Utilities and public sector partner to combat cyber threats

Published on June 22, 2022 by Liz Carey

© Shutterstock

Electric utility companies may be on the front lines of infrastructure security, but combatting bad actors that threaten the power grid means working together with the public sector to share information.

During the Edison Electric Institute’s EEI 2022 conference in Orlando this week, cybersecurity experts discussed what actions the federal government is taking to protect companies from attacks on critical infrastructure, as well as what electric companies can do to protect themselves.

Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, or CISA, the federal agency responsible for leading the effort to reduce risks to cyber and physical infrastructure, said electric companies were key players in the fight against “bad actors.” And it will take businesses continuing to work with the federal government to combat cyberattacks that have grown increasingly sophisticated.

“We truly are all in it together. Government can’t do it alone. Industry can’t do it alone,” she said. “So it really has to be this collective cyberdefense, all in the foxhole together on the frontlines.”

Easterly said she’s working to turn information sharing into “information enabling” to ensure that industry has the tools and information it needs to strengthen the security and resilience of their networks, and that the federal government has the information it needs from industry to do the same.

One of the tools CISA has developed, she said, is the Joint Cyber Defense Collaborative (JCDC) that brings together the power of the federal government and connects it with the private sector to share information in real-time. The platform allows all participants to understand the threat environment in order to drive down risks to the nation.

Lynn Good, chair, president and CEO of Duke Energy, said bringing businesses into the JCDC will allow those in the industry to let the federal government know what they are seeing in the real world. Easterly said that kind of collaboration was critical, citing the SolarWinds cyberattack in 2020, and noted that attack was discovered not by the federal government but by a private company.

For Tom Fanning, chairman, president and CEO of Southern Company, attacks on his company’s network is a daily thing. He estimated Southern Company is attacked 3 million times a day.

Speaking with Bill Fehrman, president and CEO of Berkshire Hathaway Energy, during the Evolving Threats break-out session, Fanning discussed the need for the industry to collaborate with the government in order to protect critical infrastructure, as well as prepare for disasters.

Fehrman, the current co-chair of the CEO-led Electricity Subsector Coordinating Council – an organization that serves as the main liaison between the federal government and the electric power industry on disasters including cyberattacks – said protecting infrastructure means changing to a culture of safety and security. His company has instituted many security measures.

“We used to have a very strong focus on safety, just employee safety. Fast forward to today, and that line across our company is safe and secure,” he said. “We now put as much emphasis on the security of our people, our assets, our customers and our data as we do the safety of our customers and our employees.”

Fanning said that stepping outside of the electric utilities industry and working with other industries is important in maintaining the security of the energy grid.

“Just kind of living within the electricity silo and making sure that we were accountable to ourselves was important but not sufficient,” he said. “We knew that we had these inextricable links in the private sector… and then we had these interdependencies with the federal government. We started to formalize this idea that this culture of security couldn’t be just within an entity. It had to be in the broadest sense, a shared responsibility with a variety of people.”

That shared responsibility means sharing information with the FBI, CISA and others about the kinds of threats they are seeing.

Outside of cyber threats, energy infrastructure also faces physical threats, and companies need to examine their defenses when it comes to protecting transmission and distribution systems.

Working together companies can also be more resilient if a cyberattack or disaster does strike. More than just mutual aid, Fanning questioned whether there needs to be strategic reserves of equipment, such as transformers.

The onset of more detailed information sharing has transformed not only the relationships with the federal government, but the quality of the information received.

The evolution of information sharing has been dramatic over the past 24 months, Fehrman said. “It’s now beyond information sharing, it’s actual transmitting of information both ways between us and the government and getting actionable insights back.”

But still the sharing needs to continue to transform. “We’re at 20 miles per hour,” he said. “We need to be at 100 miles per hour. But we’re moving in the right direction.”

The collaboration and coordination between government and industries, he said, through tools like the JCDC, gives those on the frontlines quick access to actionable information.

Fanning said that companies should not only plan for how to keep bad actors out, but also what to do if bad actors get in, and to figure out how to do that with increasingly fewer digital resources.