Cyber and Physical Security

New threats and security risks for the electric power grid are constantly emerging as we continue to connect the Internet of Things (IoT), including sensors, routers and smart devices that are essential to a modern grid and 24/7 business transactions. Increased connectivity creates new entry points for potential attackers and poses new challenges for grid security. It is up to each utility to be prepared to contain and minimize the consequences of cyber and physical security incidents.


The growth of smart energy devices, which are increasingly decentralized and interconnected, creates more entry points for bad actors who want to cause harm. The increase in distributed energy resources (DER) is one example of a growing resource type that will open more opportunities for exposure of the grid. As a result, we will need mechanisms to secure company software and physical assets to protect the bulk electric system (BES) from attacks.

AEP learns from and takes actions based on real-world scenarios affecting global companies such as Sony’s ransomware attack, Target’s third-party risk, the Equifax data breach and the attack on Ukraine’s electric grid. Our Defense in Depth approach to cyber and physical security allows us to deal with threats in real time. These strategies include: monitoring, alerting and emergency response; forensic analysis; disaster recovery; and criminal activity reporting. Through rapid notification and response when attacks and disasters are underway, we can delay cyberattacks and avoid or mitigate the damage before the full effect of the threat is realized.

Mitigating these risks requires a coordinated approach to monitoring, response and employee education, the use of cyber tools and physical protection systems, as well as critical partnerships with the public sector, peer utilities and other industries.

The cyber and physical security of the BES is regulated by the federal government through the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards. We are routinely audited for compliance with federal standards in both cyber and physical security. In addition, the Board of Directors’ Audit Committee reviews our cyber and physical security efforts, which also are reviewed annually with the full Board.

To ensure our security controls are comprehensive, effective and in compliance with regulatory requirements, we have established a robust, collaborative security policy management program that aligns with the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Our resulting policies and standards are jointly developed with AEP’s business areas to maximize adoption and implementation of standard controls, thereby reducing security risk to AEP.

AEP classifies all of its BES facilities based on their criticality to determine the level of security needed. This approach allows us to design security controls for new infrastructure from the start, building the costs into capital projects as needed. It also allows us to be more proactive with new and existing infrastructure while balancing risks with mitigation solutions.

AEP’s third-party risk governance program was developed to identify potential risks introduced through third-party relationships, such as vendors, software and hardware manufacturers or professional services providers.

Our most important partner in AEP’s cyber and physical security is our people. AEP’s Security Awareness program reduces risk by promoting security best practices and providing awareness education to the AEP workforce. The success of our program depends on constant communication and reinforcement. Our goal is to protect AEP assets and information, enable the business to work securely, and assist each employee and contractor in knowing what is necessary to keep AEP secure.

We provide annual training on enterprise security as well as NERC compliance. We also conduct regular phishing email tests and share trending security initiatives with employees and contractors. Our training is tailored to each audience and covers policies and standards, domestic violence, workplace aggression, personally identifiable information (PII), password protection, cyber hygiene, phishing and active shooter situations. Our awareness materials also address on-trend security topics, such as how to identify phishing emails, classify data and protect personal devices against new vulnerabilities.

We deliver security education through annual web-based training, security-focused newsletters and articles, enterprise security alerts, local lobby events, and security road shows that engage AEP employees and contractors throughout our regions. We cultivate face-to-face interaction and communication through our Security Champions program, as well as through AEP leadership-level security round-table events. Our Security Ambassadors help educate project teams and business areas on the risks introduced by new initiatives and identify ways to reduce those risks.

In 2018, we initiated a two-year project to assess security risks by evaluating vendors that partner with AEP. By assessing their security controls through a series of questionnaires and on-site assessments, we will seek to mitigate AEP’s exposure to excessive risk and comply with supply chain reliability standards.

In addition, FERC is proposing to approve new mandatory reliability standards to protect the BES from cybersecurity risks in the supply chain. FERC is seeking to expand NERC compliance standards that will help protect the grid from risks such as tampering, theft, insertion of malicious software and poor manufacturing and development practices.

Coordinated by NERC, GridEx is a biennial threat simulation aimed at coordinating efforts during, and recovering from, a wide-scale cyber and/or physical attack. These exercises simulate attacks on operational functions across the entire North American electric grid. It is a nationwide event encompassing more than 6,000 stakeholders from utilities, NERC and U.S. government partners. In November 2017, approximately 200 people from across AEP participated in the GridEx IV event. By design, GridEx is intended to challenge even the most prepared and mature organizations.

While GridEx is a simulation, the threat is real. More than 200,000 customers in Ukraine lost power in 2015 when hackers successfully attacked that country’s electric grid. Every day in the U.S., hackers are probing utilities’ computer networks looking for weaknesses. Exercises such as GridEx help utilities both prepare for and guard against a potentially catastrophic attack.

Physical threats to our electric infrastructure could target substations, office buildings and our people. Our four priorities for physical security are workplace violence, attacks on employees by customers, attacks on substations and vandalism/copper theft. We address these priorities through employee training, access control at our facilities and the use of security technology where appropriate.