Energy companies are always going to be a high-value target for nefarious actors who want to harm the United States. Companies need to assess threats and develop a plan to handle the worst-case scenario in order to be prepared, said Brian Harrell, managing director of enterprise protective services at Duke Energy Corporation.
“Industry recognizes the fact that bad things are going to happen, and it’s not if, it is in fact when,” he said. “We need to wrap our heads around the fact that somebody is going to hurt us in the middle of the night, and we need to be responsive, have the ability to respond and recover from that.”
Mr. Harrell and other senior representatives from the utility industry and government spoke about the importance of securing critical energy infrastructure during a panel discussion at George Washington University on Friday. The event was hosted by the Center for Cyber and Homeland Security and moderated by Frank Cilluffo, director of CCHS.
Mr. Harrell, a CCHS senior fellow, said there is no “silver bullet” to preventing cyber attacks. Companies need to develop layered security systems to protect the electrical grid and the services it facilitates, he said. It’s important for private energy companies to share timely information about the threats they encounter with one another and government regulators.
“Let us not build our crisis response plans in the midst of crisis,” he said. “Having these relationships now with our federal partners is absolutely critical.”
Jeanette Manfra, assistant secretary for the Office of Cybersecurity and Communications within the Department of Homeland Security, said there is a need for the energy infrastructure community to identify risks and determine the best practices for a safe and secure digital ecosystem through international standards. DHS laid out its priorities for mitigating threats in a recently published five-year cybersecurity strategy.
“We are not going to be able to prevent everything, so how do we organize ourselves to be able to respond and recover and mitigate consequences before they become significant,” she asked.
Scott Aaronson, M.A. ’00, vice president of security and preparedness with Edison Electric Institute, said the energy sector should look to the type of investment power companies have made to improve resilience during storms as a model. Over the last decade coastal providers have prioritized storm readiness, and as a result residents in Texas and Florida saw fewer outages and quicker service restoration during last year’s historic hurricane season.
“You can see where investments and resilience and preparedness showed great dividends, and where there are places where we can be doing better in order to be better prepared to respond and recover,” he said.
Mr. Aaronson said one of his biggest fears following hurricanes Harvey, Irma and Maria last year is the potential for misinformation. Threats to the energy infrastructure that interfere with the government’s ability to interact with civilians could put lives at risk. Mr. Aaronson has been working with social media providers about their capabilities to act as a trusted voice to the American people in emergency situations.
“This is a really big deal,” he said. “It doesn’t just apply to elections, it doesn’t just apply to manipulating of markets, this is something that we need to be thinking about as a nation for public safety so that our citizens can be prepared.”
Patricia Hoffman, principal deputy assistant secretary for the Office of Electricity within the Department of Energy; Chris Peters, vice president and chief security officer for the Entergy Corporation; and Joe Sagona, senior director of cybersecurity with Pacific Gas and Electric, also participated in the panel discussion.