Protecting Energy Infrastructure Forum

On July 13, CCHS hosted a panel of experts to discuss the security of the energy grid.  Director Frank Cilluffo moderated the session, in which government and private industry experts discussed public-private partnerships, resilience of the sector, information sharing, and how cyber and physical security are related. The panel included representatives from the public sector, Patricia Hoffman and Jeanette Manfra, along with those from the private sector, including Scott Aaronson, Brian Harrell, Chris Peters, and Joe Sagona. The panel then engaged in a question and answer session on these complex topics. 
 
The panel agreed that cyber security and physical security should be dealt with as one combined issue, rather than separately. Ms. Hoffman, the Principal Deputy Assistant Secretary at the Office of Electricity at the Department of Energy (DOE), mentioned the creation of the Cyber Security, Energy Security, and Emergency Response office (CESER) at the DOE. This office will coordinate responses to both physical and cyber attacks.  Mr. Sagona, the Senior Director for Cybersecurity at Pacific Gas and Electric, said that a merger between cyber and physical security would bring more situational awareness; “they are not isolated or separate.” Those in private industry agreed that the combined cyber and physical risk is a “board-level priority” (Mr. Peters) and they brief their board on these issues up to five times a year. 
 
The issue of resilience was brought up multiple times by the panel, which emphasized the importance of this issue for energy systems.  Mr. Aaronson, the Vice President of Security and Preparedness at the Edison Electric Institute, defines resilience as maintaining operations in the face of problems or attacks. He likened the resilience of cyber systems to the physical systems that are in place for storms.  He used the example of Hurricane Irma, when power was restored to millions of people only five days after the catastrophic storm.  He believes that “investments in resilience and preparedness show great dividends,” and should be applied to cyber security.  One cannot protect all things all the time, and attacks will happen, which is why resilient systems are so important.  Mr. Harrell, the Managing Director of Enterprise Protective Services at Duke Energy Corporation, highlighted how this plays out in the energy sector: one piece of infrastructure should not be so critical that if something happens to it, everything else falls apart; infrastructure should be “redundant” so that when something does happen, operations can be re-routed and maintained.  Mr. Sagona agreed with this, also referencing the diversity of the US grid.  The variety of owners and operators helps in response to an attack, and also makes critical assets less critical.
 
The importance of partnerships, both throughout levels of government and across sectors, was highlighted by the panel. Mr. Sagona mentioned that these partnerships have evolved “significantly,” and he has found that the public and private sectors are now more willing to work together and share more information.  Ms. Manfra, the Assistant Secretary at the Office of Cybersecurity and Communications at the Department of Homeland Security (DHS), agreed and cited this maturity as evidence of the trust that has been built.  She believes that declassifying and sharing information across the industry is important both to prevent and mitigate attacks.  Mr. Aaronson also brought up the relationships that private companies have with state governments, citing them as “the consequence people,” and noting that coordinating with them is highly valuable. 
 
Mr. Cilluffo closed the session with a question about how artificial intelligence (AI), machine learning, automated indicator sharing, and lab initiatives will play a role in the future of securing the energy sector.  Ms. Manfra believes that industry has a “huge opportunity to take advantage of machine learning.” She believes that implementing AI will allow analysts and other employees to do less "busy work." Ms. Hoffman added that machine learning and lab initiatives will also help physical security, further melding the two aspects of security (cyber & physical) together. 
 
Throughout both the panel and the question and answer session, the topic of information sharing was discussed frequently.  ISACs, or information sharing and analysis centers, help facilitate information sharing around a certain industry.  The E-ISAC, or electricity information sharing and analysis center, has become a conduit for information sharing between the industry and government.  The panelists from both the public and private sectors agreed that the E-ISAC can only be successful if there is private industry buy-in—as Mr. Harrell said, you “get out what you’re willing to put in.” Mr. Peters, the Vice President and Chief Security Officer of the Entergy Corporation, added that the “information sharing model needs to mature to match the threat.” Mr. Aaronson added that in regard to the E-ISAC, “cybersecurity is not an IT issue, it is a leadership issue.” Information sharing needs to be embraced by leadership for it to be successful across sectors.
 
Summary prepared by Caroline Ritchey
 