Root Causes 21: New Texas Energy Grid Security Regulation

Hosted by

Tim Callan

Chief Compliance Officer

Jason Soroko

Fellow

Original broadcast date

June 5, 2019

The state of Texas is leading the way with new legislation requiring cyber protections for its energy grid. Join our hosts as we explain this legislation, why it comes now, and its potential impact on the greater energy industry.

Podcast Transcript

Lightly edited for flow and brevity.

Jason SorokoI’m anxious to talk about Texas, where everything’s bigger.

Tim CallanTexas, where everything is bigger including cyber security loss. Texas just put itself at the head of the class by passing a pair of Senate Bills that are there to protect the energy grid. It is Senate Bill 475 and Senate Bill 936 and I believe if I'm correct these are meant to work together.

Jason SorokoLet me tell you where the impetus for this came in. It turns out that there was a report about a utility, which did not name which North American utility it was. But they apparently for some period of time, lost visibility to certain parts of the system due to what is called a “cyber event.”

Tim CallanA cyber event, whatever that’s supposed to mean.

Jason SorokoApparently this happened in early March. It’s not officially confirmed, but when the state of Texas is about to pass two laws very quickly, you might get an idea of when and where and what may have been happening.

Tim CallanIt sure could be. We know furthermore it’s not just an anonymous utility. It was a utility in a “western state.” So that adds to the suspicion that Texas is where that happened.

Jason SorokoThere’s two bills. Probably the way things work in Texas is there might be companion legal pieces. That’s the way that they pass their laws there. As you know, in California there was IoT legislation that was passed. It’s now law with regards to authentication techniques within IoT devices going into California.

This is different because it’s very specific to the power grid in the state of Texas. The first bill was to promote collaboration among the utilities and the regulators. So, in other words, I think one of the challenges that they’re trying to address with this bill is that a scary event happened and there probably was not a lot of communication happening. And there wasn’t a lot of information sharing. Whoever it is that was hit probably was like, “I don’t know how to deal with this and I don’t know where to go. All I know is that I got to keep the lights on and I need help.”

Tim CallanAnd I would guess, Jay, that there was also a concern about, “Well, how do we know that the next guy down the road isn’t going to be hit?” Right? Even if I know what’s going on or I have my response and I see certain things, certain behaviors, if that’s not being shared among the community, then that same vulnerability is just available at another utility.

Jason SorokoThere are ISACs out there for the financial industry, oil and gas, and other vertical industries, already very formalized through the federal government information sharing mechanisms. I think the state of Texas wants to have something of its own. If they’re an integrated system, it would make sense for an integrated grid to be able to share information.

So that’s what the first bill is for. It basically formalizes what that’s going to be. Probably in my mind, Tim, that first bill is to essentially form a Texas ISAC for the grid.

Tim CallanThat’s state Senate Bill 475. So now what is Senate Bill 936 do in conjunction with that?

Jason SorokoThe centralized utility commission within Texas is actually going to be put in charge of five different bullet points:

They’re going to manage what they’re calling a comprehensive cyber security outreach program, which means they’re going to go out to the wider cyber security industry and probably ask for help. Which is not a bad thing.
They’re going to meet regularly and discuss best business practices, put together training, and the way you can see state legislation being worded here, there’s probably going to be some money put aside for these kinds of activities because right now there probably are no pockets of money to be able to do these kinds of things.
They’re going to do voluntary self-assessments.
They’re going to be researching, developing best practices regarding cyber security.
They’re going to be reporting to the centralized commission on the monitoring of what’s going on.

So between those five bullet points, this legislation, to me, again looks like just putting together a pot of money to do something that’s not there already.

So for those of you might be familiar with electrical energy generation, NERC SIP, and some of these other governance pieces that are out there federally, you can tell that the state of Texas is a little bit unusual compared the rest of the country. If I'm not mistaken, back when I lived there their power grid was obviously attached to the North American power grid, but Texas kind of stood on its own.

Therefore, it makes sense for Texas to have a coordinated statewide effort and to have the state put aside two bills which essentially will probably put together some program money for this kind of thing. What it should show you is it actually took a crisis for them to just begin to do the basics.

Tim CallanI have a lot of questions on this one. Some of these are broad words like self-assessment and best practices, but when I read this, I would’ve thought they were doing this stuff already. And I guess my question is, are utilities behind the game on cyber security?

Jason SorokoI think, Tim, they’re so far behind. If anybody listening from that industry is on listening now please tell us what you think. I think that all of us give full sympathy to an important fact: You know what, Tim? My lights are on right now.

Tim CallanMine too.

Jason SorokoAnd they’re going to be on tonight and I'm not even thinking about downtime. The little bit of downtime there is in the full North American grid system is barely worth mentioning. And that’s kudos to the incredible efforts of that industry and just living in the first world. The reliability of our electrical system is incredible and thank you, thank you for that.

Tim CallanYeah.

Jason SorokoHowever, you know, it turns out we had an event in early March. I’ll be happy to go on the record for this, but it is speculation. I’ll say this, I think the only reason why our lights haven’t gone out because of a full-blown cyberattack is because the bad guys know that it would cause such a dust up, that they’re using a lot of discipline in trying to direct their cyber security powers against us towards things like fraud and stealing money rather than turning out the lights. Because people would have to react if they turned out the lights.

Tim CallanAnd if I'm a for-profit criminal, I can see how that decision gets made, although the equivalent of ransomware certainly would be one potential business model.

But, gee, if we start talking about terrorist attacks or cyber warfare scenarios, then the people who would wage those attacks would not have those compunctions about it. They would be fine with that result if it caused the damage they wanted right now.

Jason SorokoI love what you just said.

You would’ve thought that they were much further ahead. It’s the same story over and over again. You might have an IoT device in your hand and you might think, ”Oh, this thing must be secure.” If you were to actually dig into it, nine times out of ten I bet you it isn’t right now. And that’s unfortunate. The very things that we take for granted such as our power system.

I’ll go as far to say as they may be near the bottom of the list. I think they’re at the top of the list in terms of safety and uptime and reliability and all those things that are incredibly important that those engineers are just masters of.

But when it comes to cyber security, these are connected systems, and quite often they are connected to some network that at some point ingresses/egresses at the public internet. And therefore, bad things happen. The lights went out in the Ukraine. That was a full-on cyberattack, and I hate to say it, but that looked an awful lot like a practice run for other jurisdictions.

Tim CallanWe can all bet that the people who did what they did in Ukraine and in a different flavor some years earlier in Georgia certainly feel like they’re capable of doing it again. For sure and probably at a bigger scale.

Is this going to set the stage for more of this kind of activity either in other states or at the national level in the US or in other countries?

Jason SorokoI would hope so. There already is interest.

Interestingly enough, Tim, think of what’s gone on with Texas and Texas being a leader in state-level grid cyber security. One of the things that I think allowed this to pass was not just the fact that there was a crisis but that the state allowed the electrical generation and transmission industry to actually pass on the additional costs either to the end customer or to someone in the middle of the stream.

That is actually worded as part of this legislation. So believe it or not, I think what may put this over the top is the costs associated with cyber security itself. The fact that the margins are so low in some of these industries perhaps has been causing them to not act. And so therefore the states are now breaking down and saying, "Yes, you can raise the price by one penny per kilowatt" or whatever that’s going to happen to be.

Somewhere along the line somebody’s going to have to eat the cost. The fact that it is now worded in legislation might be what tips this in favor of that industry actually moving forward in a more meaningful way.

Tim CallanUtilities have kind of an unusual challenge in this regard, which is that they are private companies but at the same time they’re these sort of quasi monopolies, and as a result they are very highly regulated. They’re also considered to be for the public good, and so there’s just a lot of people up in their business all the time and actions like changing pricing aren't always available to them as options. Or reducing costs in certain ways aren’t available as options.

Jason SorokoYeah, I think the economics of this is as a huge factor in why this is as far behind as it is. It’s definitely not for a lack of good will. I also think that, as we said, reliability and safety are paramount.

You and I, Tim, you know we can talk about cyber security and with respect to enterprise IT all day long. These folks are worried about keeping the lights on, and even small changes need to be studied to within an inch of their lives, and so therefore everything’s going to be more costly.

Tim CallanIs there another important point which is cultural, Jay? If I talk to somebody who works for a grid company and I say safety, do they immediately think about downed power lines and little school children rather than what you and I think about from our background in cyber security and born-in-the-cloud, where we start thinking about computer systems? Is there a cultural orientation toward the physical elements of running an energy company that maybe causes cyber security to get less attention than it would get otherwise?

Jason SorokoAbsolutely. You and I have been in the information protection security business for multi decades. I'm sure there’s a ton of good people on the other side who’ve been making sure that things are safe and up and running and reliable for multi decades. You know we get buried in our business. They get buried in theirs. To us the world looks a certain way. To them it looks a different way. For us to come together, we need to be able to come to a common understanding.

I think this legislation though, even though it’s simply worded and quite vague and generic, I think the wording is right in the sense that it’s outreach. Take a look at that first bullet point on the second bill, this is about, “Ok guys it’s time to come together. We need to share information, and we need to learn from each other. You know you guys who are multi decade information technology experts in security need to come together with the OT (operational technology) experts and we need to come to some kind of common understanding.” It’s long overdue and it really is time to start.

Tim CallanAgreed. And hey computer industry people, without electricity the computers don’t work, so help the electricity flow.

Jason SorokoFull respect.

Tim CallanYeah this important and we’ll keep our eyes on this. You know it is interesting that this is going on more or less simultaneously with some of the legislation that we’ve seen around Internet of Things. Like California Senate Bill 327 by way of example. And it feels like even though they’re slightly separate in what they’re doing that we’re almost looking at two sides of the same coin. That the same trends are occurring in both of these very related fields.

Jason SorokoThere also is, as you know, at the federal level, federal Internet of Things (IoT) legislation and NIST already has stuff on this obviously because the federal legislation actually is worded in such a way that they are actively looking for NIST to develop guidance that are specific to Internet of Things, etc.

There’s already a lot of really good work on this. Because this is state level legislation it’s not worded that way, but I'm more than certain that folks in Texas have already been talking to some of the federal governance people and experts. The way the wording is as of right now, nothing’s stopping anything from happening. It is vague for a reason and I think it’s actually for good reasons.

Tim CallanI think we both think this is a positive development, and we’re hoping to see this have legs and be extended and used and going in other directions.

I guess I’ll leave you with one last question: We talked about these two sets of legislation and effort, the energy legislation and the IoT legislation. Do these two areas of attention ultimately have the opportunity to help and improve each other? Are we going to learn things from the IoT laws that we’re going to take back to the energy and utility laws and vice versa?

Jason SorokoIn my experience the patterns of attack seem to be very similar.

Operational technology systems obviously have information sharing mechanisms. There’s an enormous amount of valuable operational data that is sitting inside of those networks. People want to get them out. And so that’s the impetus. That’s the commercial impetus for IoT devices reporting into those networks, predictive maintenance and all kinds of other use cases that either help to save money or generate revenue in a new way.

In terms of the types of devices that are inside those grid networks right now, an enormous number of technologies are being used in a more generic IoT sense that could bear very good fruit for this industry. For that first bullet point in terms of cyber security outreach, I think that cyber security vendors who have already been dealing with operational technology networks in the physical world have solved a lot of problems already that are going to help in this grid environment.

Tim CallanI think you’re absolutely right. A lot of the same problems, and even the fact that the energy companies have to be IoT users by the nature of what they do. So there’s going to be a lot of overlap there. Hopefully these things will help each other.

Jason SorokoI’ll finish off with one more sentence. I think you had touched on at the end of the last podcast, but again you know this is a podcast about PKI, I think purpose-built PKI has a place in here. I just have a feeling about that.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!