The energy sector is largely prepared to counter cyberthreats, Southern Co.'s CEO said March 27, but he is still cognizant of challenges facing the industry.
"I think the issue in cybersecurity is not so much to dwell on the dream" of innovation, "but rather to prevent the nightmare," Southern Chairman, President and CEO Tom Fanning said at the Energy Thought Summit in Austin, Texas. "I am focused on preventing the existential threat: that is, for well-organized entities to essentially take out our American way of life."
Those threats come from traditional actors such as nation-states but also from amorphous entities Fanning likened to the shadowy criminal organization in the eponymous James Bond film "Spectre." Southern and its peers are fixated less on who the adversaries are and more on what they are trying to accomplish, Fanning told two reporters on the conference sidelines.
Fanning demurred in saying whether it was a surprise that Russia waged a cyber campaign against critical American infrastructure, revealed in a report earlier this month by the U.S. Department of Homeland Security. Rather, he said attention should be on the "morphing of the nontraditional combatants" and the creation of "real serious threats."
The most extreme scenario, a missile-delivered electromagnetic pulse, is not likely to occur at this point, Fanning said. Neither is a physical attack on infrastructure such as the 2013 sniper attack on a Pacific Gas and Electric Co. substation. Fanning called the latter prospect "garbage," adding that Southern has an intelligent, self-healing system that can adapt to disruption.
More realistic developments relate to communication, the CEO said. Rather than generation facilities themselves being targeted for physical destruction, their management systems could be taken offline. The same could happen to the networks and devices needed for utility field operations.
To prepare for an attack on a plant's management system, Southern implemented a four-level protection system, including a real-time duplicate of plant operating systems that can be disconnected from networks and run manually.
To defend against an attack on field operation infrastructure, Fanning said Southern has developed a "MacGyver"-esque system to maintain communication if such a "seriously deteriorated environment" were to occur.
Southern, which operates vertically integrated utilities throughout the southeastern U.S., is better prepared for a cyberattack than companies in regional transmission organizations, which makes it easier to develop plans and take actions in a self-contained space, Fanning said.
"The so-called organized markets are exceedingly more complex," Fanning added. "Complexity, in this environment, is a risk factor."
He pointed out that the National Infrastructure Advisory Council, a Homeland Security division, has praised utility CEOs for leading the charge on cyber initiatives and for their cooperation with the federal government.
"These are boardroom issues, these are financial disclosure issues," Fanning said. "We need to have the intelligence and capability throughout the organization and the culture in order to forestall the threat."
"I didn't say everything's fine," Fanning said of his assessment delivered to conference attendees. "What I did say was the capability of the United States, in my opinion, is the best in the world, and it's really this notion of skating where the puck will be. That is the challenge today."