While the threat of cyberattacks isn’t new, the methods used by hackers continue to evolve. So it’s critical that utilities like OPPD stay vigilant in protecting their data and infrastructure from attacks.
Last month, the Department of Homeland Security (DHS) and the FBI provided analysis that led to an alert issued by the U.S. Computer Emergency Readiness Team (CERT). That alert alleges Russian hackers have mounted a long-term campaign to infiltrate and surveil critical U.S. infrastructure, including the energy and nuclear sectors. Other targets, according to the alert, include commercial facilities, water, aviation and critical manufacturing sectors.
It was an alert OPPD officials had already been made aware of due to active information analysis and monitoring processes which includes partnerships with the FBI and DHS.
The DHS and FBI characterized the action as a multi-stage “intrusion campaign” by Russian government cyber actors dating back to at least March 2016 “who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks.”
OPPD must follow regulations for the now-decommissioning Fort Calhoun Nuclear Station under nuclear regulatory requirements, said Joshua Mauk, director of Security & Information Protection at OPPD. OPPD must also meet state and industry requirements.
“How do we ensure security of our information, security of our facilities, customer privacy and the resiliency of our systems? That’s the job of our teams. Implementing a program that helps us achieve both compliance and security,” Mauk said. “We have to balance all those objectives across the district.”
Mauk said cybersecurity for OPPD is a two-pronged approach: protecting the corporate side and protecting the critical infrastructure. This is done through different technologies and processes and, for the infrastructure, there is an added layer of security.
Like other companies, OPPD must protect customer data like credit card and payment information as well as sensitive employee information. Utilities like OPPD have the added concern of protecting critical infrastructure and maintaining the nation’s power grid.
OPPD is constantly analyzing the various risks and working to adapt security to those risks. Mauk said entities targeting utilities are a high concern. Ultimately, hostile entities seek to deny service to customers or damage safety protections at facilities.
Mauk said OPPD is constantly working to educate employees to recognize phishing attacks and other ways to protect themselves and the utility. Those educational efforts and working to stay ahead of threats will continue.
Nationally, work continues to make the electric grid more resilient against such attacks and remain operational should an attack prove successful.
In February, Secretary of Energy Rick Perry announced the new Office of Cybersecurity, Energy Security, and Emergency Response to focus on energy infrastructure security.
Tabletop simulation exercises, where electricity companies practice defending against major attacks, have become a critical means for preparing to deal with attacks, said Kate Brown, vice president of Business Technology & Building Services.
Through partnerships with other utilities, city and local governments, teams of people across the nation are significantly improving the security of the larger elements of the power system, such as power plants and high-voltage transmission networks, as well as gas and water systems.
“This work and these relationships are key to our preparedness as an industry,” Brown said.