Securing utility assets, whether physical structures or cyber networks, has long been a priority in public power. Yet, as high-profile incidents with critical infrastructure have been front and center on the news, the concept of having a strong culture of security among utilities has become more prominent as well.
Just like building a culture of safety, having an organizational culture of security takes time to develop and means it is embraced by people at all levels. Building a culture of security isn’t just about putting the proverbial locks on the right doors — it is making sure that employees are aware of potential threats, seeing the value of identifying concerns, and encouraged to follow protocols that could mitigate the risk of attacks on their systems.
Signs of a Security Culture
David Godfrey, Manager of Critical Infrastructure Protection at Garland Power & Light in Texas, said that a culture of security is much like a safety culture, in that it is a mindset that develops over time. He said that it means that employees know that the processes, equipment, and other security mechanisms aren’t seen as control mechanisms, but investigative tools. He summed it up as gaining the trust of your employees.
“Employees spend at least a third of their time at work. We would hope that you protect your place of employment as if it was your own, and I think our employees do,” said Godfrey. “Anytime there is a security need, they are always willing to help.”
A culture of security doesn’t exist when cybersecurity is “entirely IT’s job,” said James Keltgen, who was director of information technology at Shakopee Public Utilities in Minnesota before switching to another position in local government in February 2023. When a culture of security is embedded well at an organization, he said, it is everyone’s responsibility. He said there would also be mechanisms in place that allow for a feedback loop, such as an easy way for employees to report phishing attempts.
Branndon Kelley, senior vice president of strategy and innovation and chief strategy officer at American Municipal Power in Ohio, agreed. “It’s not just about tools and techniques, it is about a mindset,” said Kelley. “Where you see the top leaders embracing it, sharing it – that really is the first sign that there is a culture of security.”
“Cybersecurity and physical security need to mesh,” added Kelley. “For no other reason than many of these events can be correlated. The more they can be meshed under one leadership structure, the more you will ultimately have a better posture of achieving your goal and having a better aware staff.”
Kelley also cautioned against the pervasive thinking that only utilities with a SCADA system have cybersecurity concerns. “That is entirely not true… any utility which has any sort of computer has a potential cyber problem.”
Keltgen said that an organizational culture of security “requires intentional focus on human behavior. I’m more concerned about what employees do versus what they know about cybersecurity… that difference will determine whether the utility is secure or breached.”
As an example, Keltgen said his aim is for employees to stop and think about whether they should be receiving a given piece of information, or whether the request is out of the ordinary.
From Fear to Action
Godfrey noted that utility security has come a long way from when he began working in the industry more than 30 years ago, when security was usually only discussed in relation to large generating facilities.
“For so long, everyone left the utility industry alone,” said Godfrey. “Now, with the abundance of information on the internet, extremists and others have decided this is the way to shake things up. When you have a situation like what happened in North Carolina, that opens a lot of people’s eyes.”
While awareness can be good in some respects, utility security leaders cautioned about the fear — and exposure — awareness can bring.
Keltgen said it is important for utilities to look past coverage of the potential damage from attacks and dig into how attacks actually occur and what would happen in their own system should they face a similar type of attack.
“You have to sell the idea of a security culture on value and not on fear,” explained Kelley. “For too long, we sold security along this idea that if you don’t do [a certain strategy], this big bad nasty thing is going to happen. The problem is, some people respond to fear and become paralyzed, and others see it as the boy who cried wolf and they just don’t react at all.”
Keltgen offered similar advice. The focus shouldn’t be on how much an incident would cost the utility or community, but on how individuals play a part in either allowing or preventing incidents. Then, he said, the focus can be on solving any problems or changing any behaviors that make it easier for incidents to occur.
In training, Keltgen said he likes to take a storytelling approach to show how an incident can hit home, alongside sharing and reminding employees about the mechanisms in place that help prevent them.
“Those who are paying attention tend to be ahead of the game,” said Keltgen. That includes being tuned into alerts from sources such as the Electricity Information Sharing and Analysis Center and Multi-State Information Sharing and Analysis Center. It also means following trends, such as how the convergence of information technology and operational technology has changed the nature of attacks.
Godfrey also pointed to the importance of using the tools and information from the E-ISAC. “While there’s a lot of information shared, and it can be daunting on some days, it also gives you awareness of what is going on within the industry,” he said. “We’re all aware of the incidents published in the news, so sharing these resources is vital to awareness of the threats trying to infiltrate our own backyards.”
Kelley echoed the emphasis on awareness, and that utilities should be “constantly assessing and monitoring” their systems. This includes conducting cyber incident response exercises and incident response planning. “It is not a question of if, but when [an incident will occur],” he said. “The question is, how are we going to respond? How will we recover?”
Exercising isn’t solely about understanding security measures, but is also about thinking through business continuity in the event certain systems can’t be accessed, such as if a billing system is compromised. In this scenario, said Kelley, utilities work through questions such as, “What does that do to your cash flow? How will it affect your utility if you can’t send out bills for one day, three days, or a month?”
Staying Current
Part of the challenge with cybersecurity, noted Kelley, is that it is being applied to systems that have already been in existence, and only in the past five years or so have security mechanisms been considered and baked in from the development stage. “Historically, someone would show up and say, ‘I’ve bought this system and I’m not sure if it’s secure’ — that doesn’t fly anymore … it is maybe step two in making sure that it is going to fit.”
AMP produces short, specific “cyber minutes” throughout the year to help educate its board members about security-related topics. Kelley said that the information is conveyed in a practical, relatable manner so people understand how a specific issue could affect them. AMP also sends cybersecurity-related articles to its members on a weekly basis that follow a similar tone.
Kelley said that AMP has a program that assesses members’ cybersecurity against industry standards and identifies gaps that should be addressed. The assessments go beyond identifying problems and offer AMP members an 18-month plan to address the highest threats, prioritizing activities based on which are most critical or could have the biggest budget impact.
In Garland, security is a topic of discussion during safety meetings, among other times. Godfrey makes a point to meet with different crew members throughout the year to exchange information about what kinds of threats to be aware of and get feedback. “It is amazing when you ask for feedback, what kind of information you get back. When you allow [crews] to express their ideas, they feel ownership in the process.”
Keltgen encourages individuals focused on IT in utilities to network, such as through the American Public Power Association’s Cybersecurity Defense Community, as having these relationships can support better information sharing and exchange over mutual lessons learned.
Purposeful Design
Utility security is a careful balance between having the right structures and systems in place, and ensuring people understand why such mechanisms are there and how to use them.
Kelley noted that it is part of the job for people designing systems to recognize human nature and put features in place that align with it, so that cybersecurity measures don’t become an interference but help in making better choices. “People are the biggest cyber defense as far as keeping systems safe, but you still have to train people, have to invest time into it.”
Kelley also pointed to artificial intelligence-based mechanisms that can identify when a user’s activity is outside the norm, such as an employee who works a 9-to-5 shift appearing to access systems in the middle of the night, and report it as suspicious behavior.
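The detection Kelley describes rests on a per-user baseline of when that person normally logs in. The following is an added example, not AMP’s tooling or any vendor’s product: it learns each user’s usual hours of the day from a week of authentication log lines and flags later logins that fall outside them. It uses a plain learned time-of-day window rather than a machine-learning model, but it is the same signal. The log format, user names and addresses are constructed for the demonstration.

```python
"""Off-hours login detector: learn a per-user time-of-day baseline from past
authentication logs, then flag new logins outside it. Added example, not any
utility's or vendor's code; log format and names below are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not from a real system). Assumed format:
# "<ISO timestamp> <user> <result> <source ip>"
BASELINE_LOG = """
2023-03-06T08:02:11 jdoe success 10.0.5.21
2023-03-06T12:45:09 jdoe success 10.0.5.21
2023-03-06T16:58:40 jdoe success 10.0.5.21
2023-03-07T07:55:03 jdoe success 10.0.5.21
2023-03-07T10:30:15 jdoe success 10.0.5.21
2023-03-07T13:10:22 jdoe success 10.0.5.21
2023-03-08T08:14:37 jdoe success 10.0.5.21
2023-03-08T17:01:12 jdoe success 10.0.5.21
2023-03-06T22:30:00 ops_night success 10.0.9.4
2023-03-07T02:15:41 ops_night success 10.0.9.4
2023-03-08T23:48:19 ops_night success 10.0.9.4
2023-03-09T03:05:55 ops_night success 10.0.9.4
"""

# The following week: one normal jdoe login, one at 02:47 from an outside
# address, one normal night-shift login, and a user with no history at all.
NEW_LOG = """
2023-03-13T08:05:30 jdoe success 10.0.5.21
2023-03-14T02:47:12 jdoe success 198.51.100.77
2023-03-14T01:20:08 ops_night success 10.0.9.4
2023-03-14T03:12:44 newhire success 10.0.5.30
"""


def parse_log(text):
    """Yield (timestamp, user, result, ip) for each non-empty line."""
    for line in text.strip().splitlines():
        ts, user, result, ip = line.split()
        yield datetime.fromisoformat(ts), user, result, ip


def build_baseline(text, slack_hours=1):
    """Per user: the set of hours-of-day seen in successful logins, widened by
    +/- slack_hours so a 7:55 login is not flagged after a week of 8:00 ones."""
    hours = defaultdict(set)
    for ts, user, result, _ in parse_log(text):
        if result != "success":
            continue
        for delta in range(-slack_hours, slack_hours + 1):
            hours[user].add((ts.hour + delta) % 24)
    return dict(hours)


def find_off_hours_logins(baseline, text):
    """Return (timestamp, user, ip, reason) for successful logins outside the
    user's learned hours. A user with no baseline is reported rather than
    silently accepted, since 'no history' is itself worth a look."""
    findings = []
    for ts, user, result, ip in parse_log(text):
        if result != "success":
            continue
        if user not in baseline:
            findings.append((ts, user, ip, "no baseline for user"))
        elif ts.hour not in baseline[user]:
            findings.append((ts, user, ip, f"hour {ts.hour:02d} outside learned window"))
    return findings


if __name__ == "__main__":
    for ts, user, ip, why in find_off_hours_logins(build_baseline(BASELINE_LOG), NEW_LOG):
        print(f"{ts.isoformat()} {user} from {ip}: {why}")
```

The night-shift operator’s 01:20 login is not flagged because the baseline is per user, which is the point: the same hour is normal for one employee and suspicious for another. In practice the baseline would also carry day-of-week and source-address history, and a finding would be routed to the feedback loop described earlier rather than printed.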
“You could do everything in the world — cameras, access control, etc. — and if your substation folks just left the gate open, all that work would be for nothing,” said Godfrey.
It can come down to noticing where a fence might need maintenance, or a light bulb needs to be replaced. “It takes people to notice that and to care, to take the effort,” he said.