Electric utilities use red-teaming, AI to prepare for advanced threats
The U.S. electric industry has responded to a steady stream of cyberthreats with more rigorous red-teaming and by using artificial intelligence, utility executives said.
“We’re penetrating our own system to ensure that we are moving the envelope,” said Brian Harrell, Duke Energy Corp.’s managing director of enterprise protective services. “We’re trying to find the vulnerabilities before anyone else does.”
“Just yesterday I [was] having a six-hour conversation with the FBI about somebody trying to penetrate our system,” Harrell said Friday at an event at George Washington University’s (GWU) Center for Cyber and Homeland Security. “These are the kinds of things that are happening on a day in and day out basis.”
Harrell told CyberScoop that Duke Energy, which has 7.6 million customers across six states, is still responding to the security incident, declining to go into detail. The episode could turn out to be insignificant, he said, but is nonetheless an opportunity to practice coordinating with federal officials.
Joe Sagona, a senior cybersecurity official at Pacific Gas & Electric, said his utility is using artificial intelligence to defend its networks. PG&E, which services 5.4 million electric customer accounts, hires outside red-teamers who might imitate the capabilities of Russian hackers, he added.
“We’re not sitting back and…waiting for alarms and lights to go off,” but instead are going hunting for hackers, Sagona said on the panel.
For utility executives, the threat is never far from mind. In March, the Department of Homeland Security warned that Russian government hackers had targeted the energy sector, among others, in a two-year campaign that collected information on industrial control systems (ICS) used in the sector.
Outsourcing is an option
Big power companies like Duke Energy and PG&E can run their own in-house intelligence organizations, with analysts picking apart threat data. The smaller electric cooperatives serving rural communities across the country, however, tend to lack the resources to do that.
For example, smaller companies frequently try to “‘dual hat’ their control systems people and tell them – you also need to perform these cybersecurity tasks, but often there is a skills gap,” Marty Edwards, an industrial cybersecurity expert, told CyberScoop.
“The good news is that you no longer need to try and do all this in-house,” added Edwards, who is managing director of the Automation Federation. “There are plenty of boutique cybersecurity consulting companies that specialize in ICS and operational technology – and you should bring them in to see what they can find.”
Help is also available through the National Rural Electric Cooperative Association, which offers cybersecurity training and tools to resource-strapped cooperatives.
The cyberthreat information-sharing hubs for the electric and financial sectors are recognized as some of the most advanced in the private sector. At the GWU event, Harrell said Duke Energy has been trying to learn from the threats facing financial heavyweights.
In recent weeks, he said, Duke Energy executives met with their counterparts at Bank of America, J.P. Morgan Chase, and Wells Fargo to discuss threat data because “we recognize that some of the data threat streams that they get may be different than what the [Electricity Information Sharing and Analysis Center] is pushing our way.”
“We fully recognize that we are a high-value target for anyone who wants to do anything nefarious to critical infrastructure,” Harrell said.
There were more than 650 million intrusion attempts on Duke Energy networks in 2017, Harrell said, adding that the company has poured “millions and millions of dollars” into cybersecurity in order to repel such threats.
