Without electricity, the world pretty much shuts down, and without gas to heat homes, Wisconsin residents would have a hard time coping with winter.
As CEO of Madison Gas & Electric, Gary Wolter knows his company has to secure its technology to provide those services to its customers. And he knows a cyber attack that shuts down either power or gas could be deadly on a large scale.
Wolter spoke at the Fusion Executive Summit, produced by WTN Media, Monday at the Fluno Center in Madison, Wisconsin. “We recognize we are the infrastructure upon which other critical infrastructure depends. The communications system doesn’t work without electricity, the Madison Metropolitan Sewer District doesn’t work without electricity and the water supply system needs big pumps. Right down the line, our infrastructure depends on electricity — think about hospitals.”
He continued, “The electrical system is largely automated, and much of the key infrastructure is out in the open, often in remote locations. Last year, attackers cut the communication links at a California substation and then used automatic weapons to shoot up and destroy transformers, showing how vulnerable infrastructure can be.
“The natural gas system is a little easier because, while we monitor it remotely, we don’t control it remotely. To open and close valves we send someone out in a truck.”
The company’s control systems aren’t linked to the Internet, he added.
“We have firewalls and we have safety devices, but we have to be prepared all the time, while attackers only have to get through once.”
A good attacker can hide what he is doing. The Stuxnet virus was busy destroying Iranian centrifuges while sending out signals that everything was fine, he said.
“If someone gets into the system, that’s the system we use to restart the grid. When the eastern seaboard went down, we could restore it in four days, but what if someone is inside that system trying to prevent restoration?”
David Cagigal, CIO of the State of Wisconsin, said cybersecurity became real to him when he and Major General Dunbar of the Wisconsin National Guard and Homeland Security Council attended the cyber defense conference of the National Governors Association and National Association of State CIOs in San Jose at the end of March. “Developing better cybersecurity will require people to think beyond their defined roles and job descriptions,” he said.
“You begin to realize our interdependency,” said Cagigal. “You can’t stay in your lane, you can’t be in a state of denial because there is a lot of interdependency among sectors. Private-public partnerships are the only way this will get resolved. There’s an enormous amount of work that needs to be done.”
Corporate boards of directors are looking at recent cyber attacks, such as Target, JPMorgan Chase and Sony, said CEO Wolter. “They know they have an obligation, but they are not quite sure what needs to be done.” Wolter proposed a broad approach to cybersecurity, one that goes beyond just financial assets. “Hackers could, for example, lock up a work management system and demand a payment to release it, or they could wipe out some records for fun.”
The attacker might be North Korea or China, or perhaps a 17-year-old computer genius in Ukraine. It used to be that only nation states had the resources to launch a cyber attack, but now technology has lowered the bar and that 17-year-old in Ukraine could present a real risk.
When threats come from nation states, deterrence can be successful, as it was during the Cold War when large nuclear arsenals led to a doctrine known as Mutually Assured Destruction (MAD). In cyber attacks, it is difficult to know where an attack came from and difficult to retaliate.
“I believe if we were being attacked physically — bridges, roads, buildings — the way we are being attacked in the cyber world, we wouldn’t put up with it.”
Companies should review their organization, operations and staff training to improve security.
Who has access to your system — your accountants, lawyers, and people installing software? A vendor puts out 30 thumb drives on his trade show booth — will one of your people take one back to the office and plug it in?
“The biggest threat is probably a human factor, social engineering and phishing,” he added. “Attacks have gotten more sophisticated than 10 years ago. I would guess if 20 people in your organization were targeted that at least three will click on something that looks legitimate.”
ISIS is having some success recruiting volunteers from the Midwest, he warned.
“Is the risk to your company not from some hacker in Europe or Asia but from some kid who played on your son’s soccer team?”
Corporate boards should think about where cybersecurity belongs in their organization: does the board need a cybersecurity committee, or should it place responsibility in the IT department or the audit committee? What’s the liability for a breach, is insurance available, and has anyone read the policy lately to see what is covered and what is excluded?
Wolter is starting to talk to his board of directors more frequently, and more about which skill sets are needed to conduct proper and effective risk assessments that go beyond checkbox compliance.
When a board faces the challenges of effective risk analysis, it can be very helpful in allocating financial resources. It’s important to educate your board on cyber risk scenarios and response plans. CEOs should demonstrate how they are detecting, assessing and responding to threats. There is huge interest in this topic in the boardroom, and directors have liability according to recent reports.