Digital defense takes people power at Minnkota, from education to implementation.
Justin Haar’s job is to think like the bad guy.
As a cybersecurity specialist, he spends his days combing through code searching for gaps in Minnkota’s digital defense systems. While kicking the tires on the network systems, firewalls and other applications is important, Haar said that technology is actually becoming a smaller part of protecting against cyberattacks.
“When we look at how to secure our system, there are three aspects: people, the processes and the technology,” Haar said. “Technology is the smallest part. The best way to protect an organization is to educate the people and to build secure processes.”
Haar says the threats continue to evolve and expand in complexity. Most hackers are not trying to outsmart the technology, but rather focus on tricking people into providing the information they need to access the system – an act commonly referred to as phishing. Fraudulent emails and other deceptive online practices are becoming more common.
“If one of our employees opens a phishing email, it doesn’t matter what kind of firewalls we have in place or how good our other IT tools are because they’ve just let them past all that and into the system,” Haar said.
The consequences can be serious. Wrongdoers can initiate viruses, system malfunctions and communication failures and – in a worst-case scenario – gain access to the systems that control the electric grid and power plant operations. The electric utility industry is unique in that the motivation for such an attack is often not directly related to financial gain.
“The biggest threats to the cooperative have a lot more to do with interrupting our ability to generate and transmit electricity, and those come from nation states,” Haar said. “It’s not necessarily going to come from a hacker sitting in their basement. These threats come from large, well-funded, well-organized groups. That makes them particularly challenging to deal with.”
Haar said Minnkota employs a “defense-in-depth” strategy that creates layers of security for a hacker to go through. Each layer presents a potential fail point where an anomaly could be noticed by Minnkota staff.
Risks are real
The real-world impact of grid cybersecurity came to light in 2015 when hackers caused large-scale blackouts on Ukraine’s power grid. It was the first time a cyberattack was known to cause a widespread power outage.
“In the Ukraine attacks, we know the wrongdoers didn’t just break into the system,” Haar said. “They were living in those systems for months before the actual attack. They were very patient in learning everything they could so that when they were ready to initiate their attack, they had what they needed to take control of the system.”
Fast forward to 2019, when the United States experienced its first disruptive cyber event on the electric grid. While the event did not cause a blackout, generation issues or other grid impacts, it did temporarily affect system visibility for a utility in the western United States. The North American Electric Reliability Corporation (NERC) published a report in September on lessons learned from the event. NERC is responsible for developing and enforcing regulatory standards to ensure the reliability of the nation’s grid.
The first NERC Critical Infrastructure Protection (CIP) standards went into effect in 2008, and since then several new versions have added requirements and broadened the number of regulated entities and assets. These standards are enforced nationwide through recurring audits conducted by eight regional entities. Noncompliance subjects utilities to potential million-dollar fines per day, per violation.
“The number of NERC cyber requirements and impacted assets have drastically increased,” said Theresa Allard, Minnkota’s compliance manager. “The detailed requirements are complex, but it’s forced us to take a deep dive into all aspects of security and ensure we’re addressing everything.”
Allard said Minnkota uses compliance requirements as a foundation and implements additional best-practice standards to mitigate risk and enhance security.
Practice makes perfect
Minnkota has an ongoing cyber awareness program that reminds employees of the potential dangers that exist online.
“We’re trying to get our employees to think in terms of risk and recognize that just because a cyberattack hasn’t happened to us doesn’t mean it couldn’t happen in the future,” Allard said. “The threats we hear about are real and Minnkota is just as much of a target as any other utility.”
For two days in November, a large group of Minnkota employees will get a chance to put their cybersecurity knowledge to the test. The NERC-organized GridEx event will provide realistic simulations to help employees determine how they would respond to cyberattacks, communication failures, social media upheaval and other security-related incidents. It will be Minnkota’s first time as an active participant in the exercise, which includes hundreds of organizations from across the country.
“GridEx is going to allow us to think critically about how we would handle a variety of physical and cyber incidents,” Allard said. “The goal is to gather the lessons we’ve learned and implement those lessons into improved and better coordinated processes and procedures.”
Perhaps not surprisingly, the focus of GridEx is more on how people respond than on the technology. That’s by design, Allard said.
“The technology is only as good as the people and the processes behind it,” she said.
Editor’s note: October is Cybersecurity Awareness Month.
Main image: Minnkota cybersecurity specialist Justin Haar says education is key to keeping power systems safe from cyberattacks. (Minnkota/Kevin Jeffrey)