The following is a contributed article by Pedro J. Pizarro, president and chief executive officer of Edison International, the parent company of Southern California Edison, and Tom Kuhn, president of the Edison Electric Institute, the association that represents all U.S. investor-owned electric companies.
The energy grid powers our nation’s economy and nearly every aspect of our lives, and protecting the grid is a critical job and top priority for all of us. It should come as no surprise that, every day, sophisticated state-sponsored actors and criminal hackers are seeking new ways to target critical U.S. infrastructure, including the grid. These threats are real, and the stakes are high.
October is National Cybersecurity Month, and we have a responsibility — this month and always — to stress to our employees, customers and suppliers the importance of remaining vigilant against cyber criminals. The ongoing COVID-19 pandemic, recent natural disasters and looming elections create the added risk of distraction — and opportunity. It is during times like these that America’s electric companies are most vigilant since we expect an uptick in targeted cyberattacks that aim to take advantage of perceived vulnerabilities. Cybersecurity teams across all industries must remain on high alert in order to identify, understand, adapt and defend quickly against any new attacks.
Electric companies across the country use many advanced tools and systems to monitor their networks and to defend against cyberattacks. Millions of attacks have been prevented this year in the electric power industry alone, and many more are expected by year-end. It is our goal to raise awareness of what we do to protect the grid, as well as employee and customer data, and we cannot emphasize enough how small actions by employees and customers can make a large impact. This is known as cyber hygiene, and it is important no matter who you are or where you live.
Electric companies monitor systems and protect against cyberthreats 24 hours a day, seven days a week, 365 days a year. Partnerships and information sharing — among peer electric companies, government agencies and other trusted organizations committed to protecting the energy grid — are equally important to helping block millions of malicious emails, domains and websites before they even have a chance to interact with electric company systems.
Leveraging the CEO-led Electricity Subsector Coordinating Council, we partner with government agencies like the Departments of Energy and Homeland Security and local law enforcement to share actionable intelligence quickly that helps to improve our collective security posture. Still, criminal groups and state-sponsored hackers are not deterred, and they continue to look for vulnerabilities. For this reason, we use a strategy called defense in depth.
Defense in depth is a layered approach that includes multiple opportunities to detect and prevent an attack through effective security countermeasures; close coordination among industry and with government partners at all levels; rigorous, mandatory and enforceable reliability regulations; and efforts to prepare, respond and recover should an incident impact the grid. Layering is important because no single security measure is enough to protect an entire system. Think of it as having a guard dog behind a security gate, as well as security cameras, safety lighting and a security system. The more layers of defense you have, the less likely that an attacker can do harm, even if they are able to gain access.
Within electric companies, teams regularly scan the technical environment for vulnerabilities in company digital assets such as cellphones, computers, software and servers. Risk assessments are conducted regularly to ensure that projects are carried out with appropriate levels of cybersecurity protections, and these security requirements extend to the vendors and businesses that support these projects.
One of the most important aspects of a defense-in-depth strategy is people — the workers who access the systems that run the energy grid every day. Having a strong security culture among the members of our workforce makes all the difference. We strive to accomplish this culture through security training, phishing exercises and companywide preparedness drills. We also have put in place new processes and procedures for, and have enhanced our contracts with, suppliers, vendors and other business partners to strengthen their security posture along with ours.
As cyberthreats grow and become more sophisticated, we remain committed to protecting the energy grid and to strengthening our defenses. We encourage you to join our fight to prevent cyberattacks by paying close attention to your own cyber hygiene and keeping a lookout for unusual messages and suspicious links that should never be clicked.