Managing Cyber-Physical Risk Across Evolving Infrastructure


>>Emily Mousel: Welcome, everyone, again. We're going to get started. We are so glad that you could join us today, and I would like to kick us off by turning it over to Pete Tseronis, the founder and chief executive officer of Dots and Bridges, and the former chief technology officer at the U.S. Department of Energy. Pete, please take it away.

>>Pete Tseronis: Thank you, Emily. Thank you, Nika. Thank you, John White, and, of course, all the great folks at the National Renewable Energy Lab. I'm super honored, and, as I said earlier today, when we were just getting prepped, was I wish we had several hours. And for our audience who are attending, thank you. There's so much we will cover, and I'm going to steal from Emily. This is an appetizer, folks, of the kind of dialogue that we may have over the course of the year with folks like Adrienne, and Jim, and, of course, Juan.

So, I'm going to—yes, I'm Pete Tseronis. I worked at DOE, and I love this space. And, really, I just want to be a part of the conversation. I'm going to set some context of what you'll take away today. The title, Managing Cyber-Physical Risk Across Evolving Critical Infrastructure, it's a lot, but when you really think about it, what's going on in the world, these are the sectors that, by definition, are those assets, systems, and networks, whether physical or virtual, that are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. A mouthful, but that comes directly from our United States Department of Homeland Security, and the organization that really governs the sectors that we depend on each and every day.

Today, we may reference terms like national critical infrastructure functions, cyber-physical security. You're going to get to hear from Juan Torres and Jim Hempstead and Adrienne Lotto, who I'll introduce here in a minute. But we have a lot to cover, and this is, again, a sampling. So, we encourage dialogue, questions, and hopefully some follow-up.

So, with that, our guests today, Juan Torres, associate laboratory director, Energy Systems Integration, at the National Renewable Energy Laboratory, one of 17 national laboratories in our country. Juan, it's great to see you, buddy.

>>Juan Torres: Hey, Pete. Great to be here. Thanks for having me.

>>Pete Tseronis: You got it. I'm not reading your bio or anybody's. So, I'll allow that—that'll be our first question, talk a little about everyone's journey and background. Adrienne Lotto, chief risk and resilience officer at the New York Power Authority, a colleague and a friend, and someone who had a really great walkabout at the United States Department of Energy, of which we will discuss when we fill in some blanks on her decorated career. Adrienne, it's great to see you.

>>Adrienne Lotto: Same here. Good morning, everyone. Thanks for joining.

>>Pete Tseronis: And last, of course, and not least, my brother from another mother, Villanova graduate, Jim Hempstead, managing director at Moody's Investors Service, who I am super excited to have in this conversation because Jim is a cyber-physical security expert, understands critical infrastructure from the New York City, Wall Street investment perspective, which I think will really round out our discussion. So, it's great to see you, Jim.

>>Jim Hempstead: Good to see you, too, Pete. Good to be here. Thank you.

>>Pete Tseronis: All right. Well, without further ado, context, I hope, was set. There will be references throughout to executive orders, and references and artifacts for our audience to review, but we will cover a lot, but at the end of the day, what we hope to convey here is the role that government, academia, what [the] National Renewable Energy Laboratory is doing in spaces, how utility consumers and stakeholders and folks that deliver the electricity and power to our homes each and every day, and, of course, how we can help that sector, in the case of Moody's, improve upon and accelerate or move the needle towards a more resilient power grid, and leverage the opportunity that cyber and physical security can do for our lives and protect humanity.

So, Juan, I'm going to kick it back to you to start out, if that's okay? A little bit about you, your passion. You've had an incredible career serving the national laboratory community, and you had some great news recently with the recent announcement, that is, of the Clean Energy Cybersecurity Accelerator. So, take the floor, talk a little bit about your passion and why you love doing what you do.

>>Juan Torres: Hey, Pete. Thanks. Yeah. This conversation here is kind of—it's decades in the making, right? We've been working on the area of cybersecurity, physical security, cyber-physical systems, for a long time, but, in a way, that's been really different because the systems have been evolving much more rapidly over the past couple of decades.

I've been in the labs for a long time. My career started at Sandia 31 years ago. And [I] came over to NREL because as I worked more and more in the cyber energy space, I really wanted to work at a laboratory that—whose mission was around energy, and where there was a big need.

Back in, I think, the early days of my career in cybersecurity, in the nineties, people were just worried about putting—making sure that they have their firewalls in facing the right direction in the energy space. That's where we were in the conversations. And I'd say over the last 15 years or so, we've seen significant acceleration in what I would say [is] the use of variable generation, but also technologies that are what [are] called the grid edge around the energy infrastructure, specifically, near the consumer, where the consumer has much more touch and control and interaction.

And we're seeing that's even going to change more because of things like electrification of the transportation system. Much more—many more electric vehicles, and charging stations, and things of that nature. We're seeing way more distributed generation near the consumer, with smart buildings, smart homes. I mean, my thermostat, I can control from my cell phone. And we can do things like that on [the] mass scale.

So, what really excites me is the fact that there is so much opportunity. There are many challenges, but there's a lot of opportunity right now. And you bringing together the various stakeholders here are what's needed, and what's key. This is not something we at the national laboratories can address alone. This is—we don't own the infrastructure. We do great research. We do great science, and not just at NREL, but at all the national laboratories. We partner with them.

But having Adrienne and Jim here [is] really important because this is not just a technology solution space. This is—we have to bring technology and align it with operations, and with regulation, and policy and business models in order to really address some of these big challenges that we see coming at us.

But, in the end, I think we can be much better off if we're having these kinds of conversations.

So, my passion, you asked about that, is really around addressing this big challenge around cyber energy. I say that, in my early career, I was a cyber guy doing energy work, and I kind of moved over to becoming an energy guy doing cyber work, right, and seeing it from both sides there.

In the end, the big challenge here is really getting us all talking. This is where it all starts. So, I really appreciate the opportunity to be here and have this kind of conversation.

>>Pete Tseronis: Thank you, Juan. And we're going to move to Adrienne, but some of the things you mentioned—grid edge, electrification, distributed energy—folks, if you've tracked in the news about edge computing, zero trust architecture, sensor-based networks, this is that smart grid concept that's been around for at least—I go back to 2008, and we will—again, I will reference some artifacts for our audience to read up on because there's a lot to take in. So, thank you for those opening remarks, Juan.

Adrienne, listen, New York Power Authority is leading that charge. It's a utility, one of many in our country. Climate change is big to the DNA. Same question to you: your passion, your purpose, and why NYPA is really trailblazing in this space of clean energy and innovation.

>>Adrienne Lotto: Thanks so much, Pete. So, personally, my passion has revolved around really getting my alignment between some of the work I did at DOE and operationalizing that inside of the utility, right? So, I think, simply, there's a little bit of a disconnect, maybe sometimes a big disconnect, between national federal policy and maybe perhaps some of the lack of understanding of how it would actually get implemented into a utility.

And, so, providing that insight to the federal government, being able to influence those types of federal policies, and then taking some of that really good work that is coming out of things like the DOE lab—we have a partnership with NREL on the clean energy side—and making it tangible, making it real. As Juan articulated clearly, right, these are big problems. EV technology, for example, here in New York, largely, if you look, the infrastructure buildout is done by Tesla. When you pull that away, there's a big gap. So, understanding what role NYPA can play to be—to lean forward in areas like that.

And then I think the point Juan also raised about incentivizing, right? So, the stakeholders in this area are vast. It's not just, right, the federal government issues a policy, the DOE labs kind of create a technology to solve a problem. Jim can articulate [that] there is an entire regulated industry around this, not just on the operational side at FERC and NERC, but we also have Moody's, S&P, shareholders, regulators, who are—influence business decisions.

And, so, whether you're an IOU, a muni, or a co-op, understanding the different business models and what can incentivize and drive some of these technologies out of the labs, but into [the] market, into a utility like NYPA, I think, is key. So, that's sort of where I think this panel is going to be so informative because you've brought together all key stakeholders that really play a role, and I'm grateful.

>>Pete Tseronis: Yeah. Thank you, Adrienne. And, again, this is a taste, folks, because, Adrienne, you hit on operationalizing policies, right? There's plenty of them. Folks, again, I'm just going to shoot a few out there right now. We have the Executive Order 14028 on improving the nation's cybersecurity. It's a great read. May 2021. The Clean Energy Cybersecurity Accelerator. Juan will get to that. It was just announced this month. National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, July of this year. And don't forget about the National Cyber Strategy that's three years old. There's ten others I can shout out.

So, thank you, Adrienne, for talking about that. And partnerships you stressed, the multiple stakeholders, and the business models that vary from utility to utility. So, thank you.

Jim, segue to you. Obviously, Moody's has a very unique role, and I think this is a very exciting opportunity to have you on this panel. I know you've done this before in the government beltway circuit, but having your perspective as a cybersecurity expert, talk a little bit about obviously your passion, but what makes Moody's unique in this space? Because not only are you the Moody's that we know to be, but you also rely a lot on analytics and engagement with these stakeholder communities.

>>Jim Hempstead: That's right, Pete. Thanks. So, personally, it's been a fun ride. I got involved in the utility power—energy and power sector back in 1991, and, so, I've done a long time, started out as an investment banker for a couple of firms, and then I've been at Moody's now coming on almost 20 years, actually.

And, so, it's been absolutely outstanding to work with critical infrastructure, like utilities, like water, pipelines, gas, but also the other infrastructure sectors, so, airports, toll roads, and seaports, and things of that nature. This critical infrastructure is very important on many different levels. From a credit rating perspective, our project and infrastructure finance team, we rate over $3 trillion of debt globally in this critical infrastructure space. And critical infrastructure securities have a much lower default rate than nonfinancial corporates. And, so, it really speaks to the business model, and the revenue model, and the jurisdictions that these assets and businesses operate in.

And a number of years ago, we started to focus a lot on cyber risk. And cyber risk is a rising risk. We still see it as event risk. We see it as an enterprise-wide risk, so it resides at the board of directors, or the trustees, or the other governance organization that's involved in that. And we're very excited to learn more about it, get our arms around it, define cyber risk because there's lots of words that people think about when you say cyber, and sometimes it's good to get everybody on the same page, define it, identify it, measure it, and track progress, and things of that nature.

And that's what Moody's is doing right now. Our parent organization, Moody's Corporation, recently announced a transaction with a company called BitSight, which is a cybersecurity ratings assessment company. And we're very happy to start marrying the quantitative data that we could look at to inform and enrich our credit analysis as much as we can.

>>Pete Tseronis: Well, thank you, Jim. And you used some terms that I think our audience may or may not be as familiar with, inside the beltway, but credit ratings. I think that's something that is significant because your purpose—at least I feel—is to help a utility, large and small, as Adrienne pointed out, get where it needs to in understanding [that] some have maybe more funding or can allocate dollars to investment. But, again, it's a bipartisan role you play, which is educating, as I say, the C-suite to the Main Street folks, and you do an incredible job at that, and I know that's something that is important to you, and making sure everybody understands, and with your analytics at Moody's, I think it paints a wonderful picture.

Before we jump into the first segment, where I'm going to come back to Juan, and we're going to talk about the accelerator Jim mentioned, and so did Adrienne, folks—the Infrastructure Investment and Jobs Act, if you Google it, it will talk about safety, public trust, passenger/freight rails, power infrastructure, environmental protection, all the things that we're trying to improve for humanity's sake, right? A smart grid, a smart building, a smart car.

Yes, there's the fear of the Internet, and breach, and the threat landscapes expanded. Today, we'll talk a bit about how we're bringing together those communities of interest to learn from one another and recognize we're never going to eliminate risk, but we can mitigate it. And I think moving to Juan here, talking about this announcement earlier this month, it's a huge step in the right direction.

So, Juan, back to you. Can you speak to specifically the Clean Energy Cyber[security] Accelerator and what its promise is, even though it's in these early stages?

>>Juan Torres: Yes, Pete, we're really excited to kick off the accelerator. The background on that, if you think about it, just in the electricity sector, we've got over 3,000 utilities. And with how quickly cybersecurity and cyber technologies are advancing, we really want to get things deployed—I should say the threat is really advancing. We really need to make sure we get the security technologies deployed as quickly as possible.

And there's not always great coordination across all these member stakeholders in that sector. The government, through [the] Department of Energy—specifically the Office of Energy Efficiency and Renewable Energy, and CESER, Cybersecurity, Energy Security, and Emergency Response, who I know Adrienne knows really well—they've come together to seed a capability and a program where then utilities can kind of pull some resources together to get the benefit, right, of those resources, in partnership with some of the innovators in the cybersecurity space, so that we can really advance the development of those technologies, and we're validating those with some of the experts at NREL, a capability called the ARIES Cyber Range.

So, ARIES is Advanced Research on Integrated Energy Systems. It is a unique capability. It brings together capabilities at the facility behind me, the Energy Systems Integration Facility, as well as a larger capability. I can go into more detail on specifically what's there, but, basically, we can see how these technologies would really work in a lab setting but be able to scale to our virtual environment so that we can reduce that risk of the owners and the operators. And they say, hey, how—if I deploy this on my entire utility, how would this really work?

And when we can hypothesize on the system that they don't have today, but they're saying, hey, in five or ten years, I know I'm going to have way more distributed resources, and way more charging points, and whatever it is, where we don't have to wait for them to build that. We can actually explore how some of these cyber technologies would work here.

So, there's huge benefit for the utilities to pull resources—as well as explore hypothetical scenarios, situations, but get some real confidence—because we have real hardware, we have real systems here, real experts to really be able to push those technologies out the door, get them deployed, get them commercialized, and start making a difference.

The DOE is providing the initial resources to get this thing kicked off. Ultimately, I think we'd really like to see the partners out there having much more say in what technologies we need to look at, what things we need to evaluate and test, where are the threats going, what are the real issues? So, it'll be a great conversation with all of these different stakeholders there.

And where NREL comes in is we just want to provide that independent perspective. We want to provide the insights as to where we see energy systems going. And the other piece is the threats. Our work at the Department of Energy gives us that perspective of how is the threat evolving? How is it changing? And how can we address it with concepts, not just the technology, but how you actually deploy it and operate the system.

So, super excited to get this kicked off. We had a great event here a couple of weeks ago. The Deputy Secretary of Energy, Deputy Secretary Turk announced it. So, we're raring to go. People can get more information at our website at   about the accelerator. And looking forward to getting many, many more partners in industry.

>>Pete Tseronis: Yes. Thank you. And, again, that was just a sampling because, folks, this accelerator is really, to me—to me personally—something that is an opportunity if you're an investor, if you're an entrepreneur, if you are another national lab, if you are a utility to be involved. This is a bigger challenge we face each and every day as human beings, and we depend on the operational technology, the information technology. And kudos to NREL, which, again, folks, is a national laboratory that is globally recognized. It's not just an energy—if you will—not that there's anything wrong with that—institution.

By the way, if you have questions for participants, please send us a note or a question to our guests as we can answer those in real time.

Okay, let me go down—thank you again, Juan. That was a good taste of the cyber energy—Clean Energy Cybersecurity Accelerator. That's a mouthful.

Adrienne, Vision 2030. New York Power—its focus and its strategic priorities on digitization and cybersecurity, something that's near and dear. Your role mitigating risk, and enhancing resilience, and doing whatever it takes, hearing what is being built at NREL. Can you talk a little bit about this opportunity for any and all utilities and how it aligns with NYPA?

>>Adrienne Lotto: Absolutely. So, I think Juan touched on a couple of key things there, right? First, he mentioned the path of the—of where we are to go, where we believe we're going, right? DERs, the future, building energy that—energy infrastructure systems that are secure from the outside, designed for security at the outset.

But then he also mentioned that he noticed legacy equipment, right? Which still exists in the system. So, I think one of the keys that a program like ARIES affords is the ability to understand the pathway of the future—PV, DERs, will happen, but it's a journey. We're not there yet.

So, understanding kind of what that United States roadmap would look like, how it will impact business, these are things that are contained within Vision 2030 here at NYPA, the plan for a more—the first end-to-end digital utility. But that comes with challenges, right? Cloud infrastructure is a key—is a key challenge for us. Understanding who's operating what clouds, whether it should be a private cloud, a support cloud. Looking at things like market capitalization, right? So, for example, if we build our own NYPA secure cloud, we can capitalize that. And if we use something like the Amazon cloud, which likely will have a lot more built-in security, we can't capitalize that. That's O&M.

So, understanding the different business models with the security overlay becomes critically important. And I think in my role as the chief risk and resilience officer here at the New York Power Authority, you have to be able to connect all of those dots, right? Connect what's happening on the federal level with policy, where the pathway of the future is, and then make it really tangible in terms of your investments, where you're going to spend your dollars, and how you're going to get your—the return.

So, there's a lot here to unpack, but I think understanding the journey and how we're going to get there, it's not going to happen overnight. I think, as Juan said, bringing key stakeholders together is prime.

>>Pete Tseronis: Adrienne, I'm going to go to Jim here, but you brought up this introduction of things like the cloud, analytics, leveraging data for actionable intelligence. A smart city, I always like to say, is not something we buy. It's something you build and develop, and it requires a lot of the communication, the most basic form of connectivity, communication that is interoperable, and works, and is secure.

Jim, coming to you as someone who is out there having discussions, and running surveys, and having conversations that matter as a cyber-physical security expert working with your brethren in the utilities, not so much as—you're not big brother. It's sharing and understanding. Do they understand the risk that they take on each and every day as our technology evolves?

And I'm looking at challenges like multi-stakeholder environments that a utility maintains, the heterogeneity in regulatory and business environments that speaks to Adrienne's business models. Putting on your cyber hat, IT guy that you are, what are some of those conversations and challenges that you're feeling like maybe a couple of years ago were tough to have, and now folks are kind of getting it, that you see Colonial happen, you see ERCOT, you see Hurricane Katrina and Ida and Sandy, and then we realize, man, we've got to beef up our infrastructure?

>>Jim Hempstead: Right. So, at Moody's, what we're trying to—so what we do is we provide the capital markets [with] our opinion around credit risk, the probability of default and the losses given a default.

What we're doing as an organization, as our entire company, is we're working towards a one Moody's integrated risk assessment strategy. And there are lots of complementary services that we have in our other parts of our organizations at Moody's Analytics. We recently purchased RMS, which is a climate risk and cyber modeling company; 427, which is a physical climate data company; and things of that nature.

And we're using and leveraging the data and the metrics to inform and enrich how we're thinking about credit analysis. And the hard lift that we're chasing is the ability to do this consistently, consistently across asset classes and consistently across regions and jurisdictions, without the rigidity in the implementation of our process. And that's important because each airport is different, each utility is different. Is it publicly owned? Is it privately owned? Is it a cooperative? Is it a JAA? And things of that nature.

And this is important because our journey in the cyber area has grown a lot over the last five years. We are doing an issuer survey. We launched it to the utility space in the very beginning of the pandemic, in March of 2020. We published the anonymized and aggregated results in late last year, in October/November of last year. We've published about seven or eight other reports on other sectors. And we'll wrap that all up.

An issuer survey is just one simple tool that we can use to provide insight. But Moody's is a trusted brand with investors, and it's a trusted brand with what I call issuers because we don't say companies because we rate lots of governments and other types of enterprise organizations.

And we're trying to use that trust to create a dialogue and to create a language around bridging the gap between cyber risk and the technicals around that with credit risk, cost of capital, and the conversations that are often held in the board of directors.

And, so, that effort requires a lot of stakeholder engagement. And cyber as a big cyber risk process is a risk management process that needs stakeholder engagement. And that is what we're mostly working on.

The conversation has shifted. Five years ago, a lot of people didn't want to talk to us, especially CISOs didn't want to talk to us and engage because they were concerned that if I say something bad, Moody's is going to downgrade my credit rating.

Today, that has mostly been ironed out, and the engagements that we're having with utilities, with CISOs, and other technology officers, is much more proactive and more detailed because we're getting better at asking the questions, and we're getting better at understanding the answers, and we're getting better at having a more wholesome dialogue with the stakeholders, and the technology people are no longer afraid that if they say something to us it's going to result in a downgrade partly because the treasury department and the chief financial officer have weighed in and said no, no, no, we need to engage in this. We want the ability to have an independent, objective, third party like Moody's help move the dialogue, define the framework. That's going to help our interactions with regulators. It's going to help our interactions on showing progress, and things of that nature. So, we're seeing a really good momentum with this effort to have a common language.

>>Pete Tseronis: Yeah. I appreciate that. I'm seeing Adrienne and Juan nod, and I love that you brought this C-suite dialogue, the translation. And, hey, I still—every day of the week and twice on Sunday—remind my mother that I'm not in computers. She says, my son, he's in computers. I love you, Mom, but no. It's having a conversation about the digitization of something that is 100 years old, the engineering marvel that is of the grid.

>>Adrienne Lotto: Can I expand on something here?

>>Pete Tseronis: Absolutely. Adrienne, get in the conversation.

>>Adrienne Lotto: I just want to make what Jim just said maybe a bit more tangible for some of the folks that are tuning in like from NREL because it's why does it matter, right? So, many years ago, if you—like, let's say NYPA, wants to do a solar installation, or LED traffic lights, right? Some of our energy-efficiency work with some of our own—we have 50 munis and co-ops. MTA is one of our major clients, right, or customers. Let's say we want to do some of that energy-efficiency, forward-leaning, customer-facing work, a lot of which comes out of the DOE national labs.

The same analysis that Jim and his team do over at Moody's on a company like NYPA, we do that same thing here within NYPA in terms of credit risk for those other organizations. So, getting something like even a solar panel installation goes through that same credit review, just at a much smaller scale, Moody's input being one of them—you know, we look at all sorts of different things.

But it becomes—this is where some of the financial implications really become tangible as we're trying to advance DERs out in the market. It's a cascading impact. So, I just think it's—I know when I was sitting at DOE, quite frankly, this connection of dots—I love your thing, Dots and Bridges, right? That connection of dots from something like Moody's all the way down to like the installation of a solar panel didn't really kind of hit home, but now sitting where I sit as the CRO, all of those dots and bridges have been connected, to play off your company name.

>>Pete Tseronis: Adrienne, thank you. And, again, folks, that wasn't staged. I love Adrienne, but—I appreciate it. It's just an innate thing. My wife came up with it.

Juan, let's pivot to you in light of that because I want to tee it up with cybersecurity at the end of the day. It is in your DNA, and I'm looking at some of the guests we have. We see another Villanovan out there, Kevin Buggy, on the webinar. Thank you, Kevin, for joining, and someone who—in Chi-Town respects this discussion. Appreciate that.

Cybersecurity. The innovation, balancing risk and innovation, Juan. You talked about the grid edge and the evolution of sensor-based, and measurement, and using science to determine where we could be more prescriptive in the health of our grid. Cybersecurity. I was on a call this week with Avi Gopstein at the NIST, and he talked about some of those challenges that we face, yes, but secure design principles, securing by designing from within, not bolting on. Defense in depth, zero trust, fail secure, comprehensive auditing. Putting on that hat, Juan, you're a strategic associate lab director, but your experience is growing up in this space. The threat landscape is real. Ransomware is real, right? What excites you about this moving the needle and bringing people together, knowing that, hey, we're going to beat this, but we also need to keep the conversation going? It's not a quick fix, buy something, plug it in, and say you're safe.

>>Juan Torres: No, you're exactly right, Pete. There's—I'll give you a quick story, and maybe set the stage on this particular topic.

Go back a few years ago, when we were—let's just say it was in the early 2000s, and the ARRA days, the American Recovery and Reinvestment Act days. And we were in a mode where the nation, we're investing in our infrastructure, investing in smart grid, and things like that.

And I remember getting a phone call during that time, and [I] said, look, we're putting out mass numbers of smart meters, and we just realized now, these have remote disconnect functions. Did we really think about the security that we should have—maybe [we] should be implementing there, so if somebody hacks in, they don't just start shutting off everybody's lights? And en masse, if you were to shut off a lot of meters, that actually can affect the stability of the grid. Losing a lot of the load rapidly, or even adding a lot of load rapidly, is going to affect the stability of the grid.

And, back then, we just weren't having those conversations. Our response was, at this point, it's something we can jump on. It's something we can address now. But if we wait too long, we're going to have many of these meters without those security functions in place. And, so, we need to get on it pretty quickly.

Well, we did address it—so, it started—it forced conversations that we haven't been having in the past. We had—there was the market driver, saying, we need to get more of these technologies that make us more efficient in operations at the utility level, that make things easier for consumers, that make things easier for utilities. But the people getting into those markets weren't necessarily security experts—because they were developing some really awesome technologies, but they didn't necessarily have the threat understanding.

We're at a different place now. We have a better understanding of where IT and OT is used, how it's used, how it's evolved, what are the standards, what are these new technologies? And then you get into things that are now coming into play. Artificial intelligence and autonomous systems, right? And machine learning. And how is all this going to be used in our everyday energy systems? And how does that change how we should be thinking about security, right?

So, your point about the fact that we need to be inherently designing security into these systems starts with that initial conversation. What's really needed? How is it going to be used? Where is it going to be used? And before we ever even consider deploying anything like that, you need to have the stakeholders. And I think Adrienne's right on point here. She's got that bird's-eye

view of where can we have an impact? Where  can we make a difference across the spectrum,   of actually getting something deployed, and  then even afterwards, operating it, right? And, so, this is where I get really excited that  we are in a different place, right? We're much   smarter about even considering or thinking [about]  the various aspects of securing these systems. So,   that doesn't mean we have it figured out, and  that's why—it doesn't mean we have it figured out   because the threat continues to evolve. Technology  continues to evolve, and it will continue. That's   just the nature, right, of a market-based  economy. It's the nature of advancement,  

us getting smarter about technologies, and how we  as consumers even change how we use the systems,   right? The things we're asking our energy systems  to do today are not the things our grandparents   were asking it to do back then. They were not  talking about hooking up their Bluetooth, and   I want to be able to charge my car, and I want  to do—that just wasn't part of the conversation. And I can tell you, in ten years, we're  going to be talking about other things   that we're not doing with our systems today.  So, we always have to be forward-thinking,   and we need to make sure we're getting  the right people in the conversation. >>Pete Tseronis: I appreciate that. Jim,  

you have a comment? Because I have a question  for you that's coming in from the audience. >>Jim Hempstead: I was going to just make  a quick comment that what we have seen,   some of the work that's been done, is most  of the cyber events that have been disclosed   publicly, they're not the kind of events  that'll knock an organization down in the   sense that they're affordable. The median  loss is not overwhelming to an organization. But as the median loss continues to rise,   the standard deviation, those extremes,  are also rising, and those events can knock   a company down. The Colonial pipeline interruption  in May was a wake-up call because it wasn't about   the operations as much as it was about the IT  and how the IT obscured the ability for them   to effectively work on the operations.  And that got a lot of attention across us. But what we're looking for are the big,  permanent impacts. How does a cyber event  

affect your revenue or your reputation,  or a regulatory response, or litigation?   Or how does it affect your liquidity and things of  that nature? So, we’re very much focused on those.   And we have had a handful of credit rating actions  that have been directly related to cyber events,   and our expectation is that that could be  rising going forward because of the advancement   of ransomware, and AI threats, and things of that  nature, just exactly what Juan was talking about. >>Pete Tseronis: Appreciate that, Jim.  I’m going to jump down to Adrienne,  

which is a question that I’m taking in here from  Mike about analyzing or doing due diligence when   looking at new capabilities, or needing  capability, right? Technology diligence.   The investor community, I had a  great opportunity during my time,   and to this day working with and helping  [to] distill value to a specific company.   Not everything can do everything for  everyone. But there’s a niche, usually. And [a] shoutout really quickly.  The research areas that Juan and   team—renewable energy to grid  integration, energy storage,   energy security, energy resilience, advanced  mobility, grid-interactive buildings,   hydrogen and fuel systems—there’s a lot of  work being done there to develop an event. Adrienne, you’re a utility. You work with the  C-suite. You’re looking to mitigate risk. And  

you will purchase products. The question  is how do you do that due diligence at a   utility? Is it your decision? Are you part  of the discussion? Is it the CIO, the CISO? >>Adrienne Lotto: Yeah, that’s a great  question. So—and I think you actually   cued it up well. There's—I think the first thing  is what is the problem you are trying to solve,   right? So, clearly identifying the problem  statement because—as you just said, Pete—not   every cyber tool, if you think of like  the Mitre Att&ck framework, not every   tool is meant to address the full spectrum,  right? Some are going to be—trying   to be in transparency. Some are—it  just depends on what the issue is. So, I think being on the lookout for—we are, NYPA,   is obviously a government authority. So,  all of our stuff with regard to cyber,  

any problems we’re trying to solve, get issued  via an RFP or an RFI, that type of thing. But there is a component of our budget  that is set aside for what we call R&D,   and that's how we've partnered with—NREL is  one of our labs that we've partnered with,   partnering with Argonne National Lab on some  climate study work that they're doing for us   to understand what the grid in New York will look  like as a result of the impacts of climate change.   And then we also work with a group called  EPRI, and we have a significant investment,   I think it's around $5 billion or something—well,  it is $5 billion—for R&D with EPRI.

So, the short answer is utilities are leaning  forward, right? We are all—and I feel comfortable   saying this—I don't know any big utility that  isn't seeking to lean forward and solve problems   in this area. We all have R&D budgets that are set  aside. So, I think to the extent that you have a   program that's out there, that's unique, that's  offering something that the market hasn't seen,   that is something that we're interested  in, and we want to bring in. And it does go   through our procurement processes. It's  usually a panel. The CISO is one of them.

And I think Jim has twice now, if you've noticed,  talked about [the] board of trustees' role. Any   major investment does go through the  board of trustees, and cyber—boards   of trustees never used to even talk about cyber.  That is a thing of the past. We talk about cyber   every time we meet with our board. So, they  do have a critical role to play as well.

>>Pete Tseronis: Jim, comments? >>Jim Hempstead: Talking to the board  of directors about this is critical. The   board of directors—the average demographics  of the board of directors—raises   a question as to how well are they comprehending  the three-ring binder full of technical   reports that go to them? And what we're trying  to do at Moody's is distill that down into the   language of the board, the language of the capital  markets, the language of the financial markets   because it is hard to allocate capital when you  only see the cost and you don't see the return. And that is something that we have really been  zeroed in on and have been wrestling with. It's   easy to allocate capital to a new renewable  energy project or some other widget maker   because you know what the return could be  based on your model. You don't have that   when you're talking about cyber mitigation or  cyber defense in some other way, shape, or form.   And we're trying to bridge that gap to identify  what those issues are for the board so that they   can frame that consideration in the terms of risk  versus return and cost-of-capital implications.

And we believe that you don't have to be a  cyber expert to understand cyber risk. And, so,   you have technical people like Juan, and Adrienne,  and others that can bring you the technical   knowledge so that you can make a decision  based on what's good for your organization. >>Pete Tseronis: Thank you. Juan, I see you  nodding. Comments before a question for you?

>>Juan Torres: Yeah. No. Absolutely. I think  having Jim and Adrienne here, who live in   this space, it's good to hear that some of the  things I've seen and learned over the years, it   just reemphasized—years ago, when I was conducting  a cyber vulnerability assessment, we found—this   is for the utility space. We found that  those—the consequences of concern fell   typically into three bins, right? Number one was  safety. Could somebody get hurt or die? That was   something you really worried about. And in  the—when you're talking about a power grid,   absolutely. Those are some  things you worry about . Secondly was the financial loss.  

From a cyber perspective, how would this affect  the revenue, or could something get damaged to   a point that it's going to cost a lot of money  to replace, or fix, or whatever it is, right? And the third, actually, was reputation, and  image, and impact there on the business, right?   Would somebody trust this organization anymore?  Would somebody trust this utility anymore,   if they are—if they can't protect the information?  Maybe it's privacy, or whatever it is. But from a general cyber perspective, those  are kind of the three general categories,   and it's consistent. It starts there. You don't  have to be a cyber expert to know those things.   But then once you've figured out what are those  things you're worried about, then you bring in   the cyber experts to help you figure out how can  we prevent this from actually being exploited,   and one of these things, one of these consequences  [is] coming to be through a cyber means. So, it's consistent, regardless of where the   system goes. I believe those are going  to be really important to understand. >>Pete Tseronis: Appreciate it. Don't  go anywhere. I have a question coming  

back to you, and it's kind of—as  we kind of come to a close here.   And we've still got about ten  minutes and some parting shots. The national lab, though, Juan, I threw out—I  hope I didn't steal any of your thunder there—some   of just the research areas as I look at the  capabilities—the lab's amazing, right? The Energy   Systems Integration Facility, which you lead,  and the ARIES initiative is just one of many. And I always like to hear from—and I hope our  audience does—that there's so much activity   happening every day of the week and twice  on Sunday, and as in any sector. And there   are people that go to the NREL every day to  solve problems, to Adrienne's point. What's   the problem you're trying to solve? And there's  some really smart people who are there doing it.

Can you just talk a little bit  about some of the excitement   around next-generation—people ask me all the  time, oh, what are we doing with ransomware,   and blockchain, and how is that going  to impact the energy sector? And   I'm like, jeez, where do I start?  What are some exciting initiatives,   though, that you are working on, and your  colleagues, that give people hope for humanity? >>Juan Torres: Yeah, absolutely. This is why I  love working at the national labs, these exciting   challenges, big challenges, too. This is foreign   nation-state threats. This is  impact on the national economy.

And to touch on one of the questions I saw  in the chat as well about wind turbines,   so we're looking at how do we address the security  challenges of today's infrastructure and the   things that are moving really rapidly, like  more wind, more solar, things of that nature?   We're working with the wind sector.  We've got a wind-cyber consortium. So,   we are addressing what are the  risks around those specific systems. Jon White is the expert in that particular space,   but you can hit our website. We have some  more information about that consortium. So,   if you want to know about what we're doing with  the wind industry, and the solar, and so on,   and where we see technology can help,  and so on, that activity is going on.

But I briefly mentioned earlier some of the  exciting things, like artificial intelligence.   We have a lot of work going on in our autonomous  systems. In the future, the operators,   they're just—right now, they're overwhelmed with  the amount of information they need to operate   these systems, the energy infrastructure. Imagine  as we add millions and millions of more devices.   Even on the Eastern Interconnect, the most  complex grid in the world, the Eastern grid,   there are about 10,000 or so control  points on that—at that level.

We're seeing, as with more devices at the grid  edge, the distribution-level utility may have   millions of devices that they are collecting  information from, or they may even control. So, our work in autonomous systems, and how do you  secure these? We have some great research going on   around how you secure the potentially, at times,  untrusted devices, and how do you know that the   information you're getting is okay, and what  do you do with it if you get something that   doesn't look quite right? But the human in  the loop can't do that. We're going to have   to put a lot more intelligence in the system  and be able to trust that system as well. So, we have a lot of work  in there. We've developed a  

really unique capability called the Cyber  Energy Emulation Platform. So, that allows us   to have that visualization of the power  system layers, the cyber layers, and be   able to emulate, create expansions on your  utility, expansions on your community. We have some work going on with the City of  L.A. They're trying to get to 100 percent   clean energy, and how do you do that,  with the size of [the] community/city   that they have? We're working with the  L.A. Department of Water and Power.

So, we can go from simulating and understanding  what's possible, and then work with the ARIES   capability, and the real hardware,  and so on, and explore what’s doable,   right? So, that—we provide that link, that  bridge. This is not just science. This is not just   a simulation because a lot of times people will  say all models are wrong, some models are useful.   We go from that to let's really validate and  see what we can do that will make a difference.

So, smart systems, next-generation devices, and at  the hardware level, virtual devices; large-scale,   next-generation systems. Hydrogen. Where does  hydrogen play in the future infrastructure?   Transportation. Electrical vehicle  charging, next-generation charging,   and how do you secure that? Because  the user has to interface with that. So, I can go on and on, Pete. >>Pete Tseronis: Oh, no. >>Juan Torres: This is just good stuff.

>>Pete Tseronis: Yeah. I love it. [Crosstalk] >>Pete Tseronis: Yeah. It's—in the theme  of sampling, folks, we can talk for hours   on each one of those. Adrienne, I want to  give a shoutout back to the Vision 2030.   What are you hoping or looking towards in terms  of just a goal for the next year with that   program underway? Give a shoutout  to NYPA and its efforts there. >>Adrienne Lotto: Thanks. So, I think it's  fundamentally what Jim articulated, looking at   Vision 2030, and as we move down the approach and  move down, create—making that vision a reality,   ensuring that we're utilizing sound risk  management principles with all of our partners.

So, for example, Juan just talked about hydrogen.   We are about to do a first-in-the-nation  hydrogen project where we're going to use   one of our fossil plants, right—we have in-city  fossil—in-city meaning—sorry, I'm in New York,   so Manhattan, we have a plant right outside of  Manhattan that's one of our peaker plants. We're   going to test it for the first time, we think,  in the nation, going up to 40 percent hydrogen. That's going to be a challenge,   right? There's a lot to ensure there when  you're using hydrogen as a fuel source.  

But to the point—if we want to get where we  believe the nation wants to go of having a clean   energy, decarbonized footprint here in the State  of New York, and frankly in the nation, we believe   these are some of the leaning-forward tests that  we need to do to ensure we're going to get there. Ensuring sound risk management principles along  the way is crucial because we don't want to—we,   of course, always have safety first, and we  want to make sure that things like, as Juan   just said—I mean, what he was fundamentally  describing there is a control, right? So, we have a risk management that identifies all  these risks. He's talking about AI, which is—so   you have an inherent risk. You have  a control. If we could get that human   out of the loop in that control, that's  as good as we're possibly going to get.   And then all that's left is a potential  inherent risk—excuse me, a residual risk. So, bringing all of these concepts  together to ensure that Vision 2030   is no longer a vision but can actually be  effectuated in the next ten years is what   I'm excited about working with all the partners  that—two of which are here today on the call.

>>Pete Tseronis: Well, I think it's— >>Adrienne Lotto: Thanks, Pete. >>Pete Tseronis: Oh, thank you. Appreciate that.   But I agree 100 percent. I think it's a  beacon. I think anybody who's watching,   look at the documents publicly available. I  looked at it last night. There's a cheat sheet,   and then there's just the lengthy, here's our  plan. So, I think it's awesome, and thank you.

And, Jim, before we hit parting shots,  you mentioned BitSight. You mentioned   what Moody's doing. It has its own plan  to keep this conversation going and to   help utilities maybe understand that  there's innovation happening in a lab,   and there's things off the shelf that you can buy.   What are you hoping to accomplish in the next year  maybe as part of this collaboration with BitSight? >>Jim Hempstead: Okay, so one of the  things that we're going to be doing   is in 2019 we published a cyber risk heat  map, where we looked at vulnerability   and impact across, I don't know, 30-some odd  sectors. I think it was $80 trillion of global   rated debt. Now that includes sub-sovereigns  and governments and things of that nature. And we're going to update that, and so a  lot's changed since 2019. And we think that  

incorporating a curated data set from BitSight  that kind of zeroes in on the things that we're   thinking about the most from a credit perspective,  as opposed to a cybersecurity posture perspective   in terms of how you look at it, that  can inform the way we look at this.   And heat maps are relatively simple tools,  but they're very useful for the capital   markets because you very quickly can rank  order different sectors, different regions,   and things of that nature, to see at least how  one organization is talking about cyber risks. So, we'll define it, and then we'll apply it to  this global portfolio and put that out next year.  

And I hope to see all of our credit research  next year use more and more consistent data,   like from BitSight and other organizations.  We have our issuer survey results that   we're always incorporating. So, every time  T-Mobile or somebody else has a cyber event,   we can enrich the discussion by showing how that  particular industry compares to other industries   in terms of various different measures,  whether it's cloud adoption, or patching, or   how many levels does it take to get  to the CEO, and things of that nature.

So, I think there's going to be a very significant   shift in how much you see coming out of the rating  agency next year with respect to cybersecurity. >>Pete Tseronis: Yeah, 100 percent. Love  it. And, again, I’m excited. Keep writing   those reports. Folks, again, the Moody’s  reports are easy to digest and distill.

All right, 30 seconds or less because I got to do  the parting shots. It’s my favorite part. Juan,   we’ll go with you to start. What do you want to  leave with the audience from today’s discussion? >>Juan Torres: Yeah. Continue to  engage. This is huge. We need to   get people talking about these issues,  the challenges, where are things coming.   What’s on the forefront? What’s the next  big thing? So, stay tuned. The accelerator  

is going to continue to advance. But there are  other things that we’re doing in this space,   especially around clean energy. And I  didn’t get into all of that, but stay tuned. >>Pete Tseronis: Thank you, JT. Adrienne? >>Adrienne Lotto: Took my words.  I was going to say engage. I mean,   and I would say particularly for any female  leaders out there who are curious about the area,   here's only one set. There's a lot of stuff.  This is an area that's continuing to evolve.  

It's continuing to grow. If you have a teenager at  home, maybe about to go into college, encouraging   him— or he or she—to take a look at cyber  as an area of interest. Please do so. And I think that there's—it's  not an area—I think sometimes   utilities in the past got looked at as, like,  oh, humdrum, not particularly innovative,   not really forward leaning, like Silicon Valley.  But the truth is it's changing drastically. So,   it's an exciting field. Lean in, and  you can really make a difference. >>Pete Tseronis: Thank you.  Wonderful. Jimmy, bring us home. >>Jim Hempstead: Three for three, Pete. Cyber  risk is part of the risk management process,  

and it requires engagement with a lot of  stakeholders, and not just the people around you.   And I encourage that engagement. >>Pete Tseronis: Well, my parting shot is we hit  on trusted partnerships, technical translation,   credit risk, clean energy. Folks, this  was the sampling, stealing, again,  

from Emily. Shoutout to John White and the  entire team that helped pull this together.   We will do this again. I'm meeting with Ann  Dunkin later today, the CIO of Energy FYI on   cybersecurity for smart cities. So,  again, this conversation is active,   and we appreciate all of those who attended and  registered. And thank you, again, to everyone.

2021-12-12 04:44
