Clickability tracking pixel

In Case of Cyberattack, Public Utilities Must Ensure Reliability

Cyberthreats to critical infrastructure for power, water and wastewater utilities were the focus of a three-day Cyber Physical Systems Summit.

by Tamara Dietrich, Daily Press (Newport News, Va.) / September 26, 2016

(TNS) - When it comes to protecting its power grid in Virginia from cyberattack, Dominion Virginia Power considers its long experience with hurricanes a helpful template.

"It's just another challenge," said Rodney Blevins, chief information officer and senior vice president for the biggest utility in the state and one of the biggest in the country.

"One of the things that's important to understand is ... we are obsessed with the reliability of the grid," said Blevins. "To the point where, in certain parts of the organization, you almost can't get people to talk about anything else."

It matters little if the attack is cyber or physical, an act of God or bad actors at home or abroad, he said — the same corporate mission would kick in.

"It's the same outcome you're going to pursue," Blevins said.

Cyberthreats to critical infrastructure for power, water and wastewater utilities were center stage Thursday as the three-day Cyber Physical Systems Summit concluded.

Tangier Island is located twelve miles offshore, in the Chesapeake Bay. The island is a tightknit,  culturally unique fishing community focused on commercial fishing and crabbing.  A rapidly eroding shoreline, climate change and a rising sea level puts the island at risk to be completely underwater...

The summit was held at Jefferson Lab in Newport News and drew cyberexperts, government officials, academics, military personnel and industry representatives from throughout the region to share information and war stories on a broad range of cybersecurity topics.

Blevins said he became CIO at Dominion three years ago after spending nearly three decades in electrical distribution and as an incident commander.

"Which might seem to be an odd thing," said Blevins. "But the idea of having an incident commander in charge of the IT department at a time when the lights could potentially go out seemed like the right thing to do on the part of our chairman. And I'll tell you, I've learned quite a bit."

Anyone can fall victim to an online data breach — even a federal security expert who specializes in preventing data breaches.

In fact, Ron Ross of the National Institute of Standards and Technology said he was swept up in several breaches just last year.

The "big one," he said, was when hackers...

Anyone can fall victim to an online data breach — even a federal security expert who specializes in preventing data breaches.

After several major data breaches in recent years, and especially after the terrorist attacks of 9/11, governments from federal to local have been similarly obsessed with security.

"Virginia takes an 'all hazards' approach to disaster preparedness," said Brian Moran, Virginia Secretary of Public Safety and Homeland Security.

That approach is especially vital, he said, because the state has so many strategic federal and military assets.

The state partnered with the U.S. Department of Homeland Security to launch a pilot initiative to spread cybersecurity awareness and conduct security assessments of water and wastewater groups, Moran said.

On Thursday, utility experts ran through some of what they've achieved, including developing contacts with intelligence agencies.

"We focus a lot in sort of the perimeter in," said Nick Santillo Jr., chief security officer at American Water, a public utility headquartered in New Jersey. "That's sort of our defense base. But we have a lot of activity that happens at our perimeter. So we work closely with both the FBI and DHS around sort of who's knocking on our front door."

The company gives the federal agencies data from its computer firewalls and denial logs, he said, and meets with them on a regular basis.

"Cybersecurity is an evolution," Santillo said. "It's a continuous improvement of process."

Safekeeping the data of employees and customers from cyberattack is just as critical, said Barry Lawson, associate director for the National Rural Electric Cooperatives Association.

NRECA is a national trade group representing more than 900 electric cooperatives in 47 states serving more than 42 million customers.

"Data protection is just another part of operating a business," said Lawson. "When I talk to cooperatives, I'm trying to make sure they understand the risks of not protecting that information. There's reputational risk, there's legal risk. If you're found negligent, you really can have a major financial downfall. Some of our cooperatives are small enough that legal action along those lines could potentially financially do them in."

The nonprofit scientific and educational group American Water Works Association, based in D.C., partnered with DHS and the National Institute of Standards and Technology to develop a road map to cybersecurity, said Kevin Morley, the association's security and preparedness program manager.

It's important to keep having discussions on cybersecurity, Morley said, "and frame this in the context of risk management versus risk elimination."

"The idea that this framework is somehow a checklist of, well, if I do all these things, then I'm good, I can rest assured and can get some sleep — that's not a good way to look at this," said Morley.

"It's a dynamic threat environment. A dynamic playbook. That's why you have an incident commander guy running things at Dominion, right? It's an all hazards approach. You don't know what's going to be. I just think risk elimination needs to be moved away from the lexicon."

The regional cybersummit was the first to be held in Virginia. It was hosted by Gov. Terry McAuliffe, who has made cybersecurity the mission of his yearlong tenure as chairman of the National Governors Association.

©2016 the Daily Press (Newport News, Va.) Distributed by Tribune Content Agency, LLC.

E.REPUBLIC Platforms & Programs