Cybersecurity briefing given to Chelan PUD
PUD commissioners were briefed on the district’s comprehensive approach to cybersecurity, based on industry principles and guidance and a strong “defense in depth” approach by Information Technology Director Greg Larsen during the first meeting of the new year.
Larsen told the gathered officials, including newly installed Commissioner Steve McKenna, that the Chelan PUD belonged to several industry groups that shared information vis-a-vis cybersecurity threats, defense mechanisms and reaction to same.
The timing couldn't be better. The U.S. Senate began hearings in early January about the Russian hacking attack on the presidential election and Russian hackers may also have been involved with the hacking of the Burlington (Vermont) Electric Company grid.
The Jan. 3 mini-seminar presented by Larsen who summarized "where we are today," industry cybersecurity principles and guidance, key 2017 cybersecurity projects and "take-away points."
Larsen said the giant utility that we all depend on for our utilities has undergone "penetration testing" to measure the effectiveness of fire walls against potential attackers from any source, foreign and domestic.
The goal of the PUD's IT director is to "relentlessly protect customers and district assets against cybersecurity risks." During a slide show presentation Larsen also admitted, "it's not an easy thing to do - a simple click on the wrong link can make us vulnerable."
It was made clear by Larsen that not just one method of defending the grid is being employed, but many techniques would be deployed "simultaneously."
He vowed to continue training all employees that use computers to be aware of potential threats to the system.
Newly re-elected Commissioner Ann Congdon of manson said she is still "unsure if I should open some emails or links."
Cashmere orchardist and PUD President Commissioner Randy Smith said, "You can never be totally secure. You always have to be on your guard."
The board of commissioners was reassured by Larsen that every effort is being made to continue learning new and better ways to prevent hackers from disrupting service, stealing data and causing chaos in the county by being involved with programs such as C2M2, which means Cybersecurity Capability Maturity Model (C2M2) program. It is a public-private partnership advocated by the U.S. Department of Energy to help safeguard the nations electric, water, gas and other energy sources grids.
Larsen also related a recent visit to Denver where he attended an industry conference. He commented that whether governmental or private utility is involved, "executive management must champion cybersecurity efforts." This top down role model approach is designed to show junior executives and rank and file computer operators within organizations the importance placed on cybersecurity b y top management, according to Larsen. He also stated that "programs and policies need to be documented and maintained" and that there should be a specific "plan to respond to cybersecurity incidents before they happen."
Another weapon at the disposal of the PUD is the use of "external resources to periodically assess the cybersecurity program and risks." Larsen said Chelan PUD adheres to industry guidelines as delineated in North American Electric Reliability Corporation (NERC) standards which fall under Federal Energy Regulatory Commission (FERC). FERC regulates, monitors and investigates electricity, natural gas, hydropower,
oil matters, natural gas pipelines, LNG terminals, hydroelectric dams, electric utilities and more.
Larsen emphasized the importance of continued employee training, communications regarding threats and "phishing" exercises. "Phishing" is a method hackers use to steal data from unawares computer operators by via sensitive information such as usernames, passwords and credit card details for malicious reasons, by disguising itself as a trustworthy entity in an electronic communication such as an innocuous-looking email.
He also told the commissioners and staff, as there were few if any "public" attendees, that the PUD has "insurance protection against loss of customer information."
Larsen is invested with the power and authority to "shut down the system if there is a sign of an attack," according to the presentation. One of the most important revelations disclosed by Larsen is the connection Chelan County PUD has with industry expertise as found in the Pacific Northwest National Laboratory (PNNL) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
He also said the county system has a "red flags" committee and also uses encryption methods to protect data. The mini-seminar ended with another salient point made by Larsen - that the district has "automated collection and analysis of outgoing internet perimeter traffic as well as 24x/ security event analysis and notifications."
Finally, Larsen told the commissioners that network security response simulation will be conducted with the Washington State Military Department, i.e., Army National Guard, with the PUD district acting as defenders trying to contain an "attack" while the National Guard simulates the "attack" on the system. Afterwards, the National Guard will conduct a debriefing in order to point out areas where enhancement of "district cyber resilience" can be identified.
"Employees are key to our success," concluded Larsen.