This story was updated at 11:42 a.m. EST.
Southern Co. CEO Tom Fanning has stepped down from his leading role on a high-level industry-government panel that channels classified cybersecurity intelligence to U.S. and Canadian utilities.
Fanning’s departure as co-chair of the closed-door Electricity Subsector Coordinating Council (ESCC), confirmed by Fanning and other officials, comes as electric utilities face a critical test if Russia moves militarily against Ukraine and turns to cyberwarfare against Western powers.
Russia’s willingness to hack into the computer systems of American companies is a threat to U.S. power companies. In recent years, criminal groups with Russian ties launched aggressive campaigns to gain access to U.S. and European energy infrastructure. Security analysts say access to U.S. systems opens the door to Russian sabotage.
Fanning, representing the interests of major investor-owned utilities, made it a personal mission over the past decade to get more actionable information on the most serious threats to U.S. grid operators. He’s advocated for more government and private-sector collaboration, and he stressed the need for utilities, banks and telecom companies to link arms with U.S. military and security agencies charged with deterring state-backed hackers.
In an interview, Fanning noted the importance of two-way communication on cyberthreats, including information the industry shares about attacks it discovers.
“The private sector of the United States must collaborate with the intelligence community, our sector-specific agencies and the people in government who will hold the bad guys accountable,” Fanning said, “whether that’s DOD, FBI, the Secret Service or U.S. Cyber Command.”
Fanning will be replaced as ESCC co-chair by Bill Fehrman, CEO of Des Moines, Iowa-based Berkshire Hathaway Energy. Fehrman has led industry participation in the Biden administration’s 100-day action plan to deploy cyberdefense technologies to defend grid operations centers and other vital industrial control systems.
In December, Fanning was selected to chair a new advisory committee under the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). Fanning told E&E News that a key committee focus will be on strategies to help the nation survive an extreme cyberattack by protecting the most vital facilities and functions, “hopefully to avoid the ‘bad day.’”
The Russian threat
The shift in the electricity industry’s cyberdefense leadership comes as grid operators analyze the Russian threat and prepare for the worst (Energywire, Jan. 18).
With President Biden standing beside Ukrainian President Volodymyr Zelenskyy, U.S. officials say they’re also concerned about the threat to Ukraine’s power grid. In December 2015, a Russian cyberattack on Ukraine’s electric grid left almost 250,000 people without power.
“We’ve been warned by our government partners to be extra vigilant because of the possibility of Russian attempts to compromise critical infrastructure,” said ESCC co-chair Duane Highley, who represents rural electric cooperatives. “We’re on high alert and keeping our systems tight.”
Analysts aren’t expecting the Kremlin to launch a major cyberattack on the U.S. if it goes to war in Ukraine. That would mean a two-front war for President Vladimir Putin. Still, Russia remains the largest state threat to the U.S. grid, according to the Homeland Threat Assessment released by DHS.
In early January, CISA, the National Security Agency and the FBI warned operators of critical U.S. infrastructure to be cautious as tensions ramp up, noting previous Russian hacks on the utility industry. Last week, the FBI asked businesses to alert the bureau if they see an increase in Russian cyberthreats, according to CNN.
During his tenure, Fanning was at the center of efforts to build trust between the government and energy companies, as digital threats increased.
Distrust was a two-way street. How much top-secret data the government has been willing to share with companies, and the willingness of private companies to give government a window into operations, raised questions about America’s capacity to thwart cyberattacks.
“I have seen a progression in the government’s response,” said Highley, CEO of the Tri-State Generation and Transmission Association Inc., based in Westminster, Colo. “Before, we’d get information along the lines of ‘There are some threats, but we can’t tell you what they are.’ It was very vague.”
He also cited Fanning’s push for collaboration among industry sectors: energy, telecoms and big banks.
The CEO-led ESCC plays a key role in developing strategies for the electricity sector to respond to natural disasters as well as cybersecurity threats. During the early days of the Covid-19 pandemic, the group regularly released guidance on how utilities should prepare.
In addition, the ESCC set up a Cyber-Mutual Assistance Task Force, which mirrors a system that utilities use to share resources after a major storm.
Tom Kuhn, president of the Edison Electric Institute, saluted Fanning in a statement for his role in building the ESCC into a fast-response partnership among industry and government leaders “to manage whatever hazard we are facing, be it hurricanes, wildfires, cyber threats, a global pandemic, or disruptions to supply chains.”
Fanning said he will remain a member of the 30-member ESCC, just not co-chair.
He also says he’ll maintain a leadership role during extreme weather events. The ESCC coordinates with DHS, the Department of Energy and other agencies during major storms to ensure electricity is quickly restored to areas that lose power. That includes coordinating mutual assistance for stricken utilities.
Berkshire Hathaway’s Fehrman, who replaces Fanning, has also been deeply involved in cybersecurity issues. He serves on the president’s National Infrastructure Advisory Council and is chairperson of the member executive committee at the Electricity Information Sharing and Analysis Center at the North American Electric Reliability Corp., or NERC.
Fehrman has played an important role in NERC’s GridEx security exercises. He has also supported the Joint Cyber Defense Collaborative (JCDC) that aims to improve the private sector’s relationship with the federal government.
At an event in October hosted by Auburn University’s McCrary Institute, Fehrman said for perhaps the first time in his career he’s watching the government knock down silos inside and outside of government. “And private companies have a role in this,” he said.
In that appearance, Fehrman criticized what he calls the intelligence agencies’ excessive tendency to classify information that could be important to grid operators.
Fehrman said that sharing actionable information quickly is the “end goal” of the JCDC collaboration with the government.
“The most depressing time for me is when I go into these briefings, and I get told all this information, and then I’m booted out and I go home, and I have nothing that I can do for it,” Fehrman said at the event.
Fanning said Fehrman was his personal choice to follow him at ESCC.
Fanning had been working with Anne Neuberger, the deputy national security adviser for cyber and emerging technology, on the first pilot program under the administration’s 100-day cybersecurity “sprint.”
His schedule was getting very busy, Fanning said, so he asked Fehrman to step in on the 100-day sprint. He called Fehrman a workhorse, not a show horse. “He’s done a really good job with it, and based on his good work, I asked him to follow me as [co-chair] of the ESCC.”