Andy Stone: Hello and welcome to the Energy policy now podcast from the Kleinman Center for Energy Policy at the University of Pennsylvania. I'm your host Andy Stone. The energy industry increasingly relies on information technology to manage everything from customer accounts to pipeline systems and complex smart grids. But the embrace of communications technology has exposed the industry to cybersecurity threats. Recent cyber attacks have succeeded in stealing or destroying the data of major oil companies. While the interconnected nature of our electric grid opens the possibility that a well coordinated attack could take out part of the nation's electricity supply. The industry is awakened to threats, but of course, no easy task to protect the sprawling electric grid or a pipeline network from nimble cyber terrorists. Our guest today has led cybersecurity efforts in government and industry. Bill Hederman is a senior fellow at the Kleinman Center and executive advisor to a data security company, agile PQ, where he consults to energy companies on cybersecurity issues. Until 2016 he was a senior advisor to the Secretary of the US Department of Energy (DOE). Bill, welcome to the podcast.
Bill Hederman: Thank you, Andy.
AS: Just to get started, could you give us some background on your involvement with cybersecurity issues and a view into what cyber security is, particularly within the context of the energy industry?
BH: So cybersecurity is the element of security needed by the energy industry to protect itself from attacks that would come not through the wires of the grid or the pipes of the oil or gas networks, but through the wires for communication, either telecommunication or, or information technology. And it's a threat that has been growing rapidly in the last couple of years.
AS: Is there a specific issue that brings us to light now, technology issue that cybersecurity is come to the floor?
BH: Well, you know as you mentioned, I finished up at DOE in July of this year and in one of my last assignments I was in Ukraine. And of course, when you're in a environment like that where you know that you're being tapped at all times, you're very aware and careful about what you're doing with your computer, with your cell phone, et cetera. But when you're at home and you're comfortable, you probably are taking risks that you really should not be doing, you know, the threat is real and imminent. In the early days it was mostly like vandalism of amateur hackers. Just trying to see what they could do. It started to grow the organized who were after primarily credit information and maybe intellectual property that they could resell. But now it's a matter with nation state levels of hostile activity. And while it's not leading to blackouts, we see the trail of attacks being successful in penetrating systems. That means you need to go and find out what's in there and make sure you get it out and clean it. And then also, you know chains as strong as the weakest link. The weakest link here we can see is not necessarily the technology, it's the human factor. People opening something they shouldn't open, linking to something that they shouldn't be linking to. And so the dilemma now as we see it is how do you keep the mission of an organization in place so they can do their business, but do it without opening itself constantly to these potential attacks?
AS: Now there's been a lot of focus on cyber security in recent years. We've seen a major retail chain stores in United States under attack for credit card data, these types of things. How is this specifically different or the same when you're looking at cybersecurity between a retail industry, a credit card supplier and what's going on with oil and gas or the electric grid?
BH: Okay. So we have seen attacks on retail companies largely about credit information, as you said, financial institutions have seen attempts at attacks, but for the most part, financial institutions knew they would be attacked and their security is at a different level. The energy companies, if you will, we're thinking about normal industrial strength security. But, what we were seeing and you know, in the physical world, we saw this in warfare over the last couple of decades that taking out power generation facilities, et cetera, early was important thing to do. Well, now as we look at the potential for, hostilities in a whole different space and literally there is a cyberspace command now and all the major powers the battle ground is being laid out now. And so when somebody has a successful entry, if you will, they're leaving a minefield behind, but we have to go and find it and take up those mines. But the attacks aren’t happening there because the US has stated that it would be viewed as an act of war to attack and take out things like our grid. So the brashest thing we've seen along those lines was the attack on a small dam and New York State so far of via cyber attack.
AS: Who are the aggressors specifically when we're talking about cyber terrorism on the energy industry?
BH: Okay. So, I don't use the term cyber terrorism. It's to me, it's just cyber hostility. And this is more than terrorism. It's, it's geopolitical maneuvering. There's no public solid evidence. There's lots of indicators about who's involved. Ukraine has publicly accused Russia of the attacks that took out a quarter of a million people on their system. There have been claims of evidence on other parties as well. But the evidence in the cyber world is difficult to come by. And when you, when you do have information on it, it's usually going to stay classified because as methods and means of figuring that stuff out needs to stay quiet.
AS: Yeah. How do these attackers break into a network and what are the tools that they're using?
BH: One of the main ways is a company's going to have a firewall and agency's going to have a firewall. The best way to get through the firewall is to convince the system that you belong on the safe side of the firewall. So that generally happens through what are called fishing expeditions, which is notes are sent to people. They're sent in a way that invites them to click it open. And we all get many of these that we know are bogus and we just toss them.
AS: These are the fishing emails that come into your inbox?
BH: Yes, yes, yes. And, sometimes all you have to do is open it and you can get infected. If it's a really advanced form of attack, others you'll need to click into some specific attachment or something. So people need to be alert on this and is actually a debate now, you know, in the past how we've addressed this is as a sites are identified as sources of problems, they would be put on a blacklist and you prohibited them. But now companies that deal primarily with issues that need serious protection that talk about white listing, which is a company has to be approved or a site has to be approved or you may not link to it from being inside the firewall. And of course, even as you do that, something could have infected that white listed site. And so it will be much more difficult to conduct business in a natural way with white listing techniques. But I think some organizations are heading that way because it just, the volume and sophistication of the attacks has reached a point where it's prudent to take a different approach.
AS: Okay. So you take an electric utility for example, or something quite different, you take a pipeline company in somebody breaches, they're a system, they're enterprise, information system. What does that breach then lead to? What are the targets within that company that the person or organization that's doing the attack hope to get access to and then what might they want to do with that?
BH: Okay, let me back up a little bit first, which is to look at how to, an electric utility gets so linked into the internet, if you will, because one, it's important to realize that people who built the internet were seeking to create easy access and encourage information sharing. It was inconceivable at those moments back in the ancient 1990s that the world would get to be this kind of neighborhood. And so it was intentionally built to be easy to share and look at things. Now that's a problem. And ironically, as the grid moved in, major parts to become open access, federal authorities were encouraging people, well don't use your own little private built electronic bulletin board to share information, use the internet. It's there. It's a great device for sharing in an open access sort of way. So the grid was encouraged to move in that direction. Now as they need to pull back, there are active measures that could be taken to improve security and air restrictions it could be putting in place and they have to get their regulators to approve all of this. And there's even an issue around the talent to assess whether measures are appropriate and effective and so forth. And the tradition of the cat and mouse game with the regulated utility and the regulator is that utility proposes more than it needs because expects to be cut back some. And so the regulator looks and says, well, how are they gold plating this year? And we got to make sure that they only do what's absolutely necessary and cost effective. With pipelines, it's different because if you will, is a more inherent physical nature. In fact, there are many of pipelines where the valves still require somebody to drive out in a pickup truck and manually turn the valve. They feel more complacent here. But the reality is, I've heard a CEO say, ‘I asked my guys how much it connected to the internet. They say not at all. I asked two or three questions and I learn that when they have a problem with the piece of equipment, they call the support contractor and they do the work over the phone’. So they're using the internet then to fix things. So they are exposed. So both pipelines and the electric grid have vulnerabilities here. The electric ones are probably more instantaneous, but the pipeline needs to be concerned too, both for themselves and also in the gas pipeline being an inherent part of serving the electric grid.
AS: Can you illustrate a little bit what might an attack on the electrically look like? You know, to what extent could the grid be incapacitated or you know, what, what specific infrastructure would somebody target to actually create a problem?
BH: So the Idaho National Energy Lab did a test to see if they could cause physical harm. And they did it in more in a way of a demonstration because they knew they could and they put on a turban and they attacked it as if they were hostile force. And basically they sped it up far outside of its normal requirements, and I believe they also cut off the oil supply. And so basically they had this equipment on fire and short order and it was a kind of damage that was not, they could turn it off and fix it. Things had melted. So pretty long term repair operation. So the other thing about a lot of this equipment is it's somewhat standard. And so if you send in a virus or malware that's going to hunt to destroy a certain piece of equipment, they can find it at every facility, whether it's at every generation facility or something at a transformer substation, they can find it, and get there and the attack can even be coordinated, perhaps take stuff out. If you look at the pattern in the attack in Ukraine, there was also follow up denial of service attack, which was basically overloading the circuitry to inbound, a control room that was trying to figure out what was going on and customers could not call in and report the situation on their part of the system. So it's typically a few levels, you know, the first one is the preplanning and the pre-positioning. The second is the initiation. The third is trying to respond to what went wrong and knowing what's wrong. And then the fourth is the recovery.
AS: We're talking about the cybersecurity threat to America's energy sector with Bill Hederman, Senior Fellow at the Kleinman Center and former Senior Advisor to the Secretary of the US Department of Energy. This is all very, it sounds kind of James Bond, if I may say that potentially somebody from far away could infiltrate the system, plant some virus or whatever it may be that would actually make the system go down. How would you judge the actual threat at this point? How much danger is there that there could be a major attack through the grid?
BH: Well, you know, that's a tough question. I don't want to create a sense of panic, but I mean there should be a sense of alarm. The activity that's hostile is real and going on as we speak. There's evidence of the attacks, in terms of attempts for unauthorized entry and of success in some unauthorized entry. We know from the Ukraine experience what a basic attack will look like. And it was successful and Ukraine's a pretty sophisticated technological country. So this was not a trivial effort. And, you know, and we within the US know some, we know what we can do to, and the sense is that all the major countries have the potential to be pretty effective on offense. Defense has proven much more challenging and the defense will have to be ongoing and it will be something that the threats are always evolving. And so the defense is always going to have to be both vigilant and evolving as well. There are some promising developments and you know, the US just has an amazing ability to create new options if you will. And you know, some of those involve technologies that really could leap forward and they may not solve the whole problem, but they may be able to provide protection for, for large shares of the defense perimeter, if you will.
AS: Yeah. Just along the lines of what you just said, I heard somebody talk about this once at a conference and they said that basically the attackers are very nimble and they're changing constantly. Whereas the grid, as you mentioned earlier, is something that's been up for decades. It's an old system and these are these, you know, they're slow responding. Is there any way that a big established grid and the companies that run these grids, is there any way they can actually keep ahead of these very nimble attackers?
BH: And so that's another, a really packed question. Let me unravel it a little but, because one, I think one of the big problems here is there isn't the clear set of who's responsible for what and who has authority over what, you know, a lot of these attack structures that we're talking about, things that normally a civilian would expect the federal government to do under the defense of the nation. But the internet has created all these, if you will, direct passageways right down into individual companies, individual persons. And uh, it's almost the opposite of when President Eisenhower built the defense highways, this is almost the offense highways into us. And so we've got to figure that out. And there's lots of activity at the Department of Defense at FERC, and their NERC operation, which is a North American Electric Reliability Corporation, The Department of Homeland Security, the DOE is involved through DHS on some of the collaborative efforts. The Edison Electric Institute is very active here. People are engaged, senior executives and utilities have gotten clearances so they could hear the more complete descriptions of what's going on. And then they as respected colleagues talk in a more broad way with others who may not get the details, but when they hear somebody in sleep one night, they take it seriously. And so the community is forming, it's still mushy if you will. It's not solidified. And there's this culture when you have, especially I think in the utility industry, when you've got a great deal of uncertainty of you tend to herd right, that if you stay in the group, well then you weren't one of the laggards and laggards get picked off and penalized. And if you're a leader you might guess wrong and you could get picked off as well. So people are tending to stay together and try to move together. That can be good. But we also do need some leaders to try different possibilities. And so far it seems like that's being done through consensus formation. And I think it's premature to go to that really time for some companies to step up and, and try out some options because we need to see what could work here. And my sense is that the regulators, the industry and people who are prepared to support them could do more but people have to step up and do it. And unfortunately, it's like most other fads. There are thousands of companies claiming to have magic bullets here, and a lot of it is not magic bullets, it's blocking and tackling every day. But there are some potential advances here that I think could be a big help. And what we've got to do is strategically get them introduced and tested and so forth.
AS: In your view, if there were a government agency that would take the lead on this to kind of get guidance to industry on how to respond to this and the technologies that they need to, to protect themselves, what would be the ideal agency to take that lead?
BH: I might go to the FBI, but DHS is probably the closest that's a realistic option.
AS: Homeland Security?
BH: Yeah. Yeah. So I think that you know, the, the challenge here is that this is very specialized talent that you need for cybersecurity. And there aren't enough professionals in the field. We do have the positive element that I think our professionals are extremely gifted in this area, but we need more of them. But until we get more, we have to get the people who have the insights to be able to share it. And we have to make sure it happens in a way that we know why we're trusting and listening to the people that are claiming expertise talking with us. And that's a real problem because lots of people can talk the talk here. And what was really important is that you can make things happen effectively.
AS: Overall, how do you see this issue evolving over the coming years? Is it going to get worse? Will our ability to thwart potential attacks improve? Where are we going?
BH: Well, it always depends, but I'm hopeful that we can make progress. I mean, it's only been a couple of years in which the lights have gone on that wow, this is serious. It's a real danger. We have to take action. And I think Americans have very deep resolve about things like this. We are not going to let ourselves be intimidated and threatened in this way, so we will step up to it. But we have to find a way to step up to it quickly and move forward because the culture is already built up kind of this lackadaisical attitude about security and the internet and it's not appropriate going forward. I think we've started to see that, you know, like how cyber issues arose in a recent presidential campaign and so forth. People understanding, wow, a lot of stuff can happen here. It's not all good. So I think, you know, that's important. And um, I think we're making progress on that. And, and in, in America, I think when we recognize a problem, we tend to attack it pretty effectively.
AS: Got it. So this is actually very much a new issue and the awareness is still rising, correct?
BH: Correct. Yep.
AS: Okay. Well our guest today has been Bill Hederman, a Visiting Scholar at the Kleinman Center. Bill, thank you very much for coming on the podcast.
BH: You're welcome Andy.
AS: And thanks to our listeners for tuning into Energy Policy. Now from the Kleinman Center for Energy Policy at the University of Pennsylvania, you can get the latest energy and environment updates from our Twitter feed @kleinmanenergy. Keep up to date on the latest news, research and events from the Kleinman Center by visiting our website, www.kleinmanenergy.upenn.edu.