NCSL Podcasts

Security Challenges of Utilities in Rural America | OAS Episode 237

Episode Summary

On this episode, we focus on the challenges utilities in rural parts of the country face in trying to ensure the physical and cybersecurity of their facilities. Our guests are John Ransom, director of regulatory affairs for grid security for the National Rural Electric Cooperative Association, and Adrienne Lotto, senior vice president for grid security at the American Public Power Association.

Episode Notes

Electrical co-ops and public power utilities provide service to about a 100 million Americans, including many rural parts of the nation and counties with persistent poverty. They have many of the same concerns about both physical and cybersecurity as investor-owned utilities, but different challenges in terms of terrain, staffing and resources.

On this episode, we focus on those challenges and how utilities in rural parts of the country are coping. Our guests are John Ransom, director of regulatory affairs for grid security for the National Rural Electric Cooperative Association, and Adrienne Lotto, senior vice president for grid security at the American Public Power Association. 

John and Adrienne discussed some of those unique challenges, how they work with state regulators and how something like high turnover in state energy offices can complicate their efforts. 

Resources

Episode Transcription

 

Ed:      Hello and welcome to “Our American States,” a podcast from the National Conference of State Legislatures. I’m your host, Ed Smith. 

 

JR:       You know this is a national security issue. I mean we have more than 100 co-ops that are serving more than 100 military installations across the country. So, an impact to co-op services can have a real effect on our ability to respond during a national security event. 

 

Ed:      That was John Ransom, director of regulatory affairs for grid security for the National Rural Electric Cooperative Association and one of my guests on this episode. He is joined by Adrienne Lotto, senior vice president for grid security at the American Public Power Association. 

 

Electrical co-ops and public power utilities provide service to about 100 million Americans including many rural parts of the nation and countries with persistent poverty. They have many of the same concerns about both physical and cybersecurity as investor-owned utilities, but different challenges in terms of terrain, staffing and resources. John and Adrienne discussed some of those unique challenges, how they work with state regulators and how something like high turnover in state energy offices can complicate their efforts. Here is our discussion. Adrienne, John, welcome to the podcast.

 

AL:      Thank you so much for having us.

 

JR:       Glad to be here.

 

Ed:      Well, let me start by asking each of you to just talk briefly about your organization and your role there and Adrienne why don’t you go ahead and start.

 

AL:      Thanks, Ed. I represent American Public Power Association wherein we represent about 1,400 municipal utilities across all 49 states excluding Alaska. Our members are community owned electric systems and we also represent U.S. territories so that includes Puerto Rico, U.S. Virgin Islands, WAPA [Western area Power Administration], as well as remote areas including Guam Power and Authority. So, our membership is fairly diverse.

 

Ed:      And John, why don’t you tell us a little bit about the National Rural Electric Cooperative Association and your role there.

 

JR:       Sure. So NRECA is the National Trade Association representing about 900 local electric cooperatives. Our members are providing power to about 42 million Americans across 56% of the country. And that’s everything from suburbs to farming communities and like the municipals co-ops are not for profits. We are owned by the people that we serve so the people that are getting power in those suburbs and those farming communities are the same ones that own that infrastructure. In my role with NRECA, I serve as a Director of regulatory affairs. I cover cyber and fiscal security issues, which means that when there are new policies, regulations coming out at the federal level, we are working with Energy and Homeland Security, etc. to ensure that they are considering the unique needs of electrical cooperatives in those government actions that we are doing.

 

Ed:      Well John, let me stick with you for a minute. We are talking today of course about security for facilities in rural parts of the country and I wonder if you could talk about that. What the strengths and weaknesses are.

 

JR:       I think the first thing that I would say is that with 900 members, there’s not really a universal truth to the strengths and weaknesses across all of those members. But I think we do see some common things and a lot of you know across a lot of them. There are some challenges working in rural America. The regions that they are serving are often sparsely populated. That means they require more infrastructure per consumer. That’s more transmission line, more substations that they need to control and to monitor. A lot of this infrastructure is located in very remote and isolated areas. Many times, those cooperatives are trying to do all of that with a smaller staff. People are wearing multiple hats in many instances. Given the not-for-profit business model, it means that you know we don’t necessarily have access to a lot of the same resources for funding that some of our larger counterparts may have. So, every dollar that we spend is really passed along to the consumers at the end of the line.

 

            You know on the flipside of that though, not having a profit incentive means that we are able to focus on some of those core issues that our members prioritize. Things like liability and affordability. That’s especially important given that cooperatives are 92% of assisted poverty counts so keeping prices affordable is a major focus for us. When we think about strengths, I think the biggest thing that comes to my mind is the collaborative nature that cooperatives have. Cooperatives talk to each other. They share information. They share lessons learned. One of the core values that we have as a cooperative family is really co-ops helping co-ops and the spirit of mutual assistance. That means we are sharing resources and expertise and not just in things like storm restoration where a lot of people send crews halfway across the Country to support a response effort. It also includes things like pooling resources to get better access to things like safety training, IT services, marketing, comms, etc. And then the last thing that I would add there is given that we are owned by the people that we serve, there is a strong community focus for cooperatives. Our boards of directors are made up of those members that are end of the line power customers. So those decisions that they are making at the leadership level tend to serve the interest not only of the membership, the cooperative membership, but also just the broader community. 

 

            This means that we are building trust with our members and when it comes to things like justifying investments, it’s easier for us to make that case because you have somebody that you trust coming to you.

 

Ed:      And Adrienne, what’s your perspective of the security and public parody utilities position. What are some of the strengths and weaknesses there?

 

            TM:         06:28

 

AL:      John articulated a lot of them very, very well. It is substantially similar for our American Public Power Association members. The membership is very diverse at APPA and so to the question of what’s the security posture I would agree that there are a number of challenges, but also there is a collaborative effort that the municipalities utilize. Working across sometimes very remote footprint is difficult. The terrain itself can be difficult. Even communications can be difficult. Our utility workers and the workforces often in remote areas where there is no cell service. I would also add workforce challenges. Workforce and getting skilled labor and people interested in working inside an electric municipal utility is at times a challenge and our members are always trying to think of new and innovative ideas to get younger people interested in the electric sector in public power and they’ve done and we’ve done a lot of work in that area. And then as John articulated well, likewise, we have a mutual aid program wherein if a storm does occur. I should say when storms do occur, there is really a call to action. For example, most recently we had members all the way from the upper Northeast last year traveling all the way down into the Carolinas to support after Hurricane Milton and Helene. I believe that that is truly one of the most important parts of that resiliency and community in terms of public power that make the difference.

 

Ed:      Adrienne let me stick with you for a second. Aren’t there specific challenges to the rural areas and I think you alluded to this around security that are different from more urban areas, maybe things that a lot of listeners might be more familiar with. 

 

AL:      I think as we intimated earlier, remote nature of the grid the diversity upon which some of that infrastructure is built and exists can become quite challenging. You have a utility in New York City a squirrel is probably the most dangerous thing that could happen and often causes a halogen. We know we will often see from the EI site, the information the electricity information sharing analysis center regularly you’ll receive an alert, shots have been heard out and around infrastructure. More often than not, those remote areas are just individuals hunting, but nonetheless when you are operating around critical infrastructure that can be a threat and is something that we tend to look at and tend to spend time sometime and focus on. I also think the perimeter is changing around the grid. It used to be guns, gates and guards, right. A nuclear power plant in a particular area you’d have guns, gates and guards and that secures it. As distributed energy resources are proliferating the grid, we see more infrastructure in more remote parts of the grid that need additional security. So just thinking through staffing, capital planning on how to protect those areas, I think the use of technology also becomes critically important. You may not have an individual out by that site, but things like utilization of cameras, motion detection. That is also what our utilities are utilizing to reduce costs but keep the grid secure. So, I think continuing facing those challenges I think the municipalities and our members are certainly up for it, but it’s an ever-evolving target.

 

Ed:      John let me ask you in your role working in regulatory affairs given all of these unique challenges, I think it’s fair to say that facilities in these rural areas experience how does that affect how you work with legislators, with state regulators in terms of trying to get them to appreciate the very things that we were just talking about and help you will response, cyber security, risk analysis that sort of thing.

 

            TM:         10:45

 

JR:       So, I think what it really comes down to is starting at the basics and to build on something that Adrienne said just recognizing the diversity between all of the different utilities. IOU’s have a very different set of priorities than the municipalities. We are going to have a different set of priorities for the co-ops. That doesn’t mean that there isn’t an overlap between all of them. But even within just the cooperatives, priorities are going to be different from one utility to the next. So that means that when it comes to the state the folks at state government, they really need to be working to build a relationship with the cooperatives and vice versa in those states so that they can not only understand what those differences between them are, but why they are important. 

 

            You mentioned assessing risks you know when it comes to risk assessments, we feel really strongly that that needs to be a risk informed. Every utility is going to have a different set of threats that they are focused on. You know either based on their size, the customers that they are serving. You know if they are serving military base or something of that nature where they are getting their energy from. …  That means that how they address that risk is going to be different in every instance as well. There’s always different ways to reduce risks. The solution that you choose you now for your utility needs to represent the operation environment that you or that you are working in and so giving those operators the flexibility to find that solution that best fits their needs is really critical. I know you also mentioned response of coordination. Just a quick plug there as well. States can help improve that as well by bringing some of those utility members into state sponsored trainings and exercises. This lets you know lets industry and government build relationships with their counterparts before an incident happens so that when that bad day arrives you are not exchanging business cards in the emergency operations system. 

 

Ed:      So, John let me stick with you for second. So, when states do hand down these mandates around security and that sort of thing, are they responsive to the fact that co-ops and municipals are significantly different from the investor-owned utilities. Are you folks successful in getting them to give you leeway on that or how is that working out?

 

JR:       I mean unfortunately the answer depends. It varies from state to state. But one of the things that we noticed I think is that it really comes back to my earlier point about understanding those differences between the utilities because when it comes to something like cyber resources you have five lines of framework standards that are designed to be kind of a one size fits all solution for infrastructure common leaders and that includes a lot of security services security solutions that may be you know targeted to large well resourced operators that have an extensive cyber team, a lot of funding available to support it. That doesn’t necessary mean that you know those big expensive items the new technology or a deep venture cyber personnel or you know cyber vendors threat feeds and the like are the best solution in every instance. Because ultimately as I noted earlier, there’s multiple ways that you can secure your systems and so that may just mean limiting the number of devices that can be accessed remotely. Limiting the number of personnel that can access the terminals that can access those devices. Having something as basic as a cyber response plan or training for your employees. These are all things that are really effective in buying down risks. Working with those you know state government officials that to help them understand how viable some of the solutions are and that you don’t need to have you know the gold-plated solution in every instance to adequately secure your system. You can do that with a lot of common-sense mitigation measures that address the risks that you are seeing.

 

Ed:      We will be right back after this short break with the rest of our discussion.

 

            TM:         15:41

 

            I’m back with John Ransom from the National Rural Electric Cooperative Association and Adrienne Lotto with the American Public Power Association. Adrienne, I wanted to ask you on the same lines as John was talking about before the break, how your members approach these security issues given that they too have more limited resources than the larger investor-owned utilities?

 

AL:      I think John hit on another of them. Most states now have some sort of a state energy office wherein our utilities are directly working with their state energy offices both on a blue-sky day as well as then to ensure as John said relationships during an event should they occur. So, in terms of state energy offices, I think the challenge there remains that oftentimes we see a high level of turnover in the state energy offices with state officials. So, while the relationship may be established because the political nature of people turning over in the state energy offices and the results of change in elections, it’s really important as John mentioned to continue to build those relationships over time. A lot of state energy offices if they are not should be participating regularly with the utilities in their exercises. Certainly, last but not least, I think John articulated well regarding risk appetite. Each utility has a different risk appetite that is often informed by the customers, what they are serving, whether or not they are in a PUC or not. Are they a larger system or a smaller system. Are they regulated or are they not and so continuing to understand that mitigating risk. Risk mitigation efforts include a variety of approaches whether or not its training or technology. It depends on what the risk is that we are attempting to mitigate. It’s not a one size fits all approach. 

 

Ed:      And Adrienne, in your experience with these state energy offices and that’s a very interesting point that turnover has such a significant effect on the relationships, do you find flexibility at least in some places in terms of how the municipals and co-ops should respond as opposed to the investor-owned utility.

 

AL:      Our members work very closely because they are community owned so they work very closely with their state officials. Again, I think it’s really important that the relationships and the transfer of knowledge occur on a regular basis. Understanding as you mentioned earlier that there may be limited resources. That the cybersecurity risk is continuing to grow and evolve. That additional controls are usually being implemented on a regular basis by the utilities. That physical security risks may be different in remote areas and mitigated differently than in more densely populated area. You know there is this saying when we talk about physical security oh just build a 6-foot fence around it. Great I’ll bring an 8-foot ladder.

 

Ed:      And John, if you had to drill down, what would you say is the biggest logistical or financial obstacle that utilities in rural areas face for both their physical safety, their physical infrastructure and their cyberinfrastructure.

 

JR:       Adrienne did a great job of noting a couple of those issues and I think that those they are very similar of on the co-op side as well when it comes to things like thinking ahead for investments to things like physical security. But what it comes down to ultimately is that as I noted before, any investment is going to represent a cost that is passed onto people at the end of the line. But we have to make investments in these things so how do we ensure that we are making the right decisions, smart decisions that are representing the best value for the co-op and again that comes full circle to using other risk calculus that is appropriate to your entity. And when it comes to a lot of costs many of these things are necessarily one off either. They are part of persistent funding so again from the cyber perspective, hiring new staff personnel, subscribing to threat feeds these are all expensive investments. So, any ways that we can find to things that have broad more access to services through resource pooling or sharing information and thread intel. You know we need to have a lot of these in our toolbox so that we can offset some of those costs so that we can take advantage of the benefits that they give without making them inaccessible to some of the smaller utilities. The other thing I would say to hit on something that Adrienne mentioned earlier, workforce in rural areas is always a persistent challenge for us. It’s typically harder to work through talent to rural areas because they are further away from the concentrations of trained personnel. It can be really difficult to incentivize people to move out to the rural areas that may not have access to the same salary ranges or range of services that they might find in a larger city. Trying to bring some of that training and the workforce development out to the areas where they are needed would help reduce the distance between that talent pipeline and the areas where that talent is needed the most.

 

Ed:      John, another question I wanted to ask you and this is probably sort of like burying the lead. I used to be a journalist and maybe I could have asked this question first. What is at stake here?  What’s at stake if we do not adequately provide this sort of security for these utilities?

 

            TM:         21:34

 

JR:       That’s a great question and I mean I don’t think that it’s hyperbole to say that you know this is a national security issue. We have more than 100 co-ops that are serving more than 100 military installations across the Country. So, an impact to co-op services can have a real effect on our ability to respond during a national security event. But you more broadly than that, what does this mean for everybody, citizens. When the power goes out, people are at great risks. You have medially dependent populations that require electricity for medical devices. You have at risk populations that are more susceptible to extreme heat and cold events. And then you have just the everyday things that we take for granted. Everything from streetlamps to stoplights. You know when the power goes out, the risk goes up. We live in a society that is incredibly dependent on electricity for the you know the sake of our economic and personal safety. I mean it’s important to minimize those outages anywhere you know any way that we can.

 

Ed:      I’d like to ask each of you as we close here what your message would be to state legislators and maybe other state government officials about how they can best support rural utilities in terms of securing the infrastructure and John, why don’t you go ahead.

 

JR:       Sure. So, to keep the theme that I’ve been following here with a lot of my comments, its get to know the utilities in your state. Build a relationship with them. For our cooperatives many of them have statewide associations which are a great entry point to help make some of those connections with those utilities. You know if your state is considering a bill that will impact the energy sector within the state, bring some of those stakeholders that will be impacted by it to the table so that you can factor in those unique perspectives. Again, recognizing that it’s not the energy industry. It’s you know many different stakeholder groups within that industry. When you are considering new requirements especially for something like cybersecurity, ensure that they are aligned with existing resources and guidelines. It will not only help facilitate compliance of the utility side because they will be working with something that they are more familiar with. It will also help with things like harmonizing those requirements down the road with other requirements so that when an incident occurs, we are minimizing the administrative and compliance burden cyberteams so that they can keep focused on addressing the problem at hand and keeping the lights on.

 

Ed:      And Adrienne really the same question to you and you get the last word here.

 

AL:      Well thanks Ed first of all for having me. I really appreciate it. I think my colleague John articulated it quite well. My advice would be to communicate often. I would include with entire ecosystem of decisionmakers, stakeholders. Not just within the state government, but truly as John said. Reach out to the utilities within the footprint, ensure that you have a good relationship with them. If it’s on the regulatory side, get to know who that person is within the utility. If it’s on the emergency response side, get to understand who that person is. If it’s on the safety side, make sure you understand who that person is. Maybe it’s all the same person, but nonetheless it could be different people so communicating often and frequently is the key. As we say here in Washington, DC, make sure you have those decisionmakers around the table because it’s better to be at the table than on the menu.

 

Ed:      Well, I want to thank you both. This is such a critically important issue and I think that you both did a great job at explaining not only the dimensions of it, but also some of the unique characteristics of it. I appreciate you taking the time. Take care.

 

JR:       Thanks Ed

 

Ed:      I’ve been talking with John Ransom of the National Rural Electric Cooperative Association and Adrienne Lotto of the American Public Power Association about the unique challenge of securing the nation’s rural utilities. Thanks for listening.

 

You can check out all the podcasts from the National Conference of State Legislatures by searching for NCSL podcasts wherever you get your podcasts. This podcast “Our American States” dives into some of the most challenging public policy issues facing legislators. On “Across the Aisle” host Kelley Griffin tells stories of bipartisanship. Also check out our special series “Building Democracy” on the history of legislatures. 

 

TM:         26:24