Cyber Security For The Future Grid
by Juliette Kayyem
February 25, 2019
This interview with Juliette Kayyem, CEO of Zemcar, President Obama’s Assistant Secretary for Intergovernmental Affairs at the Department of Homeland Security, and Belfer Lecturer in International Security at Harvard Kennedy School, was conducted and condensed by frank news.
Part of the energy democracy definition has to do with decentralizing the grid. The criticism then comes from a security perspective, which says, decentralizing the grid increases cybersecurity risks. Is that a fair conclusion? What does mitigating these risks look like?
No one system of critical infrastructure and how it's built is better than another in terms of security. A singular unified system might be easier to protect, but it also means it's a single target that can bring a whole system down. It has no layers of defense. You basically have, what we call in the security space, a single point of failure.
Think about that in terms of the blowout preventer and the BP Oil Spill. We had a single point of failure. A two hundred thousand dollar mechanism that fails, becomes a 30 billion dollar accident. You want layered defenses so that diversification, and bifurcation, and diversity, actually become better because you're not going to have that single point of failure.
On the other hand, each of those things is a new vulnerability that has to be protected in its own way. The idea that diversification or multiplication is, in and of itself vulnerable, that's only half the statement. It just means, how do we make those vulnerabilities less vulnerable? Because obviously, you're going to have more access points.
That's how, on the security side, we tend to think about critical infrastructures. We tend to think about five key attributes of the system, and how do you make it more resilient? That could be a transportation system. It could be critical infrastructure. It could be cybersecurity. This is how I think about it and teach about it and write about it.
The first is any complex system of energy has to have redundancy.
You can't have a single point of failure. You want to have layered defenses, back up systems, all that. The perfect example is it was a single system administrator who gave away his password thinking that it was password change, and it was not. It was a foreign entity. That got the foreign entity into the entire system. They just wouldn’t build a system that way anymore.
The second is, the systems have fail safe mechanisms.
What that means is that if the system gets under stress, if there's a natural disaster or cyber attack, the system is able to protect itself. It has fail safe mechanisms so that the whole system doesn't go down, so you can stop what we call the cascading losses.
A great example is the Super Bowl that went in half dark in 2013. That actually was a pretty sophisticated fail safe system. The power structure in the Superdome during the Superbowl came under stress and it protected itself. It stopped the cascading losses.
The third is, if the thing is under a cyber attack, the people who are meant to protect it are fully trained and understand how to protect the system.
Do you have people, rather than just technology, that actually are able to respond to get the system protected and get the system back up and running?
Those are the first three when you think about how to build a system that could respond quickly to an attack or prevent an attack. The other two have to do with resiliency. But those three key attributes are how we think about security rather than thinking, this one system is better than that system. All protective systems will have those three attributes.
Theoretically then, having a less centralized system is safer than having larger utility services in charge?
In theory, yup. Absolutely. But also, think about dams. That would be really hard to replace. A single dam provides a lot of important needs. In some instances you're going to need that one thing. You just figure out ways in which you can protect it. But the idea that diversification is inherently insecure sounds commonsensical – but it's actually not right. Because the single system could be insecure as well.
So then any company providing new energy services, whether it be solar or wind, would also be the service providing security for their customers.
What happens when we move beyond the private sector? Who in government is responsible for providing security for the new ways of creating and distributing clean energy?
It's going to depend. There are going to be guidelines and regulations depending on what the regulated industry is. Some of them are semi unregulated. With fracking, it took a couple years for the government to establish safety and security protocols. But most of them are regulations that fall on the private entity.
In cyber, I will tell you that there's lots of guidance, but there's almost no regulations in the cyber space in terms of critical infrastructure.
I think there's a general sense in the community that these companies are incentivized enough to be able to protect their systems. Unfortunately, if you read anything on critical infrastructure in the US, including voting and elections, a lot of that is dependent on either private, state, or local entities, and not demanded by the federal government. There's obviously exceptions to that, the nuclear realm is heavily regulated. Fracking is starting to get more regulated. But solar, not very much so.
It seems to be that energy at utility scale is very regulated, but when you move beyond utility and the grid, those regulations fall away. What that suggests to me is that technology is ahead of policy.
Oh, absolutely. Part of that is private entities don't like to get regulated. State and local entities don't like the federal government telling them what to do. Part of it is also a real tension between innovation and security, that I think is more in theory than in practice. There’s a sense that if we put too much regulation, too much security demands on this, there won't be as much creativity. That's what you hear about technology. You think about Facebook and Silicon Valley – government can't do anything because it will stifle innovation.
Then, everything bad happens and now all of a sudden people are talking about regulation.
Do you feel it would be helpful for policy to support cyber security for specific purposes in the new energy realm?
Yes. I think you might have to start with best practices. It's really interesting to think about this. We tend to think of clean energy as benign to the bad industries of oil drilling and BP.
But the truth is, these are industries that are, or will be, major companies satisfying an economic and energy need of the United States and the globe.
It is smart to start requiring them to build in a way that makes them more resilient, safe, and secure now. Rather than thinking, oh they’re nice and they’re innovative and they’re good. Facebook started off as good, right? It was just going to bring people together. When companies get bigger their incentive structure becomes different. You and I might be dead by then, but a hundred years from now the idea that we wouldn’t think about a green energy company the same way we think about Exxon and BP is ridiculous, of course we will, because they will be as big.
I do think it's a good time to start.
What language would be helpful?
It would have the attributes I just described. It would require building in redundancies, ensuring layered security, making sure that planning in response is done adequately and with state and local guidance. It would demand the things I told you in some ways.
In theory these things should be built into policy that dictates how we move forward on a large scale with clean energy. At the moment this looks like the Green New Deal. Should the GND incorporate security?
Yes. I have not looked at the specifics of the proposal that's out there, but I'm very curious. Does it actually have a resiliency or a safety and security component? I haven't heard anything, so I'm guessing no.
Remember the industry has an incentive to make it seem like these new industries are less safe. Now is the time because these companies, if you just look at the metrics, are going to be the BPs and Exxons of their day. Now is the time to begin to have these cyber protections, these safety and security protections in the green energy proposals, because if you don't do it now it's going to be almost impossible to do later.
We talked about Facebook two years ago the way we talk about green energy today. This is bringing us together. It's a brand new world. It's benign. Borders will be broken. That's how we talked about Facebook. It's a big company that didn't pay attention to its underbelly, to its vulnerability
Up until the last two years, any serious discussion about regulating a Facebook was met with, you can't stifle innovation, and we're just bringing people together. Well, you know what? Bringing people together can have its vulnerabilities.