Two cybersecurity experts join the podcast to discuss ways to safeguard energy systems from attacks, and the role state legislatures play through their oversight of public utility commissions. Since the start of 2021, states introduced nearly 500 bills and passed 99 measures related to energy security as of August 2022.
Safeguarding energy systems from cyberattacks is a growing concern in the U.S. The Colonial Pipeline ransomware attack a few years ago and some other high-profile incidents caught the public’s attention. But as the guests on this podcast point out, energy systems are facing an increasing number of attacks.
On the podcast to discuss the situation are Lynn Constantini, a cybersecurity expert with the National Association of Regulatory Utility Commissioners, and Patrick Miller, CEO and owner of Ampere Industrial Security, who brings more than 35 years of experience in the security field to the discussion.
While the federal government has some regulatory authority over utilities, state legislatures have a key role in this area through their oversight of public utility commissions. Since the start of 2021, states introduced nearly 500 bills and passed 99 measures related to energy security as of August 2022.
Constantini and Miller discussed the rise in threats and attacks, the types of attacks that are most common and the difference between attacks on information technology, or IT, and operational technology, or OT. They also discussed the steps states already have taken to counter cyberattacks.
Reader: Note that CIP in this transcript is an acronym for critical infrastructure protection.
Ed: Hello and welcome to “Our American States,” a podcast from the National Conference of State Legislatures. I’m your host, Ed Smith.
LC: Cybersecurity is an essential ingredient to reliable utility services. So, within their states, PUCs have an essential role in cybersecurity.
Ed: That was Lynn Constantini, a cybersecurity expert with the National Association of Regulatory Utility Commissioners. Also joining the discussion is Patrick Miller, CEO and Owner of Ampere Industrial Security, who brings more than 35 years of experience in the security field to the discussion. Our conversation focused on cybersecurity of energy systems, systems that are increasingly being targeted by a variety of attacks. While the federal government has some regulatory authority over utilities, state legislatures have a key role in this through their oversight of public utility commissions. Since the start of 2021, states introduced nearly 500 bills and passed 99 measures related to energy security as of August 2022. Constantini and Miller discussed the rise in threats and attacks, the types of attacks that are most common and the difference between attacks on information technology, or IT, and operational technology, or OT. They also discussed the steps states already have taken to counter cyberattacks.
Here is our discussion.
Lynn and Patrick, welcome to the podcast.
LC: Thanks, Ed. I’m happy to be here.
PM: Thank you for having me.
Ed: Just to get started, I wondered if each of you might give a brief explanation of your organization, your role there and how it fits into this wider conversation of cybersecurity in the energy sphere. And, Lynn, why don’t you kick it off?
LC: Well, the National Association of Regulatory Utility Commissioners, or NARUC, is a nonprofit organization that represents state public utility commissions, or PUCs, who regulate utilities like electric, natural gas, water and transportation within their states. The mission of a PUC is to ensure reliable, safe, adequate utility service at fair and reasonable rates. Cybersecurity is an essential ingredient to reliable utility services, so within their states, PUCs have an essential role in cybersecurity. NARUC’s mission then is to help improve the quality and effectiveness of public utility regulation. One way we do that is by providing education, training, information and technical assistance to our members. I’m part of the technical assistance group, the Center for Partnerships and Innovation. I’m the deputy director and I specialize in the areas of cybersecurity, energy resilience and emergency response.
Ed: And, Patrick, how about you? This is your own company, as I understand. Tell us a little bit about that.
PM: Yes. I am president and CEO of Ampere Industrial Security. We are a specialized consulting firm. Our focus is on OT, or operational technologies, and ICS, industrial control systems. We do both cyber and physical security. Our firm works with industrial organizations, asset owners, to manage their intersection of security with regulations and standards to keep them ahead of their adversaries and their auditors. As for my background, I was one of the original architects of the NERC CIP standards, along with Lynn. I was the first NERC CIP regulator in the country. I’ve helped various U.S. states, Canadian provinces and various countries around the world with critical infrastructure, security and regulatory issues.
Ed: Well, Patrick, let me stick with you for a minute. Can you talk a little bit about the big picture of how the cybersecurity landscape has changed in the last five years or last several years?
PM: Yes, certainly. I don’t think we could have foreseen where we are now five years ago, so things have changed significantly from what we expected. I think the first of which is that infrastructure is being actively attacked, and this didn’t used to be the case. It used to be that if you had tried to attack someone’s critical infrastructure, like their electric system or their water system or their aviation system, things like that, then there was a very real likelihood that you’d have everything from bombs or tanks or airplanes, some sort of really kinetic response, on your territory or at your doorstep. And it was a significant deterrent for a long time. And I think what really changed the picture was the attack on, well, multiple attacks on Ukraine, where we did see Russia take control over their environment to actually do in some cases irreparable damage, damaging some of their systems in a way that they had to be replaced. They couldn’t be just fixed, for example. It was a full attack on their power system and it took out power in December, at a bad time. So, when we thought that this kind of thing was off limits, it didn’t just happen once. It’s happened twice, and since then it has happened in other territories as well. So that was something that I think we didn’t really expect to change, or change as much or as quickly as it did.
The second key issue is digital transformation. It’s definitely gaining steam, and it is moving in a direction opposite of where our legacy environment is or was, which was essentially frozen in time. So, we have this legacy install base everywhere of analog equipment that runs all of our critical infrastructure. And then we have this bunch of new digital stuff that’s being inserted into the mix, and in some cases it is replacing the analog gear and in other places it is just augmenting it or being bolted on or added into the mix in creative ways. And what you end up with is a divergence and dichotomy of these technologies, both legacy and future, at the same place in the same operation, and it is challenging in many ways, from support and other approaches. I think the last piece is somewhat along those same lines, but it is more about the technological innovation and disruption. We have everything from supply chains where “made in” really just means assembled in all cases, and this goes for hardware, software and even services. We have artificial intelligence. We have machine learning. Aggregation of analytics and services, and what used to be done in one location can now be done from anywhere, everywhere. It just doesn’t matter. And we have smart everything now in all the operations, so everything from sensing to all kinds of different processes. They are all digitized. And then probably the last piece there is the concept, the scary concept frankly, of utility or critical operations running in the cloud versus on premises, and this is just frightening for many.
Ed: Well, I think for a lot of us who are not deep into this world, it’s all frightening. Lynn, let me ask you that. What should concern those of us who are on the outside, if you will, in terms of threats to utilities? What kind of attacks keep you up at night?
LC: That’s a really difficult question to answer. You know, from my perspective, any threat really has the potential to disrupt the reliable, safe provisioning of utility services. And they are all worthy of worry. Take ransomware, for example. The threat is one of opportunity rather than a really targeted attack. Yet, if successful, a ransomware attack can grind utility services to a halt. We saw just that in the Colonial Pipeline ransomware attack just a few years ago. But as Patrick said, we know we face well-resourced, committed adversaries who are intent on harming the U.S. Critical infrastructures that rely on industrial control systems, like the electric grid or pipelines, are now viewed as ripe targets because of the impact that their loss would have on society. And so particularly the threats that I worry about are those insidious attacks that can result in loss of operational integrity, that can cause systems to misoperate without the operator realizing it.
You know, I worry about systemic vulnerabilities like those deeply opaque supply chains. We saw that happen in the SolarWinds cyberattack several years ago. And then lastly, I really worry about targeted attacks against operational safety systems where the goal is to deliberately hurt humans. And we know our adversaries are looking at all three of those types of attacks.
Ed: Patrick, how about for you? Are there types of attacks that seem more likely than others and I don’t know if that varies by country or what, but.
PM: Yeah, any geopolitical situation, whether it’s a geographic location or political stance, whether it’s right leaning or left leaning, whatever it might be, democracy, dictatorship. All of those things come into play. Of course, I do think though, from what I’ve seen on the global scale, that nation state threats, while they are the highest impact without question, are also the rarest in occurrence. In order to put that degree of resources into an attack, it takes a very determined adversary to do a very specific thing. So those are fairly rare. Really, to be honest, the day-to-day impact of things like general or organized cybercrime is by far the widest impact to any of our systems. This of course is everything from targeted phishing, business email compromise, theft of money or business identity, that kind of thing. And of course, as we mentioned, ransomware. This is the scourge of our existence at the moment. And one of the interesting challenges with ransomware is that although it is really designed to affect the IT systems, because typically ransomware doesn’t run on industrial systems, they are just different kinds of computers, there are so many dependencies between those operational technologies and the IT environment that we end up having these indirect but really serious impacts, spillover impacts, and we saw that with Colonial Pipeline with their operational side being shut down as a result of the attack on the IT side. So even run-of-the-mill ransomware stuff can impact a utility’s ability to operate unless they have designed things very well and done some good preparations, good separation and incident response. But these are the attacks that keep me up at night, the ones that are more commonplace and can come from anywhere at any time, whether it’s a kid in a basement or an organized crime ring. They are prolific. They are easy to get. They are inexpensive. They are easy to execute.
We’ve got to keep those from impacting our systems.
Ed: Now, Patrick, you mentioned IT and OT and I have a basic understanding of that and I emphasize the basic part. Maybe you could explain that to the listeners and why it’s so important in this discussion.
PM: Sure, Ed. That’s a key distinction. Great question. So, IT is information technology. It’s the systems that really run the money or enterprise side of your organization. It’s your website, customer portal, HR platform, finance, accounting systems, workstations, servers, databases, laptops. You know, all those things, email systems that you use to run your business operation and make the business money and manage its people and that kind of thing.
OT is operational technology or sometimes called ICS, or industrial control systems. These are all the industrial technology components and these things used to be like physical or analog. They’d be like a spring or a float, a valve – these kinds of things and now they are digital, but they are still operational technologies. So, these can be like sensors or actuators or you know temperature and this kind of stuff. And it will talk to another computer that says hey temperature is this, open this valve. Or you know this breaker opens because of a certain electrical condition. But those are purpose-built technologies. They are typically not very smart. They don’t do anything other than what they were designed to do so they don’t run anything else other than kind of some simple logic that says do this thing. We’ve done this because digital technology is actually better at doing this work than the analog stuff. It requires less calibration. It’s more reliable. But it also comes with a lot of the same kind of vulnerabilities that anything with a chipset comes with. So, while they are better and they operate more efficiently, they do come with a little bit of additional risk as a result.
Ed: Sure. That makes a lot of sense. Thank you for that. I know more now than I did two minutes ago. Lynn, when you think about these threats, particularly in the utility area, do you see big gaps in utilities’ ability to meet these threats, and is there something legislatures can do to help their utilities with that?
LC: One misconception that we really have to address is that there is a one-size-fits-all solution. There isn’t. Every utility is different, and even the systems that they are operating, as Patrick just pointed out, are very different, IT versus OT. But even with that, every utility should be paying attention to understanding and mitigating cybersecurity threats. So, a lot of standards, frameworks and guidelines exist to help utilities do that. Some utility sectors like electricity and pipelines have mandatory and enforceable standards for some utilities. But other sectors have taken a less prescriptive approach to regulation. I think state legislatures can really help clarify the roles and authorities for oversight of utility cybersecurity within their states. If authorities aren’t clear, to clarify those authorities. I think legislatures can also provide clear expectations for regulators regarding the regulators’ oversight of industry cyber risk management practices and ensure that the agency that the legislature tasks with implementing those policies, like a public utility commission, has the resources it needs to do so, both dollars and manpower.
Lastly, I think it would be really helpful if legislatures have a firm understanding of the dividing line between federal and state authorities for cybersecurity in the utility space. For example, the electric sector has mandatory cybersecurity requirements, the CIP standards that Patrick mentioned. These are set by the Federal Energy Regulatory Commission and enforced by the North American Electric Reliability Corporation. The CIP standards apply only to utilities considered part of the bulk electric system, 100 kV and above. That dividing line is drawn in the Federal Power Act, and that dividing line is important because it clearly places the authority and the responsibility for cybersecurity of the electric distribution system directly on a state. So, for a state, it’s not a nice-to-do or should-do thing. Cybersecurity of the distribution system is a must-do thing. And even so, every state does not do the same thing when it comes to cybersecurity. Some would point to that variability as a detriment, or a gap perhaps, as you put it.
Ed: I am not surprised every state doesn’t do it the same way because as long as I’ve been covering states, they never do anything the same way anywhere. That can be an advantage in some cases and maybe not so much in other cases. Now let me ask you about this. As I understand it PUC regulators cover some utilities, but not others. And I’m wondering if you could explain that structure and how it might affect how legislatures handle this, how they think about cybersecurity and I guess also does this mean that some utilities are more likely to be threatened than others. Does that play into it at all?
LC: Sure. You are absolutely right. Generally, the jurisdiction of the public utility commission extends only to public utilities, meaning investor-owned utilities. Not all utilities are IOUs. Some are owned by the municipalities that they serve. And others are owned and governed by the customers that they serve. So, PUCs can order jurisdictional utilities to do things like improve cybersecurity, for example. But they cannot order munis and co-ops to do the same thing. Now I’m speaking in generalities here. In some cases, public utility commissions do have some authority over munis and co-ops, but typically that’s really not the case. So just like the divide between federal and state jurisdiction, critics argue that the differences in oversight structures within a state represent gaps or potential weaknesses within the utility ecosystem within that state. Now I’m not going to debate that point, but for legislatures I think it means they need to be cognizant of the jurisdictional boundaries. Remain really informed about the potential cyber risks facing utilities within their state and work together with their public utility commission and others within the state to really understand how utilities are managing their cybersecurity risks. And speaking of risk profile, if I might, I think munis and co-ops are generally small. They are typically serving relatively small populations. Again, there are some exceptions, some are big. But the vast majority are not.
Critics suggest that these smaller utilities are under-resourced and don’t generally make cybersecurity a priority. But on the other hand, proponents are claiming that these utilities have a much lower risk profile and don’t need to spend as much on cybersecurity. And I think both have merit and I think this also suggests that for a state legislature or a public utility commission, we really need to appreciate those differences in the appreciation of risk. Where cyber budgets are indeed small, they should be used to really make the biggest impact meaning buying down the biggest risks that utilities are facing within the state. Again, focusing on information. Understanding what risks utilities are facing and creating appropriate expectations within the state for how utilities are expected to manage that risk I think is really important.
Ed: So, Patrick, let me ask you, are there standard tools that utilities can use or are using to deal with these cybersecurity threats? Is there a kind of toolbox they can go to that will help them do this without having to reinvent the wheel?
PM: The short answer is yes. The longer answer is there are so many tools that it really is just mind-blowingly complex for most of them that are coming at this from a new-to-cybersecurity perspective. And no, you don’t need to go out and buy every single security widget or tool out there, and most of them, even if you bought them, you may not fully implement or maybe not get trained on, so it isn’t really as useful for your company. And honestly, if I only had, let’s say, a hundred dollars to spend on cybersecurity, the first thing I would do is train my people, because trained people are remarkably skilled, especially in the electric power space, gas space, with these infrastructures. They are really good at working with what they have, and the more they know and the better they understand how to apply cybersecurity to their unique situation, even better. I’ve seen municipalities and co-ops; they are incredibly resourceful. With the right knowledge and skills, they can come up with some really creative solutions on a budget. That doesn’t mean don’t give them money, of course, because they are definitely underfunded and under-resourced in terms of the number of humans and capabilities to do this job every day against nation state level adversaries. So, if I only had so much to spend, I would train the people up so they could take what they have and use it in really smart and creative ways, because they are really good at that.
Ed: Lynn, let me ask you do you see ways that state lawmakers, our audience of course, can facilitate the adoption of some of the better cybersecurity practices?
LC: Interestingly, NARUC, the Department of Energy and industry are right now working together to think through that very issue, focused on electric distribution system utilities and the distributed energy resources that connect to them. So first and foremost, the question is what should those cybersecurity practices be. As we’ve already mentioned, there are a lot of cybersecurity standards. But which of them are most applicable to the electric distribution grid? Which of them buy down the most risk, and how costly will they be to implement? I think these are really important questions that we have to grapple with. And we are hoping that the end result of this activity will be the creation of a set of cybersecurity baselines that are of interest to states who might be considering their next steps around cybersecurity for utilities. When the baselines are available, I would suggest that state policymakers and energy officials, legislatures, public utility commissions, governors, reps, etc., consider meeting to discuss whether and how those baselines fit into their own policies and regulatory oversight structures within the state. We still have a lot to do here, but as they say, definitely watch this space.
Ed: Well, so getting different parts of government together seems like an important element of that. I think that’s true in so many cases. Lynn, let me stay with you for just a second. When, God forbid, a cyberattack does occur, do you see common strategies that will help communities deal with that and help get the energy system back online and that sort of thing? And are there things that state legislators, again, can do to help make sure there is some sort of plan in place?
LC: I think if we limit the idea of a community right now to utilities, I think the answer is robust cyber incident response planning. Utilities should have plans that define internal roles and responsibilities for responding to cyber incidents, as well as having detailed steps in those plans that make it very clear what steps to take, as well as when to take those steps, in the event an incident occurs. Incident response plans have to be current. They have to be trained to and they have to be exercised often. So how can legislatures help? Well, I would say get involved. Be proactive. Work with PUCs to ensure utilities’ plans are detailed and sufficient. For example, do the plans include details on when and how utilities will communicate with customers following a cyber event? Another way to get involved is to participate in those incident response exercises. It helps clarify roles and responsibilities, authorities. It helps build information sharing channels. And it also helps set expectations. So most importantly, I think everyone needs to stay informed and work together.
Ed: Patrick, let me ask you. As you look around, particularly the states, and I know you do a lot of international work, but looking at the U.S., do you see places where laws or regulations have been put into effect that really will be effective in improving utilities’ ability to respond to a cyberattack?
PM: Oh yeah. Absolutely. And states are, well, some states are taking this seriously and they are doing their own thing. They’ve led the charge, really. Some states like California, of course, come to mind as an example of leading the charge, especially for things like cybersecurity. This has definitely been an area for their utilities. This kind of approach definitely has an impact. It can have a significant impact, and I think it will move the needle in a positive manner, especially for the state in question. It also has the tendency to move the needle not only for that state but for adjacent states, or frankly all states, because it takes the idea that they are pushing from theoretical to actual. You know, it is not a question of could this state actually do this or would they; they did. And it’s been done and it is being done, and if you are operating in that state then you have to comply. So that will definitely have an impact in a direct way.
Also, for those utilities that have multi-state operations, for example, it becomes much more challenging for them to try to maintain different operations for different states. So, they try to normalize on what their high-water mark is. Now I think the challenging or possible downside to this is that you end up with a patchwork of different state approaches. And from all the utility perspectives, this makes it more expensive overall. It also makes things like different technologies and different services that support these companies more challenged to try to meet this difficult patchwork of approaches and solutions too. So, your service providers can provide one thing, or they have to provide fifty things or fifty-plus things, for example. So, it does raise the overall cost and expense and frankly the friction. That said, should it be done? Yeah, sure, because it needs to be done. Inevitably we see things like this happening as part of the standard legislative process at the federal level. In all of the situations where this patchwork effort is inevitable, we end up with these different approaches, different directions, and then there is some federalized norm that comes in at a minimum baseline of acceptable risk. And then all the states can add to that as they see fit.
So as a natural process, yeah, there are some doing this and then there are some leading the charge of doing great stuff and we are really kind of right now in the process of standard curve for how these things unfold.
Ed: We are going to wrap up here and I’d like to ask you any other thoughts you would like to share with our listeners including I think as we have discussed, how they can better inform themselves on this topic and educate themselves. Lynn, why don’t you go ahead.
LC: I think I’d like to end by returning to the beginning, one of the first things we talked about, and that’s the changing cybersecurity landscape. You know, as we noted, this landscape changes quickly. It changes constantly and it’s going to continue to do so. We all have to be diligent, but we have to stay flexible. We not only need to be able to address today’s threats, but we also need to have that flexibility to be able to respond to emerging threats. Training and education, especially for policymakers and regulators who aren’t on the frontlines and aren’t necessarily especially technical but nevertheless have really essential roles in cybersecurity for their state’s utility ecosystem, is really important. NARUC provides a lot of cybersecurity resources for its members on its website. They are available to anyone, and I think state legislatures will find them equally useful. We hold webinars too that state policymakers are welcome to attend. And lastly, I’ll mention that NARUC conducts in-person cybersecurity training for its members. NCSL has a standing invitation to participate.
Ed: Well, thank you very much. And, Patrick, how about you? You get the last word here.
PM: Fantastic. I agree with Lynn on all points for the training components, and I’ve been part of those workshops. They are fantastic. So as a state legislator you can’t get a better, more effective resource targeted directly at your level. It’s got great content just for you. So, a solid plug for the work that NARUC is doing there. That’s it. I want to pick up on what Lynn mentioned around the changing threat and vulnerability landscape. This is only going to accelerate with things like artificial intelligence and machine learning entering the picture. I think what we most struggle with, though, is that we are not going to be able to stop this innovation. Now legislation says, like, tap the brakes or quit. That often has unintended consequences, and it really just pushes things to a darker, more criminal market. You know, so Pandora’s Box is opened, and what makes much more sense here is to make friends with all of these technologies and kind of teach them good manners. Just saying stop altogether, that’s going to have some negative unintended consequences while the technology just races forward. So better examples I’ve seen for this kind of existential cyber risk is to use other areas where we have had similar risk profiles and we’ve, I don’t want to say solved the problems, but we’ve gotten much better at it. One of the fairly good examples is fire. We still have fires, whether they are intentional or unintentional. They still happen and they can still cause property damage and death. At the same time, we’ve minimized that down to an acceptable level, and I don’t want to say that acceptable in a cruel or insensitive way, but it’s at a place where it is manageable. And we’ve done that through things like building codes and sprinkler systems. We’ve used fire extinguishers, smoke detectors. We’ve used inspections by the fire marshal. We’ve got a ready and responsive fire department that’s publicly funded, for example.
So, lots of these different approaches from different areas versus one silver bullet that says a company or an endpoint is fully responsible for this. But more, how do we build this so that in the future we’ve designed everything in such a way that it is much more resilient and it can operate through a problem. And that takes some creative and smart thinking around how we design the rules for the cyber road going forward. And we need to get those things like building codes in place, using approaches like cyber-informed engineering, for example. And really, before we start thinking about pinning responsibility on parties or altogether forbidding certain approaches, we should be looking for these other examples and some successful options like fire or other areas similar to that. You know, it can be done. And I think regulation has a key role to play here, and it will be essential to leveling the playing field from a minimal acceptable risk, you-must-be-this-tall-to-ride-the-ride perspective. Getting that right is going to take an educated, open and collaborative approach.
Ed: Well, I want to thank both of you. I have to say that I feel a little bit better knowing people who are as astute as the two of you are on top of this problem. And I thank you very much for taking the time. Take care.
LC: Thank you, Ed. It’s been a pleasure.
PM: Yeah. Thanks.
Ed: I’ve been talking with Lynn Constantini of the National Association of Regulatory Utility Commissioners and Patrick Miller, CEO and Owner of Ampere Industrial Security about cybersecurity for energy systems. Thanks for listening.
You can check out all the podcasts from the National Conference of State Legislatures by searching for NCSL podcasts wherever you get your podcasts. Tim Storey, NCSL’s CEO hosts “Legislatures: The Inside Storey” where he focuses on leadership and legislatures. The “Our American States” podcast dives into some of the most challenging public policy issues facing legislators. On “Across the Aisle” host Kelley Griffin tells stories of bipartisanship. Also check out our special series “Building Democracy” on the history of legislatures.