Electric Light & Power Exclusive: Utility CIOs Talk Cybersecurity, Cloud Computing

By Kristen Wright, senior editor

Cloud computing is worth the investment, but some utility information is too sensitive to be kept in the cloud, four chief information officers (CIOs) of major investor-owned utilities told Electric Light & Power magazine.

The executives–Xcel Energy Vice President and CIO Dave Harkness, NV Energy Vice President and CIO Kevin Judice, Southern California Edison (SCE) Vice President and CIO Todd Inlander, and Pepco Holdings Inc. (PHI) CIO Doug Myers–met for a private roundtable with the magazine during DistribuTECH Conference & Exhibition in January.

Cybersecurity and fault-tolerant computing expert Suku Nair, a professor and chair in the Computer Science and Engineering Department at Southern Methodist University at Dallas, moderated.

The foursome agreed the cloud is appropriate for several applications–especially in the back office–because of its out-of-the-box ease and low barriers to exit; however, certain applications should dwell in the clutch of utilities, not up in the cloud.

“We would probably be a little hesitant to use it in some of our most critical areas, just from a data privacy, data security perspective,” Xcel Energy’s Harkness said. “You know utilities–we all take the security of the grid, security of our customer information very seriously, so it would be difficult for us to justify some sort of a cloud solution that either stores it offshore or in a facility that we do not secure.”

NV Energy keeps the most sensitive data on-site, as well, Judice said.

“We like to control those applications internally,” he said. “You know, we also have some cases where we’ve outsourced certain functions to external companies, and we take the same approach there. We don’t push out, you know, our trading and risk. We don’t push our EMS systems out to third-party providers, and we wouldn’t do that in the cloud, either.”

Judice said utilities need a clear separation between the corporation network and the operations network, especially when cloud applications enter the equation.

And then there are the challenges. Publicly regulated utilities tend to encounter many challenges: compliance, legal and cultural, SCE’s Inlander said, plus concerns about privacy and cybersecurity.

Utilities that use the cloud for storage must verify that providers use all the appropriate safeguards, he said.

Although that puts more onus on the utilities, Inlander said, the onus must be there in the first place. Other companies that do business in the cloud have different business models than utilities do in safeguarding information, he said.

“Particularly, we’re talking about more back-office applications,” Inlander said. “So we for sure run the gauntlet, and it’s not like we certainly have an easier time when we want to just run out and build something or buy it and bring it in. And for us culturally, between legal compliance and other groups, the runway just to get there and the precedence we’re trying to set is a pretty difficult challenge for us. But we’re committed to it.”

Judice said that when weighing options in the cloud, he examines the infrastructure in addition to the applications. Some services and processes require tremendous computing resources, but they’re intermittent, he said.

“Do we really want to staff our infrastructure or build our infrastructure to handle those peaks or would we rather push those things out to an Infrastructure as a Service?” Judice said.

“In one recent utilization of a cloud application, we did a penetration test early on and found significant vulnerabilities there,” he said. “Now, the good news is they worked diligently on closing those holes–and to our satisfaction. And so I can’t underestimate that or overstate that. So you should really take a look at putting a lot of scrutiny on the providers themselves because they may have more budget. They may have more capabilities than your internal staff. They also might be a bigger target, as well, because they’re hosting multiple large companies’ data.”

PHI’s Myers said the marketplace should reward cloud providers that focus on security because security and reliability go hand in hand.

“We’re probably not at that point yet,” Myers said. “We’re probably still early on in the evolution of this market. And there are going to be differences in terms of the capabilities of these providers.”

PHI, he said, has an architecture review team.

“Before anything gets attached to the network, it has to run the gauntlet of a cross-functional group of technical experts who are going to look at it from all sides, whether it’s a cloud solution or whether it’s internally hosted, and make certain that it adheres to our standards, it’s at the appropriate level of security,” Myers said.

The utility industry already has connected the dots between security and reliability, Myers said, and cloud providers must do the same.

In a way, cybersecurity could be the saving grace for the electric utility industry, which has struggled to attract enough younger workers to replace retirees, Harkness said.

“Utilities, for the most part–and it really doesn’t matter if you’re talking about HR or IT or any of the roles in the company–it’s not a sexy business,” he said. “But in cybersecurity, we are. So in cybersecurity, folks want to come work for the utility because our challenges–to the points you just made–are greater than most other industries’ out there. We take it, again, very seriously.”

The utilities industry, Harkness said, is different from others, in which executives constantly balance the appropriate level of risk.

“If we find an exposure,” he said, “we have to spend the money to fix it. It’s not negotiable. It’s not an option.”

Harkness said some of that comes back into the cloud discussion. A utility can run an application that identifies every path outside its network, but it cannot validate that same thing through a cloud provider other than requesting a report that verifies particular tests were executed, he said.

As a result, Xcel Energy’s security budget has increased every year, and Harkness expects it will continue, he said.

More security also means more tradeoffs.

“It’s pretty much an annual basis of what other projects we’re not going to do in order to accommodate the security projects,” Harkness said.

Judice said the one effort that’s helping is the National Association of Regulatory Utility Commissioners (NARUC).

“NARUC has done a really good job of reaching out to the state commissions to help them understand what the problem is because we’re consistently challenged with additional compliance burdens from all angles,” he said. “And I think some companies fall into a false sense of security that says, ‘Hey, we passed our NERC audit, so we’re good.’ Well, that’s not going to cut it, right?

“It’s really an education process to your senior executive leadership to the boards of directors to your regulators, and I would say we’re finally seeing–at least I’ve seen–a recognition that they’re taking it seriously now, so they are loosening the purse strings a bit to address those issues. But as Dave said, if you find a significant vulnerability, you don’t have time for all the governance associated with getting authorizations. You just have to get it fixed ASAP.”

Myers said that resources, however, can be a misleading metric.

“If you were to offer me a lower budget but strong executive-level support across the property around the topic of cybersecurity, I will take that over a larger budget but having to be swimming upstream,” he said. “So I think it’s important to think about resources, not just around dollars and cents but around what type of support do you have within leadership?”

Inlander said the utility industry must prioritize potential risks. Utility execs realize one of the industry’s greatest fears is a combined physical and cyberattack.

A man-in-the-middle attack, he said, would focus on supervisory control and data acquisition (SCADA) systems to do considerable damage to utility infrastructures.

“We realize that that is a target,” Inlander said.

“We have to focus on not just increasing the walls of the moat, but greater situational awareness when the threat is actually inside and figuring out how to detect it. So we’ve changed our paradigm a bit.”

Nair said the utility industry must be doing a good job protecting the grid from cyber criminals.

“That’s why they went to Target,” he said.
