IATC - Energy Poverty and Potential Impacts to Other Critical Infrastructures

all right good morning and welcome to bides Las Vegas uh sorry Cavalry welcome to this track uh this is electric grid Plus+ given by uh Emma and David a few announcements before we begin sponsors we'd like to thank our sponsors especially our Diamond sponsor Adobe and our gold sponsor uh gold sponsors prism Cloud surab blue cat and some others it's their support along with other sponsors donors and volunteers that make this event possible these talks are being streamed live and as a courtesy to our speakers and audience we ask that you check to make sure your cell phones are set to silent as a reminder the bides LV photo policy prohibits taking pictures without the explicit permission of everyone in

frame these talks are all being recorded and will be available on YouTube in the future all right I'm going to pass this off now one more word all right I'm GNA since David's goingon to be our MC I'm going to slightly MC this one at least um plus I'm just a loud mouth so um these are two of our newest and favorite new collaborators um so no pressure uh but not only is am I going to outline some energy specific things but try to remember the things she's saying because they're going to touch on water on food supply on anything small medium oral Co-op or Target cyberport and thank David as well who's co-presenting because he helped make sure this track

happened again for the second year and we'll help MC today and tomorrow so welcome some of the newest change [Applause] agents hi there and that was quite the introduction thank you um today I'm actually going to talk about some of the work I've been doing with electric co-ops for the last few years but I was going to start with an introduction to me that explains why I actually care so much about the electric sector cuz usually people look at you like why do you care about electrons so much so this is me um the picture on the bottom is my first ever job working for an electric utility it's me wearing PP that's far too big for me because I was 18 years

old and it was in Scotland and they didn't actually have any women ever on the field crew so I turned up with uh gloves that were too big a giant yellow jacket that my dad probably could have worn and nothing fit me I did that for a little bit decided it was too cold and wet in Scotland for me to continue doing this I just didn't want to um went to University worked in electrical mechanical and electrochemical engineering so I like to spread between different topics um and then I decided I was kind of done with Scotland not going to lie it was cold again I moved to California um worked for four of the

National Labs currently working at Idaho National Lab um moved around quite a bit because every time I wanted to learn something new I ended up going to a different National Lab to do something different so Sandia worked in hydrogen barle worked in renewable energy and distribution grid Livermore worked in other stuff and and now Idaho um where I'm the chief parag grid scientist um for various things my more recent past before that was also working for a national Rural Electric Cooperative Association which is one of the big trade associations in DC that essentially uh looks after the 900 electric co-ops in the country so my entire career has been in the electric industry since I was probably 18 years

old at this point which is quite long ago I'm not going to lie um so I'm deeply passionate about how our electricity is delivered in multiple countries and that's somewhat how we got to hear in talking about all of this but I also have David here good morning so uh my name is David botz I work for the Edison Electric Institute um uh I started in computer science uh my first I I say my first real job after being an intern was for a utility company so I work for a utility company in the Midwest of the United States for like 20 years uh before having an opportunity to move to Edison Electric Institute if you're not

familiar with the electric industry you might say uh what is Edison Electric Institute and why does it matter why do I care so Edison Electric Institute is the trade Association for investor owned Electric utilities in un United States at a holding company level we've got approximately 63 members at a holding company level those 63 members are responsible for a little over 70% of the electricity that flows in the United States of America generation transmission and distribution the energy Market or the electricity Market in the United States is wild why because there are 3,000 Electric utilities in the United States Emma just mentioned 900 of them that are that are uh called co-ops and then in

addition there are about uh two almost 2,000 Public Power Municipal power companies most of them are teeny tiny um most of them are distribution only some of them are huge so let's talk about a huge one lwp they have uh on the order of 5 million customers so they're super big but most of them are not big most of them are small and we're going to talk about uh bigs and Smalls resourced and underresourced electric companies for the next 42 minutes Dr Emma so the other thing I wanted to add in here was a little bit of history of how we got here as well because 3,000 utilities is a kind of ridiculous number um we did form there is a long history

of how we actually got to having that starting in the 30s but I'll talk about that in a minute but the big thing that's going on just now with all of these Electric utilities is we are going through an energy transition also at the same time um if you've missed them talking about the energy transition the renewable energy uh climate change that is all happening just now and exactly the same time so what we're really been faced with just now in the electric sector is how do we do everything absolutely all together all at once we've got to make it clean reliable Equitable resilient and secure all at the same time when we're not really

there yet so interesting challenge but I like to tell stories um this actually happen summer 2020 again it's not really got a cyber angle but it's an interesting piece for how do we look at interdependent infrastructure and why everything actually matters um summer 2020 great time of the year went out for a run uh there was this giant lightning storm kicked off in Livermore California where I lived um huge dry lightning storm that eventually became known uh eventually caused what was known as the lightning complex fire um I was out running went back to my house I was like I am putting my stuff in the car this is how it ends so put everything in my car was ready to go it

was also 100° in Livermore at the time Cal ISO the independent system operator had called rolling blackouts for the area because the system was overloaded the grid was in trouble at that point also along with three giant fires that covered the majority of the bay area which is kind of insane um Livermore was having problems we were struggling the lightning also hit and massive power transformer there was two big Power Transformers sitting in limore it hit one of them as it turns out if you want to talk about cyber protections most of Northern California doesn't have lightning protection on their substations because we didn't have lightning until you know within the last 10 years lightning suddenly became more

common thanks to climate change so they didn't have lightning protection on this giant large power transformer worth millions of dollars the Transformer died half of lmore didn't have power cuz they were trying to roll power through lmore as well um at that point the Wastewater Plant also failed because they hadn't tested their failover which we told them they needed to do and they didn't do it Wastewater goes down as well at the same time at that point in this series of things happening the fire had turned around um the one on the bottom right of the red blobs essentially turned around and started heading for the city of Livermore rather than the rural area so

city of Livermore if you don't know already it also has a massive National Lab in it um which does a allow for confusion research for example um L the National Lab basically called that we were going to have to evacuate at that point most of us weren't even there at that point so we're trying to work out what we were going to evacuate from the lab at the same time um but evacuation orders all happened at the same time right along that time talking about politics and all of this intersecting Gavin n decided to announce that all of California was going to go for uh phase out gasoline powered cars by 2035 just announced this in the middle

of there being a massive emergency taking up half of California now we hadn't had power for 3 days at this point in various places and we're like so we're not going to have gas vehicles but we're evacuating a massive City just now that hasn't had electricity for 3 days what do you think would have happened so it's a really good example to me of how things aren't connected just now people are saying we need more electric vehicles on our network but they're not talking about the fact we need electrons um these small utilities are generally burdened with trying to with doing these things like electric vehicles renewable energy without us saying oh by the way it turned out you

actually needed bigger wires or you needed more cyber protections or you needed more Engineers even working on your system they get all of this put on them and that's what we're really talking about today so so a little bit of history repeating in a rather threatening picture um it's coming electricity for you this was actually an advert in the 30s that came out um I actually liken this to a lot of the threats we hear about cyber as well like cyber's coming for you this is the same thing they did telling everyone electricity was coming but it was mostly to the rural areas at that point so in the 1930s uh I believe only one in 10

rural Americans actually had power we were going through a revolution at that point electricity was coming to all the big cities people were changing their lives based on this but we still hadn't actually got power out to the rural areas in America which cover the majority of the land mass of the country um in 1936 uh they brought in the rural electrification act which essentially allowed lowcost loans to go to Farmer lowcost Federal loans to go to Farmers so that they could form electrical co-ops and work with larger utilities to actually get the lines run through contracts essentially to say hey we will serve everyone in the US power at this point so these social contracts came

into play for electric power these sorry electric Co electric co-ops were formed they were all not for profit but they were essentially the local community were all members of the Electric Co-op up and that's gone on to this day so this happened in 1936 and since then this has continued we ended up with the rural El electrification Administration which later I think evolved into USDA and the rural utility service um again when we talk about electric service we all think of Department of energy turns out USDA actually has a huge play in how the rural electric co-ops work as well most of their loans and financing actually come from the our us program instead of doe so when we're talking

about these small small rural utilities that's who we're talking about these electric co-ops not that there wasn't controversy about this this I'm looking at David just now with the holding companies um there was seven major holding companies in the US at this point um as part of this deal they were trying to break those up because they held monopolies over most of the electric service in the country um they created these fancy cartoons they were calling it the death sentence uh to the the electric service and So eventually the this is where the r electrification act came from and no okay so how did the grid actually evolve for my eyes like how did we get into this mess it's a very simple

picture so talking about 1936 we've got this nice dumb grid it works there's no fancy Electronics there it's working the electrons flow in a certain way it was remarkably reliable for what it was um so we created the Dum grid fantastic roll on 2008 we've decided to do the American reinvest act the smart grid program comes into play this is where we started getting all those devices that could talk onto the grid primarily Smart Meters ended up being one of the big things and solar energy those Smart Meters actually weren't as smart as everyone thought as it turns out because most of the customers actually rejected their being mostly Smart Meters connected to their house so we ended up

with very fancy Smart Meters that couldn't do anything which was great um then we had the clean grid I think this was around 2008 as well the sunshop program started for doe which had had a goal of uh a dollar per watt essentially we were meant a dollar per watt of solar um they actually achieved that goal in 2015 but S Note what that also meant was a lot of the solar industry moved their manufacturer offshore at this point and roll on to 2023 where we have certain problems with supply chain so decisions we make now generally for this sector roll on for the next 20 years um then we had the physical and cyber secure grid

we're around 2012 2013 at this point where we're starting to worry about physical attacks we're starting to worry about things that happened in the Ukraine um never everything has to be physical and cyber secure we change direction every few years and what we're worrying about on the electric system apart from now we we're worrying about everything um then we had the smartest grid we decided we've done it everything super smart we're doing really well with the physical and uh the physical and cyber secure grid uh you mentioned 2013 a big event happened in 2013 metf metf happened uh I I'm sorry we've got a mandatory tie policy here in the uh the propa there's your chocolate chip cookie

that's fair so far be it for me to uh defy dress code Mr Damon thank you um 2013 the metf substation attack occurred where unknown and they are as as to public record still unknown adversaries um they first uh physically attacked two underground communication vaults which which they're L literally underground the the covers are covered with dirt and leaves and branches and garbage they opened up the communication vaults they cut the fiber optics communication cables not in one one volt but in two volts one one right after another and then an unknown number of parties started to shoot um at Transformers that were in the metf substation so that is in 20 13 and we're going to talk in a

little bit about how old is new again so moving on a little bit we got to this interdependent grid which I'm moving pretty fast at this point all the blocks after physical and cyber secure essentially happened in The Last 5 Years um we got to interdependent which is where we get to the Colonial Pipeline and various other things that happened there fun fact is when Colonial happened it wasn't just that we depended on gas and that was the biggest worry when they had to restart that pipeline we had to pull out plans that had happened during Hurricane Katrina on how to restart that pipeline because all of the pumps had gone offline the pumps are lowed

starting a pump requires a whole bunch of power and affects your voltage pretty badly um at the time of Hurricane Katrina they Daisy chained diesel generators together to actually restart that pipeline because they didn't have the utilities working so to get the pipeline to start to get the utilities to work they were in a giant cycle so they Daisy chained these diesel generators together to get enough power and support the voltage to get the pipeline back on we were back there except this time at least we had electric power um so they got everything back online but again this was the circle of life that we had on the grid is when some big thing goes down we end

up stuck in a circle of problems but daisy chaining diesel generators worked out um then so then we have the uh I spoke too soon it turns out everything's interdependent everything's not that secure and we have a big problem with physical security and as it turns out when we try to make everything super smart we also left oursel open to a whole bunch of problems uh moving on really quickly we got to Shields up uh 2021 22 I'm getting dirty looks but it's okay we got to Shields up which is when we just started yelling at small co-ops that they needed to put their Shields up but not necessarily telling them how or why or how to do it we did tell people

there were certain instructions they could give that those were coming from DHS not necessarily from doe um and everyone was told this repeatedly and they got exhausted I'm not going to lie there was a number of small utilities calling me in my last position saying how are we meant to get our Shields up when we can't hold up our poles most of the time right now so then we got into climate impact um I think 2023 we had the most number ever of billion dooll weather events um causing damage to the Electric System including one that just happened about 12 hours ago in the uh Northeast where there was essentially a huge storm if you look at the news just

now there's pictures of entire distribution lines just laying flat on the ground because a tornado went through them um then we get to more physical security also um again people were shooting up Transformers in November that was that was a wonderful terrible event that was going on again we directed everyone one away from Shields up now to looking at physical security so everyone got distracted Again by the squirrel uh and then now we have money we have $1.2 trillion everyone's trying to push into the electric grid for this energy transition but what we going to do with it is a big question so where we are now um this is the picture of the three big types of

Utilities in this country there's investor owned that's his fault um there's publicly owned and then there's the Cooperative utilities but if you look at this map the large majority of the land mass is actually served by the smallest utilities where that's an issue the grid isn't interp the grid isn't independent little pieces of utility that all operate by themselves if you want to get from point A to point B most of the time you're going through five different utilities to get there and they could be three different types they could have three different regulations and three different styles of security that they're working on it's a large pathway of systems and we're having issues with how that's

defined so that's where everyone gets a slightly sad face and feels bad that they're in Vegas um there's around 21 million people in the US that owe over $700 on their energy bills that's uh one in four houses that don't actually aren't able to pay for their power with around 12% of those reported keeping their houses at an unsafe temperature that's pretty bad um when hurricane Yuri happened not hurricane Yuri storm Yuri happened uh around 200 people died because they didn't have power so they didn't have heating uh at the time it was freezing so they didn't have heating they died for various reasons because they didn't have power some of those people now um 12% of people are keeping

their houses too hot or too cold because they just can't afford the power why this is important our electric bills and what we do with security uh you pay for it we pay for everything that happens that the electric utility has to do there's no magic pot of money coming it's your rates that pay for it so whereas we might be okay there's around 25% of people in the country are not okay for paying for their power so how do we make this work how have we reached a point of no return um how do we actually make this work for everyone without burdening those that can afford at least other interesting part of this

picture um the co-ops serve 92% persistent poverty counties so those land masses in rural areas usually are where some of the persistent poverty counties really are if you look at this map also it's also where a lot of our military bases are so about 110 Co-op serve critical military installations I believe there's a lot more I and Unis as well but we have this uh group of things coming together that makes our issues with criticality pretty interesting one of the really interesting public policy issues is the following is it right is it appropriate to demand of an underresourced rural Cooperative that they themselves are responsible to defend themselves against nation state and state sponsored actors are they financed for that is it

going to show up in their rate base but it and it's just it's not just the co-ops it's it's also true I mean I think the question is a reasonable question to ask for utilities of any business model so both Public Public Utilities you know the city of Manasses public utility that is that they are responsible for the local distribution in that area or investor owned electric utilities is it the right thing to demand of electric companies to be responsible for defending themselves against nation state and state sponsored actors so another uh intersect of who delivers your power I guess it could be a game show quiz or something um and are they considered critical in the sector

you saw Josh show his picture earlier of all the different sectors to like how they're split up the electric sector to me is one of the most complicated ones in that um you had a line Josh had a line that goes from doe to again to the electric sector again there is also USDA and doe and USDA and EPA that currently have uh$ 10 billion for clean energy for utilities to apply for to um put on their system that's a lot of money but but it's not ran by Doe and the security requirements aren't necessarily being defined by Doe so clean energy is electrons going on to your system it's an interconnected system to your

operational Network do we have requirements for that yet or are we just running in into the clean energy world without actually working on that so I the little baby picture is basically showing I think if anyone has kids they probably remember that there was a baby formula shortage in the last year was pretty bad um that baby formula Factory was actually in Sturgis um I was doing a little math of where that was and what it was served by and who serves it and to try and work this out believe it or not with 20 years of electrical engineering I still had to sit and draw this out on a map because it's not that

easy um so essentially that baby formula Factory is served by a municipal electric company which Wheels power through a co-op which is served by an IOU for transmission so there was three different Utilities in play for what that was it was water that was their primary problem but if electric any one of those electric entities was down they'd have had exactly the same problem and probably not water as well so so the criticality piece for me um it becomes defined by The Entity by who they're owned by by what their boundary is on their system but I'm not sure that's working anymore for the electric sector there's too many pieces that are connected together that is relatively

unique to the electric sector um those critical functions that we've looked at make sense in the Metro areas that's great but not necessarily in rural because again we have our rural hospitals we have our other things that are out there we have mysterious baby formula factories that happen to sit that you've never hearded of until you didn't have baby formula these are all sitting in these rural areas served by multiple different utilities who are all struggling essentially to meet requirements for security so David already mentioned the military functions again private defense from the baddies I have worked with a number of the locations that Ser of military bases or have contracts that keep them alive to

serve those bases to meet the requirements they have and they all Wonder like what's going to happen when the next requirement come and they can't change their contract with the military base to increase that rate as well so people aren't necessarily working together to fix this problem which is something I would really like to work on solving so this is the other scary slide that makes people have a sad face there's over 900 Utilities in this country that don't have a single person working on it not even not once again 900 over 900 thank you less than one person and that person might not even be the person focused on it um I was doing

instant response with a 7,000 person utility as in the S of 7,000 customers they had a $3 million ransomware event happened where that Ransom was actually on their outage management system um they were in Texas there was another storm heading for them this was right after stor Yuri and I get a phone call from their singular person to say they think they're about to be fired they're crying and I'm instead of on instant response immediately I was on Mental Health response so I was more worried about this person than I was about what was going on cuz they were going to be okay but she was distraught and she was told she was going be fired by our board

that didn't understand what had happened even though a months ago she'd said hey I think we need to spend some money to fix this and the board was like nah let's not do that um but she was working with the outage managers it turned out she was also the storm responder finally enough and the communicator for this utility in particular so she was going to have to first of all tell the customers they had a ransomware event while also responding to it while coordinating their insurance which turned up to try and help while also being threatened to be fired while being paid paid $70,000 a year for doing this um but she was dedicated to her

community and that was part of this this is something I think we should work on um her dedication to her community meant she was taking it from all sides at that point but also standing there trying to stand up this utility and keep things going while everything was falling apart in both her life and the utility itself so this community angle is something I'm very interested in like how do we look at these areas differently instead of them being electric Hospital gas food is there a way that we look at them as actual units of importance that can work together on fixing this um again I've covered most of this but salaries are lower in rural areas we can't they can't

compete like there's in most utilities they actually can't compete if you've ever been paid by utility or a trade Association um most of them are using managed Services I know some that are using the Geek Squad for for their utility um and again we've got infrastructure dollars flowing there's OT providers like never before some of those are actually shadow it as in people have got this distributed resource management system installed it's sitting on the cloud yeah look at us we've got a cloud managed distributed resource system they don't have an OT Network they never had one they think it's been managed by the cloud provider they have a generation transmission entity that runs their scada but they never actually had a

cloud entity before doing this so they don't have the people to actually support it so the other pieces we've got mixed messaging from federal funding I mentioned the 20 or yeah 20 billion just now from EPA doe and USDA um what the federal funding went towards from cyber security in the same program for the electric sector in particular was 50 million a year so we've got 20 billion going into clean energy but then they also put 50 million towards cyber security so if you can do the math on the percentage that's what we're telling them is most important like that's the message they get is that's how much money your provider should put in into cyber security for

that system we do have all of these low to moderate income programs also that are saying hey we're going to give everyone that can't afford their electric bills some solar on their house great we did that really well when we built a load of Housing and flood planes um so now we're at the point where we're putting solar on people's roofs and basically creating another cyber flood because we're making them responsible for their own cyber security as well so again you'll never be able to read this but the whole point is who's responsible for keeping the lights on just as a factor um distribution system operators independent system operators transmission system those are the only

people actually legally responsible for keeping the lights on who isn't responsible for it is the energy Market providers the distributed resource operators your cloud provider um the manufacturers and implementers the installers of the solar in your house have zero responsibility for this and they definitely do not want it but they're becoming respon they're becoming what's the word responsible for installing the devices not responsible for keeping the lights on if that managed you to somehow spread into a utility system so the number of providers is impossible um when we talk about regulation for distribution this is why it's not because I don't think distribution should be doing better with their cyber security it's because I don't know who is actually responsible

for keeping the lights on at this point when we look at this system so good example that recently happened um who's actually responsible for securing the grid um when when it's behind the meter essentially your solar on your house um I worked in Hawaii um at some point they yeah I know I'm super lucky um at some point they actually installed a whole bunch of uh invertors on the system the part that connects the solar to the grid um because one particular manufacturer was super engaged with the partic with aahu essentially everyone ended up with this one particular manufacturer inverter it was how many how many different manufacturers one one just one one um everyone ended up with these invertors

across the island and um again that was great until there was a firmware pit that went arai and everybody's invertors started misbehaving and the whole system had an issue but again this recently had an impact from the Cyber perspective um again we're asking people to install solar on their houses about a few weeks ago n phas themselves had a vulnerability in their system the the alert that came out um one of the guidance pieces was make sure your firmware or your firewalls are up to date for the system and I'm like and house like you think I've firewalled my solar like I I might have I don't know anyone else that has so the guidance was

for the customer behind the meter to somehow secure their devices on the system and that's that's not going to work especially if we give it to people who don't your grandpa your grandpa needs to update his intor and his firewall yes okay that should be pretty straightforward that should be easy you know you're getting that phone phone call so last sort of example of where I think we have challenges um again I do have some solutions I just like to rant about the problems initially um you might have gathered my accent in Scottish so bear with me on this story um this is a a load curve from uh the UK um a few years ago Andy Murray the

tennis player was winning Wimbledon and Scotland's pretty pathetic at sports so when when Andy Murray was winning the whole country was super excited like everyone's like he's winning he's a hero we're doing well so how why this is important um everyone in Scotland at a couple points in that day sat down at the same time and also turned on their tea kettle exactly the same time so I'm not joking it really happened like what they did when they all turned on like there was two different sets where Andy Murray was winning they broke for the set the te kettles went on they caused a frequency swing because the whole of Scotland did this like one half of the

country and so this happened twice tce during the day and then if the red line is essentially what was happening the blue line is a normal day the red line was what was happening during Wimbledon the Blue Line uh when the red line dips dramatically that was the very last set where they thought he was going to win and everyone just sat down and so the country lost 800 megawatts of load at the same time because all of Scotland stopped so the UK isn't that big a country compared to the US but what I'm saying here is our behind the me are load is really important it can have massive impact the humans actually control it

and we don't really secure it that well at all like I know who you all are I'm fairly sure you can break into a tea kettle when it has uh a Twitter feed on it so we're causing some issues here by making everything smart but making the customers responsible for it and the small utilities so are we creating a cyber tsunami is my my question by pting lots of federal funding into our smart grid into our clean energy into our smart kettles for some unknown reason I just bought a house and my Kettle is actually smart and I don't know why Emma I'm sorry I didn't know what to do the guy had it in the house like but can we fix

it is the question and I really want to as you can gather I deeply care about the electric grid and all the things it serves but can we fix it is what I've been asking myself for the last few years so what I really think to be honest is we need to go towards an old as new approach where there was this contract to try and serve those small Utilities in a way that made sense or those customers in the rural area we need to do the same thing from a security perspective it's not really about what products or what profit anymore it's about making sure they aren't the ones that are affected by this and working out who's actually

responsible for it so again I also believe in climate change and I believe we should be securing the path to Net Zero and we should be going towards a renewable energy future I think we just should be doing it right um so securing the pathways to get to that Net Zero future is something I think is really important also securing the people that do it um again all these renewable energy providers I worked for one I I didn't care about security when I did that I wasn't in this field we didn't have requirements to do it we were just evaluating if that system was bankable for the next 20 years for a particular developer not once was I asked a

question if it was Secure not once um then secure the technology again we can't be making customers responsible for updating their firewalls to stop the energy system from crashing so secure the technology is really important again we need to look at building digital resilience through these Partnerships from the ground up I really want to look at how we redefine critical I know some of this is going on but for these particular regions um by region or utility class isn't working anymore or Sorry by utility class isn't working anymore I think Regional or um boundaries around locations would be more valid for what they're serving I think we need to look at how we design the future grid like

okay we've got a grid it relatively works sometimes most of the time um we need to focus on getting that future grid secure because it's going faster than us um consider the defense communities and also again build from the ground up so decision support has been one of the biggest challenges I helped a number of utilities work on what they were meant to deploy for for their security posture I couldn't make hide in or hair of a lot of what was available on the market I I I'm a smart person I there'd be 10 different products and it would be really hard to work out which one they need and for what because they were all

pushed with different words decision support is something we absolutely could and need to provide to the smaller locations like what do you the ground actually need to make your system secure one of the things I did was um I basically took the DHS core performance goals I have worked with a number of co-ops like which ones of these do you think are the basic 10 that your Co-op should be doing and we created a program for them that essentially was hey we're going to give you a shiny coin if you do Al 10 of these and it worked like people were excited by it they got a reward for doing these 10 things and it gave them

an actual Baseline to even get to the next level which was these goals we need to set the bar in a way that makes sense um the bar is a spinning plate from my perspective right now we don't have a a consistent discussion on what is the bar for security in this country it's I know it's constantly moving but we need a bar for people to actually get to that doesn't move 10 minutes later um I do think the public private Partnerships we need to consider taking those that profit the most out the equation for what decisions are being made for what's necessary on the system um again that's not popular I'll probably get yelled at

by 20 people for saying this but I don't necessarily think profit should be in that partnership as uh far these not for profits themselves again holistic approaches for local communities um that one person that works the utility who's the the singular it person or the point8 of a utility it person that's there they're probably also working for the hospital they're probably also helping the the small businesses in the community if there's water they're probably doing that too because they're doing everything so how do we look at backing up those people in a better way that accounts for the fact that they're not going to have independent people at every location I'm going to move on to this

one I despite I work at Idaho um I I'm very excited about cyber informed engineering I had to say it but I was excited about it beforehand cuz I think it did give people an opportunity to improve what they're doing now without worrying about different pieces um one of the things I was thinking about was how to design better principles for the interconnection of Renewables that does include security um but isn't necessarily saying again the customer needs to secure it or the utility needs to secure it um I mentioned the end phase problem again that's local that goes everywhere now everyone is keeping up with the Joneses and solar in particular your those installers that

walk around the neighborhood that I terrify every time they come near my house um they basically they'll sell a single invertor to the whole neighborhood I think one of the analyses I've actually done is if you just changed the invertors out in one feeder and made a rule saying you can only have 10% of one particular brand we'd actually be in a much better position if all of those tripped off all at the same time it there could be a massive Cyber attack on those invertors we'd still have power that would be I did this analysis for one large state that won't talk about but we'd still have power um we wouldn't cause a voltage event

everything would recover the system would be okay even at very high penetrations of Renewables that's a basic principle to apply that is very difficult to get through just now so even just looking it uh more heterogeneity on the network would be helpful as a whole and that's where the Cyber informed engineering and secure by Design principles can come from so again the other piece that people have talked about we're stuck in the middle of this this right now one of the most reliable and resilient things we could do to the electric grid with all of these devices is connect everything as in if you connect every single device and make them all work in concert we actually could have a fully

renewable operational system electrically electrically yes if you connect everything and make it all working concert we could have a very insecure system that falls apart tomorrow so we're it depends who you're talking to what we do I'm joking with my Meme here about uh from Forgetting ter Marshall where there was a surf RoR who said do more do more no do less that's where we're at with this like what how what is the optim optimal amount of connectivity that we need again cybered engineering I won't go into too much but I do think we need to set future data standards for cyber security monitoring in particular um data quality and quantity I worked in sensors I developed a sensor it before

we even got as far as it being installed anywhere we wrote a taxonomy that's not able to see but it was what grid state are we actually trying to measure with this sensor like what's our expected outcome before we actually develop a new device to measure it um I've noticed insecurity we tend to say let's just monitor everything and we'll work out afterwards we've never done that in the grid before ever like that's not a thing we don't monitor everything we don't monitor distribution Transformers the recent GAO report that said all distribution Transformers are insecure have never looked to a distribution transformer which is concerning um there not they are secure um because they have

no communication and no measurement on them at all they're just these devices sitting on the top of poles you can shoot them but you can't necessarily attack them from a cyber perspective unless you go through an interconnected system so data fusion and data taxonomy to me are Big Technical pieces that would actually help us Define what's needed a last point on data science um one of the bits of research I did in the past which is completely not cyber security but is relevant here um was looking at healthc care data I've spent an unfortunate amount of time in the hospital um I was looking at Healthcare data if you can fuse together MRI data measured data voltage data

infrared data together you can actually help transform Healthcare outcomes this was a big thing we did with multimodal multivariate data um transforming those outcomes at that time was to prevent deaths it was to prevent the death of actually in this case veterans with traumatic brain injury as sat and was doing some of this work and I was like humans kind of look like Transformers in this regard you're like you're looking at me like oh God but humans in this case actually looked like Transformers and we used that to create a new system for evaluating failure on a Transformer that you can't see with measured data so it's called incipient failure from our perspective a Cyber attack to a grid

person looks like insipient failure we can't see it the lights are still on the we actually wait for Transformers to fail believe it or not the smoke signal is usually the first sign that it's failed so data fusion and breaking data silos is really important for our future again Community Workforce engagement something that's working really well and I think needs to continue is uh they've created these centers for regional engagement I think supporting those is really important um there are a few different states Arkansas is one of the big ones just know who created a center for regional engagement it's bringing in students people that actually don't need to be paid that much sorry um but the

students are coming in to help be the they're helping being analysts they're helping learn their trade from the bottom level but they're also helping support um this has got multiple cooperative and Municipal Utilities that have bought into being part of this Regional engagement and that means they're getting support from this Center that's also federally funded which is helpful from the state funding that is more than the federal funding for cyber security so they're being helped to do that with these centers and I think supporting those has been a really big success and something we can continue to do in the future so I've probably gone slightly over time but I'm excited about opportunities and challenges and the big

questions and how to improve the electric I do have hope it can get better um I do have hope that there is a way to fix it but it's going to take more than just people that work in the electric sector to do it so that's it thank

you so we've got a couple of seconds um for questions uh yes and so uh if you got a question come on up to this mic and uh or the mic will maybe come to you I might have to turn up the mic because I turned it down thanks go that's fine okay he's multi-talented I will start singing until okay I'll stop so first of all thanks a lot awesome um the question is you you said you know you want to restrict the number of of of vendor devices in in certain areas uh it made me think about something that happened in Germany a few years back where it was more on the other side there was a free skater

system in the cloud and everyone started connecting their solar systems to that free skater system causing the same type of isue so I think we need to as an industry to start thinking you know how are we managing those kind of things yeah and also who's responsible for it because the free cloud system and the solar industry like they're responsible for it but they're not responsible for security so so it was on well one more thing a great presentation and uh in terms of the point around cyber informed engineering uh what we also may need to be thinking about because you talked about criticality at the start of the presentation is more around consequence driven engineering as well because

that's going to help shape up how all these individual sectors and the impact it has on global societies to kind of Drive the risk impact to drive how consequence engineering could be reinforced in small and medium scale organizations so that could be one of the critical factors going into the future what's really cool about the electric grid is we actually do consequence before we actually connect anything we just don't do it from a cyber perspective we look at consequence of interconnecting any renewable device we know what will physically happen if it just disconnects from the system but the rest of it is still a question so hey there great great presentation thank you so much um you mentioned on

the solar side um you know that we were successful in expanding solar capacity but a lot of that was as a result of offshoring production of the critical pieces panels and the supporting infrastructure as I understand it talking to some of my cyber security friends a lot of that sporting infrastructure is talking back to the country of origin for many of that for a lot of that infrastructure uh presenting some um challenges uh in terms of cyber risk um is that from what you know is that something that's on the radar of folks who are looking at you know overall risk of of uh the system uh and what ideas are floating around on how to

deal with that so it's absolutely something everyone should actually be talking together about um it was not well known by a lot of the utilities for a while that their electric inverters would talk to their country of origin some of us knew it some of us that played with them knew fine well there was a radio sitting there that was talking back to wherever um interesting fact is I also bricked one of those devices and then made a support call and they managed to unbrick it somehow with that radio device so they have control features in some of them also which is concerning um yeah I mean it's a the thing is we have to balance how much it

costs versus what it does if that makes sense so it's a difficult challenge but people need to actually talk about it at this point and accept our supply chain is interesting at best for us and part of Emma said something that's really important and that is as a general matter we have not priced resilience into the equation of items that are purchased maybe there's an opportunity to change that and to think about resilience and think about um I'll say nearshoring uh some of these things for a lot of reasons the United States has gotten out of the business of manufacturing I think there's a great opportunity to um if not not if not bring back more manufacturing to the

United States which I think we should do but there are there are allies that are close that can also do manufacturing so it doesn't all have to come back to the United States but it can definitely go to friendly countries as opposed to countries that are not like Scotland like Scotland so question just how can we push those changes like for example data standards in the government can take a really long time to be pushed through uh how can we as a community help push that to happen also how can we get smart people like yourself to be helping to make those decisions because it just seems like there's a lot it's hard for us all to make this

happen I'll very quickly answer that before we say we need to measure something everyone needs to actually tell others what they need to measure from my perspective you're an expert in analyzing data work out what you need to measure and tell people that is what you needed like cuz not everyone understands everybody else's like expertise I could give you a physics presentation on the electric good and you'd all want to kill me um but I couldn't tell you exactly what data to measure in some of those cases so that's my biggest comment would be actually people just telling people what they need as opposed to trying to sell giant data sets to everyone so I'm going to try to squeeze in

a combo of three questions because we might get the hook um number one are any countries doing it well like differently than us but could be a model for us to repeat number two the 900 number S Felt small uh was that just electrical co uh municipalities or does that include the water and the other things and number three of three um isn't it you often the same person doing the electrical the water and wastewater the healthc care the fire and what if they get sick because there's no Municipal hospitals because all the small medium hospitals go away 900 was electric co-ops so I'll go with part one um so it's 2,000 for municipals yeah um 900 just the number it was

actually mixed for the number of co-ops immunities that don't have a person that was the the number um yes if that one person gets sick it's a disaster uh there was actually a co-op or a utility it was a co-op that had a person go out having a heart attack um not a heart attack their father was having a heart attack they were leaving there was an email sent to say hey I need to leave my dad's had a heart attack and they were hit with ransomware at that moment um that was lovely it was horrible to hear but yeah that when that one person goes out sick and I hope he got to the

hospital in 4.4 minutes or whatever the number was yeah I did good um but yeah he was okay um but there was the the rep reper of that were terrible so there's a lot of opportunity to look at resilience across that whole Space what entrepreneurial things have been happening that that one person ends up forming their own little managed service provider that then manages to hire more people in the community and builds it up from there but they need support to do that right because once they do that they're outside the boundary of uh reliability for the utility and then we're in a circle so they need support right and and if a city operates

literally both electricity and water then in fact it it can actually be the same human and they're super

busy which country is doing it well from a distributed resource perspective Australia's started to do really well with actually considering security requirements for that so if anyone's Australian good job all right I was told we had a room announcement from someone in purple is that you

okay don't shouldn't be Tak pict I know like

slides

affirmative

consent okay let's thank our speakers I hope