In the U.S., critical infrastructure consists of sixteen essential sectors that make daily life possible. National critical functions are the functions of government and the private sector so vital to the U.S. that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety.

Here, we talk to Brian Harrell about the importance of protecting critical infrastructure, the threats and hazards that pose the greatest risks to critical infrastructure and more.

Security magazine: What is your title, and what are some of your current responsibilities?

Harrell: I recently transitioned back to the private sector and I’m currently the Vice President and Chief Security Officer (CSO) at AVANGRID (AGR), a large sustainable energy company operating in 24 states across the country. AGRs growing list of utilities are focused on the Generation, Transmission, and Distribution of electric power, as well as Gas Operations. My portfolio includes physical and cybersecurity, security compliance, intelligence, and fire protection.

While I work with government, intelligence, and industry stakeholders to help “keep the lights on,” my current focus remains on building resilience into our system. Recognizing that hope is not a strategy, I assume that my worst day is right around the corner. So, I’m pushing my team to anticipate, harden, exercise, and constantly improve our cyber infrastructure and security “posture.”

Prior to arriving at AGR, I served at the Department of Homeland Security (DHS) and the US Cybersecurity and Infrastructure Security Agency (CISA) where I focused on Infrastructure Security risk reductions and resilience to the nation.

Security magazine: Why is a secure, reliable grid vital to all Americans?

Harrell: The bulk power system and electric reliability is the foundational backbone to all of our critical infrastructure sectors. Attacks on critical infrastructure, specifically electric generation and transmission facilities, could be used to cause widespread panic and create economic distress in a country already on-edge. The good news is, significant investment and progress has been made in the electricity industry surrounding the issue of security and resilience.

Critical infrastructure protection is a cyclical process incorporating prevention, detection, mitigation, response and recovery. The energy sector is no different. The key to this protection is the identification of credible threats, which will assist energy companies in assessing risks and potential vulnerabilities (weaknesses) of their facilities. While the security of the grid is a shared responsibility between the government and the private sector, the primary responsibility rests with utility owners and operators. Industry has a responsibility to ensure we are able to receive and act upon intelligence and be prepared to identify risk. Nobody is going to do this for us and the Calvary is not coming.

Security magazine: What are the current challenges around securing energy systems and critical infrastructure?

Harrell: Securing our nation’s critical infrastructure is a vast and complex endeavor. The convergence of information technology (IT) and operational technology (OT), and the expansion of internet-connected people, places and things creates an expanded attack surface. OT is an attractive target for those who wish us harm because critical infrastructure functionality, reliability, security, and safety depends so heavily on OT. Together, these factors make securing these digital networks increasingly difficult. In addition, cyber threat actors — including nation states — continue to demonstrate their willingness to conduct malicious cyber activity against critical infrastructure by exploiting internet-accessible OT assets. 

While these risks are significant, companies have risen to the occasion and have taken several positive steps to manage these risks. For example, through established information sharing mechanisms, companies are detecting compromises sooner. Companies are also adopting more rigorous cybersecurity standards for their OT and IT environments. In addition to these important steps, organizations are placing greater emphasis on the adoption of sound software development, acquisition processes and practices.

The energy sector has also been involved in a full spectrum of cyber exercises, workshops, and seminars designed to assist organizations at all levels in the development and testing of cybersecurity prevention, protection, mitigation, and response capabilities. For example, the North American Electric Reliability Corporation (NERC) hosts a Grid Security Exercise (GridEx) every two years, and it is an outstanding example of the public-private partnership. Through GridEx, utility companies can demonstrate how they would respond to and recover from cyber and physical security incidents, strengthen their crisis response plans, and provide input for lessons learned. Only by continuing to proactively test our plans and processes will we strengthen the country’s critical infrastructure security and resilience.

Security magazine: How vulnerable is critical infrastructure to cyberattacks and other security threats? How concerned should we be with respect to supply chain?

Harrell: When it comes to making an organization cyber resilient, in today’s environment the stakes are increasing, and the decisions are challenging. In addition, a cyberattack on any organization can often result in substantial financial and reputation loss for a business. As the month of December (2020) has shown us, all companies are a target and it’s nearly impossible to eliminate all risk.

Supply chain risk management is very important, especially with the globalization of vendors and suppliers, as well as the upcoming rollout of new technologies, including information and communications technology (ICT) like 5G.  Additionally, as the cyber and physical worlds converge, threat actors are using a variety of tactics to exploit any weakness. Rarely do we see a “cyber-only” attack, or a “physical-only” attack. A cyberattack will likely have physical consequences and vice-versa. The worlds are too closely linked to operate in a silo, and so our security organizations should reflect this new threat landscape.

Security magazine: What advice do you have for the modern CSO?

Harrell: The modern CSO is business savvy and fully understands the impact that security has with respect to “keeping the lights on”, business resilience, reputational risk, and regulatory compliance. Today’s CSO must be an educator rather than an enforcer as they must be able to re-frame the conversation away from mere loss avoidance and towards competitive advantage, efficiency, and risk reduction. The CSO must be technically adept, with an intuitive understanding of a company’s assets, how attackers might penetrate them, and how to keep the crown jewels secure. And because no company, no matter how invested it is in security is fully immune from risk, the CSO must also understand how to deter, detect, and mitigate from the barrage of attacks.