‘It’s about risk management’
In terms of maintaining the safety and security of the North American power grid, the good news is that the energy industry is "very in tune" with what it needs to do.
"The bad news is that there is an enemy that is very attuned to what it needs to do," former Director of Homeland Security Michael Chertoff said Tuesday at the GridSecCon 2013 conference in Jacksonville.
Chertoff was secretary of the U.S. Department of Homeland Security from 2005-09.
He is a former judge in the U.S. Court of Appeals and assistant U.S. attorney general.
Now, as chairman and co-founder of The Chertoff Group, he provides security consultation to corporations and government agencies.
More than 300 IT and security managers from utility companies in the United States and Canada are meeting through Thursday at the Hyatt Regency Jacksonville Riverfront.
They will discuss topics including fending off cyber attacks and how to recover when their power generation and distribution facilities are attacked either electronically or more conventionally.
It's the third annual meeting of the North American Electric Reliability Corp., said President and CEO Gerry Cauley. He said the conference is "an opportunity to share best practices to protect critical infrastructure."
Cauley said NERC collects security information from energy companies worldwide and helps the industry develop and adopt new security procedures.
During the conference, speakers and workshops will help the security professionals build defenses against attacks of all kinds, develop plans for managing the risk of an attack and recover when their utility is targeted by terrorists or others intent on disrupting the North American power grid.
Cauley said that in the past year, there has been a "shifting of intent" in terms of attempts to disrupt energy infrastructure.
"We expect a continuous onslaught of malicious attacks," he said.
"We face known and unknown vulnerabilities. The electric and power industries are at the top of the list of attractive targets," he said.
"There is no shame in being attacked. The shame is not being able to handle being attacked," Chertoff added.
The level of incursion is increasing and invasions via the Internet are not always aimed at disabling power generation and distribution.
"We are seeing increased intensity of nation-state activity" including cyber-espionage, Chertoff said.
Many attacks are merely reconnaissance. "There is a desire to understand networks," he said.
Activist groups motivated by political agendas are on the list of possible attackers, as are disgruntled employees.
Attacks from within can be malicious or merely a case of negligence.
Chertoff advised the managers to monitor who has access to critical systems and to have contingency plans.
"All of this is part of the new landscape," he said.
Chertoff described the vigilant environment for energy industry security managers as "the new normal" and said there is no end in sight.
"We are under attack and some attacks will be successful. It's about risk management, not risk elimination," he said.