State regulators in Illinois are staking out a unique foothold in an area of growing concern among public utilities: the security of information and digital assets in the smart-grid era.
Late last month, the Illinois Commerce Commission (ICC) announced the establishment of an Office of Cybersecurity and Risk Management to prioritize and support “the ongoing efforts of regulated Illinois utilities to protect critical infrastructure from cybersecurity risk and unauthorized access to system and electronic data.”
The move comes amid a rising local and global awareness of hacking and other forms of cyber-intrusions. Institutions, private businesses and government agencies across a range of sectors have found themselves targets of high-profile digital breaches.
Just within the past two years, hackers exploited human and virtual weaknesses to shut off power to hundreds of thousands in Ukraine, steal personal information on millions of people from the U.S. Office of Personnel Management, and released emails from the campaign staff of a leading presidential candidate. Hacking has gone from a seemingly distant threat to an everyday reality and concern for the public and private sector alike.
Meanwhile, the U.S. power grid has been undergoing a transformation from a largely disconnected system to one that depends heavily on sensors, data and telecommunications to keep the lights on. This intersection of energy and information technology exposes the industry to the same kind of cyberattacks that have disrupted businesses in retail, technology, entertainment and other sectors.
“With the advent of smart grid technologies, which layer software on top of utility operations and computer systems, threats become increasingly likely and relevant,” reads a report on cybersecurity released by the National Association of Regulatory Utility Commissioners (NARUC) in January. “Although a smarter grid is generally more reliable, new vulnerabilities appear that must be managed as grids become two-way exchanges of kilowatts, as well as network data, and customer-usage data that may be valuable and desirable to bad actors.”
For the ICC, which regulates natural gas, telecommunications, water and sewer public utility companies in addition to the power sector, having an office focused on cybersecurity is a matter of being prepared in the event of Illinois’s critical infrastructure coming under attack from nefarious corners of the internet.
“If something does happen in this space, and we get the call from [the Illinois Emergency Management Agency] or our federal partners, we’ll know how to react,” says Cholly Smith, ICC’s executive director. “Also, proactively … we’re going to be in a very good position as a regulatory agency to answer questions about these technologies and how they are interacting with consumers’ everyday lives.”
‘We want to be a collaborator’
There are several federal agencies and regulatory bodies that are involved in the cybersecurity of critical infrastructure, but, to date, few state regulators have taken a significant step toward engaging in cybersecurity. Iowa, Washington, Texas and Pennsylvania have assembled cybersecurity teams, according to NARUC, but the ICC says they are unaware of any other state that has taken the formal step of establishing an office dedicated to the growing field.
ICC sees its role in the area less as a traditional regulator and more as a facilitator of dialogue and best practices among utilities that might not otherwise reach out to one another directly on the subject of information security.
Dominic Saebeler, director of the ICC’s new office, says he hopes the office can help utilities digest the massive amounts of studies, data and new information available daily in the cybersecurity realm.
“We want to be a collaborator,” Saebeler says. “We want to be viewed as someone who can add value as opposed to [being] just another person they have to report to and have look over their shoulders and tell them they’re not doing something right, or are doing something right.”
Saebeler, an Illinois attorney, has served previously as the state’s Chief Information Officer and General Counsel. Before coming to ICC, he was the chief of information technology policy at the Illinois Department of Innovation and Technology (DoIT), a state agency focused on technology that was established last January by Governor Bruce Rauner. For now, ICC’s Department of Cybersecurity and Risk Management consists of only Saebeler, but Smith says he hopes they can add more staff in the future.
‘Only as secure as the people who run it’
There have been no reported, major instances of a past cyberattack on Illinois utilities, though Saebeler says that utilities – as is the case in many sectors – regularly report of unauthorized users attempting to access secure systems. In 2011, a leaked intelligence memo claimed that Russian hackers destroyed a water pump at the Curran Gardner Public Water District near Springfield, Ill. This turned out to be false.
In 2016, the Illinois State Board of Elections officials reported that personal information on some 90,000 voters had been obtained by hackers, although no voting records were tampered with. It remains unclear who perpetrated the attack. Just last month, hackers reportedly accessed names, social security numbers and dates of birth of approximately 1.4 Illinois job seekers through a vendor with the Illinois Department of Employment Security.
As part of establishing the new ICC office, Smith says the commission itself will also be boosting its own internal cybersecurity efforts, including partnering with DoIT to implement mandatory cybersecurity training for all staff.
Indeed, the human element is often the most vexing part of securing digital assets, analysts say.
“A system is only as secure as the people who run and operate it,” reads the NARUC report. “In case after case, attackers have successfully bypassed even the best security by taking advantage of regular users’ naiveté or lack of awareness to give an attacker access.” The report highlights the “phishing” method, in which a user downloads an attachment containing malware from an email message.
ComEd, Illinois’ largest utility, implements a variety of cybersecurity measures including encrypting customer data and using multi-factor authentication processes when personnel connect to secure data sources, according to a company fact sheet. Ameren Illinois says it maintains “strict confidentiality and privacy policies, and use state-of-the-art cybersecurity and wireless technologies to safeguard customer information.”
“We’re pretty confident [utilities] are doing everything that they can do, but we respect that there’s a threat out there,” Saebeler says. “We don’t respect the actors, but we respect their capability.”