Like all major infrastructure, the nation’s power grid is subject to an array of threats, from naturally caused phenomena such as extreme weather to vandalism, terrorism and insider risks that jeopardize reliability, safety and data security. The stakes are high; our response to an event affects our customers, our reputation and the reliability of the power grid.
Growing risk from third-party products and services has prompted new regulations to protect the grid’s resilience and reliability. As threats become more sophisticated and massive breaches occur, it is a constant challenge to achieve the appropriate level of risk management. Our comprehensive security strategy – known as “Defense in Depth” – assumes a broader range of possibilities such as physical theft, unauthorized access to data and incidental threats that do not specifically target protected systems or assets.
We continue to incorporate cyber and physical security risks into our enterprise risk management framework. This provides a more comprehensive approach to understanding these risks in relation to other enterprise risks. It also allows us to make security decisions based on the level of risk, as well as our priorities and resources.
In May 2018, AEP Ohio awarded The Ohio State University a $250,000 grant to fund research on cyber-resilient power grids. The research is being done through OSU’s Electric Power Grid Research Group, which is focused on electric power distribution networks to make electricity supply more reliable, secure, energy efficient and environmentally friendly.
- Cyber & Physical Security
New threats and security risks to the electric power grid are constantly emerging as we continue to connect a greater variety of web-connected devices, also referred to as the Internet of Things (IoT). This includes sensors, routers, drones and smart devices that are essential to a modern grid, 24/7 business transactions and data transfers. New mobile apps and services that we develop or buy for customers, and our own increasing reliance on cloud-based programs, increase external connectivity to our network, creating new entry points for potential attackers and posing new challenges for grid security. It is up to each utility to be prepared to contain and minimize the consequences of cyber and physical security incidents.
We recognize that technology is rapidly changing and that we have to keep pace to stay relevant with customers, modernize the grid and become more efficient in our work. But the fact remains that the growth of smart energy devices, which are increasingly decentralized and interconnected, creates more entry points for threats to cause harm. Breaches can come from anywhere, even a trusted contractor connecting to the AEP network. We’ve put a new security access program in place to monitor and manage these connections while providing controlled access that allows us to get our work done. We also have a new procurement policy prohibiting the purchase of anything that requires connecting to the network without first following steps to protect the system. We are proactively considering possible ways attackers could breach our systems, and we are preparing for recovery if a breach occurs, through policies, procedures and technology, as well as educating our workforce about the growing threat.
AEP learns from and takes actions based on real-world events that occur. Our Defense in Depth approach to cyber and physical security allows us to deal with threats in real time. These strategies include monitoring, alerting and emergency response; employee education; forensic analysis; disaster recovery; and criminal activity reporting. We also maintain critical partnerships with the public sector, peers and other industries. Through rapid notification and response when attacks and disasters are underway, we can reduce the impacts of cyberattacks and avoid or mitigate the damage before the full effect of the threat is realized.
In 2018, AEP established a working group to vet IoT technology to further strengthen our defenses against cyber risks. Our goal is to align business units with consistent processes and policies to ensure security across the enterprise.
The AEP Foundation awarded Louisiana Tech University a $1 million grant in 2018 to support a new cyber and academic center in Bossier City, La. The new Academic Success Center, located inside the Bossier Parish Community College STEM Building in the National Cyber Research Park, will enable enhanced educational services, provide cyber education and research, support economic development and engage in workforce development activities. This investment will help to increase opportunities for students to pursue cyber careers and strengthen the future workforce in this high-demand field.
Drones have great potential to improve efficiency and safety but can also pose physical and cyber risk. AEP is seeking to develop consistent processes and policies for drone usage. In 2018, AEP developed a new Drone Governance Team to identify and implement recommendations that enhance the coordination of AEP’s drone operations.
- Security Policy Management
The cyber and physical security of the bulk electric system (BES) is regulated by the federal government through the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards. We are routinely audited for compliance with federal standards in both cyber and physical security. In addition, the Board of Directors’ Audit Committee reviews our cyber and physical security efforts, which also are reviewed annually with the full Board.
To ensure our security controls are comprehensive, effective and in compliance with regulatory requirements, we have established a robust, collaborative security policy management program that aligns with the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Our resulting policies and standards are jointly developed with AEP’s business areas, through the Enterprise Security Advisory Council, to maximize adoption and implementation of standard controls, thereby reducing security risk to AEP.
We classify all BES facilities based on their criticality to determine the level of physical security needed. This approach allows us to design security controls for new infrastructure from the start, building the costs into capital projects as needed. It also allows us to be more proactive with new and existing infrastructure while balancing risks with mitigation solutions.
- Security Training
Our most important partner in protecting AEP’s cyber and physical security is our people. AEP’s Security Awareness program reduces risk by promoting security best practices and providing awareness education to our employees and contractors. The success of our program depends on constant communication and reinforcement. Our goal is to protect AEP’s assets and information, enable the business to work securely and efficiently, and educate employees and contractors about their responsibility to keep AEP secure.
We provide annual training on enterprise security, including regulatory compliance. We use web-based training programs, newsletters, articles, security alerts and road shows to engage employees and contractors. In 2018, we also conducted phishing email tests and shared security trends and initiatives with employees and contractors. Our training covers a wide variety of topics such as policies and standards, domestic violence, workplace aggression, personally identifiable information (PII), password protection, phishing and active shooter situations. We focus on current security topics, such as techniques for identifying phishing emails, classifying data and protecting personal devices against new vulnerabilities. Our Security Ambassadors help educate project teams and business units on the risks introduced by new initiatives and help them identify ways to reduce risk.
Physical threats to our electric infrastructure could target our people, office buildings and substations. Our priorities for physical security are workplace aggression, threats and attacks by customers against employees, attacks on substations, and vandalism/copper theft. We address these priorities through training, access control at our facilities and the use of technology where appropriate.
- Supply Chain Security
In 2018, we initiated a two-year project to assess the security risks posed by third-party vendors. By evaluating their security controls through a series of questionnaires and on-site assessments, we seek to mitigate AEP’s exposure to excessive risk. We’ve also added a new set of security requirements to all primary contracts.
In addition, FERC has approved new mandatory reliability standards to protect the BES from cybersecurity risks in the supply chain. The new and revised standards take effect in June 2020. We have already begun the process of gathering information and planning for compliance. Our plan is to achieve full compliance when the rules take effect.
As technology evolves, more and more devices are participating in cloud computing. While the cloud opens new opportunities, we must mitigate the additional cybersecurity risks that come with it. We recognize the role of cloud technology, and we continually work with cloud vendors to secure the solutions they provide that connect to our systems. As this area evolves, we’ll continue to identify and assess risks as we invest in our technology infrastructure.