challenges today. One is aging infrastructure, the second is ever-fluctuating weather, and the third is an entirely new and growing concern: technology and cyber security.
The value introduced by smart meters also comes with serious risk. Data privacy is now a grave concern as homeowners and companies begin to question whether their meters could be hacked.
What utilities then need to balance is the ability to not only prevent failures and attacks but bounce back in the event of an attack. But as the Smart Grid aims to link meters across the country, it poses new national security cyber concerns that utilities have never faced before. What’s more, no one utility alone has the capacity to stave off the attack of an entire nation state.
Utilities need public and private collaboration with the federal government in order to adequately address these risks. As legislation like CISPA begins to move through Congress, executives, audit committees and boards are working through questions of preparedness, defense mechanisms, strategy and resources, and putting cyber security at the top of mind for business and upper management.
Utilities must ask, “How do we deter, detect and react to threats?” Training needs to be implemented as part of regular resiliency standards as a way of protecting the critical infrastructure. This is of the utmost importance because the critical infrastructure includes not just utilities, but also telecommunications, financial services, water and fuel, most of which are not regulated nearly to the degree that utilities are.
Establishing standards and getting all parties collaborating and on the same page is key to working through proper defensive strategies.
Sanjog Aul: Welcome listeners, this is Sanjog Aul your host and the topic for our conversation is “Utility Resilience and Security.” And I have with me Mamatha Chamarthi. Mamatha is the Vice President and CIO of CMS Energy. Hello Mamatha, thank you for joining us. Now we’ve been talking a lot about Smart Grid and the challenges related to it, but probably the biggest aspects yet relate to the continued resilience and security of utilities. Smart Grid as a new technology introduces some entirely new concerns and threats we’ve never dealt with before, so it’s important that we discuss some solutions and also look at them not only as threats, but also as opportunities. So what are the top resiliency challenges that utilities are facing today?
Mamatha Chamarthi: The top resiliency challenges that any utility is facing today in the US are three broad challenges. The first one is aging physical infrastructure. These are the wires and the pipes. The second is weather related. These are hard to predict, and that’s a huge challenge. The third, which is growing and where more risk is being introduced, is technology. As we implement the smart meters at our customer homes, these meters have two-way communication capacity and capabilities, and these have enormous value that they offer to our customers.
“Smart Grid brings along with it a lot of value in terms of energy optimization, energy efficiencies and the value that we can provide to the customer, and the value and risk need to be carefully balanced.”
But along with the value they also bring risk. What if someone hacks into the smart meter? So there is a concern around data privacy out there. Would people know when our customer or particular resident is at home or not at home? Would they know when a business is running and not running? So that’s a huge concern out there of data privacy, and also, what if someone hacks into the grid through the smart meter? So that is the risk aspect of it. On the value, Smart Grid brings along with it a lot of value in terms of energy optimization, energy efficiencies and the value that we can provide to the customer, and the value and risk need to be carefully balanced. That is the challenge that the utility industry has in terms of technology.
Sanjog: When we look at resiliency as a term, resiliency is where you could also have a natural disaster, and the utility is the first one to get affected, and that’s the first one people expect to bring back. Should we define resiliency not just in terms of failure but as being able to bounce back quickly?
Mamatha: Yes, absolutely. When you look at resiliency, it’s not just bouncing back quickly, but it is also making sure we have the right kind of infrastructure to prevent the failure. So we need to again balance both preventing it as well as bouncing back quickly. And especially in light of a cyber attack, we are looking at a nation state potentially attacking our nation’s critical infrastructure. So no one utility by themselves can really bounce back quicker or prevent scenario failure.
“When you look at resiliency, it’s not just bouncing back quickly, but it is also making sure we have the right kind of infrastructure to prevent the failure.”
It should be a combination of public/private partnership and collaboration not only across the utility, but collaboration with the federal government that will bring us the right kind of capabilities to face this enemy, because this is a new kind of enemy that we are looking at, and it is equal to a physical attack, but it is cyber warfare that we are looking at, and our utilities by themselves cannot stand up to that kind of warfare; it has to be a collaboration. And that is the reason why I was in Washington DC last week endorsing Mike Rogers and Dutch Ruppersberger’s bill on information sharing. I’ll give you an example as to why we as a company are endorsing the CISPA (Cyber Intelligence Sharing and Protection Act) bill.
“This is a new kind of enemy that we are looking at, and it is equal to a physical attack, but it is cyber warfare that we are looking at, and our utilities by themselves cannot stand up to that kind of warfare; it has to be a collaboration.”
For the past few months, we’ve seen in our company a lot of activity coming from Turkey. So we know that this activity is coming from Turkey but we don’t have the intelligence that, “hey, by the way, this IP address that you are seeing from Turkey is actually China disguising themselves as Turkey coming in.” We don’t have that intelligence because we are not in the business of intelligence like the NSA is. That’s where this bill will help share that information with us. This way, we know exactly where the threat is coming from and what they are going after so that we have a better defense mechanism. So that will help us to not just prevent a failure but it will also help us bounce back quicker in case things happen. We can isolate it quicker because we know what they are going after.
Sanjog: Are there enough resources available to make such investments timely, and if we are still struggling to make a business case, do we think that the response is greater than the related investments to develop resiliency for it to be a worthwhile investment?
Mamatha: I think the risk that we are looking at definitely requires the right kind of investments. But for a single utility, even if they make 100 percent of their IT investment go towards private security, I don’t think they will be able to withstand this enemy or face the enemy, especially when it’s a nation state attacking the critical infrastructure. And that’s where there should be a very strong collaboration across the utility industry and the federal government.
“Everyone’s focusing on cyber security and asking questions around are we prepared? What kind of defense mechanisms do we have in place? Do we have the right kind of strategy? Do we have the right kind of talent?”
And I think the risk that we’re looking at has now made it right to the top of the executive level at the utility company, including not only audit committees in the utility industry, but also the board of management in every utility company. Therefore, everyone’s focusing on cyber security and asking questions around are we prepared? What kind of defense mechanisms do we have in place? Do we have the right kind of strategy? Do we have the right kind of talent? When the board starts asking you those kinds of questions, the executive and the management team automatically start focusing on the topic. So it is interesting in terms of cyber security. There is both a top-down and a bottom-up focus on this topic, making sure that we as an industry are making the right kind of investments.
Sanjog: So that’s good news that you have corporate sponsorship, or that even the government people are taking the right steps, because they recognize that this is essentially a resiliency and security issue, and there is a lot riding on it. With that said, now the spotlight is on folks like you who have to define and design intervention strategies that will be deployed to combat such resiliency, cyber security and other types of security issues. So if you were to create a playbook for building utility resilience, what would it look like?
Mamatha: Across the utility industry, we have multi-layered network segmentation. There are some best practices that we have. We have NERC, the National Electric Reliability Council, set standards for our critical infrastructure, and these are applicable across the utility industry, and every utility gets audited once every three years on the set standards, and we just recently ran through an audit.
“How do you deter, detect and react?”
So that helps protect the critical infrastructure, and there are some best practices with regards to network segmentation and having an overall strategy around cyber security about trying to deter the attack, detect it once someone is on the network or someone is trying to get into an application. How do you deter, detect and react? How do you react quickly and how do you recover quickly? So it’s a four-pronged strategy in terms of cyber security, which is the best practice across the utility industry in addition to the set standards that we follow.
“For a single utility, even if they make 100 percent of their IT investment go towards private security, I don’t think they will be able to withstand this enemy.”
Sanjog: Because resiliency is an issue that spans multiple departments, who do you think should be responsible for maintaining the overall resiliency of the utility? Do you think they are clear on who the accountable party should be and how they should work in tandem to not only transform the current resiliency levels but also to refine it in a sustainable fashion?
Mamatha: Yes, that issue does span multiple departments. So recently, we have seen a trend of more and more merging of IT and OT departments. And that is to make sure that the IT department overall becomes a custodian of cyber security across the utility. So that is a trend that I have noticed not just with Consumers, but across the industry we are slowly moving towards having the central custodian for cyber security that’s implementing standards and best practices across multiple departments. And who should be the accountable parties? There is also one other aspect out there, which is, could there potentially be a coordinated physical and cyber attack, and how prepared are businesses for those kinds of coordinated attacks?
“Could there potentially be a coordinated physical and cyber attack, and how prepared are businesses for those kinds of coordinated attacks?”
One of the best factors that every business should go through is to have a cross-functional team that goes through business continuity and disaster recovery and also does those exercises in relation to a coordinated physical and cyber attack. This is an exercise we and other utilities do multiple times a year, and it would help check our preparedness in the event of a coordinated attack. So we’re seeing a trend in the IT department; the trend is becoming the general custodian for cyber security practices across the enterprise, and these kinds of business continuity exercises, tabletop exercises and also simulated exercises would help cross-functional coordination.
Sanjog: What do you think would be the newest or most significant challenges we should expect in the near future? What can we do to be better prepared for those problems this time around?
Mamatha: I think when you compare to other challenges that the utility industry has, like the aging infrastructure or weather related, there is a certain timeline associated with those. A storm doesn’t last forever. The infrastructure is a tangible thing that you can come back after. But the cyber threat every day morphs into something new. It’s such a dynamic step which does not have a fixed timeline, so then your threat is such a moving target. How do you prepare? And so that’s why I emphasize the whole collaboration across the industry and the whole public/private partnership towards information sharing, because as the threat keeps morphing, it is only the collaboration that will help us get the best defenses. It really goes towards fortifying our nation better and being better prepared.
“A storm doesn’t last forever. The infrastructure is a tangible thing that you can come back after. But the cyber threat every day morphs into something new.”
Sanjog: We know government is watching this very closely, but how much regulation do you think is enough to actually help to meet the end goal, which is to make utilities resilient and secure?
Mamatha: I think more regulation is not synonymous with more protection. We’re not the only other critical infrastructure industry that has mandatory, enforceable standards through enactment. Critical infrastructure not only empowers our industry, but it also covers telecom, financial services, water and fuel. So of all of the critical infrastructure industries, we are the most regulated to date. And if you take the example of Hurricane Sandy, what it has taught us is that the rest of the critical infrastructure industries have a critical dependency on power.
“Critical infrastructure not only empowers our industry, but it also covers telecom, financial services, water and fuel.”
Fuel was not running because there was no backup generation. For telecom, the cell phones were not working because there was no backup generation even there. So the other critical infrastructure industries have a dependency on us, and they are not as highly regulated as our industry. So we have done very well in terms of protection of our industry, but we depend on a supply chain, and they need to have some kind of regulation similar to what we have so that it will bring all of us onto the same page. So not overregulating us in the utility industry will help, but also bringing others to the same level will help bring the right kind of defense.