Articles by Brian Harrell
Utility security staff have a responsibility to ensure they can identify risks associated with security threats

Protecting North America’s power grid is a thankless job. Day in and day out, the good citizens of the United States and Canada wake up with the assumption that when they get out of bed each morning and flip on the lights, the room will illuminate, the coffee pot will come to life and their mobile phone will have been fully charged. After all, we live in a modern First World society, where we have come to depend on timely and efficient power at our fingertips. In reality, that reliable electricity that we all enjoy has many people working around the clock to ensure its reliability, resiliency and security. Today’s grid operators are inundated with natural and man-made threats. As utilities tackle the monster of the moment, which is the evolving cybersecurity threat, we must not take our eyes off the more primitive threat.

Security threats to US grid

Electricity is perhaps the most vital of the critical infrastructures and key resources that support our society. The mission of the North American Electric Reliability Corporation (NERC) is to ensure the reliability of the North American bulk power system (BPS). While electric utility companies are responsible for administering the day-to-day operations of the electric grid, regulators such as NERC and the Federal Energy Regulatory Commission (FERC) are charged with the overall responsibility of ensuring reliability and security. NERC develops and enforces Reliability Standards, annually assesses seasonal and long-term reliability, monitors the bulk power system through system awareness, operates the Electricity Information Sharing and Analysis Center (E-ISAC) and educates, trains and certifies industry personnel. Normal everyday operations of the system are the responsibility of utility owners and operators.

During emergencies, NERC supports industry actions to respond, mitigate and restore the BPS to normal operation by facilitating effective information sharing and communication with and between NERC registered entities, government agencies and the media. This information is not focused on operational decision making, but instead provides utilities with data, best practices and mitigation strategies to help recover from crisis. Obviously, as a regulatory body, NERC must stay out of emergency response until the utility has best mitigated the threat or reliability issue.

Currently, the most significant reliability threat to the U.S. grid is associated with squirrels and balloons, and not religiously inspired terrorists. However – and more applicable to grid operators – we have recently seen noteworthy interest in disabling or destroying critical infrastructure. Coordinated attacks specifically targeting the grid are rare, but an attack by a disgruntled former employee, ideologically motivated activist, or a criminal stumbling across a “soft target”, could inflict significant damage. With an interconnected grid of over 450,000 miles of high voltage transmission lines (100 kV and higher) and over 55,000 substations (100 kV and larger), the targets of opportunity are endless.

Critical infrastructure protection

Critical infrastructure protection is a cyclical process incorporating prevention, detection, mitigation, response and recovery. The key to this protection is the identification of credible threats, which will assist energy companies in assessing risks and potential vulnerabilities (weaknesses) of their facilities.
Once a threat has been thoroughly analysed, it is then possible to institute preventative measures to deter, detect and delay an attack. Of course, critical infrastructure protection planning must always include mitigation, response and recovery actions in the event an attacker is successful.

While the security of the grid is a shared responsibility between the government and the private sector, the primary responsibility rests with utility owners and operators. Utility security staff have a responsibility to ensure they are able to receive and act upon criminal intelligence and be prepared to identify risks and vulnerabilities associated with security threats. Any protection programme that is developed must be as efficient and cost-effective as possible, as budgets are limited and ratepayers are sensitive to wasteful spending. Effective security programmes rely on risk management principles and associated tools to establish priorities, allocate budget dollars and harden infrastructure sites.

Physical security protection encompasses defensive mechanisms to prevent, deter and detect physical threats of various kinds. Specifically, these measures are undertaken to protect personnel, equipment and property against anticipated threats. Properly conceived and implemented security policies, programmes and technologies are essential to ensure a facility’s resistance to threats while meeting demand, reliability and performance objectives.

Electricity industry physical security standards

Significant progress has been made in the electricity industry surrounding the issue of security. Unfortunately, many do not realise the number of reports, guidelines, standards and assessments that have been developed for use.
The industry has gone through multiple iterations of mandatory Critical Infrastructure Protection (CIP) Standards that focus on security protections. The CIP Standards, while not perfect, may be an example for other sectors to emulate. These standards are a minimum baseline for compliance and utilities should not assume that because they have a good compliance programme they are somehow immune from attack. In addition, many electric utilities undergo a sector-wide Grid Security Exercise (GridEx) every two years to hone their skills and provide updates to their security practices and policies. This is in addition to annual exercises mandated by the cyber standards. It is fair to say that the industry has been very responsive to the evolving security threat and the mandatory requirements found within CIP compliance.

As a result of the 2013 California substation attack that destroyed $15 million in infrastructure, industry now has a physical security standard. This standard was created to protect the most critical transmission substations and control centres in North America. While protections vary, many utilities have upgraded their security measures to include concrete or non-scalable perimeters, robust access control, cameras, lighting and armed guards. It is highly likely that we will one day see similar standards put in place to better protect non-nuclear generation facilities, but only time will tell.

The piece that the industry continues to struggle with is information sharing and the ability to quickly obtain actionable threat intelligence; an issue which has been combatted head-on through the sharing of security information amongst utility partners. Large utilities with the manpower and resources to address this initiative are changing the security model from reactive to proactive.
If you understand your adversary’s tactics, intent, and capabilities, you can develop strategies to combat their attacks and better plan for future threats. Better, more proactive security can be achieved through information sharing agreements and partnerships with other utilities, regulatory agencies and intelligence partners.

Many utilities do not have the dedicated resources to dissect and aggregate this data and are thus unable to react appropriately, or wind up drawing inaccurate conclusions. As a result, the electricity sector is demanding more access to actionable intelligence and threat streams. With this added intelligence, utilities can better pinpoint threats to specific systems and focus efforts on system recovery and restoration. This will undoubtedly drive better, more informed responses to security incidents.

Improving information sharing

Over the past few years, the FBI, DHS and the DOE have made considerable strides in improving information sharing and giving classified access to intelligence products such as bulletins, alerts and secret-level briefings. These products have been used to mitigate threats, reduce risk and update internal security policies. Additionally, this data flow has enhanced communications between security teams, management and board members by providing authoritative threat warnings. This ultimately drives better investment strategies by more directly connecting security priorities with business risk management priorities.

Unfortunately, utilities still see risks in sharing information with federal partners. Recently, the Washington Post released an article with a salacious headline falsely suggesting that the grid was hacked via Russian malware. Even after correcting the story, the question remains: who leaked the information to the Washington Post?
Utilities all over the country were witnessing an information sharing failure. We must assume that at some point in the future a North American utility will suffer from a planned and coordinated attack against electrical infrastructure. Have we looked at credible threats closely enough and did we prepare our people to respond, recover and communicate? As an industry, we will be judged and hard questions will be asked about how seriously we considered the threats and what we did to mitigate future attacks. Success will be determined by how quickly we are able to respond and the swiftness of system recovery. There is no doubt that security is an “all hands” approach by everyone involved.
The Duke Energy Corporation, one of the largest utilities in the world, has hired Brian Harrell as Managing Director, Enterprise Protective Services. Harrell is widely seen as an industry expert on critical infrastructure protection, with a specific focus on power grid security. He is the former Director of Critical Infrastructure Protection Programs and Director of Operations for the Electricity Information Sharing and Analysis Center (E-ISAC) while at the North American Electric Reliability Corporation (NERC). He was recently recognised as one of Security Magazine's Most Influential People in Security and he currently serves as a Senior Fellow at the Center for Cyber and Homeland Security at The George Washington University. Duke Energy is headquartered in Charlotte, N.C. and serves approximately 7.5 million retail electric customers in six states in the Southeast and Midwest. Duke Energy is a Fortune 125 company which provides energy services to approximately 24 million people.
AlertEnterprise Inc. has announced that Brian Harrell is joining its senior executive team as Vice President of Security. Formerly the Director of Security and Risk Management at Navigant Consulting, Mr. Harrell is a widely acknowledged expert on strengthening the security and resiliency of critical systems and enabling infrastructure owners to rapidly identify and understand emerging threats.

Protecting electric grid from cyberattack

Prior to Navigant, Mr. Harrell was the Director of Critical Infrastructure Protection Programs at the North American Electric Reliability Corporation (NERC) and led the Electricity Information Sharing and Analysis Center (E-ISAC) where he was charged with helping protect North America's electric grid from physical and cyber-attack. Mr. Harrell’s career spans experience with the US Marine Corps, US Department of Homeland Security, and multiple private sector agencies focused on protecting the United States from security threats.

Jasvir Gill, Founder and CEO of AlertEnterprise states that, “Brian brings significant infrastructure protection expertise and leadership to our company and we’re excited to have him join our executive team.” He adds that, “Brian is a widely respected voice in the industry. His addition to the team ensures we will continue to offer cutting-edge technology and advisory services to our valued clients”.

Implementing sophisticated solutions

Harrell notes that “protection of critical infrastructure and key resources is vital to our national security, economic vitality, and way of life.” He adds that “recent high-profile cyber and physical access attacks throughout the world underscore the urgency to implement sophisticated solutions. I am enthusiastic to join a technology company that has truly innovative solutions and approach to help the private and public sectors protect their data, systems, and infrastructure.”