Cybersecurity addressed at U.P. Energy Summit
EDITOR’S NOTE: This is the final story in a four-part series that focuses on topics discussed during the U.P. Energy Summit held June 14 in Marquette.
MARQUETTE — How safe are the communication systems that keep our utility infrastructure up and running? During the recent U.P. Energy Summit at Northern Michigan University, the three-member panel of the Michigan Public Service Commission said cybersecurity plays a critical role.
“The cybersecurity industry recognizes that there are two kinds of people, those who have been hacked and know it, and those who have been hacked and don’t know it.” MPSC Commissioner Norman Saari told the audience. “So I would submit to you that there is a lot of internal training that companies do, that the university does to give employees more of an awareness of cyber issues and potential threats and IT security. We take it very seriously.”
The commission, which is appointed by the governor and charged with protecting the public by ensuring safe, reliable and accessible energy and telecommunications services at reasonable rates for Michigan residents, approved Technical Standards for Electrical Service in December that include provisions requiring both investor-owned and cooperative utilities to report cybersecurity breaches in an effort to protect utility infrastructure.
The measure states that utilities “must provide the MPSC with annual reports on programs and planning, descriptions of employee training and notifications as soon as a cyber incident that results in loss of service, financial harm, or breach of sensitive business or customer data is detected.”
Commission Chairwoman Sally Talberg said the MPSC’s assessments will help to ensure that utilities are protecting themselves and their customers against the threat of cyber attacks.
“So our staff engaged in an annual assessment and it really creates a dialogue on those issues. We know these are happening, they happen every day, but what are they doing to make sure the defenses are there,” Talberg said “And we have an appreciation for how they are using dollars that are being recovered through rates, that those are being used prudently.”
Saari noted that a 2016 incident involving the Lansing Board of Water and Light brought the issue of cybersecurity to the forefront in Michigan.
The utility paid a $25,000 ransom to unlock its internal communications system after it was disabled during a cyber attack, according to an article published in the Detroit Free Press in 2016.
“It encouraged a lot of people to do a lot of serious thinking about the potential for, ‘What if it was my utility?’ or, ‘What if it was my pipeline or transmission system?’ I speak as a commissioner, and I think I echo the sentiment of all three commissioners,” Saari said. “The phone call that we do not want to receive is that there has been a problem on the system and it has to do with anonymous or any of the particular foreign nation agents that have had an intrusion. In talking to the governor and the state police and the federal agencies who are involved, take it very seriously.”
MPSC Commissioner Daniel Scripps said a breach in one utility, such as a gas pipeline, could easily have an impact on an electric utility if safeguards are not in place.
“This is just one of those clear cases where the chain is only as strong as its weakest link. You know, the hackers don’t care at all about utility service territory lines or who regulates what. They are trying to find a way into this interconnected grid and interconnected energy system,” Scripps said. “So I think that requires vigilance on all of our behalfs and real communication across jurisdictional boundaries to make sure that the whole Michigan grid, the whole Michigan energy system, is secure and reliable.”
Talberg said the new Cybersecurity Institute at NMU, which will be funded in part by $2.4 million in Michigan Marshall Plan for Talent innovation grants, is especially important to those in the business of providing energy.
Commissioners met with leaders at NMU tasked with creating the curriculum prior to the June 14 U.P. Energy Summit, Talberg said, to discuss the specific needs of the energy industry as it relates to cybersecurity training and education.
“Communication networks are critical to ensuring the fact that we are keeping the lights on, we are keeping homes heated and the economy booming,” Talberg said. “So it’s really excellent to see Northern taking on this leadership roll and developing a curriculum, working with IBM and others to support this important industry.”
The Upper Peninsula Cybersecurity Consortium, convened by NMU, is one of 13 consortia statewide awarded funding to “develop talent pipelines for high-wage, high-demand occupations through enhanced education and training initiatives,” a June 9 NMU press release states.
Saari said programs such as those being developed at NMU are critical as utilities continue to defend against cyber attacks.
“It will never be robust enough. I think that the bad guys are always trying to be ahead of what the good guys are thinking,” Saari said. “The focus that we are seeing in Marquette, it’s critically important, not just for the Upper Peninsula, but for the state of Michigan and, frankly, for this nation to have a better understanding of, let’s make sure that cybersecurity is something that we understand better, manage appropriately and avoid the potentially really, really negative consequences.”
Lisa Bowers can be reached at 906-228-2500, ext. 242. Her email address is firstname.lastname@example.org.