Energy panel says sharing information is critical to energy security

Published May 10, 2016 by Paula C. Squires

Safeguarding data is a challenge for businesses today as hacks and breaches dominate the headlines. Yet the energy industry has been somewhat gun-shy in terms of revealing what it’s doing to protect energy and data assets because of the critical importance of the country’s electric grid.

That curtain rose a bit Tuesday as a panel of energy professionals talked about the importance of information sharing and other ways to protect against cyber and physical threats during an energy conference. The 2016 Energy, Sustainability & Resiliency Conference, put on by the Virginia Chamber of Commerce at the Greater Richmond Convention Center, drew more than 400 people.

Moderated by Brooks Smith, a partner at law firm Troutman Saunders, the panel on energy security agreed that cyber security has risen to the top of the list as a chief concern. Yet physical security must remain a priority as well.

Asked what Dominion is doing to protect its energy assets, Mark Engels, the company’s enterprise technology security and compliance director, talked about several efforts. Following an attack in California in April 2013, when gunmen shot at 17 transformers at PG&E’s Metcalf substation near San Jose — causing damage but no power outages — utilities across the U.S.  began to shore up their physical infrastructure at the direction of the Federal Energy Regulatory Commission.

“We looked at that attack and decided to invest $500 million over five to seven years to strengthen the physical, communication and operational controls for the infrastructure,” Engels said. 

The Richmond-based energy company, whose subsidiary Dominion Virginia Power serves 2.4 million customers in Virginia and northeastern North Carolina, tests for vulnerabilities. “We do almost continuous vulnerability assessments to test our staff and controls in their ability to detect something,” Engels said.

Information sharing also is key to thwarting threats, the panelists said.

“We have close relationships with our peers, the federal government, state utilities and other groups,” Engels said.

A recent enlightening exchange of information for the energy industry came after the investigation by a U.S. team into a December attack on Ukraine’s power grid that caused widespread outages.

The attack, described as a first confirmed cyber-warfare attack affecting civilians, cut power to about 225,000 people for six hours. One senior Obama administration official told a gathering of electric-power grid industry executives in February that the Russian government was behind the attack, although other government sources said the evidence wasn’t conclusive enough to draw that conclusion.
 
The event raised major concerns because the U.S. power grid has some of the same vulnerabilities seen in the Ukraine attack, U.S. officials said at the time. For a
U.S. team to go in, assess what went wrong and to share that information with the energy industry was “a very useful case study,” Engels said.

“It is possible that that kind of attack could happen in the U.S.,” he told the audience. “If you look at the number of utilities in Virginia, there are at least 12 cooperatives, all of whom have distribution assets that provide power to customers. So we looked at the tactics, techniques and procedures and walked through how would Dominion respond to that type of attack. What controls do we have to have in place to prevent that from occurring?”

In the Ukraine event, not only did the attackers cause outages, they launched a service attack that prevented customers from reporting outages, which slowed down the utility’s ability to recover, said Engels. “The way the Ukrainians recovered, “ he added, “they moved into manual mode for a period of time.”

“We’ve been able to see the steps that were taken so we can implement controls and put mitigations in place to make it more difficult for an attacker to accomplish that or to identify an attack early on.”

Jim Reinhart, chief operating officer, development and operations for data center operator QTS, said Virginia has a good track record of protecting its assets. Plus, it’s the No. 1 data-center market in the country.

“It has a robust policy around clean, low-cost cost energy and great public and private partnerships. The strength of the military in the state also provides physical security,” he added, “and things like strong tax policy have helped.  When it comes down to thinking about core elements, about where you go, it comes down to people. Two of every three attacks are due to human failure,” he said.

“… The only way to keep Virginia No. 1 in the market, is to get better on all fronts,” he added.

Jason Nichols, director of SAIC’s iSpace Lab, has spent many years in critical infrastructure protection. “The fact that we are having this conversation on stage is a positive signal,” he said. “There is a lot of vulnerability here. Virginia is unique. We have a lot of military, a lot of sensitive private infrastructure, and they are attractive targets.  Let’s get our colleagues to share information. Make it your own business to understand what’s going on.”