WEBVTT - Guarding the Grid: Hackers Target Smarter Power System 0:00:00.400 --> 0:00:03.240 This is Dana Perkins, and you're listening to Switched on 0:00:03.560 --> 0:00:04.720 the BNF podcast. 0:00:05.040 --> 0:00:05.240 Now. 0:00:05.280 --> 0:00:07.360 I don't know about you, but it seems like all 0:00:07.360 --> 0:00:10.400 of my friends are talking about AI lately. And among 0:00:10.480 --> 0:00:13.920 the myriad of things to consider is cybersecurity. It's such 0:00:13.920 --> 0:00:16.000 a hot topic, in fact, that it was even featured 0:00:16.040 --> 0:00:19.520 in the most recent Mission Impossible film. But cybersecurity is 0:00:19.640 --> 0:00:22.440 not a new topic, as will come to find, as 0:00:22.520 --> 0:00:25.439 much of the world has an increasingly complex grid that 0:00:25.480 --> 0:00:28.240 has evolved to become even smarter and more digital and 0:00:28.400 --> 0:00:31.800 capable of optimizing energy use, which will prove helpful in 0:00:31.840 --> 0:00:35.199 the race to net zero. These very additions themselves have 0:00:35.320 --> 0:00:40.040 created new vulnerabilities which cyber attackers can exploit. So what 0:00:40.240 --> 0:00:42.640 sort of damage can be caused by a cyber attack 0:00:42.720 --> 0:00:45.559 on electric utility and can we protect them? And what 0:00:45.760 --> 0:00:49.720 exactly is an air gapps. It's a computer or network 0:00:49.720 --> 0:00:53.880 which is isolated from other networks for security reasons. Today, 0:00:54.040 --> 0:00:55.840 instead of me telling you any more about it, I'm 0:00:55.920 --> 0:00:59.120 joined by our Grids and Utilities team member Amanda al 0:00:59.360 --> 0:01:01.520 She's going to discuss some of the findings from her 0:01:01.600 --> 0:01:06.800 recent report called Guarding the Grid Utilities Fortify cyber defenses. Together, 0:01:07.080 --> 0:01:10.240 we discuss the different forms a cyber attack can take, 0:01:10.440 --> 0:01:13.920 the motivations behind these attacks, and the scale of damage 0:01:13.920 --> 0:01:16.640 that can be caused, as well as the costs involved 0:01:16.640 --> 0:01:19.640 in fixing them, and to ward off attacks. Can anything 0:01:19.720 --> 0:01:23.039 be done at the government level to beef up cybersecurity. 0:01:23.280 --> 0:01:25.600 We assess some of the policies countries have put in 0:01:25.640 --> 0:01:29.800 place to strengthen cybersecurity in both the public and private sectors, 0:01:30.040 --> 0:01:34.200 and the marketplace for companies offering grid security. And finally, 0:01:34.440 --> 0:01:37.240 what does the future of grid security look like? As 0:01:37.240 --> 0:01:40.679 we enter an era of AI and quantum computing with 0:01:40.840 --> 0:01:45.080 even greater computing capabilities, also comes some potential threats and 0:01:45.160 --> 0:01:47.319 are there measures that can be put in place to 0:01:47.440 --> 0:01:51.840 combat these even more complex attacks. To access Amanda's report, 0:01:51.960 --> 0:01:55.040 BADF subscribers can find it at BNF dot com, on 0:01:55.120 --> 0:01:57.800 benf Go, on the Bloomberg terminal, or on the BNF 0:01:57.840 --> 0:02:00.360 mobile app. If you like this podcast, make sure to 0:02:00.400 --> 0:02:03.120 subscribe and you'll receive an update when a future episode 0:02:03.200 --> 0:02:05.080 is published. And if you give us a review or 0:02:05.080 --> 0:02:08.240 a rating on Apple Podcasts or Spotify, it'll make us 0:02:08.280 --> 0:02:11.079 more discoverable by others. But right now, let's jump into 0:02:11.080 --> 0:02:24.520 our conversation with Amanda. Amanda, thank you very much for 0:02:24.600 --> 0:02:25.800 joining switched on today. 0:02:25.960 --> 0:02:26.800 Thanks for having me. 0:02:27.120 --> 0:02:29.720 So today we're going to talk about grid security. What's 0:02:29.760 --> 0:02:32.360 at stake here? What is the worst case scenario? 0:02:32.800 --> 0:02:37.000 So, I mean utilities are really integrating more and more 0:02:37.120 --> 0:02:41.440 digital technologies, meaning that they're investing in more technologies like 0:02:41.520 --> 0:02:46.399 sensors and creating digital models of the grid and investing 0:02:46.400 --> 0:02:50.120 in communication technologies. And as they do that, it means 0:02:50.160 --> 0:02:52.680 that first of all, the grid is getting the eyes, 0:02:52.760 --> 0:02:55.640 the brain, and the sense that it needs to act efficiently. 0:02:55.880 --> 0:02:58.760 By at the same time, integrating all these new technologies 0:02:59.000 --> 0:03:02.920 which have in at access means that it's increasing the 0:03:02.919 --> 0:03:06.920 potential cyber attack service of the power system. And with 0:03:07.040 --> 0:03:10.160 this new link with the Internet, it basically means that 0:03:10.280 --> 0:03:15.680 cyber thread actors could potentially access physical grid infrastructure, leading 0:03:15.680 --> 0:03:18.200 to damages, leading even to power outages. 0:03:18.760 --> 0:03:22.800 So we're most concerned about blackouts maybe citywide, statewide, Like 0:03:23.080 --> 0:03:26.360 what scale would the worst case scenario be? And I 0:03:26.400 --> 0:03:29.200 guess the follow on to that is really how connected 0:03:29.480 --> 0:03:31.760 is it? Is it all of the grids across the US, 0:03:31.880 --> 0:03:35.600 barring or cut that are all connected. You know how 0:03:35.640 --> 0:03:38.520 big could a problem be if there was a cyber 0:03:38.560 --> 0:03:41.040 attack they got in If we're specifically focused for this 0:03:41.120 --> 0:03:43.320 question on power outages. 0:03:43.200 --> 0:03:45.280 I mean, that's really hard to say, because what we 0:03:45.360 --> 0:03:48.200 know right now is that there is malware out there 0:03:48.360 --> 0:03:53.200 that could specifically target technologies on the grid, like substations 0:03:53.280 --> 0:03:57.360 or other kind of operational technologies. So I mean, hypothetically 0:03:57.720 --> 0:04:00.280 a cyber attack could maybe take out and an ore 0:04:00.600 --> 0:04:06.160 utilities network. Hypothetically, I'm just saying, but I mean, of course, 0:04:06.240 --> 0:04:09.320 utilities are investing in new cybersecurity technologies to make sure 0:04:09.440 --> 0:04:12.880 that doesn't happen. But potentially the more and moral malware 0:04:12.920 --> 0:04:16.120 coming out that can target power systems means that this 0:04:16.200 --> 0:04:18.839 could lead to outages across utilities. 0:04:19.120 --> 0:04:22.400 So outages and then you also reference the damage to equipment. 0:04:22.440 --> 0:04:26.440 So is that one way of targeting or using malware 0:04:26.560 --> 0:04:28.919 is to actually cause maybe a piece of equipment to 0:04:28.960 --> 0:04:34.080 malfunction and to actually cause very expensive damage to critical infrastructure. 0:04:34.400 --> 0:04:38.320 Yeah, exactly. So there's one example. There's a kind of 0:04:38.360 --> 0:04:42.960 malware called crash override, also known as in destroyer. I 0:04:43.000 --> 0:04:44.760 love these names that're kind of funny, but what they 0:04:44.839 --> 0:04:48.160 do is really not funny. For example, crash override was 0:04:48.320 --> 0:04:52.159 used actually used in an attack on Ukraine's grid in 0:04:52.240 --> 0:04:57.080 twenty sixteen. And this malware basically took and codified, meaning 0:04:57.120 --> 0:05:00.400 put into code knowledge of how control systems work, so 0:05:00.440 --> 0:05:03.640 the control system for substations, how they work, and then 0:05:03.800 --> 0:05:07.279 use this to shut down the substation in Kiev. And 0:05:07.320 --> 0:05:10.080 this was one substation. But the scary thing is that 0:05:10.160 --> 0:05:13.080 cybersecurity professionals here thing that this could have been a 0:05:13.120 --> 0:05:16.320 proof of concept since not all of this malwar's functions 0:05:16.320 --> 0:05:19.160 were used. So if this is not on a larger scale, 0:05:19.240 --> 0:05:22.159 it can really damage the grid and of course impact 0:05:22.279 --> 0:05:24.120 people that depend on electricity. 0:05:24.600 --> 0:05:27.080 So let's talk a little bit about the olden days 0:05:27.080 --> 0:05:30.480 when the grid was not connected and things were much simpler. 0:05:30.680 --> 0:05:35.400 Technology hasn't just spreaded immediately. Over time, systems have gotten 0:05:35.560 --> 0:05:39.279 more sophisticated, and there used to be security measures built 0:05:39.279 --> 0:05:41.560 into the way that it was designed. Can you talk 0:05:41.560 --> 0:05:43.359 a little bit about how the grid used to be 0:05:43.400 --> 0:05:47.359 designed and really what precipitated such a dramatic change to 0:05:47.360 --> 0:05:48.600 make everything interconnected. 0:05:49.120 --> 0:05:52.279 I mean, originally the text structure of the grid or 0:05:52.279 --> 0:05:54.320 the digital tech structure of the grid was based on 0:05:54.600 --> 0:05:58.960 two main elements so it's informational technology and operational technology 0:05:59.040 --> 0:06:01.800 or IT and OT, so for IT think things like 0:06:01.920 --> 0:06:06.200 file management, emails, internet, and for OT. These are the 0:06:06.240 --> 0:06:10.119 technologies that monitor and physically control power equipment on the grid, 0:06:10.200 --> 0:06:13.760 like substations. And originally these were kept separate because you know, 0:06:13.800 --> 0:06:16.880 if OT, like a substation or circuit breakers on the 0:06:16.880 --> 0:06:20.120 grid were compromised, then it could result in power outages. 0:06:20.400 --> 0:06:24.200 So keeping IT and OT separate was the OG, like 0:06:24.240 --> 0:06:27.680 the original kind of cybersecurity mechanism for the power system 0:06:27.800 --> 0:06:31.200 to ensure a hack in it would not impact the 0:06:31.200 --> 0:06:34.560 physical grid. But I mean now we're seeing utilities are 0:06:34.560 --> 0:06:37.760 digitalizing at a rapid pace. And what I mean by 0:06:37.800 --> 0:06:41.960 digitalizing is that, as mentioned earlier, the grid is integrated 0:06:42.040 --> 0:06:46.000 news technologies like sensors and analytics software to access and 0:06:46.080 --> 0:06:49.279 analyze data from the power system to help run this 0:06:49.360 --> 0:06:52.680 physical infrastructure more efficiently. So this is great, you know 0:06:52.760 --> 0:06:55.360 if you think about efficiency, But this also means we're 0:06:55.360 --> 0:06:58.680 integrating IT and OT. So with this new link between 0:06:58.839 --> 0:07:03.080 information technology and operational technology, if a cyber thread actor 0:07:03.160 --> 0:07:05.480 hacks into an IT system, you know a simple thing 0:07:05.520 --> 0:07:07.840 like a phishing email, it might be able to move 0:07:07.920 --> 0:07:11.880 laterally and access ot networks and really cause damage to 0:07:11.920 --> 0:07:13.080 the grid like we've been seeing. 0:07:13.400 --> 0:07:15.640 So we talked a little bit about the olden days 0:07:15.640 --> 0:07:18.880 of the grid when things weren't as interconnected, and there 0:07:18.960 --> 0:07:21.680 is some brilliance in that simplicity in that. 0:07:22.000 --> 0:07:22.560 Is there a. 0:07:22.480 --> 0:07:25.760 Move to in some way make these grids a little 0:07:25.760 --> 0:07:29.080 bit isolated from one another to actually minimize the risk. 0:07:29.240 --> 0:07:32.040 I know that there's a lot to gain in terms 0:07:32.120 --> 0:07:35.080 of efficiency and reducing waste when we have a much 0:07:35.120 --> 0:07:38.040 more connected grid. And we're all familiar with these terms 0:07:38.040 --> 0:07:40.920 connected grids, smart grid, and actually even the rise of 0:07:40.960 --> 0:07:43.800 new business models like virtual power plants. But is there 0:07:44.040 --> 0:07:47.000 a space for grids to not be connected with one 0:07:47.000 --> 0:07:50.440 another and to have a series of non connected units 0:07:50.720 --> 0:07:53.600 that you know, the connectivity essentially ends somewhere, And is 0:07:53.640 --> 0:07:57.200 there thought being given to how connected is to connected? 0:07:58.640 --> 0:08:02.560 That's a good question. I think that it would be 0:08:02.680 --> 0:08:06.520 very difficult not to have connected grids because we need 0:08:06.960 --> 0:08:10.480 both ram above and distribution grids and transmission grids and 0:08:10.760 --> 0:08:16.080 interconnection among these grids to support a broader sustainable energy transition. 0:08:16.360 --> 0:08:19.280 So I think what we need to do is understand 0:08:19.360 --> 0:08:22.280 that the power grid is getting more and more access 0:08:22.480 --> 0:08:26.080 to distributed energy resources such as evs such as roofs 0:08:26.120 --> 0:08:29.800 of solar and batteries that are connected to the distribution grid, 0:08:29.800 --> 0:08:32.959 which are connected to the transmission grid, which are communicating 0:08:33.000 --> 0:08:35.400 more and more with one another to help balance the 0:08:35.440 --> 0:08:40.000 overall power system. And as more of these decentralized energy 0:08:40.040 --> 0:08:44.679 resources come online, the cybersecurity of power systems also needs 0:08:44.679 --> 0:08:48.880 to reflect or mirror increasingly decentralized nature of the power 0:08:48.960 --> 0:08:51.320 system as well. Because it's happening, We're seeing a lot 0:08:51.360 --> 0:08:54.080 more virtual power plan projects. We're seeing a lot of 0:08:54.120 --> 0:08:58.280 more distribe engry resources come online. So of course some 0:08:58.520 --> 0:09:01.640 grids might like for example, microgrids, they can be islanded 0:09:01.679 --> 0:09:04.400 when need be. But what we're seeing is that a 0:09:04.440 --> 0:09:07.760 broader focus on coordinating the broader power system. 0:09:08.160 --> 0:09:11.160 Now, cyber attacks are something that are probably not new 0:09:11.200 --> 0:09:13.440 to any of us. We all think about phishing emails 0:09:13.480 --> 0:09:15.520 when we think about our own inbox. And what I 0:09:15.559 --> 0:09:19.480 want to know is how much of the focus I 0:09:19.520 --> 0:09:22.640 guess on these cyber criminals is on the energy system. 0:09:22.760 --> 0:09:24.200 And is this a big thing for us to be 0:09:24.200 --> 0:09:24.800 worried about. 0:09:24.960 --> 0:09:29.679 I mean, short answer, yes, Unfortunately, that's exactly what we're 0:09:29.720 --> 0:09:33.319 seeing is that cyber attacks on utilities are on the rise, 0:09:33.800 --> 0:09:38.240 and the frequency of cyber attacks on utilities are reaching 0:09:38.320 --> 0:09:42.160 even new very high levels. And this is because as 0:09:42.200 --> 0:09:45.320 we digitalize the power system and connecting more and more 0:09:45.400 --> 0:09:49.040 connected resources. Connecting mean that they're connected to the internet, 0:09:49.200 --> 0:09:51.920 it means that the cyber attacks surface of the power 0:09:51.920 --> 0:09:54.800 system is growing and because of that, we're seeing more 0:09:54.960 --> 0:09:59.240 cyber attacks. So the frequency of cyber attacks on utilities 0:09:59.280 --> 0:10:02.440 we saw reach very high levels during the pandemic and 0:10:02.520 --> 0:10:05.880 part driven by more remote work and cyber attacks have 0:10:05.920 --> 0:10:09.400 also been increasing since the war in Ukraine, potentially because 0:10:09.400 --> 0:10:12.559 this is allowing threat actors to showcase their cyber war 0:10:12.600 --> 0:10:16.559 for techniques. So it's clear that this geopolitical and social 0:10:16.600 --> 0:10:20.560 issues and upheaval usually leads to an increase in cyber attacks, 0:10:20.840 --> 0:10:23.960 and this seems to indicate that the energy sector really 0:10:24.040 --> 0:10:26.600 is becoming more and more of a target. For example, 0:10:26.640 --> 0:10:29.320 according to the data from IBM, the energy sector for 0:10:29.400 --> 0:10:32.760 about eleven percent of the total global number of cyber 0:10:32.800 --> 0:10:36.160 attacks IBM tracked in twenty twenty two, which is higher 0:10:36.200 --> 0:10:38.960 than the sector's pre pandemic levels of about six percent, 0:10:39.360 --> 0:10:43.400 and North America in particular has been the most targeted 0:10:43.440 --> 0:10:46.439 region for attacks, according to this data on energy firms 0:10:46.480 --> 0:10:47.839 over the past two years. 0:10:48.280 --> 0:10:52.720 What happens after a cyber attack? Do the consequences include 0:10:53.040 --> 0:10:56.120 needing to as you referenced, know if something gets broken, 0:10:56.200 --> 0:10:59.520 repairing kit or is this a conversation around actually being 0:10:59.559 --> 0:11:02.360 held round because that happens sometimes as well, where they 0:11:02.400 --> 0:11:05.440 won't release your system until you've paid a certain amount 0:11:05.480 --> 0:11:08.679 to the cyber criminal. What happens and how do these 0:11:08.679 --> 0:11:13.120 companies respond to these attacks when something does go wrong? 0:11:13.440 --> 0:11:16.320 Yeah, I mean a cyber attack can make many things 0:11:16.360 --> 0:11:20.199 go wrong, from money being lost due to just downtime 0:11:20.280 --> 0:11:22.880 of the power system, to having to pay off ransomware, 0:11:23.120 --> 0:11:26.480 to potentially having to pay fines because the cyber attack 0:11:26.600 --> 0:11:29.760 was caused by some kind of non compliance with regulation, 0:11:30.240 --> 0:11:33.440 or you know, fixing or repairing damage equipment. We've seen 0:11:33.480 --> 0:11:36.800 that Also, IBM estimates the global average cost of a 0:11:36.920 --> 0:11:42.440 data breach, which means just accessing illegitimate access of confidential data. 0:11:42.600 --> 0:11:44.600 They're saying the global average cost of a data reach, 0:11:44.720 --> 0:11:48.320 specifically for the energy sector, has reached nearly five million dollars, 0:11:48.559 --> 0:11:52.600 and this is because actually identifying and dealing with those 0:11:52.640 --> 0:11:56.400 reaches is getting costlier and taking longer because honestly, these 0:11:56.400 --> 0:11:59.440 cyber thread actors are getting more and more sophisticated in 0:11:59.480 --> 0:12:03.880 their techniques. At the same time, there's more technologies and 0:12:04.000 --> 0:12:07.640 services coming out specifically to respond to these attacks, so 0:12:07.720 --> 0:12:13.240 incident response technologies that includes both services like some companies 0:12:13.320 --> 0:12:17.800 like Drego's offer services like playbooks, which are basically lists 0:12:17.840 --> 0:12:21.840 of action items for specific cyber attacks that a company 0:12:22.000 --> 0:12:25.400 can do, and Dregos is specifically focused again on operational 0:12:25.440 --> 0:12:28.720 technologies such as in the grid. So other than services, 0:12:28.800 --> 0:12:32.000 there's also startups and companies coming out with new technology 0:12:32.120 --> 0:12:36.200 to support and even automate incident response. So, for example, 0:12:36.240 --> 0:12:39.880 there's a technology or group of technologies called SORE like 0:12:40.040 --> 0:12:47.040 Fly in all caps, which means Security Orchestration, Automation and Response, 0:12:47.480 --> 0:12:51.760 which uses basically AI algorithms to help both detect and 0:12:51.880 --> 0:12:55.359 automate some of the response to actual cyber incidents. 0:12:55.920 --> 0:12:59.360 So there are new companies that are seeing this vulnerability 0:12:59.440 --> 0:13:02.920 and fire a way to really help utilities figure this out. 0:13:03.000 --> 0:13:06.600 But surely it's not all coming from startups looking to 0:13:06.920 --> 0:13:10.320 strategically fix these problems. I would assume that the utilities 0:13:10.320 --> 0:13:14.120 themselves are invading in various ways to protect themselves. What 0:13:14.320 --> 0:13:17.600 is happening with the utilities and what other I guess 0:13:17.600 --> 0:13:21.880 domestically grown technologies or responses are they then turning to 0:13:22.040 --> 0:13:23.839 in order to secure their grid. 0:13:24.200 --> 0:13:28.400 What we've been seeing really is that utilities are spending 0:13:28.440 --> 0:13:33.120 more on cybersecurity and developing their own cybersecurity strategies, especially 0:13:33.120 --> 0:13:38.760 the larger utilities. So basically that involves one developing business practices. 0:13:39.200 --> 0:13:44.240 So that's things like growing security teams, having cybersecurity expertise 0:13:44.400 --> 0:13:49.920 on board levels, and also running annual incident response practices, 0:13:50.000 --> 0:13:53.680 kind of running hypothetical cyber attacks that might happen on 0:13:53.960 --> 0:13:57.640 the utility and have the security teams actually practice what 0:13:57.679 --> 0:14:01.960 they would do in that situation. That's the business evolutions side. 0:14:02.000 --> 0:14:04.480 There's also a lot of new investments coming out of 0:14:04.600 --> 0:14:07.319 utilities on cybersecurity. You know, what we're seeing is that 0:14:07.400 --> 0:14:10.760 spending is on the rise on cyber For example, in 0:14:10.800 --> 0:14:13.960 the US, we've seen that utility is a spending more 0:14:14.000 --> 0:14:19.520 in terms of capital expenditure on cybersecurity, specifically operational technology security. 0:14:19.640 --> 0:14:23.640 So for example, Southern California Edison or see their capex 0:14:23.720 --> 0:14:27.760 on cybersecurity, Rose about two thirds from sixty million USD 0:14:27.840 --> 0:14:30.520 in twenty twenty to nearly one hundred and ten million 0:14:30.760 --> 0:14:32.960 in twenty twenty one. And that was kind of driven 0:14:33.000 --> 0:14:37.120 by their grid modernization program to make sure that their 0:14:37.120 --> 0:14:41.000 grid technologies really are cybersecurity. And you know, we're BNS, 0:14:41.000 --> 0:14:43.160 so we had to quench the numbers. And we found 0:14:43.160 --> 0:14:46.560 that in the US, be calculated that the annual cybersecurity 0:14:46.560 --> 0:14:51.560 capex for utilities is likely already one billion US dollars, 0:14:51.960 --> 0:14:55.880 with the average share of capex allocation usually around one percent. 0:14:56.240 --> 0:14:58.120 And I mean, of course this might be higher or 0:14:58.120 --> 0:15:01.160 lower by utility, but this real isn't a small number, 0:15:01.280 --> 0:15:04.280 and it is likely to grow, we think as well. 0:15:04.320 --> 0:15:07.920 One regulations get more strict and two when, if, and 0:15:07.960 --> 0:15:09.840 when cyber attacks grow so. 0:15:09.960 --> 0:15:12.440 Much like you can't drive a car without insurance in 0:15:12.560 --> 0:15:15.840 many parts of the world, is there an obligation illegal 0:15:15.920 --> 0:15:20.920 obligation in some countries for cybersecurity to be in place 0:15:21.200 --> 0:15:24.400 because nobody wants blackouts, least of which the company is 0:15:24.440 --> 0:15:28.360 operating the grid and also the power providers. But are 0:15:28.600 --> 0:15:30.120 governments getting involved? 0:15:30.320 --> 0:15:32.560 The US really is leading the way in terms of 0:15:32.600 --> 0:15:36.560 regulation and standards for cybersecurity specifically in the power sector. 0:15:36.720 --> 0:15:39.640 And I think that's potentially because cybersecurity has been seen 0:15:39.680 --> 0:15:42.400 as a matter of national security for a while now. 0:15:42.800 --> 0:15:45.480 And for example, in two thousand and eight, the North 0:15:45.480 --> 0:15:51.280 American Electric Reliability Corporation NERK came out with mandatory standards 0:15:51.280 --> 0:15:55.160 for critical infrastructure protection called NIRKSIP. Sorry a lot of 0:15:55.200 --> 0:15:58.960 acronyms there, for both physical security and cybersecurity of the 0:15:59.000 --> 0:16:02.840 bulk electric system. And bulk electric system here refers basically 0:16:02.880 --> 0:16:06.280 to the transmission grid, so violations of these standards can 0:16:06.320 --> 0:16:08.880 result in fines of up to one million dollars per 0:16:09.000 --> 0:16:12.480 day per violation. But while the US has been kind 0:16:12.520 --> 0:16:16.080 of leading the charge in cybersecurity regulation and policy, I 0:16:16.080 --> 0:16:20.280 think also Europe is catching up. Originally, the European Union 0:16:20.320 --> 0:16:24.440 couldn't really impose strong regulations for power system cybersecurity because 0:16:24.560 --> 0:16:28.160 issues like cybersecurity are really related to national security, and 0:16:28.200 --> 0:16:31.120 I think countries don't really appreciate when you meddle into 0:16:31.640 --> 0:16:35.240 matters of national security, so it was difficult to do that. However, 0:16:35.440 --> 0:16:39.000 as cybersecurity is becoming more of an issue, and also 0:16:39.240 --> 0:16:41.560 I mean, we have a bunch of grid interconnections among 0:16:41.640 --> 0:16:44.960 European countries, which means a cyber attack in one country 0:16:45.040 --> 0:16:48.080 might affect another country. The EU is stepping up their 0:16:48.080 --> 0:16:51.320 cybersecurity directives as well, and the biggest thing there right 0:16:51.360 --> 0:16:55.200 now we're seeing is the Network and Information Security Directive 0:16:55.480 --> 0:16:59.120 or NIS number two, which is an update of that directive, 0:16:59.680 --> 0:17:04.199 which basically calls for essential entities which includes grids, to 0:17:04.400 --> 0:17:07.040 ramp up their cybersecurity measures. And there's a lot of 0:17:07.080 --> 0:17:10.000 fines there too, and it has to requires member states 0:17:10.000 --> 0:17:12.920 to basically set a maximum fine of at least ten 0:17:12.920 --> 0:17:16.080 million euros, which is about ten point six million dollars 0:17:16.440 --> 0:17:19.639 or two percent of their global annual revenue, whichever is 0:17:19.680 --> 0:17:22.080 higher if they fail to comply. So I think the 0:17:22.119 --> 0:17:24.720 European Union is also ramping up regulation here. 0:17:25.840 --> 0:17:28.320 Now you're only as strong as your weakest link. Is 0:17:28.359 --> 0:17:32.720 there a specific part of the network that is most vulnerable? 0:17:32.760 --> 0:17:36.640 And how do most of these problems actually get in? 0:17:37.160 --> 0:17:40.119 Is it malware connected to an email or is it 0:17:40.160 --> 0:17:43.640 something else? Is it our smart refrigerators or the electric 0:17:43.720 --> 0:17:47.240 vehicles connected to the grid directly, where are the biggest vulnerabilities? 0:17:47.560 --> 0:17:51.240 I mean, based on what I've seen, most cyber attacks 0:17:51.320 --> 0:17:55.640 on utilities are still the regular ones, So phishing or 0:17:55.680 --> 0:17:59.960 through public facing applications or through websites and stuff like that. 0:18:00.600 --> 0:18:03.760 But as we get more and more distributed enjury resources 0:18:03.800 --> 0:18:08.359 connect to the grid, like electric vehicles, smart meters, even 0:18:08.400 --> 0:18:11.320 air conditioning units are becoming smart nowadays and can give 0:18:11.400 --> 0:18:14.560 and take electricity from the paragrid, it means that we're 0:18:14.600 --> 0:18:18.080 getting more and more end points connecting to the paragrid 0:18:18.119 --> 0:18:20.879 which are also connected to the Internet. And this means 0:18:20.880 --> 0:18:25.479 that honestly, utilities networks are becoming far more complex than 0:18:25.480 --> 0:18:27.560 they used to be and have far more endpoints than 0:18:27.600 --> 0:18:32.120 they used to be, which means that having regular firewalls. 0:18:32.200 --> 0:18:34.560 I think when we think about cybersecurity, right we think 0:18:34.560 --> 0:18:37.760 about traditional firewalls, which are basically like putting a giant 0:18:37.760 --> 0:18:41.520 fence around your corporate network. That's really not enough anymore 0:18:41.520 --> 0:18:43.680 as we have more and more of these endpoints flooding 0:18:43.960 --> 0:18:47.720 utilities network, So that's really calling for new sets of 0:18:47.920 --> 0:18:53.120 cybersecurity technologies down to the actual endpoints, specific security measures 0:18:53.160 --> 0:18:56.760 for these distributed energy resources and within the network. 0:18:57.119 --> 0:18:58.800 So if I had to break this down in its 0:18:58.800 --> 0:19:02.679 simplest sense, it is a system that is connected to 0:19:03.160 --> 0:19:06.000 the electrical grid and in some way is trying to 0:19:06.400 --> 0:19:09.800 decide whether or not it pulls electricity or it stops 0:19:09.800 --> 0:19:13.520 pulling electricity based on what it's getting in terms of 0:19:13.720 --> 0:19:17.360 data from that grid, regarding perhaps peak demand at that time, 0:19:17.480 --> 0:19:20.080 in power prices or whatever that input is. What I'm 0:19:20.119 --> 0:19:23.280 wondering is with these firewalls that exist, those that are 0:19:23.320 --> 0:19:26.639 trying to break into the network, is it that the 0:19:26.960 --> 0:19:31.159 network inherently has vulnerabilities and they find those? And this 0:19:31.240 --> 0:19:35.560 raises the question of AI and an increasingly smart computer 0:19:35.600 --> 0:19:38.480 system that can go through a number of permutations very 0:19:38.520 --> 0:19:42.840 quickly and find those vulnerabilities versus when human being and 0:19:42.960 --> 0:19:46.280 mistakes do happen, responds to as you mentioned, phishing and 0:19:46.520 --> 0:19:50.119 essentially allows that vulnerability to happen because they made a mistake. 0:19:50.320 --> 0:19:52.480 I would expect that both of these exist, and you 0:19:52.520 --> 0:19:55.240 said the vast majority are coming from fishing right now. 0:19:55.480 --> 0:19:58.680 My question there lies, do we think that first scenario 0:19:59.040 --> 0:20:01.439 that I went through the w and where AI and 0:20:01.520 --> 0:20:05.360 locating those vulnerabilities without being aided by someone like myself 0:20:05.400 --> 0:20:08.600 clicking on the wrong thing, is that something that we 0:20:08.680 --> 0:20:10.560 additionally need to think about in the future. 0:20:10.880 --> 0:20:13.879 Phishing is one that we know of for now, but 0:20:14.440 --> 0:20:17.840 I think as we have more resources connecting to the grid, 0:20:18.040 --> 0:20:21.600 we have more entry points for cyber attackers. So, for example, 0:20:21.600 --> 0:20:25.119 if we think about electric vehicles, even though a utility 0:20:25.359 --> 0:20:28.239 has its own set of cybersecurity measures, it needs to 0:20:28.600 --> 0:20:32.480 interface with an increasing amount of additional second and third 0:20:32.520 --> 0:20:35.439 party players. Right, so, every think about EV's they connect 0:20:35.440 --> 0:20:38.320 to the grid, and for example, a startup called si 0:20:38.440 --> 0:20:42.600 Flow is focused specifically on EV cybersecurity, and based on 0:20:42.720 --> 0:20:47.800 data that they're sharing, they show that the communications protocol 0:20:47.960 --> 0:20:52.640 used for EV charging management systems can be compromised by 0:20:52.640 --> 0:20:55.359 cyber thread actors, and by doing that, the thread actor 0:20:55.520 --> 0:20:58.919 could for example, turn EV chargers on and off, or 0:20:58.920 --> 0:21:02.680 even steal and as more evs come online as v 0:21:02.720 --> 0:21:06.480 an EFC's will happen in our new energy outlook and 0:21:06.640 --> 0:21:09.959 electric vehicle outlooks, if we do depend more and more 0:21:10.000 --> 0:21:13.320 on electric vehicles and systems like vehicle to grid where 0:21:13.520 --> 0:21:17.080 the power system calls on EV's to help support the grid, 0:21:17.280 --> 0:21:20.439 this could really cause damage as well. So basically what 0:21:20.480 --> 0:21:23.120 I'm trying to say is as more endpoints come online 0:21:23.359 --> 0:21:25.840 and the grid depends more and more on distribute energy 0:21:25.920 --> 0:21:29.199 resources which are also connected, that's a huge issue on 0:21:29.280 --> 0:21:33.120 the endpoint security level, which is kind of lacking right now. 0:21:33.560 --> 0:21:36.440 So when I think about hacking, I think about non 0:21:36.440 --> 0:21:38.840 state actors, but we also know that some of these 0:21:38.920 --> 0:21:41.399 are either first of all state sponsored or secondly, is 0:21:41.440 --> 0:21:44.920 there a fear that essentially this could be weaponized. 0:21:45.520 --> 0:21:48.840 Yeah, I mean what's a bit scary is that cyber 0:21:48.880 --> 0:21:53.119 thread actors are getting better and better at specifically developing 0:21:53.200 --> 0:21:58.679 malware and attack techniques targeting operational technologies like substations on 0:21:58.720 --> 0:22:02.120 the power grid, Meaning they're figuring out how to launch 0:22:02.320 --> 0:22:05.720 cyber attacks that are tailor made for the power grid, 0:22:05.800 --> 0:22:09.879 and this can definitely be used in cyberwarfare. So a 0:22:10.040 --> 0:22:13.960 very famous example of an attack on an industrial control 0:22:14.040 --> 0:22:19.600 system was stucksnet, which basically targeted a nuclear power plant 0:22:19.600 --> 0:22:23.439 in Iran by taking advantage of a software vulnerability to 0:22:23.640 --> 0:22:29.560 access controllers in that plant, and basically the attackers use 0:22:29.680 --> 0:22:33.600 this vulnerability to compromise the control system and make the 0:22:33.640 --> 0:22:37.800 centrifuges spin too fast, causing damage to the plant. So 0:22:38.200 --> 0:22:40.440 this and some other examples we've seen around the world 0:22:40.480 --> 0:22:43.480 are kind of showing us that cyber warfare is an 0:22:43.560 --> 0:22:47.680 increasingly normal thing, specifically targeting the power system. 0:22:47.920 --> 0:22:50.679 Another data point that came up also from IBM is 0:22:50.800 --> 0:22:54.600 that the cost per data breach is averaging around four 0:22:54.640 --> 0:22:58.040 point seven eight million US dollars each time. So this 0:22:58.119 --> 0:23:01.200 is expensive. It's expensive for the breech and invariably now 0:23:01.200 --> 0:23:04.080 it's costing more money to try and prevent them and 0:23:04.400 --> 0:23:05.879 cut it off at the past. So this is a 0:23:05.920 --> 0:23:08.879 burgeoning industry of companies that are looking to service this. 0:23:09.200 --> 0:23:11.720 But what is the next thing for you now that 0:23:11.760 --> 0:23:15.200 you've spent time researching this, What is the next thing 0:23:15.240 --> 0:23:18.040