NEW ORLEANS-The power grid industry is certainly vulnerable to cyberattacks, but that assault may not be a bold offensive led by brazen digital overlords.
More likely, the bad guys wouldn’t scale the proverbial wall. They would find small cracks or gaps that could then offer a path to a greater campaign of destruction.
“Bad guys always take the path of least resistance,” Paul Feldman, board director with EnergySec and a cybersecurity expert of many other titles, said during one of DistribuTECH’s megasessions Tuesday at the Ernest N. Morial Convention Center.
Feldman was one of three experts offering a 90-minute take on “Best Practices in Cybersecurity” at the event. He was joined by Rick Mroz, a former New Jersey and federal regulator and now senior advisor for Protect Our Power, as well as Gary Johnson, senior director of cybersecurity and infrastructure for Evergy (created from the merger of Kansas City Power & Light and Westar Energy in Missouri and Kansas).
The North American Electric Reliability Corp.’s Critical Infrastructure Protection (or NERC CIP) is the law of the land for guarding against cyber and physical attacks on the power grid. A major U.S. utility was recently fined $10 million for allegedly violating those protective standards.
And yet the DistribuTECH panel asserted that NERC CIP is simply a necessary baseline that cyber-aware companies need to exceed to be safe. They also can’t do it alone.
“We can all see that cybersecurity threats are going to evolve,” said Mroz, the POP advisor and former regulator. “It’s a threat like no other and it requires collaboration.”
Some 3,000 entities provide or distribute the power which American customers consume, and maybe 100 of the biggest entities are capitalized to invest in confronting the cyber challenges. That means maybe 2,900 utilities (including cooperatives and municipals) are out there with maybe one IT person (or less) to defend their part of the grid.
Johnson works for Evergy, a major utility willing and able to invest in its cybersecurity. Evergy constantly patrols for its own weaknesses and even brings in third parties to find those holes.
“Having someone else with a different point of view to assess threats makes a lot of sense,” Johnson said. “Usually they can find two or three things we missed.”
Build cyber defenses around fundamentals, he added. Patrol for anomalous behaviors at the edge of the system, but also educate employees on not giving the bad guy an opening.
In one of its phishing exercises, the utility learned lessons by attacking itself. They gained enough information from one employee’s social media page to create a profile and use that to infiltrate.
“People are stupid” sometimes, Johnson quipped.
It could happen to anybody, the experts noted, so hyperawareness of emails is crucial. Multi-factor authentication is gaining momentum and could perhaps do away with the need for passwords eventually.
The changing grid on the generation side is always a possible front. Mroz noted there was no standard around integration of manufactured devices, many of which come from overseas.
“We’re doing ourselves a disservice,” he said. “We should look at standards for deployment of devices with continued deployment of distributed energy resources.”