Looking beyond the digital walls
The security of today's grid requires new collaborative strategies - and Minnkota's cybersecurity team is a step ahead in the process.
Phil Kroetsch knows the digital walls that protect Minnkota’s data inside and out. He’s helped construct the layers of security that keep hackers and other wrongdoers from causing chaos on the electric grid.
But as virtual attack attempts become more prevalent – and much more sophisticated – Kroetsch and the cooperative’s other cyber architects are moving beyond barriers and instead building new communication pathways to securely share information with others across the energy sector.
This fall, Minnkota is planning to implement Essence 2.0 in partnership with the National Rural Electric Cooperative Association (NRECA) and the Department of Energy (DOE). System information flows through a “black box” sensing technology that has been installed in Minnkota’s data center. The program continuously monitors incoming and outgoing data for anything out of the ordinary.
“This will provide us with visibility and confirm what we’re seeing in the system is actually what’s happening in the field,” said Kroetsch, Energy Management System (EMS) programmer analyst III. “Anything that falls out of our baseline will be treated as an event of interest and we’ll investigate.”
When anomalies are detected, the technology provides real-time alerts, which allow Minnkota staff to examine the potential threat. Because the electric grid is incredibly complex, the cooperative’s power system operators remain on site 24 hours a day to continuously monitor the bulk electric system and respond to events large and small.
In addition to identifying irregularities locally, the larger benefit of Essence 2.0 is being able to see beyond Minnkota’s walls of security and recognize trends across the country. NRECA currently has about 100 electric cooperatives and other utilities using the program, with the potential to add more participants in the future. The program was validated through real-world testing by the U.S. National Guard’s cybersecurity threat hunters.
“From Minnkota’s standpoint, this level of collaboration is pretty new,” Kroetsch said. “The big value is that we gain information on our system and we’re able to securely share data trends with the DOE.”
According to NRECA, Essence 2.0 can accelerate the detection of malicious cyberthreats on systems from months to seconds. This is increasingly important as hackers can spend substantial amounts of time inside a system before striking. Identifying these activities helps ensure they are immediately isolated, and information from other utilities can help determine if there may be a larger coordinated attack.
“The software can cross-check and see if multiple utilities are experiencing unusual traffic,” Kroetsch said. “We should know right away if something is going on.”
Building on partnerships
Participation in Essence 2.0 builds on Minnkota’s existing partnership with DOE through its Cyber Risk Information Sharing Program (CRISP). Minnkota joined CRISP in late 2019 and has DOE equipment installed to monitor incoming and outgoing information from the cooperative with a specific focus on internet traffic. Information is shared with DOE’s Pacific Northwest National Laboratory (PNNL), where security analysts look for leading indicators of suspicious activity.
“The real benefit is that PNNL has the capability to do large dataset analysis that we’re just not going to be able to do on our own,” said Justin Haar, Minnkota cybersecurity specialist. “By receiving data from other energy partners throughout the U.S., we’re aware of what’s going on in the energy sector and we can proactively prevent issues before they get to the point where they would affect us.”
CRISP participants currently provide power to more than 75% of continental U.S. electricity customers, and participation in the program continues to grow. The modern electric grid leaves no utility as an island, which means cyberthreats on other utilities’ systems can trickle back to affect Minnkota.
“CRISP has absolutely fed us relevant information that has helped protect us,” Haar said. “We’re getting reports that benefit from classified federal information we otherwise wouldn’t be able to access.”
With Essence and CRISP working in unison, Minnkota will have a heightened state of cyber awareness. It comes at a critical time, as cyberthreats on the energy sector are increasing. In spring 2021, the network systems for the largest pipeline in the United States were accessed by hackers, who wanted millions of dollars to return the files.
In an effort to contain the attack, Colonial Pipeline voluntarily shut down 5,500 miles of pipeline for six days, which resulted in fuel shortages throughout the East Coast. They also paid the ransom of $4.4 million in Bitcoin. Officials later determined that the cyberattack was the result of a single compromised password.
“Some of these attacks are government sponsored trying to impact critical infrastructure within the U.S., and some are from U.S.-based extremists attempting to disrupt utility operations,” said Dan Inman, Minnkota vice president and chief information security officer. “Our job is to maintain reliability for our members and we need to remain vigilant in deploying the right tools to accomplish that important job.”
Just days after the Colonial Pipeline incident, President Joe Biden signed an executive order calling for electric utilities and federal agencies to work together to strengthen cybersecurity practices and deploy technologies to enhance digital defense systems.
Technology is only one piece of the puzzle. Minnkota is also collaborating with utilities across the country to prepare employees to respond to worst-case scenarios. In November 2021, Minnkota and hundreds of other utilities and partners will participate in GridEx VI – a nationwide event to test the industry’s response to simulated physical attacks and cyberthreats. The two-day exercise is coordinated through the North American Electric Reliability Corporation (NERC), which is the regulatory agency responsible for the security of the nation’s electric grid. Minnkota employees will go through realistic simulations to determine how they would respond to cyberattacks, communication failures, misinformation campaigns and other security-related incidents.
“In many cases, the people and processes behind the technology are more important than the technology itself,” Inman said. “That’s why we have active awareness programs and training events to make sure our staff remains focused as our cyber risks continue to evolve.”
Editor’s note: October is National Cybersecurity Awareness Month.
MAIN IMAGE: Looking out over a digital display of Minnkota’s power delivery system, Justin Haar points out a substation to Phil Kroetsch. (Minnkota/Michael Hoeft)