Hack the Plant

“Most industrial economies only consume about 20% our total end use energy in the form of electricity. The rest, we consume by basically combusting fossil fuel … You could get all of your electricity from wind and solar and you've still only solved 20% of your carbon problem. A lot of the investments we've made at Energy Impact Partners are actually in electrification. Basically electrifying all that stuff that today is fueled directly by fossil fuel but in the future could be fueled by electricity.” - Andy LubershaneIn this episode of Hack the Plant, I'm joined by Andy Lubershane, Director of Research for Energy Impact Partners (EIP), a venture investment firm founded by a coalition of electricity and gas utilities. We discuss how energy companies themselves accelerate investments in clean energy such as electric, wind, and solar technologies - and the threats and challenges to this innovation from a cybersecurity perspective. Join us to learn more.

“You can only cover about 65% of the cybersecurity workforce demand with the existing workforce today. So we need to do something to address that gap. We need to either build that workforce or re-skill existing individuals that are looking to get into new fields. That's the approach that we're taking. So the need is there. We know that cyber risk is there. We know that adversaries are constantly re-skilling and skilling up as well. And we need to build a protective workforce around that.” - John EllisIn this episode of Hack the Plant, we feature John Ellis, who heads up the Industrial Cyber Alliances at Siemens Energy.  We discuss a new, industry-lead apprenticeship program he runs which focuses on critical infrastructure protection called CIISAp (short for: Cybersecurity & Industrial Infrastructure Security Apprenticeship Program). ICS village is one of the partners of this program, which is tackling the gap between shortage of skilled employees and the workforceHow is the cohort designed? How can we encourage collaboration tech companies, service companies, academia, and government to train the cyber workforce of the future?Join us to learn more.

“How do we talk about all the great things we're doing in our communities, in optimizing and trying to reduce carbon, and looking at new solutions and coming up with different technologies that can help advance to help keep prices down and keep reliability up. We're really spoiled at times in the US with how often we have our power. I've had to travel on all seven continents and had times where I didn't have power because the grid was down in other countries.” Dr. Noel SchulzIn this episode of Hack the Plant,  Dr. Noel Schulz of Washington State University joins us to talk about  innovations within the power industry. We discuss how our power systems (which we often take for granted) work, how to keep them secure, and innovations around the world in power supply. We also tackle the challenges of creating more diversity in harnessing carbon-neutral power sources…and the analogous issues of diversity and inclusion in industry.   How can we increase access to reliable power while reducing our carbon footprint? WhoJoin us as we discuss these questions, and more.

“I've been educating now for about eight years within the college system and that hands-on experiential learning is critical. When I have students do something that's like a scenario based off of different security assessments I've done or just weaving in some real world stuff, they thrive. They really get excited. They walk away from it energized.” - Dennis SkarrIn this episode of Hack the Plant, Dennis Skarr of Everett Community College joins us to talk about an industrial cybersecurity program for students he has recently built. He describes the interactive element that helps students get excited about cybersecurity - in turn inspiring the next generation of cybersecurity professionals.What success has this program had - and how, and why, should it be replicated across the country?Join us as we discuss these questions, and more.

Wind energy is one of the most rapidly growing energy generation sources in the US - how can these renewable systems stay resilient in the face of cyber attacks as the industry grows?In this episode, we hear from Megan Culler and Keith Mecham of Idaho National Labs (or INL). Megan Culler is a Power Engineer and Researcher; Keith Mecham is a Critical Infrastructure Cybersecurity Engineer.INL is a Federally funded research and development center (FFRDC): public-private partnerships which conduct research and development for the United States Government. They have the largest federally owned wind project which provides both full scale power, as well as engineering and development support to a variety of federal agencies using renewable energy.How does wind fit into our broader energy infrastructure? What threats does cybersecurity present to renewable energy? How can industry work tougher for policymakers to keep our systems secure?Join us as we discuss these questions, and more.“A big risk is people just don't understand the risks with these types of systems. I think that's starting to change, as we have larger and larger energy companies that already understand cybersecurity jumping into wind. We have projects from Royal Dutch Shell and BP and other energy companies. They're setting up huge wind farms, especially offshore. They understand cybersecurity because of their refineries and pipeline systems, better than a startup does. And we hope we see more of that bring some maturity to the industry.”-Keith Mecham

“Initially it was looking at specific types of attacks and thinking how those could be utilized against our systems, but then it became more sophisticated in thinking of how these attacks could be coordinated together by larger actors? ….  I think that regulation's role is more to draw attention and provide you with a base minimum, and then from there, it's the responsibility of those industries of those actors to step up and design the systems and implement true security.” - David CoherHow can our electrical grid system anticipate cybersecurity attacks? What is the nature of its vulnerability to attack, and what role can regulation play in securing our future?In this episode, we hear from David Coher, leader of Southern California Edison's (SCE) Energy Contract Management team, which manages their long-term energy procurement contracts (approximately $4 billion, annually). David is an attorney, who moved from real estate litigation to SCE where he established programs for cybersecurity, participation in California's Greenhouse Gas emissions Cap & Trade market, and Dodd-Frank compliance.We discussed how the power grid works and the changing landscape of keeping our energy grids safe from cyber attacks. We also explored the challenges of establishing a regulatory compliance program - in particular how to anticipate cybersecurity threats.What is next for SCE? What are some potential opportunities and threats on the horizon for the safety of our electric grid? Join us to learn more.

“We had to go out and talk to experts and just have the conversations and then be brutally honest about what those people were telling us about the problem. In many cases, we didn't even tell them what we were thinking about doing. We would call them up and say, "How are you securing your industrial control systems today?" and just listen.” - Joshua Steinman“We really learned to go in, us. Instead of imposing what we thought the problem would be for other asset owners, really let them tell us what their problems were. So that was probably one of the biggest takeaways during the customer discovery. And it was also great to hear that a lot of people had, I would say, some similar problems across different industry verticals. And everyone knew that there needed to be some change and wanted to see change. So that was also very refreshing for me.” -Brandon ParkWhat are the biggest challenges in critical infrastructure cybersecurity? In this episode of Hack the Plant, we hear from two entrepreneurs, Joshua Steinman & Brandon Park, who just did a 7 month long customer discovery process trying to understand where the key problems are now to keep our ICS systems safe from cyber threats.J​​oshua Steinman is a former naval officer, Y Combinator startup founder, and cybersecurity policy senior director during the Trump administration.Brandon Park is a Security Engineer at Amazon focused on securing ICS at scale. Prior to Amazon, he supported Department of Defense and Department of Energy projects.Their conversations spanned from ICS cybersecurity experts to operators to  executives at companies with large footprints in the space - and led to some surprising and unexpected insights that have led to the launch of something called Galvanick.How can this make our ICS more safe, reliable, or cyber-resilient? Join us to learn more.

When will hard infrastructure have machine learning capabilities? It might be sooner than you think. Ariel Stern, formerly an engineer in the Israeli Ministry of Defense and a civil infrastructure project manager, currently CEO of Ayyeka, which offers remote monitoring for industrial Internet of Things (IoT) systems. Ariel has a forward-looking approach to creating resilience in critical infrastructure…anticipating that we are entering a new era for critical infrastructure….from IoT data creation, management, and analysis to advanced Artificial Intelligence pattern recognition and prediction.Is this science fiction? Join us to learn how the technology that can create resilient infrastructure for tomorrow is here - today.

On May 12, 2021, the Biden Administration issued an Executive Order “On Improving the Nation's Cybersecurity.”  This came in the wake of  ransomware attacks drawing national attention: Solar Winds, Colonial Pipeline, and more.We take a deep dive into the Executive Order, and what it means for public and private efforts to keep our critical infrastructure safe with two attorneys and cybersecurity experts.Megan Brown is a Partner at Wiley Rein. She has deep expertise in cybersecurity and data privacy issues, working for national and global companies on cutting edge compliance and risk management.  Liz Wharton the Chief of Staff at SCYTHE where she serves as a strategic advisor for the CEO and leadership team, building and maintaining cross-department relationships, crafting external initiatives, and driving day-to-day projects and tasks. Previously she was the Senior Assistant City Attorney with the City of Atlanta, where she served on the immediate incident response team for the City of Atlanta's ransomware incident.   

In February, severe winter storms and an electricity generation failure left almost 5 million people in Texas without power, leading to hundreds of deaths, and a shortage of heat, food and water. The Electric Reliability Council of Texas (ERCOT) manages the flow of electric power to more than 26 million Texas customers. How did the massive power failure happen? What does this power outage suggest about the resilience of our critical infrastructure?Beth Garza, former director of ERCOT and senior fellow at the R Street Institute, answers these questions and more. Over the course of her 35-year career in the electric utility industry, Beth Garza has held a variety of leadership roles in generation and transmission planning, system operations, regulatory affairs and market design for both regulated and competitive entities.  Further information:Watch: Shedding light on the legislative response to the Texas blackouts. Testimony: The House Committee on Science, Space and Technology hearing on "Lessons learned from the Texas blackouts: Research needs for a secure and resilient grid."  

Daryl Haegley is the Director of Cyberspace Mission Assurance and Deterrence at the Department of Defense. Daryl oversees cybersecurity efforts to secure control systems (ICS) and operational technology (OT), and focuses on bringing awareness to the ever-increasing cyber threats. He has 30 years of military, civilian and commercial consulting experience. He has successfully advocated to change laws, DoD policy and standards, and academic curricula while initiating the first comprehensive facilities related control systems cybersecurity program of its kind within the federal government."We're going to see despite investments, despite technology, we're going to see some  ransomware on some of these critical infrastructure systems. And I think people are going to get hurt. Things are going to stop operating. Things are going to explode and there's going to be some serious consequences." 

Congressman Mike Gallagher (R-Wis.) has been instrumental in setting up the Cyberspace Solarium Commission, a bipartisan, intragovernmental body whose goal is to help create a strategic approach to defending the United States from cyber attacks of significant consequence (and for listeners of this podcast, that definitely means attacks on our critical infrastructure). Congressman Gallagher's background in the Marines, and work in the public and private sectors, gives him a unique position to help create law around the intersection of national security and cybersecurity as the two become "kitchen table issues", as he tells his constituents. 

Rob Lee, the CEO and founder of the industrial cybersecurity company, Dragos, is a pioneer in the ICS threat intelligence and incident response community. Before Dragos, Rob served as a cyber operations officer in the U.S. Air Force tasked to the National Security Agency, helping protect industrial infrastructure - an issue that leaders around the world are now wrestling with. As he likes to put it, "The threat is worse than you realize but not as bad as you want to imagine."

The Army Cyber Institute has been testing the cybersecurity preparedness of cities around the country in an experiment called Jack Voltaic. It is a major, multi-sector public private exercise aimed at understanding critical infrastructure dependencies on force deployment. We're joined by Lt. Col. Douglas Fletcher - chief data scientist - and Lt. Col Erica Mitchell - key resources research lead for critical infrastructure - to talk about their findings. 

For today's episode, I'm joined by Dale Peterson, who is on the leading edge of helping security conscious asset owners in a range of sectors effectively manage and reduce cyber risk to their Industrial Control Systems (known as an “ICS”). ICS is a computer system that monitors or controls a physical process. They  exist everywhere: power generation, water supply systems, transmission, product manufacturing. We talk today about some of the key cyber vulnerabilities in these systems, and the relationship between the government and the private sector, how CEOs and other decision makers should evaluate and deploy resources to deal with ICS cyber threats, and the importance of regulators developing metrics for improving cyber security relative to ICS systems. 

Megan Samford is the first woman Chief Product Security Officer in industrial control systems (ICS) manufacturing. She's spent time in both the private and public sectors, from Rockwell Automation and General Electric to serving two governors of Virginia and their offices of homeland security. She is also spearheading a project to develop a common language and framework for cyber security between governments, private sector and first responders in the space. Or, as she puts it: "I believe that every other type of responder in the world, whether you're a firefighter or a police officer, or a medic...there is a framework by which you could literally be picked up an airlifted and dropped into another organization or locality or state or government really, and you would seemingly know how to fall in line with the common framework to respond alongside your peers. But within cyber, it's very schizophrenic, it's very disparate, and it's largely based on the needs of individual companies."

Patrick Miller sits at the intersection of cybersecurity and regulation because, as he likes to say, "those two don't fit well." Beyond his decades of work in the space, he also co-founded BEER-ISAC, a network of individuals who comprise the human component of critical infrastructure security. They share war stories, information, intelligence and - as the name says - drinks. In this episode, Patrick explains the difference between compliance and security in the evolving space defending critical infrastructure.

"Securing and having the right measures of cybersecurity relates to the national security of the whole country and our national income." Reem Al-Shammari is the chief information security officer for the Kuwait Oil Company. She sits at the intersection of a massive swath of her country's economy - oil and gas - and the need to secure it against emerging threats faster than government regulations can be established. Because Al-Shammari works within a global industry, she also has to help ensure cross-border information sharing frameworks and practices for the six Gulf countries to stay one step ahead of bad actors.

The second half of our interview with author and strategist P.W. Singer. He discusses his latest book - Burn In - where he translates real-world research about Artificial Intelligence into a glimpse at a future we’re not too far away from if things go wrong and we do not protect ourselves."In our lifetime for the next year 10 or 20 years, artificial intelligence is not about a rebellion of the robots (a-la the Terminator). It's industrial revolution. It's a rewiring of business, military, the economy, our society with AI and automation in all its various forms...In these scenarios, AI is not just about prediction, it's also about influence."

Hackers may be our best, last hope as our dependence on connected technology is increasing faster than our ability to safeguard ourselves. This episode you will learn about I Am the Cavalry - a volunteer organization of cybersecurity experts devoted to improving the security of medical devices, transportation, connected homes, and infrastructure - and its co-founder, Joshua Corman, who serves as an ambassador between the security community and federal officials protecting us on the front lines. 

“Our dependence on connected technology is growing faster than our ability to secure it, especially in areas affecting public safety and human life.” Author and strategist P.W. Singer examines the future of war, and explains the difficulty in securing critical infrastructure against cyber attacks and technologies that are cheaper and easier for foreign and non-state actors to acquire. He also discusses how he uses the "technothriller" novel type to communicate his nonfiction research to more audiences.---Learn more about the R Street Institute at www.rstreet.org and follow them on Twitter @RSI. Learn more about ICS Village at www.icsvillage.com and follow them on Twitter @ICS_Village.  Learn more about P.W. Singer at www.pwsinger.com and follow him on Twitter @peterwsinger. He is strategist and senior fellow at New America and the author of several books including Ghost Fleet, Burn-in, LikeWar, Wired for War, Corporate Warriors, and others. 

Learn more about ICS village at http://www.icsvillage.com. Learn more about the R Street Institute at http://www.rstreet.org. Follow Bryson Bort on Twitter @BrysonBort. Follow the R Street Institute on Twitter @RSI.