Cyber and Physical Security

New threats and security risks for the electric power grid are constantly emerging as we continue to deploy the Internet of Things (IoT), including sensors, routers and smart devices that feed critical data over the Internet, and cloud technologies that are essential to a modern grid and 24/7 business transactions. This increased connectivity creates many new entry points for potential internal and external attackers, posing new challenges for grid security.

AEP classifies all of its bulk electric system facilities based on the critical nature of the equipment to determine the level of security needed. This approach allows us to design security controls directly into new infrastructure from the start.

Mitigating these risks requires a coordinated approach to monitoring, response, employee education, cyber tools, physical barriers, and critical partnerships with the public sector, peer utilities and other industries. AEP’s Chief Security Officer (CSO) oversees coordination of these efforts, including governance of enterprise security and ensuring compliance with regulations and employee awareness. Under the CSO’s direction, the Enterprise Security team is charged with protecting AEP’s business networks, the power grid and customer and employee information.

Unlike other sectors in the U.S., the cyber and physical security of the bulk electric system is regulated by the federal government through the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) program. We are also routinely audited for compliance with federal cyber and physical security standards. In addition, the Audit Committee of the Board of Directors reviews our cyber and physical security efforts regularly and the full Board conducts an annual review.

In 2016, the Federal Energy Regulatory Commission (FERC) approved updated cybersecurity standards for the nation’s electric utilities. The revised CIP reliability standards broadened the scope and depth of issues ranging from employee training, response planning and recovery to security of cyber systems and information protection.

As a result of the revised NERC CIP standards, AEP now classifies all of its bulk electric system facilities based on the critical nature of the equipment to determine the level of security needed. This approach allows us to design security controls directly into new infrastructure from the start, building the costs into capital projects as needed. It also allows us to be more proactive with new and existing infrastructure while balancing risks with mitigation solutions.

The FERC also directed NERC, which is charged with assuring the reliability and security of the bulk power system, to develop a new supply chain risk management standard. AEP has more than 21,000 suppliers in our supply chain who conduct business with us, some of whom have access to our networks, sensitive information or critical infrastructure, such as substations, blueprints and confidential files.

To protect our cyber and physical assets, we need partners. Our most important partners are our employees, who receive training annually to understand the risks and their shared responsibility to protect our networks. At the same time, we must ensure that we have processes, procedures and technology in place to limit the risk of attack from a disgruntled or former employee.

In addition to training, we are establishing an insider risk management program that will aid us in identifying at-risk current and former employees and mitigation strategies that will allow us to protect personnel, assets and sensitive information. That program will include a governance committee that includes representatives from Human Resources, Legal, and Ethics & Compliance to ensure our employees are protected and treated fairly.

Another emerging risk is the growing use of the cloud to store and transfer data. To better understand this risk, we have established the Cloud Center of Excellence, a partnership between Enterprise Security and Information Technology. The Center will identify best practices for using the cloud while mitigating the risk of cyberattacks.

In addition, AEP is seeking regulatory support for supplementary security protections of distribution substations. In 2016, AEP Ohio filed a request with the Public Utilities Commission of Ohio to secure critical distribution infrastructure to protect reliability and public safety. Distribution substations are vulnerable to copper theft and vandalism that can disrupt service to customers, create safety risks for our employees who must repair the damage and put the public at risk. This activity is so dangerous that would-be thieves have been electrocuted trying to steal copper from substations.

Over the past decade, AEP Ohio customers have experienced nearly 17 million customer minutes of interruption caused by vandalism and theft at Distribution substations. If AEP Ohio’s pending request is approved, up to 100 of AEP Ohio’s most critical distribution substations would be equipped with additional security measures over four years, including sirens, intrusion sensors, cameras and signage.