Southern Co. CEO relishes role as chairman of industry's cyber brain trust

Southern Co. CEO Tom Fanning has a message for officials who warn that there is a key group of electrical substations that could be taken down and cripple the United States: "They don't know what they're talking about."

Fanning has reached that conclusion in his role as chairman of the Electricity Sub-Sector Coordinating Council, an obscure yet potent group of 30 executives that interacts with federal government intelligence and energy agencies to protect the nation's power grid from threats and devise responses should an incident occur.

Fanning took the helm of the ESCC in January at a time when severe weather recently had crippled transmission facilities along the Gulf Coast and East Coast, a major substation had been assaulted by gunmen in California and reports of attempted cyberattacks aimed at utilities appeared with increasing frequency in the media.

During the Edison Electric Institute's annual meeting in Las Vegas recently, Fanning spoke with EnergyWire about his role with the ESCC and the pending deployment within the electric utility industry of sophisticated software developed by one of the federal government's national laboratories to thwart cyberattacks.

A former chief information officer, Fanning said, "I've always kind of been aware of this stuff. I was the first guy at Southern to hire an outsider to try and hack Southern; so we've been doing that since" the middle of the 1990s, he said.


"If I let it, this could turn into a full-time job," Fanning said of the ESCC, which first met in September 2013.

He describes the group as the "body politic" of the electricity industry with its executives representing investor-owned utilities, public power utilities and electric cooperatives. Also at the table are representatives of the nuclear industry, independent power producers, independent system operators, the North American Electric Reliability Corp. and electricity trade associations.

The ESCC meets three times a year, the last time on June 4 in Washington, D.C. It reports to the Department of Homeland Security through the Department of Energy, Fanning said.

The group has three areas of focus, according to its website: tools and technology, information flow, and incident response.

A morning meeting of the ESCC members is followed by the CEOs meeting with their "counterparts at the highest levels of government," as one ESCC participant said. They include DHS Deputy Secretary Alejandro Mayorkas, DOE Deputy Secretary Daniel Poneman as well as officials from the National Security Council, National Security Agency and FBI.

"As opposed to just talking to each other, [the ESCC and the government] actually do things that improve the security posture of the industry and therefore improve the security posture of the nation. "The ESCC is the venue where that collaboration can take place," the participant said.

'Robust program' for transformers

The vulnerability of the nation's high-voltage transmission grid was dramatized in April 2013 by an armed attack on the Pacific Gas & Electric Co. Metcalf substation near San Jose, Calif., that disabled transformers and forced the utility to reroute power.

Shortly after the still-unsolved assault, Jon Wellinghoff, then the chairman of the Federal Energy Regulatory Commission, told an interviewer that a FERC analysis showed "it wouldn't take ... very many substations to take out the grid entirely in a physical attack, a coordinate physical attack basis."

A year later, The Wall Street Journal published more details from the confidential FERC analysis that concluded knocking out a relatively few key substations could cause sustained outages, triggering immediate pressure from Congress for a regulatory response. FERC then issued a fast-track order for new security standards to protect the transmission grid.

FERC's conclusion has been questioned by the commission-appointed grid reliability monitor, the North American Electric Reliability Corp., and by a White House official, Rand Beers, deputy assistant to the president for Homeland Security. Beers told a cybersecurity conference in April that the FERC analysis was based on "extraordinarily narrow" assumptions. The likelihood of such an event happening was "of such a low probability as to be next to impossible," Beers said.

Fanning agrees that the FERC analysis was based on a "static set of assumptions" that ignored the dynamic and ever-changing nature of the nation's bulk power system and does not reflect "reality."

New transmission and new generation are being added to the grid regularly and what facilities are deemed critical can change from month to month, or "condition to condition," Fanning said. "So to say that there are nine critical substations is just so flawed; they don't know what they're talking about."

Fanning pointed to the success to date of EEI's Spare Transformer Equipment Program, a voluntary effort among utilities to share high-voltage equipment (EnergyWire, March 28).

"Not only are there spare transformers; we have transportation all worked out," Fanning said.

"This is a very robust program. So, Southern Co. for example, we know what the voltage requirements are of other utilities in the STEP program. So to the extent somebody had a problem, we would organize the best way to get them a spare part.

"And this is mostly large transformers that are central to this flawed thesis of 'I can take out 10 and bring the United States down.' That just wrong; that's just so wrong," he said.

The program has 50 participants and the Bonneville Power Administration. EEI expects that number to grow and the lobby has reached out to the trade groups for the national municipal utilities and rural cooperatives to join.

Uniform response to cyber activity

Fanning was the most animated about a new "single framework to analyze, identify and react to unusual activity" in cyberspace.

The value of the "single cyber protection regime" settled on by the ESCC is "that in working with the government, we'll have a much more comprehensive approach to identify unusual activity, characterize it and then deal with it," Fanning said.

"The government has tools that can improve our situational awareness, and they are allowing us to incorporate those tools on our systems," said Scott Aaronson, EEI's senior director of national security policy and secretary to the ESCC.

One tool was developed by the government's Pacific Northwest National Laboratory in Richland, Wash.

CRISP, or the Cyber Risk Information Sharing Program, "is a suite of technologies that enable situational awareness and information sharing," Aaronson said.

"It's not just about the monitoring of the network but sharing the findings, sending threat information out to the rest of the industry that may not be CRISP adopters through the Electricity Sector Information Sharing and Analysis Center," he said.

The CRISP software is being piloted by four or five utilities, said one industry source who declined to be identified, and another 22, including municipal utilities and cooperatives, are expected to deploy it by the end of this year, he said.

CRISP works by placing information-sharing devices on a utility's communications network to monitor network traffic. "They compare that net traffic against classified databases," through the national lab and shares findings, such as bad IP address, malware or other indicators of compromise," the source said.

But CRISP is not free; "it comes with a price," he said.

Managing risk

During the interview, Fanning, a graduate of Georgia Tech, boiled down his approach to enterprise risk management by drawing a line graph on a napkin with one axis measuring magnitude and the other measuring likelihood.

"What you do here with high magnitude but low likelihood events -- this would be like a nuclear accident -- what you do here is employ strategies; you work like hell to avoid them," Fanning said.

But for cyber, physical and natural risks, Fanning sees them as usually falling into the spectrum of "high likelihood but low magnitude" that require management strategies.

"And so when you ask, 'Can [an attack] on a small municipal [utility] cause a widespread blackout?' No. What you do there is manage it," he said.

"Now somebody getting into the energy management system of Southern Co. -- avoid like crazy.

"The cost of blowing this is awful. So you have to get it right," Fanning said.

Reporter Peter Behr contributed.

Twitter: @RodKuckro | Email:

Like what you see?

We thought you might.

Start a free trial now.

Get access to our comprehensive, daily coverage of energy and environmental politics and policy.



Latest Selected Headlines

More headlinesMore headlines

More headlinesMore headlines

More headlinesMore headlines

More headlinesMore headlines