The intersection of cyber and physical, coupled with nation-state actors, is making security more difficult and costly. And adding to the growing need to support physical and cyber activities is the challenge of finding people to do the job. Forbes reported that there were a million jobs for cyber security around the globe in 2016 and projected the market for cyber work would grow from $75 billion in 2015 to $170 billion in 2020. In the U.S., the Bureau of Labor Statistics found 209,000 unfilled jobs in 2016 alone.
If demand for services and a lack of qualified staff were not enough, as an industry, we have to respond to an ever-increasing plethora of requirements and regulations, which are important to keep the grid alive, well and protected.
Collaboration Works, Cookie Cutters Do Not
At the Western Area Power Administration (WAPA), over the past three years we have dramatically changed our approaches, given the challenges outlined above on both physical and cyber fronts as well as understanding how to protect our 17,231 miles (27,730 km) of line, 319 substations and 477 communications sites. We have been learning how to examine and meet a variety of needs in a world where “one size fits all” does not work and where budgets have to be managed while we improve security without hindering operations.
Fortunately, our industry has taken tremendous steps forward through the power of collaboration in the form of the Electricity Sub-Sector Coordinating Council, the Electricity Information Sharing and Analysis Center (E-ISAC), operated under the auspices of the North American Electric Reliability Corporation, as well as other federal resources. In particular, E-ISAC has moved the game ahead by engaging a growing number of utility industry and energy sector entities. For our part, WAPA has been encouraging its customers and others to be active participants, because sharing knowledge is the key to staying ahead and improving. The trade associations also have been instrumental in establishing information channels.
WAPA’s approach to physical security (without compromising Critical Electric Infrastructure Information) began in 2013 with the consolidation of our Office of Security and Emergency Management across our five regions and the implementation of a sophisticated risk-based program in analyzing the threats and vulnerabilities to our substations. Over the past three years, we have used a federal facilities “all hazards” process to review more than half of our substations in what will become an ongoing and regular business practice. The recommendations range from the simple (trimming hedges and replacing signage) to the more costly and time-consuming (upgrading networks to enable electronic site access systems), which get rolled into our 10-year capital plans. These efforts are coupled with significant design changes for new and updated facilities as well as a broader move to adding hundreds of surveillance systems across our footprint. Performance testing validates the effectiveness of our activities.
Since 2013, WAPA’s expenses for physical security have nearly tripled, though fortunately offset by cost-avoidance in an aggressive Continuous Process Improvement program.
WAPA’s recent experience in meeting the Critical Infrastructure Protection version 5 standards was an eye-opener for the organization. More than 25 people dedicated a year of their careers to ensure that all requirements were met. This undertaking prepared the organization in several ways, most critically by virtually erasing the blurring lines between operating technologies and information technologies.
Protecting Assets Begins with Humans
At WAPA, we have an average of a million pings on our firewalls from around the globe each month, weekly (sometimes daily) phishing attempts and a host of concerning but managed attempts on our systems. Continuous vigilance requires adapting new operating models to offset the asymmetrical advantages held by those wishing to do harm to systems.
Changes in WAPA’s protective schemes have included the move to an enclave that isolates critical systems while at the same time allowing management to monitor in an effective manner. These steps, coupled with continual patching, regular software and hardware upgrades and consistent, proven security hygiene practices — like effective access management, managing an accurate technology inventory and regular penetration tests — have helped WAPA effectively work the cyber issues that arise. Engagement in industry forums, trade associations and information sharing groups improves our awareness of current trends, risks and threats.
To protect against physical threats, we work at securing the environment. For cyber threats, the most common point of entry is through the vulnerable person who makes an error in judgement or is fooled into allowing the breach. These risks are exacerbated when fear leads people to hide their missteps. To mitigate this risk, we employ training and work to create a culture that encourages questioning, rapid admission of mistakes and effective security processes.
Participation in industry-wide events such as GridEx, Cascadia Rising and other tabletop exercises has helped to give WAPA a broader perspective. Trust building between entities is crucial for rapid, effective, proactive information sharing. We need to continue to build relationships that smooth the way. Can we ever protect our grid entirely? No way. Can we continue to raise our game? Absolutely.