How are the public and private sectors coordinating to address the increasing global threat of cyber and physical attacks on the grid? During today's OnPoint, Scott Aaronson, managing director for cyber and infrastructure security at the Edison Electric Institute, discusses the vulnerabilities facing the U.S. grid and the latest strategic planning between the federal government and utility industry on managing these threats.
Monica Trauzzi: Hello, and welcome to OnPoint. I'm Monica Trauzzi. With me today is Scott Aaronson, managing director for cyber and infrastructure security at the Edison Electric Institute. Scott, thank you for coming on the show.
Scott Aaronson: Thanks for having me, Monica.
Monica Trauzzi: Scott, last week the Senate Homeland Security Committee held a hearing on critical infrastructure threats. How would you assess the level of cooperation that exists between the public and private sector on those issues?
Scott Aaronson: I really appreciate you asking. It's incredibly good and getting better all the time. If you think about the infrastructure that the electric grid is and what it operates, it is critical to the life, health and safety of Americans. And while the electric sector is really good at operating its machinery, its equipment, we don't have intelligence-gathering capability. We don't have a standing army, we don't have a law enforcement mandate. So we need government and the government needs us, and I'm very proud, in addition to my role at EEI, also part of the secretariat for the Electricity Subsector Coordinating Council, which really is where government and industry come together.
Monica Trauzzi: Right, and so that's the body that sort of coordinates between the utility industry and the federal government on preparing for these kinds of threats. What is the latest coming out of that group, the ESCC, in terms of strategic planning for potential attacks?
Scott Aaronson: So the ESCC, the first thing you have to understand about the ESCC is it is CEO level. Now, the joke always has been, well CEOs don't do work, they set strategic visions, they provide resources, they create accountability, they're a draw to other senior executives. And so when the folks in the corner office care about an issue, it is amazing how the rest of the enterprise cares about that issue. So we have been able to do a lot more to advance the cause of security because of the leadership of the ESCC. So we are deploying more tools and technology to improve our situational awareness. We are exercising, both as an industry and with the government, to prepare for incidents. We are sharing information, whether it's at a classified level or an unclassified level, whether it's at the CEO level or the operator level, information is flowing far better. And then last, we are working with other sectors with which we share a lot of interdependencies.
Monica Trauzzi: But is this the kind of issue that's keeping CEOs awake at night?
Scott Aaronson: It is. You know, I used to work on Capitol Hill, so this is my first real job, and I've learned that CEOs have bosses too, and in our case, it is the shareholders and our boards. And these are risks to the enterprise, and these are risks that the boards and the shareholders are taking very, very seriously.
Monica Trauzzi: In a recent assessment by NERC, the group said that there is an increased global threat of cyber and physical security. How vulnerable is North America, and is the vulnerability equal internationally or are there certain pockets that you identify that are more vulnerable?
Scott Aaronson: You really have to look at the adversaries. So there are what I would consider near peer nation states who are very sophisticated, just as the Unites States is. And so when you look at that level of sophistication, you really go back to almost that Cold War doctrine of mutually assured destruction. As you go down the level of sophistication, I like to quote the director of the CIA, John Brennan, who said those who want to attack the grid can't; those who can don't want to because of that mutually assured destruction. So to answer your question more directly, the answer is it depends, and that's always the case with security. What I would say specifically is to protect our systems, we have to be right 100 percent of the time. The adversary has to be right once. So given those odds, we have chosen to focus not just on protect and defend, but also how do we respond and recover to make sure that incidents that are likely to occur do not have catastrophic impact but are merely inconvenient.
Monica Trauzzi: And do utilities have adequate resources available to properly and fully protect their assets and the grid?
Scott Aaronson: I believe we do. There are a few things about the grid that are interesting. First of all, it's a grid of grids, so there is a lot of resiliency built in because of the redundancy. There's also excess capacity in the grid. We have 45,000 substations in the United States, so there are capabilities to restore those substations if they are damaged, and they have been in the past. And there are ability to re-engineer the system to route around affected areas. So the grid has a lot of baked-in resilience. That is a big part of our defense strategy.
Monica Trauzzi: There's been a lot of coverage of cybersecurity this past year, including a book written by Ted Koppel, and I know he was part of the Homeland Security panel, he testified there. Has cybersecurity become sensationalized, do you think, or is the coverage fair?
Scott Aaronson: So I think the perceived vulnerability may be overstated. I also think that cybersecurity was something that got people's attention, maybe 10 years ago. It was this new domain, it was this new vector of attack, but at the end of the day, we are never going to have a cyberattack that does not have physical implications. We're never going to have a physical attack that doesn't have cyber implications. So we are looking at security a little bit more holistically than just cyber, but I do think the fact that there is now the capability to impact grid operations remotely certainly changes the dynamic a little bit, and there is a book called "The Accidental Superpower" that had the United States flourished because we've got neighbors to the north and south who are friendly and oceans on both sides. Those oceans are a little bit narrower now because of the threat of cyber.
Monica Trauzzi: All right, we'll end it there. Thank you so much for coming on the show. Nice to see you.
Scott Aaronson: Thanks so much, Monica.
Monica Trauzzi: And thanks for watching. We'll see you back here tomorrow.
[End of Audio]