Cybersecurity is a hot button issue right now. Utilities are constantly under attack and policy makers are concerned. Meanwhile, President Obama is widely expected to bring up this contentious issue when he meets with the Chinese leadership this summer.
On Wednesday, Utility Dive attended the Deloitte Energy Conference and heard three cybersecurity experts speak on the issue at a panel called “Energy Cyber Security—Protecting Critical Infrastructure in an Age of Increasing Threats.” Dr. Christopher Bronk, a Fellow in Information Technology Policy at Rice University, Frank Mong, VP and General Manager of Enterprise Security Products Software at Hewlett-Packard Company, and Fred Hintermeister, Critical Infrastructure Protection and Cybersecurity Specialist at North American Electric Reliability Corporation, spoke about how utilities can prevent cyberattacks.
Here are the highlights of what they said.
1. Who: Dr. Christopher Bronk, Fellow in Information Technology Policy, Baker Institute for Public Policy, Rice University
What he said:
- "The internet has made it very easy for us to do distributed business all over the world. The great disadvantage is that the infrastructure upon which we’re relying is grossly insecure."
- “One thing I want to dispel right off the bat is that the U.S. federal government does not have a cyberdefense secret sauce that will save U.S. corporations. It does not."
- "Accept that you’re going to be compromised and that you as an industry are going to be compromised. You need to work together as much as possible. "
- "How much is your security component finding out and discovering things? This is the piece of cheese that I throw out there for executive leaders. If you have a cybergroup that is detecting problems with your organization, that’s a good thing. And for every one you find, you reward it and you’ll get more of them."
2. Who: Frank Mong, Vice President and General Manager, Enterprise Security Products Software at Hewlett-Packard Company
What he said:
- "We want to give everyone three things. 1) Context. Give you context on what’s happening in your environment. It’s the unknown that we’re looking for. 2) Control. Give you a sense of control. So if you have context, how do you control that environment? How do you control the situation and get the situation analysis you need to have? 3) Confidence. Give you the confidence you need to move forward as you want to evolve, as you want to expand, as you really want to explore the possibilities around technology."
- "The thing you should know is, you are probably breached already. There’s probably something in your environment that is sitting there incubating waiting to take action or is slowly taking action."
- "Research has shown that it takes on average 419 days for you to discover that you’ve actually been breached."
- "94% of the time, you’re not the one that finds out you’ve been breached. Somebody else finds out and tells you. And many times, they tell you via social media."
- "It takes 73% longer now for us to deal with an incident. What that really shows is that we don’t know how to plan for a breach. We don’t know how to respond in a good way. We don’t know how to find the source problem, we don’t know how to notify the right people if it involves customers and privacy issues."
- "And as we look at what’s happening and who’s doing this, the question of 'Who?' is getting really complicated. It’s not nation states, it’s not just hackers, it’s not hacktivism. It’s an ecosystem. It’s an ecosystem that’s driven by monetary exchange. People are so specialized, they have major groups that focus on specialties, whether it’s breach or discovery or exfiltration, they’ve got capabilities that are putting technology guys like us on our heels. They’re definitely innovating faster than we can handle."
- "[We’re] not just focused on the technology itself and throwing a firewall at you or a next-generation something at you, it’s really about, 'Hey, here’s the process of how they work, this is where they make money and our technology is focused on disrupting their process.' Making it harder for them to make money, making it more expensive to operate and enforcing this warfare into a place where I’m going to reduce your operating margins so that it doesn’t make sense for you to do something like this."
3. Who: Fred Hintermeister, Critical Infrastructure Protection and Cybersecurity Specialist, North American Electric Reliability Corporation
What he said:
- "What are some of the knowns? We know we’ve got an austere budget environment going forward. We know we’ve got an advanced and persistent threat out there. We know that we’ve got new changes coming ahead, so that the adversaries are dynamic. They’re not static. They change."
- "So with these knowns, where do we go for the low-hanging strategic fruit to pull off the reliability performance outcome we’ve all come to expect? Operators in this electrical sector have delivered 99 dot and above reliability performance at the bulk power system level for six decades. That’s a known. But in this environment going forward, it’s not the environment we just came through. So how can we continue to deliver that?"
- "I can tell you that most of those blue ribbon reports always circle back to something having to do with information sharing. And the reason they circle back to that is because it is cost effective and it delivers what I would call resilience value addition. That’s the concept I like to get people thinking about—how do we deliver the resilience value that builds into the reliability performance outcomes and gets us where we want to be?"
- "How do you create a trusted, collaborative environment that’s more than a roadside motel? It's a destination or resort that pulls in our entities and wants them to feel comfortable sharing their non-compliance security information with an organization they know as the regulator."
-
"The answer is: you go all the way up to the strategic level of the organization and you talk to the board and you engage in a dialogue and say, 'Hey, we’ve got to form a trusted collaborative environment which gives that comfort level for transformational change to happen in the sector down at the company level.' To allow C-levels to say, 'Hey, you know, we need a C-level with the security function. We need a CSO, not just in name but for real, with a staff behind them and a staff that’s maybe apart from the rest of our staff so that they can engage in giving these indications and warnings up through the ISAC (Information Sharing and Analysis Center) in a way that allows them to utilize to use that information for the good of the whole sector but, also, for the good of our corporate bottom line.' That’s the challenge."
Would you like to see more utility and energy news like this in your inbox on a daily basis? Subscribe to our Utility Dive email newsletter! You may also want to read Utility Dive's look at 6 smart grid startups to watch in 2013.