PPL CEO speaks about cyber security
by Cynthia Tintorri,
It's a worry many of us have and probably don't like to think about: How vulnerable to attack is our power grid? Thinking about that threat comes with the job for William H. Spence, chairman, president and CEO of PPL, one of the largest investor-owned utility companies in the United States. "The Energy Sector and Cyber Security: Protecting the Power Grid" was the topic he addressed on March 30 as Northampton Community College's Hal Shaffer Executive-in-Residence.
After a morning spent with NCC students in their classrooms, Spence gave a talk that was very reassuring in tone to a public audience of students, faculty, staff and community members, outlining the extensive preparations and safeguards PPL and other U.S. utilities make against threats to the grid.
Spence first gave a brief overview of PPL, its vision and mission. Headquartered in Allentown, PPL comprises seven utility companies in the U.S. and the United Kingdom, with almost 13,000 employees and more than 10.5 million customers.
The utility sector and its mission are taken very seriously by the federal government. "We have mandatory and enforceable standards that the electric industry must meet, from the Federal Energy Regulatory Commission (FERC). Ours is the only industry that has these standards and oversight," Spence said.
Cyber attacks are becoming more and more common around the world. PPL monitors reports of these attacks, many of which are related to customer information and intelligence. While PPL does have customer data such as addresses and phone numbers that it's very concerned about protecting, attacks to the power grid are the biggest threat to the utility, Spence explained.
Adversaries can be state-sponsored cyber attackers, or those from rogue nations, or criminals. But it is the "hacktivists" who are trying to push a political or personal agenda, and terrorists who want to inflict damage or injury, that are most worrisome to PPL.
Cybersecurity is challenging because there are millions of points of entry, but only a single entry point is needed for an attack. Most breaches, Spence explained, start and end with people. "That's why training is important, and PPL is very focused on that for our employees."
Risks to the energy industry include power grid interruption and safety and property damage. The December 2015 cyber attack in the Ukraine, which left many thousands of customers without power for several hours, was what Spence termed "a wake-up call for our industry."
The response was an investment of $52.8 billion by electric companies in 2016 to enhance the energy grid and to further support grid security efforts. "We share information and intelligence amongst ourselves and maintain partnerships with other utilities and with federal government agencies to make sure we're well-prepared for a cyber attack. That includes constantly refreshing the tools and technology we use."
PPL collaborates with agencies such as the Department of Homeland Security's National Cyber and Communication Integration Center (NCCIC) in Washington, D.C., as well as law enforcement agencies, to monitor for attacks. The industry maintains several collaborative organizations, such as the Electric Sector Coordinating Council (ESCC) that meets quarterly with the federal government to learn about current threats.
The Cybersecurity Mutual Assistance Program conducts drills in which Spence said "we learn something new every time to better protect the 33 million electric customers in the U.S."
In 2015, PPL participated in the North American Electric Reliability Corporation's (NERC) rigorous, two-day GridEx III drill that simulated terrorist attacks. "It challenged the industry as to how best to respond, and allowed us to test our own critical functions and playbooks," Spence said.
Other response measures include spare equipment and transformer sharing partnerships between utility providers, in the event of a widespread outage. Enhanced physical security includes highly impenetrable barriers to protect critical equipment.
"I'm very confident that our system is defended as well as it can be, but you can never be 100 percent sure you won't be hacked. That's why we prepare so well," Spence attested.
If a cyber attack did happen, Spence thinks the damage would be minimal. "In the Ukraine attack, they had very old software that had never been patched, so it was very easy for hackers to get in. It's unlikely that would happen in the U.S. -- our utilities are all fairly sophisticated."
Nevertheless, Spence answered "cyber attack" to a question from the audience about what threat keeps him awake at night. "But still, an outage would be only a matter of hours or days -- not months -- because we can operate the system manually if we need to."
In appreciation for his executive-in-residence status and as a thank you to PPL, students from NCC's welding program presented Spence with a large metal replica of the company's logo they had made.
See more photos of Spence's day at NCC in this album.
Begun in 1985, NCC's Executive in Residence program is funded by Jack and Cecile Shaffer in memory of their son Hal Shaffer. The program allows students to spend time with the area's most successful business leaders.