Eric Silagy, president and CEO of Florida Power & Light, acknowledges that threats of cyber attacks against FPL and other critical suppliers are likely to last “forever.”
But he says FPL’s 5.6 million customers should be confident that the utility is making every effort it can — including subjecting the company’s employees to surprise cyber attack drills — to prevent breaches that could shut down its power grid.
Recent attacks on a critical oil pipeline in the Southeast, a meat processing company in Colorado, and even a small city-owned water system in Pinellas County have exposed the nation’s vulnerabilities to foreign hackers, prompting Congress, the president and corporate leaders to announce expensive, high-level initiatives to protect electric utilities across the country.
While FPL and other large utilities have built strong defenses against web-based intrusions, experts warn that their connections to smaller, municipal-owned or cooperative utilities that can’t devote comparable resources to defending themselves could pose a risk to large companies’ grids.
Silagy says his company has long treated the potential of a web-based attack as a serious threat. He acknowledged that connections with small, less-protected utilities are a risk, but he says any disruption would be minimal.
“We have a dedicated team of people that are involved with this, that are cyber experts that we have hired from ... mostly the federal government. These are NSA and CIA and some special operatives that come out of the military. We have a lot of IT specialists. We actually have a cyber defense operations center that monitors everything 24 hours a day, seven days a week.”
Silagy says he’s confident in the company’s ability to prevent hackers from accessing the utility’s control system. And if one gets through, Silagy says, the company can prevent any breach from cascading across its grid and shutting down power across its service area, which stretches from Pensacola to South Florida.
Silagy answered questions about FPL’s cyber defenses in a June 1 discussion with the South Florida Sun Sentinel editorial board that covered a wide range of topics. FPL officials asked that specific aspects of the company’s strategies not be revealed to the public, saying that even seemingly innocuous details could be valuable to criminals seeking to take control of the utility’s grid.
“The threat is very real and it’s serious,” FPL spokesman Christopher McGrath said.
NATION WAKES UP TO POTENTIAL FOR DISASTER
The severity of threats facing the nation’s utility grid is not a secret, however.
In April, the Biden administration launched a coordinated effort to enhance the cybersecurity of electric utilities’ control systems by working with utilities “to implement measures or technology that enhance their detection, mitigation and forensic capabilities.” The effort will be coordinated across several federal agencies, including the Cybersecurity and Infrastructure Security Agency and the Department of Energy.
Announcing the effort, Energy Secretary Jennifer Granholm said: “The United States faces a well-documented and increasing cyber threat from malicious actors seeking to disrupt the electricity that Americans rely on to power our homes and businesses. It’s up to both government and industry to prevent possible harms.”
Tom Fanning, CEO of Southern Company, an Atlanta-based regional electricity and gas provider, told a gathering of the Edison Electric Institute trade group on June 10 that utilities must start working together to ensure each can recover from a massive blackout that could shut down power to entire regions of the country, according to a report by the industry trade website Utility Dive.
His remarks came on the same day that the House Energy and Commerce Committee advanced four bipartisan bills aimed at shoring up the nation’s energy cybersecurity through enhanced public-private partnerships.
A major part of the effort, Fanning said, would involve enlisting the U.S. Department of Defense, FBI, Secret Service and Cyber Command to “impose costs” for hackers. “We want to make sure the bad guys understand there will be consequences for messing with us,” he said.
SECURITY REQUIRES CONSTANT VIGILANCE
Web-based criminals are not going to stop trying to breach the nation’s power supply anytime soon, Silagy said. “We should be very honest with ourselves and say cyber is going to be an ongoing issue forever. And you have some very sophisticated state-sponsored folks engaged in foul play in the cyber area, and there always are attempts to wreak some havoc.”
FPL’s email system, he said, receives an average of 120 million emails a month, most of which are filtered out as common spam. To combat those that elude FPL’s spam filters, the utility engages in extensive training exercises that involve deliberately sending phishing emails to find out which employees will click on types of links that could provide criminals a pathway into FPL’s network.
While modern technology can enhance FPL’s operations, “some of it creates new doors and entry points if you’re not careful,” Silagy said. “Before we deploy any new technology, one of the very first things we do is, we have to design in security measures to make sure that can stay secure when it’s deployed in the field.”
Cyber drills involving utility employees are taken as seriously as FPL takes its annual hurricane preparedness drills, he said.
They involve conducting exercises “where our business units and our leaders don’t know what’s going to happen,” he said. “Because I want to test people’s reactions. I want to understand their decision-making — what they do, how they do it, why they do it. And do they make decisions that actually thwart it, isolate it, kill it or help it spread? And I’d much rather learn those hard lessons in a drill than in the real thing.”
Large utilities such as FPL are more likely than smaller ones to have strong defenses against web-based attacks, a report by Moody’s Investors Services concluded in November after studying responses of 115 utilities that took part in a survey. Smaller, not-for-profit municipal-owned and cooperative electric companies, by contrast, are less likely to invest in the personnel and technology needed to maintain robust defenses and are more likely to rely on insurance policies to cover any damage caused by an attack, Moody’s said.
A 2019 Wall Street Journal investigation found that Russian hackers were able to find back doors into some utilities’ industrial control systems in 2016 by targeting obscure contractors and subcontractors that work with the utilities. Those companies, the paper said, had little reason to think of themselves as targets and thus were more likely to click on email attachments that installed malware onto their computers.
That malware installed code that wormed its way past utilities’ firewalls and into poorly secured “jump boxes” connecting corporate networks to otherwise walled-off control systems. The effort targeted at least 60 utilities in 24 states, managed to breach two dozen, and reached industrial control systems of at least eight utilities, the Journal reported.
SMALLER UTILITIES MOST VULNERABLE
Smaller utilities often lack staffing to focus on cybersecurity, said Lee Simonovich, vice president and global head of industrial cyber and digital security at Siemens Energy AG, in a story published by E&E News in February. City-owned utilities or small electric cooperatives might have just one cybersecurity specialist in their organizations, he said, and a breach at a small utility could provide a pathway into a larger system.
FPL is connected to numerous small utilities throughout Florida. It has a transmission line that feeds power at peak times to customers of Gainesville Regional Utilities. It shares ownership of a Georgia coal-fired generating unit with JEA, a community owned utility that serves 417,000 electric customers in the Jacksonville area. And it sells electricity at wholesale prices to numerous city-owned utilities or non-profit cooperatives throughout the state.
A JEA spokeswoman contacted for this story said the utility has a “layered defense security program,” conducts “ongoing training to improve our cybersecurity posture” and continually monitors external cybersecurity intelligence sources and takes appropriate measures to block known threats.
Silagy said that he couldn’t say with certainty that FPL’s grid would not be affected if a smaller utility is compromised in a cyber attack.
“But I feel pretty certain that it would be isolated,” he said. “It’s a hypothetical that is hard to answer because I don’t know what the level of attack is or what it isn’t, but I don’t rely on Gainesville or Jacksonville to keep the lights on. If they lost their whole system, it wouldn’t cause a problem for us being able to keep our lights on.”
©2021 South Florida Sun-Sentinel, Distributed by Tribune Content Agency, LLC.