On this week's episode of the PrOTect OT podcast, Sean Plankey joins us to examine the complexities of securing critical infrastructure in a landscape predominantly composed of privately-owned utilities. We discuss the differing challenges faced by large utilities and smaller municipalities, particularly resourcing. We also spend some time talking about emerging EV infrastructure and the related cybersecurity concerns. Don't miss the full episode, as this is just a glimpse into the start of the discussion:
Aaron: Sean, thanks for joining the podcast. Will you introduce yourself?
Sean: Sean Plankey here. I'm currently chief architect over at Bedrock Systems. Bedrock is a prevention cybersecurity capability, so a little bit different than the traditional detect and respond. But the whole idea is it's a zero trust framework application that functions down at the chipset level, mathematically verified through formal methods. Came here after working at DataRobot, a leading AI company, trying to bring cybersecurity into the AI space, or I should say bring AI into the cybersecurity space. I was CTO there as well. And then of course, I have a long history in and out of government. I worked at the National Security Council on cyber policy and then I was at the Department of Energy where I ran the Office of Cybersecurity, Energy Security, and Emergency Response. That is the office that works with industry to protect the critical infrastructure of America. And then of course I'm a veteran, prior military before that.
Aaron: So that's that CESER thing that everybody's heard about. Really interacting with the government and looking at how we protect critical infrastructure, especially in the energy space.
Sean: That's right. So that's energy, that's transportation, bridges, trains, planes, automobiles. Also, cloud computing is considered critical infrastructure, the financial sector, water, wastewater, and water treatment. Those are all majority owned by the private sector. Eighty plus percent is owned by the private sector, so the government can't just step in and impose operations on those environments. The government has to work with the private sectors to say, “Hey, how are we best protecting Americans from whether it be physical attack, which CESER covered, as well as cyber attacks.”
Aaron: And that’s interesting because a lot of our power utilities, there's big ones, all the big name players, but then there's the little small municipalities. And they don't have a technology staff. That's a big risk.
Sean: That's right. So municipalities generally have an IT person. And that IT person is supposed to be the security mechanism as well as doing everything from user accounts. Like, oh, I locked myself out. And then I've seen it where that person is also the handyman on the site, going out when a sensor is going off and they have an alarm going off in a pump system, resetting the alarm, maybe diagnosing an issue there, doing some minor electrical work even. So they're doing it all.
While there are like small rural Pennsylvania or small rural Maryland or Texas, there's also major municipalities, right? So the people of Los Angeles County have a municipality that provides power distribution, and it provides water to Los Angeles County. And their agreement for water goes all the way back to Colorado on the Colorado River. So that's a public-private partnership where it's in a semi-regulated industry.
So they can't just say, “Oh, well, we had this issue, so we're going to raise the rates.” And depending on the state this would have to be approved by votes. Or by government or by the governor signing over the ability to raise the rate for a capital expenditure or operating costs. And in that way things like security often get pushed to the bottom. Because we're so focused on just maintaining operations. I mean, you, me, as taxpayers, we're in America, we expect to be able to turn on the water and be able to drink right from the tap. And we expect to turn on the light switch and the power to work.
Aaron: Yeah, I've been part of quite a few large OT programs - power utilities, etc - and some of those are regulated where, like you said, they go get a rate case and say “Hey, we're going to do this large capital project, and here's what we're doing with it, and here's the timeline, etc.” And then they get a rate case for that, and then they use that budget for building out this capital program. But there's other municipalities and power utilities that don't have that. They can't go get a rate case. It has to come out of their bottom line. So I see different problems. One may be able to get a large capital program without O&M for ongoing support. And then the other may have a hard time getting that capital budget because that same budget would be used for maintenance on a pump, or deploying this cyber technology, and the pump may make my facility run more efficiently. Whereas the cyber in their eyes is just a cost center. It's not providing them efficiencies. It's just something that they have to pay for that they don't really necessarily even understand a lot of the time.
Sean: We talk about the capital expenditures that have recently come out of the federal budget. From $329 billion, I think, for green energy to the American Infrastructure Investment and Jobs Act. And so states are now putting in packages saying, “I'm going to put an EV charging corridor in.” Every state had plans, from EV charging corridors on their main road systems to new/revitalized dams, bridges, railroad systems, whatever it may be.
The problem is, like you said, those CapExes don't come with follow-on operating expenditure funds from the government. So many of the states are essentially nervous about what they're going to do with it. Or you've seen states announce things like in California, they went from a $33 billion surplus or some exorbitant number to cutting the taxes, giving all that money back to people, to a 25 billion deficit almost overnight. Because they're playing games with CapEx money versus OpEx money.
Aaron: So how often are they thinking about cybersecurity? Because if I'm plugging these things in, they're more than likely smart, they've got a network connection, I can configure them, which means there's some kind of cyber risk that I'm bringing in and plugging into the grid. How much of that is even considered in those numbers when they're putting those budgets out?
Sean: Right. So right now it's very limited consideration. So a couple interesting items to note. So the White House held an EV charging summit a few months ago. And the National Institute of Standards and Technology has a community of interest under the National Cybersecurity NEP program. They're starting to figure out what the cybersecurity standard should be for EV charging stations because it doesn't exist yet.
So 400 amps going down the line is a way to start fires. It's a way to potentially surge power. An EV charging station in and of itself draws more energy than an old school gas station. So when we think of that change to the grid and the 50 year old grid powered by municipal workers, who don't have the assets and resources to manage this now distribution part of the network that is surging, you have a lot more risk.
We have to think about what type of securities we're putting in vehicles, what type of cybersecurity we're putting on the charging station itself. Because although we love thinking that we're protected by these two great big oceans on both sides, that EV charging station is susceptible to somebody walking right up to it, pulling the cover off, plugging things in, even – it sounds crazy – but soldering something in, connecting some of their own device. All of these things, we have to think about cybersecurity in that contested edge space. It's a computer.
Aaron: What is something that you think we should look at to really focus on improving all these areas, whether it be visibility, understanding unlimited budgets, regulation?
Sean: I'm going to go two different answers on this, two different ways. The first one is we have to understand who's investing in the US in technology in our supply chain. And that's a full stop right now, right? There are other countries around the world that we have economic dependence on that don't allow us to invest in their commercial enterprise system. Yet we openly have allowed them to do it in ours. In fact, we rely on it in many of the electronics and digital devices that we use today.
And what we're doing there is we're allowing them to essentially infect the supply chain if they so choose. Yeah. And we've proven it. And so I would end that. I would say, “Hey, you have to know who your customer is and you can't be a customer of an adversary.”
My second activity is I think we still struggle to understand the connectivity of our networks. So we have to find ways to do better to understand, get through the fog of what we're talking about with IT-OT convergence and figure out what we have - what systems, and not only how it impacts me, but how does that impact the downstream aspects? How does that impact the other players in the environment? So I would work those two areas.
This has been an excerpt of a PrOTect OT Cybersecurity Podcast episode (edited for clarity). For the full conversation, listen and subscribe here: https://podcasts.apple.com/us/podcast/the-protect-ot-cybersecurity-podcast/id1662081824