Workshop C: The Electric Grid, One of America's 3 Biggest Cyber Security Vulnerabilities Requiring Significant Capital Expenditures Impacting Electric Rates: What Actions Are Being Taken in Pennsylvania to Protect the Grid
11:00 a.m. to 12:15 p.m.
Biographical Information Pamela A. Witmer, Commissioner, Pennsylvania Public Utility Commission Keystone Building, 3rd Floor, 400 North Street, Harrisburg, PA 17120 717-783-1763 pawitmer@pa.gov Pamela A. Witmer took the oath of office as a Pennsylvania Public Utility Commissioner on June 30, 2011. She was nominated to serve as Commissioner by Gov. Tom Corbett on June 7, 2011, and unanimously confirmed by the Senate on June 27, 2011. Commissioner Witmer's term will expire April 1, 2016. In her confirmation hearing remarks, Witmer promised she would be a strong, independent Commissioner, thinker and decision-maker on behalf of Pennsylvania's consumers. Witmer most recently led the energy and environment practice for Harrisburg-based Bravo Group, a governmental and public relations firm. She also recently served on the Corbett Transition Team's Energy & Environment Committee. From 2000 to 2007, she was President and CEO of the Pennsylvania Chemical Industry Council, a trade association. She formerly served in the Department of Environmental Protection under Gov. Tom Ridge as the lead legislative liaison, where she successfully steered legislation through the General Assembly to create the Department of Environmental Protection and the Department of Conservation and Natural Resources. She also previously worked as a research analyst for the Pennsylvania House of Representatives. Commissioner Witmer has served as a member of Women in Pennsylvania Government Relations and the Pennsylvania Association for Government Relations, and has been involved with the Historical Society of East Hanover Township, the YMCA Youth and Government Program, and the Escape Center for Domestic Violence. Witmer earned a bachelor's degree in public service from the Pennsylvania State University. A native of Altoona in Western Pennsylvania, Commissioner Witmer resides in Hummelstown, Dauphin County.
Steven McElwee, Manager, Corporate Information Security PJM Interconnection, 955 Jefferson Ave., Valley Forge Corporate Center Norristown, PA 19403-2497 610.666.3194 mcelws@pjm.com Steven McElwee oversees a variety of cybersecurity functions at PJM Interconnection, including cyber threat and risk analysis, security policy, vulnerability management, security monitoring and response, and cyber forensics. He is responsible for a variety of industry, government, and academic collaborative partnerships related to cybersecurity. He has over 25 years of experience in information technology and cybersecurity roles, the most recent six years at PJM. McElwee is CISSP certified and holds a BA in Computer Science from Thomas Edison, an MBA from Alvernia University, and an MS in Computer Information Systems from Boston University.
Biographical Information Alan M. Greenberg, Senior Director IT Security and Risk Compliance PPL Corporation, Two North Ninth Street #GENN1B, Allentown PA 18101 610-774-6130 agreenberg@pplweb.com Mr. Greenberg is the Senior Director for IT Security and Risk Compliance at PPL Corporation. PPL is an energy company headquartered in Allentown, Pennsylvania, and has subsidiaries in Kentucky, Montana and the United Kingdom. Mr. Greenberg is responsible for cyber security and security regulatory compliance, and supports security design, implementation and testing across all of the company's business areas. This includes IT Operations; Network and Cloud Systems; Data Centers; Mobile Device Security; policies, technologies, cyber security personnel, and protecting the energy generation operations systems. Mr. Greenberg previously served as Technical Director for Boeing's Cyber Security Business Unit, supporting activities in the federal sector, energy, aviation, automotive and satellite industries and Department of Defense programs. Additionally, Mr. Greenberg has been with Raytheon's Communication Network Group Division as the Information Assurance Group Program Manager. Alan is retired from the U.S. Army as a Signal Corps Officer, serving in a variety of assignments including Battalion, Brigade and Division G6 assignments; Signal Battalion Operations Officer; serving on multiple communication systems fielding teams; Communications Officer at the VII Corps TAC during Desert Storm; and as a Program Manager at NSA's Information Assurance Division. Mr. Greenberg has an MSA from Central Michigan University and a B.S. from Western Illinois University.
Cybersecurity and the Commission's Initiatives with the Regulated Utilities Commissioner Pamela Witmer Manufacturers Education Council Conference October 23, 2013
PA PUC Role in Cybersecurity
- Ensure compliance with law and regulation
- Conduit of information
- Break down silos: State, Federal, Industry Sectors
- We are ALL working toward a common goal
Public Utility Confidential Security Information Disclosure Protection Act (Act 156 of 2006)
Two key elements of the statute:
- Exempts from disclosure, including Right to Know Requests, confidential security information
- Penalizes Commission employees for disclosing covered information
PA PUC Utility Security Regulations 2005
- All hazards approach to security planning: events may have impacts in multiple areas
- Requires utilities to identify mission critical functions and equipment
- Develop plans covering physical security, cybersecurity, emergency response, and continuity of business operations
- Submission of a self certification
- Annually review, alter and TEST
How does the PA PUC certify compliance with the regulations?
- Technical Utility Services
  - PUC's Emergency Coordinator may visit
  - Participate in drills
  - Ask questions
  - Do inspections/investigations as needed
- Audits: Management Audit Division
  - Will perform audits on all utilities whose plant in service is valued at not less than $10,000,000
  - May help in special investigations as needed
  - Tasked with performing a one-time Emergency Preparedness Audit of all PUC jurisdictional water companies regardless of size
What Else is the PUC Doing?
- Released a draft Policy Statement
- Critical Infrastructure Interdependency Working Group
- Creating a voluntary cybersecurity contact list for our regulated and non-regulated companies
- Creating a set of best practices that will be provided to industry partners
- Facilitated cybersecurity workshop with US DHS and PA OHS for regulated and non-regulated companies
- Started a multi-state Commission working group
- Working with the PUC IT folks and the Administration's OA to review and harden the Commission's systems
- Developing cybersecurity training for Commission staff
We Are ALL Working Toward a Common Goal
- Ensure compliance with law and regulation
- Conduit of information
- Break down silos: State, Federal, Industry Sectors
- We are ALL working toward a common goal
Protecting the Power Grid Against Cyber Attacks Steven McElwee Manager, Corporate Information Security PJM Interconnection www.pjm.com PJM 2013
PJM Focus on Just 3 Things
1. Reliability: Grid Operations, Supply/Demand Balance, Transmission monitoring
2. Regional Planning: 15 Year Outlook
3. Market Operation: Energy, Capacity, Ancillary Services
Air Traffic Control for the Electric Power Grid
PJM as Part of the Eastern Interconnection
KEY STATISTICS (as of 6/1/2013)
- Member companies: 800+
- Millions of people served: 61
- Peak load in megawatts: 165,492
- MWs of generating capacity: 183,604
- Miles of transmission lines: 62,556
- 2012 GWh of annual energy: 793,679
- Generation sources: 1,376
- Square miles of territory: 243,417
- States served: 13 + DC
- 21% of U.S. GDP produced in PJM
Cyber Threats to PJM
- NATION STATES: Phishing, Malware, APT, Network Scans
- CRIMINALS: Phishing, Malware, Drive-by Attacks
- INSIDERS: Cooperation with outside actors, policy abuse, disgruntled
- HACKTIVISTS: Distributed Denial of Service, Defacement
- TERRORISTS: Denial of Service, electronic jihad
Security Starts at the Top CEO Champion of corporate cyber security goal Sponsors increased investment in cyber security SVP, Operations VP, Information Technology Services Chief Security Officer Director, IT Operations & Infrastructure Director, IT Support Services Security Program Product Owners Directs priorities and assigns resources
Information Security Strategic Framework: Risk Assessment; RISK TREATMENT PLANS; Cyber Attacks; DEFEND, RESPOND, EDUCATE, PARTNER; Metrics: Measure Effectiveness
Vulnerability Management: Penetration Testing; Vulnerability Assessment; Security Assessment Committee; Security Patch Management
Round the Clock Security Monitoring Level 1 Level 2 Business Hours Escalation Escalation Level 2 On-Call After Hours Level 1
Spear Phishing Campaigns: Baseline 20%, Results 4%
Cyber Risk Information Sharing Program CRISP Industry Participants
Cyber Security in Energy Companies Presentation to MEC Conference Alan Greenberg Senior Director IT Security October 23, 2013
PPL Corporation
- One of the largest companies in the U.S. utility sector
- $12 Billion Dollar Company and a Fortune 200 Company
- Headquartered in Allentown, PA, PPL controls or owns approximately 19,000 megawatts of generating capacity in the United States
- Supports Power Generation in Pennsylvania, Kentucky, Montana and the U.K.
2013 PPL Corporation
Today's Grid has Increased Connectivity
[Diagram: Points of System Entry. Labels: Critical Loads; Energy Consuming Equipment; Non-Critical Loads; Housing; Electric Vehicles (Charging & Storage); Distributed Energy Resources (DER): Wind, Solar, Storage, Other; Installation Utility Grid Interface; Intelligent Sub Station; Intelligent Transformer Vault (HTV); Distributed Generators; Geothermal Power; On-Site Peaker; Purchase/Demand Response/Stability Support; Utilities; Energy Providers; Installation or Regional Networked Energy Operations Center (NEOC); Energy Demand Driving Information]
Every node on the System represents a Point of System Entry for an attack
Security Challenges Facing Utilities
- External threats: Sharp rise in external attacks from non-traditional sources
  - Cyber attacks
  - Organized crime
  - Corporate espionage
  - Denial-of-Service Attacks
  - State-sponsored attacks
  - Social engineering
  - Phishing and executive attacks
- Internal threats: Ongoing risk of careless and malicious insider behavior
  - Administrative mistakes
  - Careless inside behavior
  - Internal breaches
  - Disgruntled employee actions
  - Mix of private / corporate data
  - Insider attacks
- Compliance: Growing need to address an increasing number of mandates
  - National regulations
  - Industry standards
  - Local mandates
  - Potential new legislation
- Mobility; Generation Operational Impact; Intelligent Substations; Operations Center; Protecting Customer Data
The Big Picture - Good News
- PPL and most Utilities have a solid foundation in cyber security technology, policies, processes and people.
- Board-level and executive leadership emphasizing the importance of cyber security.
- Business line management realizes the importance and desires to build secure operational system.
- Good security awareness programs.
- Cyber security groups are talented.
- A major strength for cyber security is the NERC compliance program.
Remember Your Security is Only As Good As Your Entire System
Questions?