Focus on the CIO: Wise Guys on Cyberspies, the Dollar’s Demise

by Kristen Wright, associate editor

Hardly anyone in the U.S. government or utility industry will go on record in response to an April 8 report in The Wall Street Journal that foreign cyberspies penetrated the U.S. power grid; the article itself attributes unnamed senior intelligence officials.

Three top utility chief information officers (CIOs), however, said they’re scared but prepared, and they don’t know where the penetration occurred. Anyone keeping a list of possibilities may cross off Austin Energy, Cobb Electric Membership Cooperative (EMC) and Duke Energy.

“This is a topic that utilities don’t like to talk about,” said Andres Carvallo, CIO at Austin Energy in Texas. “I can tell you that cybersecurity, next to safety, is the No. 1 thing we worry about in the electric industry, so that would be the extent of what I’d say. I thought that those articles were very interesting. I don’t have any way to corroborate if they’re true or not. They’re certainly not true in Austin.”

The nation’s ninth-largest community-owned electric utility serves some 388,000 customers in the Texas capital and Travis and Williamson counties. Its portfolio includes nuclear, coal, natural gas and renewable energy sources that generate more than 2,600 MW.

Four states east, Cobb EMC is based in Marietta, Ga. It serves 190,000 residential and commercial customers, making it one of the largest co-ops among the nation’s 900.

Robert “Bob” Arnett is Cobb EMC’s CIO. He said it’s partly up to vendors to prevent cyberattacks, and they must be at the tops of their games. Industry insiders have confirmed cyberattacks on the grid, he said.

Bob Arnett, COBB EMC CIO Click here to enlarge image

“From the webinars I’ve attended, it’s more than probable–it’s already happened,” Arnett said. “I think the grid is definitely at risk, and we need to be aware of it.”

In addition to grid penetration, the Journal reported that government officials, not utility officials, made the discovery. If so, a question looms largely unanswered: Should cybersecurity be a utility or government responsibility?

“I think the private sector develops solutions better and cheaper,” Arnett said. “I just hope the government doesn’t get in the way.”

Andres Carvallo, Austin Energy CIO Click here to enlarge image

Northeast of Cobb EMC’s service area is Duke Energy, based in Charlotte, N.C. One of the largest U.S. electric power companies with some 4 million customers in the Carolinas and Midwest, Duke Energy will continue its defensive strategy regardless of the government’s level of involvement, said A.R. Mullinax, senior vice president and CIO.

A.R. Mullinax, Duke Energy CIO Click here to enlarge image

“Our challenge is to protect against anything that might affect the safety and reliability of our power grid,” Mullinax said. “I can only speak for Duke Energy, but I can tell you we take security very seriously. We use the latest tools and industry standards to evaluate, monitor and constantly improve our security posture. We maintain a constant vigilance on emerging threats and take all necessary, preventive actions; however, I would never classify anything as impossible.”

Living in a digitally connected world comes with consequences, including attack vectors that knowledgeable cyberattackers might pursue, Mullinax said.

“When guarding something as precious as the power grid, you have to put security at the forefront and take all necessary actions to mitigate risk,” he said.

Duke’s defense includes multiple layers throughout its information technology (IT) infrastructure, Mullinax said. Services include:

  • Ongoing penetration testing of IT systems using widely accepted application-scanning tools and outside specialists,
  • Providing security consulting services in support of project teams to identify and mitigate security risks before implementing new or updated IT systems, and
  • Maintaining architectural standards and policies prescribing how infrastructure and software are used and configured to defend against cyberattacks.

Austin Energy’s defense begins with measures as simple as prohibiting employees from on-the-job Internet surfing. Employees may not watch YouTube videos or update their Facebook pages via company computers, Carvallo said.

“I don’t have any peers nationwide that aren’t working on this,” he said. “Security tends to trump convenience and functionality. Security always wins.

“Utilities have, for as long as anyone can remember, been focused on security–originally physical security. NERC CIP (critical infrastructure protection) standards have been going on for a long time now. I’ve been doing this particular job for six years, and we’ve been on the NERC CIP bandwagon since then.”

Right now, utilities are conducting audits in preparation for 2011, when NERC CIP penalties will start being assessed, Carvallo said.

He doesn’t think cyberspies can bring down the grid on a national scale because it’s regionally segmented, he said.

“I don’t know what that means, really,” Carvallo said. “Physically, there are 10 regions controlled by ISOs or RTOs like ERCOT in Texas, and those 10 regions are somewhat interconnected electrically. Texas is separate from the east coast or the west coast. If somebody penetrated and took down Texas, they couldn’t take down the west coast and the east coast. There is some kind of resilience there.”

ERCOT, the Electric Reliability Council of Texas, is an independent system operator (ISO) that manages electric power flow to 22 million Texas customers–85 percent of the state’s electric load and 75 percent of the state’s land. ERCOT schedules power on an electric grid that connects 40,000 miles of transmission lines and more than 550 generation units. In addition, it manages financial settlement for the competitive wholesale bulk-power market and administers customer switching for 6.5 million Texans in competitive choice areas, according to its Web site.

As utilities introduce measures to prevent cyberattacks, they also feel tightening budgets. They enter public discussion of falling utility stocks, lighter spending and other effects of the recession about the same way they react to questions regarding grid penetration.

Recession Rethinking

As utilities introduce measures to prevent cyberattacks, they also feel tightening budgets. They enter public discussion of falling utility stocks, lighter spending and other effects of the recession about the same way they react to questions regarding grid penetration.

And that comes from a CIO whose utility is faring better than some. Besides decreased employee travel and other obvious first-round cutbacks, Austin Energy isn’t experiencing significant degradation, Carvallo said.

“That may be unique to Austin,” he said. “Texas is bucking the trend. We have seen a small slowdown, but it’s very small. It’s not indicative of the national outlook, primarily because we benefit from the location and the popularity of the city. People from the east coast and the west coast move to Texas. We seem to somewhat benefit from the crisis.”

And that comes from a CIO whose utility is faring better than some. Besides decreased employee travel and other obvious first-round cutbacks, Austin Energy isn’t experiencing significant degradation, Carvallo said.

Like most utilities, Austin Energy is in the middle of budgeting for fiscal year 2010. The OPEX budget will get scaled back to 2008 levels, and the CAPEX fiscal year 2010 will remain at 2009 levels. Carvallo said several projects will continue at a slower pace.

“It looks like our forecast for FY10 may be flat on budget,” Carvallo said. “We’re trying not to spend more. We’re trying to cut back. In general, every project that we’re in the middle of–including integration of smart grid–we’re not stopping. All the projects I know of will continue.”

And that comes from a CIO whose utility is faring better than some. Besides decreased employee travel and other obvious first-round cutbacks, Austin Energy isn’t experiencing significant degradation, Carvallo said.

Those projects include the Pecan Street Project–otherwise known as Austin Energy’s smart grid 2.0–to help the city of Austin meet its goal to generate 300 MW of clean energy within the city limits. Carvallo said Austin Energy’s smart grid 1.0, which began in 2003, will be finished, delivered and servicing 100 percent of the territory in August. It identifies the city’s potential challenges in meeting this goal and provides possible resolutions.

Those guiding the Pecan Street Project include the city, the Greater Austin Chamber of Commerce, the University of Texas, Environmental Defense Fund and corporations. According to the project’s Web site, the goal is to design:

  • A system that delivers plentiful, reliable and affordable power to the growing citizenry,
  • A system that is responsible with precious natural resources such as air and water,
  • A system that can eliminate the need for more polluting power plants,
  • A system that produces a power plant’s worth of energy, generated within the city limits via renewable resources,
  • A system with a sound, sustainable business model, and
  • A system to share with cities across the United States and around the world.

The project will make Austin the first city to fully deploy the smart grid–predictable for several reasons: the Texas grid serves only Texas; power system modifications don’t require federal approval; Austin is demographically green and technologically savvy; and the Austin City Council is the board of directors. It all makes for a quick buy in and move to the smart grid.

Smart grid 2.0 is all about the customer. It will deploy probably in January 2010, Carvallo said.

“It’s the only kind of project like it in the world,” Carvallo said. “When we’re done with that planning phase, which finishes in August ” we’ll start working on deploying some pilots.”

Austin hasn’t been hit by the recession as hard as other areas, but Carvallo still has challenges, including the culture change for employees, the ecosystem at large and changing customer behavior. It all makes faster progress more difficult, he said.

“I would say that our biggest challenges are that there are never enough hours in the day to do everything we’re doing,” Carvallo said. “The other one is that we’re reinventing the industry. This is the seventh year in a row that NREL has declared us the No. 1 green energy utility. When you think about it, that’s just amazing, right? We’ve been building the smart grid for four years, and we’re going to finish before anyone else.”

NREL is the National Renewable Energy Laboratory, the nation’s primary laboratory for renewable energy and energy efficiency research and development.

The Pecan Street Project in Austin, otherwise known as Austin Energy’s smart grid 2.0, will help the city of Austin meet its goal to generate 300 MW of clean energy within the city limits. Photo copyright Greater Austin Chamber of Commerce Click here to enlarge image

Not all utilities have been spared. Duke Energy has had to delay some IT projects and scrap others. Its standard process is to ensure IT projects closely align with business initiatives, and then leadership prioritizes those projects. Mullinax listed the prioritization process first in a list of his IT department’s biggest challenges.

“As the business functions raise their thresholds to meet increasing cost pressure, IT projects have been eliminated and delayed,” he said. “The net result has been that the IT projects that the business values the least have been eliminated from this year’s plan.”

Smart grid-related projects, however, remain on the calendar.

“The smart grid is permeating every area of IT at Duke Energy including applications, infrastructure and security,” he said.

Duke Energy will allow smart grid customers online access to their daily energy usage. Functions have been integrated with the customer information systems, meter data management system and work order system to provide remote order fulfillments. It allows work orders for smart grid meters to be performed electronically as opposed to rolling trucks and service techs. Its capablities include performing meter reads and re-reads and connect and disconnect functions electronically, Mullinax said.

Duke also will expand its call center technology to provide athome agents, consolidation of second and third call center shifts, more virtual calls between regions and expanded dashboard reporting, Mullinax said.

Two new teams will support Duke’s smart grid initiatives. One will focus on developing and supporting all smart grid applications. The other will focus on telecommunications to support field devices and move data from the field to the corporate data center.

Duke also has expanded the role of its security and architecture teams to ensure its smart grid system designs are scalable, stable and secure, Mullinax said.

Second on Mullinax’s list of challenges is continuing to deliver Duke’s schedule, scope and budget commitments through excellent project management while minimizing the impact of implementation through excellent change management. Other challenges include reducing the support costs of legacy IT systems to channel more money to new IT investments; maintaining sufficient IT, business knowledge and skills to support legacy systems; and keeping the infrastructure secure, he said.

Down south, member-owned Cobb EMC isn’t as concerned about the stocks, Arnett said. Instead, everyone is paying close attention to the government and its involvement. Arnett looks forward to smart grid implementation and expects his IT department will be affected in a big way. The co-op has a sophisticated distribution system and AMI meters in commercial accounts, but not in residential accounts.

“The stimulus package might help us fund that,” Arnett said.

Continued projects for the co-op include developing new renewable programs, a single-page bill and a Web self-service redesign. Cobb EMC also will upgrade network security, and application enhancements recently were approved.

Arnett, like Mullinax and Carvallo, has his own challenges.

“Seems like everything’s a challenge these days,” he said. “Our PMO (project management office) organization has a great project success record. We’ve got great teamwork, many working 10 to 12 hours a day–that’s a challenge. We have a big opportunity with Oracle to expand our ASP (application service provider) partnership. I’ve hired a sales rep. I might be the only utility company CIO that has a sales rep.”

There are many more challenges CIOs dare not speak of in public. Even so, when fighting cyberattacks during tightened spending, a CIO can remain optimistic like Arnett.

“I think there’s a market for a Cadillac system with a Chevy budget,” he said.

Maybe nobody told him that the feds own those brands. Recession changes everything.

On the Net:

Austin Energy:
Cobb Electric Membership Cooperative:
Duke Energy:
Pecan Street Project:

Previous articlePOWERGRID_INTERNATIONAL Volume 14 Issue 5
Next articleNew Mexico Gov. Bill Richardson Protests DOE Smart Grid Grant Guidelines
The Clarion Energy Content Team is made up of editors from various publications, including POWERGRID International, Power Engineering, Renewable Energy World, Hydro Review, Smart Energy International, and Power Engineering International. Contact the content lead for this publication at

No posts to display