Cyber Safety

Stephen King, Director of Technology, Irby Construction Company

Stephen King, Director of Technology, Irby Construction Company

I’m the Director of Technology at Irby Construction. We are part of the Quanta family of companies. We build and maintain high voltage transmission lines, local distribution power networks, substations, and renewable energy systems. I get to work with some real heroes. These folks are brilliant, well educated, hardworking professionals. Can you imagine working on 500,000 volt powerlines 150 feet in the air? How about one of those residential intersections where you see dozens of bare lines crossing overhead? Or riding out a hurricane in bunker so you can be the first out in the weather as the storm passes to start restoring power hoping someone does not kick off an ill wired generator backing power down the line you are working on? The guys I work for are true heroes.

If there is one thing these heroskeep at the forefront of their minds, it’s safety. One slip-up can cost them their lives. When they say, “I am my brother’s keeper!” they mean it. What they don’t think about as much is security. That’s not a bad thing. To a lineman, “Safety” is an idea personal wellbeing. “Security” is an equipment idea. Making sure you leave work healthy is about safety. Making sure your tools are not stolen is security.

In this industry, a job site accident that causes injury or death can cause a company to lose a contract. Our Safety Team has the power to shut down a job site if there is a safety concern. This protects our employees and secondarily our company and projects. Employee safety is key!

We are seeing a change in our industry in the importance of CyberSecurity. My company’s customers ARE the Critical Infrastructure of our nation. These utilities are targets of bad guys. The failure of any part of our nations power grid places many lives at risk. Our customers are being held to NERC, FERC, and NIST standards for cyber security just to name a few. As a part of this industry, we are held to these standards as well.We are having to look at the power grid system as a whole and our customers systems specifically as to how we protect these.

The local utilities are demanding more from our IT Security.So, I’m changing the nomenclature to “Cyber Safety”with the emphasis on Safety. Just a few years ago, we were thinking about cyber security in the swim lane of PCI / PII information. That’s not a big part of my company’s day-to-day data. We don’t handle that kind of information outside of Accounting and HR departments. This “Zombie Apocalypse”we have navigated over the last of the last couple of years has changed how we do business. Our hardware and systems have become more tightly interwoven with our customers and vendors. We have expanded our digital footprint across the company with more employees than ever having computers and mobile devices as a part of their standard job equipment.

While our company builds the “brute force” side of the grid, we do interact more with the “digital side” of the grid now. That interaction is growing as the grid becomes more intelligent. We are adapting as the grid’s intelligence is growing and maturing. Our linemen are installing cyber components and have deeper access to the backend systems that manage the grid.

We are being required to connect to the power companies’ systems to update progress and get work instructions. What had been backoffice functions in the past are moving closer to the job site. These connections can be via web access, VPN style access, or customer provided applications to name a few methods. We even have customers requiring that we enroll our mobile devices in their MDMs.

With this paradigm shift in the industry, it’s important for the IT leaders to change the culture of our companies. We need to review the RFPs and Bids. Are there requirements in these that you will be held to that you can’t meet? You need to be talking with the field leadership regularly. Helping them understand the Cyber Safety requirements we are being required to follow. What may seem obvious to an IT professional may be a foreign concept to a foreman leading a crew that’s building a substation. Our folks in the field often think they would never be a target of a bad guy since they are “just a superintendent” or “just a whatever-their-job-title-may-be.” To them, they often think it’s just the executives or accounting or someone else that would be a target. They don’t see themselves as potential ingress point to the grid. Just like a groundman can shut down a job if they see a safety issue that could injure someone, they need to see their value in protecting the Cyber Safety.

Our job will be everchanging. We have to be alert to the fluid threats. There are some quick actions that we can take to start beefing up our Safety. Moving all systems to Multi-Factor and preaching Anti-Phishing best practices are a great start. Remove local admin right from all accounts . . . even the IT accounts. (Create elevated privilege accounts for key IT folks to use to install software only.) Get all your mobile devices in a good MDM. We need to be doing constant security audits of our systems. Assume you are a target.