october 2021

Security eMagazines

By Scott Aaronson, Contributing Writer

Special Report – Critical Infrastructure


The critical infrastructure public and private sector can look to America’s electric companies for a holistic approach and partnership on supporting essential improvements to security posture and culture.

Protecting the Energy Grid Is a Team Sport

Font, Rectangle

songqiuju / iStock / Getty Images Plus via Getty Images

The power supply facilities of contour in the evening

We all have heard some variation on the sentiment that protecting our people, data, networks and infrastructure cannot be the responsibility solely of those with “security” in their titles.

For America’s electric companies, whose infrastructure is critical to the life and safety of our customers, communities, and country, that has meant an aggressive commitment to:

  • Coordinate with key stakeholders, including vendors, interdependent sectors and government partners;
  • Develop a culture of security within companies, from industry leaders to frontline workers; and,
  • Prepare for current and future threats by investing wisely, prioritizing critical assets, and engineering resilience against all hazards.

This holistic approach is informed by more than a century of operating the energy grid of North America, which requires all segments of the electric power sector to work together to address shared threats and to respond collectively when incidents do occur.

Now, as threats evolve from emboldened and increasingly sophisticated malicious actors targeting critical infrastructure, this framework has supported key improvements to the security posture and culture of electric companies.

Aligning Roles of Government and Industry

It is not surprising that many people assume that the government’s only role is to regulate while the industry’s role is to operate, and that coordination is untenable given this dynamic. After all, the electric power sector is among only a few industries to have mandatory cyber and physical security regulatory standards.

Fortunately, there is a much deeper partnership and a strong desire to collaborate among industry and government leaders. Both the public and private sectors recognize that neither can do it alone.

This industry-government partnership is embodied in the Electricity Subsector Coordinating Council (ESCC), which brings together chief executives from all segments of the industry with senior government officials to prepare for and respond to all hazards. The ESCC is recognized as a model for industry-government coordination and has helped to align government intelligence gathering and policymaking with the industry’s operational security efforts.

One example of the shared responsibility for protecting critical infrastructure can be seen in the deterrence strategy. That is, we deter adversaries by limiting the impact of their efforts and by imposing a cost for the attack. The former is largely the responsibility of energy grid operators to be resilient and minimize the impact of an attack so that adversaries choose a different target; imposing consequences then, such as diplomatic sanctions, legal repercussions, or reciprocal attacks, is exclusively the purview of government.

A more specific example of the shared responsibility is captured in the Biden administration’s 100-day Action Plan for Industrial Control System Security pilot program. Due to threats to critical infrastructure early in President Biden’s term, his National Security Council made enhancing visibility into operational technology systems a top priority.

The electric power sector was proud to be the first sector chosen for this initiative and is deploying sensors on control systems for high-priority facilities that will support situational awareness, intelligence gathering and better defenses for critical systems. This will also be an opportunity for other sectors to learn from the electric sector’s experience and improve visibility into other critical industrial systems.

As we have seen with the Colonial Pipeline attack and supply chain threats from SolarWinds and the Kaseya ransomware attack, the adversary is not thinking in discrete industrial sectors. Neither should we.

In addition to supporting public-private partnerships like the ESCC, it is critical that we improve industry collaboration across industrial sectors and with vendors as well. The electric power sector is focused on improving how we assess and share vulnerability data, aligning our defense and response capabilities with interdependent sectors, and incentivizing the security of suppliers for critical systems. These are not unique to electric companies. They are issues that all sectors and government partners must address collectively.

Font

The electric power sector is focused on improving how we assess and share vulnerability data, aligning our defense and response capabilities with interdependent sectors, and incentivizing the security of suppliers for critical systems.

Advancing a Culture of Security

Several decades ago, occupational safety incidents were far too prevalent among electric companies. This caused industry leaders at the time to make workplace safety a priority, resulting in a culture shift that is still strong today.

A similar challenge now exists as security threats pose a risk to operations and reputation. Again, industry leaders are focusing on changing corporate culture as one way to address this risk.

Thanks to leadership from the chief executives of all U.S. investor-owned electric companies, the Edison Electric Institute (EEI) developed a “Culture of Security” initiative that has provided tools to improve security culture for individual electric companies and a venue for sharing practices across the industry.

Self-assessments are now conducted by companies annually. In addition to demonstrating that security is a priority for the “C-suite,” this yearly exercise provides a venue for security teams and leaders across business units to address corporate security culture and to better align efforts.

When it comes to securing specific systems like operational technology for power delivery, much of the expertise is in the sector. To leverage this expertise, electric companies are now piloting a peer review program to have security professionals from electric companies review their peers, identify opportunities for improvement and socialize best practices.

The commitment from industry operators to participate in these programs highlights both the shared responsibility felt across the sector and the desire to learn from each other. While culture alone does not improve security posture, it is the foundation on which new efforts are built and ensures that today’s imperatives remain tomorrow’s priorities.

Preparing for, and Responding to, all Hazards

The final part of the electric sector’s philosophy on security acknowledges that you cannot protect everything all the time. We must not just protect and defend, but also prepare to respond and recover should security fail.

To that end, the industry’s commitment to mutual assistance — companies helping each other to recover following storms and other disasters by sharing crews and material — now applies to security threats. This includes the establishment of a Cyber Mutual Assistance program under the leadership of the ESCC, which enables the sharing of experts and equipment among the more than 150 companies that participate in the program. There also are mechanisms for sharing hard-to-replace equipment like high-voltage transformers and new resilience strategies that allow for operations in a degraded state. These critical programs have been expanded in recent years.

Of course, there are some systems that are too important to fail. Whether it is the Defense Critical Electric Infrastructure that supports military missions or the systemically important critical infrastructure that supports our way of life, identifying priorities allows electric companies to engineer security, redundancy and resiliency with a risk-based approach.

Given the critical role that the energy grid and electric infrastructure play in supporting national and economic security, electric companies are committed to working together and with their government partners to ensure this infrastructure is resilient and secure. These efforts are the product of leadership and effort at all levels of government and the electric power sector and are informed by more than a century of coordinated operations among a variety of stakeholders.

About the Author
Scott Aaronson is Vice President, Security and Preparedness at the Edison Electric Institute (EEI). Aaronson has been with EEI since 2009 when he joined the government relations department focusing on security and several emerging technology issues, including electric grid modernization, cybersecurity policy and telecommunications priorities. He now leads EEI’s security and preparedness team where he focuses on industry security and resilience initiatives, establishing collaborative partnerships between government and electric companies — and across critical infrastructure sectors — that enhance security for the energy sector. In addition to his role at EEI, Aaronson also serves as part of the Secretariat for the Electricity Subsector Coordinating Council (ESCC). Image courtesy of Aaronson

Scott Aaronson
A rear view of a businessman in black suit with a briefcase and a black umbrella standing at water edge and looking rainstorm clouds at sunset. Lightning is seen descending from a gray and cloudy sky.

Special Report

Critical Infrastructure

A Resilience Framework for the Future

By Daniel Kaniewski

Smart city, building technology

Special Report

Critical Infrastructure

Cyber-Physical Security in an Interconnected World

By Dr. David Mussington

Wind turbines for electrical power generation in green agricultural fields

Special Report

Critical Infrastructure

Protecting the Energy Grid Is a Team Sport

By Scott Aaronson

Truck on the road going in the american countryside

Special Report

Critical Infrastructure

GridEx: How Exercising Response and Recovery Supports Grid Reliability

By Kate Ledesma

Aerial view of a water treatment facility in the South Texas area just south of Houston.

Special Report

Critical Infrastructure

Combatting Security Threats to Our Nation’s Critical Water Infrastructure

By Michael Arcenaux

Logo, Font, Text

october 2021 | securitymagazine.com