Managing Cyber-Physical Risk Across Evolving Infrastructure
>>Emily Mousel: Welcome, everyone, again. We're going to get started. We are so glad that you could join us today, and I would like to kick us off by turning it over to Pete Tseronis, the founder and chief executive officer of Dots and Bridges, and the former chief technology officer at the U.S. Department of Energy. Pete, please take it away. >>Pete Tseronis: Thank you, Emily. Thank you, Nika. Thank you, John White, and, of course, all the great folks at the National Renewable Energy Lab. I'm super honored, and,
as I said earlier today, when we were just getting prepped, was I wish we had several hours. And for our audience who are attending, thank you. There's so much we will cover, and I'm going to steal from Emily. This is an appetizer, folks, of the kind of dialogue that we may have over the course of the year with folks like Adrienne, and Jim, and, of course, Juan.
So, I'm going to—yes, I'm Pete Tseronis. I worked at DOE, and I love this space. And, really, I just want to be a part of the conversation. I'm going to set some context of what you'll take away today. The title, Managing Cyber-Physical Risk Across Evolving Critical Infrastructure,
it's a lot, but when you really think about it, what's going on in the world, these are the sectors that, by definition, are those assets, systems, and networks, whether physical or virtual, that are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. A mouthful, but that comes directly from our United States Department of Homeland Security, and the organization that really governs the sectors that we depend on each and every day. Today, we may reference terms like national critical infrastructure functions, cyber-physical security. You're going to get to hear from Juan Torres and Jim Hempstead and
Adrienne Lotto, who I'll introduce here in a minute. But we have a lot to cover, and this is, again, a sampling. So, we encourage dialogue, questions, and hopefully some follow-up. So, with that, our guests today, Juan Torres, associate laboratory director, Energy Systems Integration, at the National Renewable Energy Laboratory, one of 17 national laboratories in our country. Juan, it's great to see you, buddy. >>Juan Torres: Hey, Pete. Great to be here. Thanks for having me. >>Pete Tseronis: You got it. I'm not reading your bio or anybody's. So, I'll allow that—that'll be our first question, talk a little about everyone's journey and background. Adrienne Lotto,
chief risk and resilience officer at the New York Power Authority, a colleague and a friend, and someone who had a really great walkabout at the United States Department of Energy, of which we will discuss when we fill in some blanks on her decorated career. Adrienne, it's great to see you. >>Adrienne Lotto: Same here. Good morning, everyone. Thanks for joining. >>Pete Tseronis: And last, of course, and not least, my brother from another mother, Villanova graduate, Jim Hempstead, managing director at Moody's Investors Service, who I am super excited to have in this conversation because Jim is a cyber-physical security expert, understands critical infrastructure from the New York City, Wall Street investment perspective, which I think will really round out our discussion. So, it's great to see you, Jim.
>>Jim Hempstead: Good to see you, too, Pete. Good to be here. Thank you. >>Pete Tseronis: All right. Well, without further ado, context, I hope, was set. There will be references throughout to executive orders, and references and artifacts for our audience to review, but we will cover a lot, but at the end of the day, what we hope to convey here is the role that government, academia, what [the] National Renewable Energy Laboratory is doing in spaces, how utility consumers and stakeholders and folks that deliver the electricity and power to our homes each and every day, and, of course, how we can help that sector, in the case of Moody's, improve upon and accelerate or move the needle towards a more resilient power grid, and leverage the opportunity that cyber and physical security can do for our lives and protect humanity. So, Juan, I'm going to kick it back to you to start out, if that's okay? A little bit about you, your passion. You've had an incredible career serving the national laboratory community, and you had some great news recently with the recent announcement, that is, of the Clean Energy Cybersecurity Accelerator. So,
take the floor, talk a little bit about your passion and why you love doing what you do. >>Juan Torres: Hey, Pete. Thanks. Yeah. This conversation here is kind of—it's decades in the making, right? We've been working on the area of cybersecurity, physical security, cyber-physical systems, for a long time, but, in a way, that's been really different because the systems have been evolving much more rapidly over the past couple of decades. I've been in the labs for a long time. My career started at Sandia 31 years ago. And [I] came over to NREL because as I worked more and more in the cyber energy space, I really wanted to work at a laboratory that—whose mission was around energy, and where there was a big need.
Back in, I think, the early days of my career in cybersecurity, in the nineties, people were just worried about putting—making sure that they have their firewalls in facing the right direction in the energy space. That's where we were in the conversations. And I'd say over the last 15 years or so, we've seen significant acceleration in what I would say [is] the use of variable generation, but also technologies that are what [are] called the grid edge around the energy infrastructure, specifically, near the consumer, where the consumer has much more touch and control and interaction. And we're seeing that's even going to change more because of things like electrification of the transportation system. Much more—many more electric vehicles, and charging stations, and things of that nature. We’re seeing way more distributed generation near the consumer, with smart buildings, smart homes. I mean, my thermostat, I can control from my cell phone.
And we can do things like that on [the] mass scale. So, what really excites me is the fact that there is so much opportunity. There are many challenges, but there's a lot of opportunity right now. And you bringing together the various stakeholders
here are what's needed, and what's key. This is not something we at the national laboratories can address alone. This is—we don't own the infrastructure. We do great research. We do great science, and not just at NREL, but at all the national laboratories. We partner with them. But having Adrienne and Jim here [is] really important because this is not just a technology solution space. This is—we have to bring technology and align it with
operations, and with regulation, and policy and business models in order to really address some of these big challenges that we see coming at us. But, in the end, I think we can be much better off if we're having these kinds of conversations. So, my passion, you asked about that, is really around addressing this big challenge around cyber energy. I say that, in my early career, I was a cyber guy doing energy work, and I kind of moved over to becoming an energy guy doing cyber work, right, and seeing it from both sides there.
In the end, the big challenge here is really getting us all talking. This is where it all starts. So, I really appreciate the opportunity to be here and have this kind of conversation. >>Pete Tseronis: Thank you, Juan. And we're going to move to Adrienne, but some of the things you mentioned—grid edge, electrification, distributed energy—folks, if you've tracked in the news about edge computing, zero trust architecture, sensor-based networks, this is that smart grid concept that's been around for at least—I go back to 2008, and we will—again, I will reference some artifacts for our audience to read up on because there's a lot to take in. So, thank you for those opening remarks, Juan. Adrienne, listen, New York Power Authority is leading that charge. It's a utility,
one of many in our country. Climate change is big to the DNA. Same question to you: your passion, your purpose, and why NYPA is really trailblazing in this space of clean energy and innovation. >>Adrienne Lotto: Thanks so much, Pete. So, personally, my passion has revolved around really getting my alignment between some of the work I did at DOE and operationalizing that inside of the utility, right? So, I think, simply, there's a little bit of a disconnect, maybe sometimes a big disconnect, between national federal policy and maybe perhaps some of the lack of understanding of how it would actually get implemented into a utility. And, so, providing that insight to the federal government, being able to influence those types of federal policies, and then taking some of that really good work that is coming out of things like the DOE lab—we have a partnership with NREL on the clean energy side—and making it tangible, making it real. As Juan articulated clearly, right, these are big problems. EV technology, for example, here in New York, largely, if you look,
the infrastructure buildout is done by Tesla. When you pull that away, there's a big gap. So, understanding what role NYPA can play to be—to lean forward in areas like that. And then I think the point Juan also raised about incentivizing, right? So, the stakeholders in this area are vast. It's not just, right, the federal government issues a policy, the DOE labs kind of create a technology to solve a problem. Jim can articulate [that] there is an entire regulated industry around this, not just on the operational side at FERC and NERC, but we also have Moody's, S&P, shareholders, regulators, who are—influence business decisions. And, so, whether you're an IOU, a muni, or a co-op, understanding the different business models and what can incentivize and drive some of these technologies out of the labs, but into [the] market, into a utility like NYPA, I think, is key. So, that's sort of where I think this panel is going to be so informative because
you've brought together all key stakeholders that really play a role, and I'm grateful. >>Pete Tseronis: Yeah. Thank you, Adrienne. And, again, this is a taste, folks, because, Adrienne, you hit on operationalizing policies, right? There's plenty of them. Folks, again, I'm just going to shoot a few out there right now. We have the Executive Order 14028 on improving the nation's cybersecurity. It's a great read. May 2021. The Clean Energy Cybersecurity Accelerator. Juan will get to that. It was just announced this month. National Security Memorandum on Improving
Cyber Security for Critical Infrastructure Control Systems, July of this year. And don't forget about the National Cyber Strategy that's three years old. There's ten others I can shout out. So, thank you, Adrienne, for talking about that. And partnerships you stressed, the multiple stakeholders, and the business models that vary from utility to utility. So, thank you. Jim, segue to you. Obviously, Moody's has a very unique role, and I think this is a very
exciting opportunity to have you on this panel. I know you've done this before in the government beltway circuit, but having your perspective as a cybersecurity expert, talk a little bit about obviously your passion, but what makes Moody's unique in this space? Because not only are you the Moody's that we know to be, but you also rely a lot on analytics and engagement with these stakeholder communities. >>Jim Hempstead: That's right, Pete. Thanks. So, personally,
it's been a fun ride. I got involved in the utility power—energy and power sector back in 1991, and, so, I've done a long time, started out as an investment banker for a couple of firms, and then I've been at Moody's now coming on almost 20 years, actually. And, so, it's been absolutely outstanding to work with critical infrastructure, like utilities, like water, pipelines, gas, but also the other infrastructure sectors, so, airports, toll roads, and seaports, and things of that nature. This critical infrastructure is very important on many different levels. From a credit rating perspective, our project and infrastructure finance team, we rate over $3 trillion of debt globally in this critical infrastructure space. And critical infrastructure securities have a much
lower default rate than nonfinancial corporates. And, so, it really speaks to the business model, and the revenue model, and the jurisdictions that these assets and businesses operate in. And a number of years ago, we started to focus a lot on cyber risk. And cyber risk is a rising
risk. We still see it as event risk. We see it as an enterprise-wide risk, so it resides at the board of directors, or the trustees, or the other governance organization that's involved in that. And we're very excited to learn more about it, get our arms around it, define cyber risk because there's lots of words that people think about when you say cyber, and sometimes it's good to get everybody on the same page, define it, identify it, measure it, and track progress, and things of that nature. And that's what Moody's is doing right now. Our parent organization, Moody's Corporation,
recently announced a transaction with a company called BitSight, which is a cybersecurity ratings assessment company. And we're very happy to start marrying the quantitative data that we could look at to inform and enrich our credit analysis as much as we can. >>Pete Tseronis: Well, thank you, Jim. And you used some terms that I think our audience may or may not be as familiar with, inside the beltway, but credit ratings. I think that's something that is significant because your purpose—at least I feel—is to help a utility, large and small, as Adrienne pointed out, get where it needs to in understanding [that] some have maybe more funding or can allocate dollars to investment. But, again, it’s a bipartisan role you
play, which is educating, as I say, the C-suite to the Main Street folks, and you do an incredible job at that, and I know that's something that is important to you, and making sure everybody understands, and with your analytics at Moody's, I think it paints a wonderful picture. Before we jump into the first segment, where I'm going to come back to Juan, and we're going to talk about the accelerator Jim mentioned, and so did Adrienne, folks—the Infrastructure Investment and Jobs Act, if you Google it, it will talk about safety, public trust, passenger/freight rails, power infrastructure, environmental protection, all the things that we're trying to improve for humanity's sake, right? A smart grid, a smart building, a smart car. Yes, there's the fear of the Internet, and breach, and the threat landscapes expanded. Today, we'll talk a bit about how we're bringing together those communities of interest to learn from one another and recognize we're never going to eliminate risk, but we can mitigate it. And I think moving to Juan here, talking about this announcement earlier this month, it's a huge step in the right direction.
So, Juan, back to you. Can you speak to specifically the Clean Energy Cyber[security] Accelerator and what its promise is, even though it's in these early stages? >>Juan Torres: Yes, Pete, we're really excited to kick off the accelerator. The background on that, if you think about it, just in the electricity sector, we've got over 3,000 utilities. And with how quickly cybersecurity and cyber technologies are advancing, we really want to get things deployed—I should say the threat is really advancing. We really need to make sure we get the security technologies deployed as quickly as possible.
And there's not always great coordination across all these member stakeholders in that sector. The government, through [the] Department of Energy—specifically the Office of Energy Efficiency and Renewable Energy, and CSESER, Cyber Security, Energy Security, and Emergency Response, who I know Adrienne knows really well—they've come together to seed a capability and a program where then utilities can kind of pull some resources together to get the benefit, right, of those resources, in partnership with some of the innovators in the cybersecurity space, so that we can really advance the development of those technologies, and we're validating those with some of the experts at NREL, a capability called the ARIES Cyber Range. So, ARIES is Advanced Research on Integrated Energy Systems. It is a unique capability. It brings together capabilities at the facility behind me, the Energy Systems Integration Facility, as well as a larger capability. I can go into more detail on specifically what’s there, but, basically, we can see how these technologies would really work in a lab setting but be able to scale to our virtual environment so that we can reduce that risk of the owners and the operators. And they say, hey, how—if I deploy this on my entire utility, how would this really work? And when we can hypothesize on the system that they don't have today, but they're saying, hey, in five or ten years, I know I'm going to have way more distributed resources, and way more charging points, and whatever it is, where we don't have to wait for them to build that. We can actually explore how some of these cyber technologies would work here.
So, there's huge benefit for the utilities to pull resources—as well as explore hypothetical scenarios, situations, but get some real confidence—because we have real hardware, we have real systems here, real experts to really be able to push those technologies out the door, get them deployed, get them commercialized, and start making a difference. The DOE is providing the initial resources to get this thing kicked off. Ultimately, I think we'd really like to see the partners out there having much more say in what technologies we need to look at, what things we need to evaluate and test, where are the threats going, what are the real issues? So, it'll be a great conversation with all of these different stakeholders there.
And where NREL comes in is we just want to provide that independent perspective. We want to provide the insights as to where we see energy systems going. And the other piece is the threats. Our work at the Department of Energy gives us that perspective of how is the threat evolving? How is it changing? And how can we address it with concepts, not just the technology, but how you actually deploy it and operate the system.
So, super excited to get this kicked off. We had a great event here a couple of weeks ago. The Deputy Secretary of Energy, Deputy Secretary Turk announced it. So, we're rearing to go. People can get more information at our website at NREL.gov about the accelerator. And looking forward to getting many, many more partners in industry. >>Pete Tseronis: Yes. Thank you. And, again, that was just a sampling because,
folks, this accelerator is really, to me—to me personally—something that is an opportunity if you're an investor, if you're an entrepreneur, if you are another national lab, if you are a utility to be involved. This is a bigger challenge we face each and every day as human beings, and we depend on the operational technology, the information technology. And kudos to NREL, which, again, folks, is a national laboratory that is globally recognized. It's not just an energy—if you will—not that there's anything wrong with that—institution. By the way, if you have questions for participants, please send us a note or a question to our guests as we can answer those in real time.
Okay, let me go down—thank you again, Juan. That was a good taste of the cyber energy—Clean Energy Cybersecurity Accelerator. That's a mouthful. Adrienne, Vision 2030. New York Power—its focus and its strategic priorities on digitization and cybersecurity, something that's near and dear. Your role mitigating risk, and enhancing resilience, and doing whatever it takes, hearing what is being built at NREL. Can you talk
a little bit about this opportunity for any and all utilities and how it aligns with NYPA? >>Adrienne Lotto: Absolutely. So, I think Juan touched on a couple of key things there, right? First, he mentioned the path of the—of where we are to go, where we believe we’re going, right? DERs, the future, building energy that—energy infrastructure systems that are secure from the outside, designed for security at the outset. But then he also mentioned that he noticed legacy equipment, right? Which still exists in the system. So, I think one of the keys that a program like ARIES affords is the ability to understand the pathway of the future—PV, DERs, will happen, but it's a journey. We're not there yet. So, understanding kind of what that United States roadmap would look like, how it will impact business, these are things that are contained within Vision 2030 here at NYPA, the plan for a more—the first end-to-end digital utility. But that comes with challenges, right? Cloud infrastructure is a key—is a key challenge for us.
Understanding who's operating what clouds, whether it should be a private cloud, a support cloud. Looking at things like market capitalization, right? So, for example, if we build our own NYPA secure cloud, we can capitalize that. And if we use something like the Amazon cloud, which likely will have a lot more built-in security, we can't capitalize that. That's O&M. So, understanding the different business models with the security overlay becomes critically important. And I think in my role as the chief risk and resilience officer here at the New York Power Authority, you have to be able to connect all of those dots, right? Connect what's happening on the federal level with policy, where the pathway of the future is, and then make it really tangible in terms of your investments, where you're going to spend your dollars, and how you're going to get your—the return. So, there's a lot here to unpack, but I think understanding the journey and how we're going to get there, it's not going to happen overnight. I think,
as Juan said, bringing key stakeholders together is prime. >>Pete Tseronis: Adrienne, I'm going to go to Jim here, but you brought up this introduction of things like the cloud, analytics, leveraging data for actionable intelligence. A smart city, I always like to say, is not something we buy. It's something you build and develop, and it requires a lot of the communication, the most basic form of connectivity, communication that is interoperable, and works, and is secure. Jim, coming to you as someone who is out there having discussions, and running surveys, and having conversations that matter as a cyber-physical security expert working with your brethren in the utilities, not so much as—you’re not big brother. It’s sharing and understanding. Do they understand the risk that they take on each and every day as our technology evolves? And I'm looking at challenges like multi-stakeholder environments that a utility maintains, the heterogeneity in regulatory and business environments that speaks to Adrienne's business models. Putting on your cyber hat, IT guy that you are, what are some of those conversations
and challenges that you're feeling like maybe a couple of years ago were tough to have, and now folks are kind of getting it, that you see Colonial happen, you see ERCOT, you see Hurricane Katrina and Ida and Sandy, and then we realize, man, we've got to beef up our infrastructure? >>Jim Hempstead: Right. So, at Moody's, what we're trying to—so what we do is we provide the capital markets [with] our opinion around credit risk, the probability of default and the losses given a default. What we're doing as an organization, as our entire company, is we're working towards a one Moody's integrated risk assessment strategy.
And there are lots of complementary services that we have in our other parts of our organizations at Moody's Analytics. We recently purchased RMS, which is a climate risk and cyber modeling company; 427, which is a physical climate data company; and things of that nature. And we're using and leveraging the data and the metrics to inform and enrich how we're thinking about credit analysis. And the hard lift that we're chasing is the ability to do this consistently, consistently across asset classes and consistently across regions and jurisdictions, without the rigidity in the implementation of our process. And that's important because each airport is different, each utility is different. Is it publicly owned? Is it
privately owned? Is it a cooperative? Is it a JAA? And things of that nature. And this is important because our journey in the cyber area has grown a lot over the last five years. We are doing an issuer survey. We launched it to the utility space in the very beginning of the pandemic, in March of 2020. We published the anonymized and aggregated results in
late last year, in October/November of last year. We've published about seven or eight other reports on other sectors. And we'll wrap that all up. An issuer survey is just one simple tool that we can use to provide insight. But Moody's is a trusted brand with investors, and it's a trusted brand with what I call issuers because we don't say companies because we rate lots of governments and other types of enterprise organizations. And we're trying to use that trust to create a dialogue and to create a language around bridging the gap between cyber risk and the technicals around that with credit risk, cost of capital, and the conversations that are often held in the board of directors. And, so, that effort requires a lot of stakeholder engagement. And cyber
as a big cyber risk process is a risk management process that needs stakeholder engagement. And that is what we're mostly working on. The conversation has shifted. Five years ago, a lot of people didn't want to talk to us, especially CISOs didn't want to talk to us and engage because they were concerned that if I say something bad, Moody's is going to downgrade my credit rating. Today, that has mostly been ironed out, and the engagements that we're having with utilities, with CISOs, and other technology officers, is much more proactive and more detailed because we're getting better at asking the questions, and we're getting better at understanding the answers, and we're getting better at having a more wholesome dialogue with the stakeholders, and the technology people are no longer afraid that if they say something to us it's going to result in a downgrade partly because the treasury department and the chief financial officer have weighed in and said no, no, no, we need to engage in this. We want the ability to have an independent, objective, third party like Moody's help move the dialogue, define the framework. That's going to help our interactions with regulators. It's going to help our interactions on showing progress, and things of that nature. So,
we're seeing a really good momentum with this effort to have a common language. >>Pete Tseronis: Yeah. I appreciate that. I'm seeing Adrienne and Juan nod, and I love that you brought this C-suite dialogue, the translation. And, hey,
I still—every day of the week and twice on Sunday—remind my mother that I'm not in computers. She says, my son, he's in computers. I love you, Mom, but no. It's having a conversation about the digitization of something that is 100 years old, the engineering marvel that is of the grid. >>Adrienne Lotto: Can I expand on something here? >>Pete Tseronis: Absolutely. Adrienne, get in the conversation. >>Adrienne Lotto: I just want to make what Jim just said maybe a bit more tangible for some of the folks that are tuning in like from NREL because it's why does it matter, right? So, many years ago, if you—like, let’s say NYPA, wants to do a solar installation, or LED traffic lights, right? Some of our energy-efficiency work with some of our own—we have 50 munis and co-ops. MTA is one of our major clients, right,
or customers. Let’s say we want to do some of that energy-efficiency, forward-leaning, customer-facing work, a lot of which comes out of the DOE national labs. The same analysis that Jim and his team do over at Moody’s on a company like NYPA, we do that same thing here within NYPA in terms of credit risk for those other organizations. So, getting something like even a solar panel installation goes through that same credit review, just at a much smaller scale, Moody's input being one of them—you know, we look at all sorts of different things. But it becomes—this is where some of the financial implications really become tangible as we're trying to advance DERs out in the market. It's a cascading impact. So, I just think it's—I know when I was sitting at DOE, quite frankly, this connection of dots—I love your thing, Dots and Bridges, right? That connection of dots from something like Moody's all the way down to like the installation of a solar panel didn't really kind of hit home, but now sitting where I sit as the CRO, all of those dots and bridges have been connected, to play off your company name.
>>Pete Tseronis: Adrienne, thank you. And, again, folks, that wasn't staged. I love Adrienne, but—I appreciate it. It's just an innate thing. My wife came up with it. Juan, let's pivot to you in light of that because I want to tee it up with cybersecurity at the end of the day. It is in your DNA, and I'm looking at some of the guests we have. We see another Villanovan out there, Kevin Buggy, on the webinar. Thank you, Kevin, for joining, and someone who—in Chi-Town respects this discussion. Appreciate that. Cybersecurity. The innovation, balancing risk and innovation, Juan. You talked about the grid
edge and the evolution of sensor-based, and measurement, and using science to determine where we could be more prescriptive in the health of our grid. Cybersecurity. I was on a call this week with Avi Gopstein at the NIST, and he talked about some of those challenges that we face, yes, but secure design principles, securing by designing from within, not bolting on. Defense in depth, zero trust, fail secure, comprehensive auditing. Putting on that hat, Juan, you're a strategic associate lab director, but your experience is growing up in this space. The threat landscape is real. Ransomware is real, right? What excites you about this moving the
needle and bringing people together, knowing that, hey, we're going to beat this, but we also need to keep the conversation going? It's not a quick fix, buy something, plug it in, and say you're safe. >>Juan Torres: No, you're exactly right, Pete. There's—I'll give you a quick story, and maybe set the stage on this particular topic. Go back a few years ago, when we were—let's just say it was in the early 2000s, and the ARRA days, the American Recovery and Reinvestment Act days. And we were in a mode where the nation, we're investing in our infrastructure, investing in smart grid, and things like that.
And I remember getting a phone call during that time, and [I] said, look, we’re putting out mass numbers of smart meters, and we just realized now, these have remote disconnect functions. Did we really think about the security that we should have—maybe [we] should be implementing there, so if somebody hacks in, they don't just start shutting off everybody's lights? And en masse, if you were to shut off a lot of meters, that actually can affect the stability of the grid. Losing a lot of the load rapidly, or even adding a lot of load rapidly, is going to affect the stability of the grid. And, back then, we just weren’t having those conversations. Our response was, at this point, it's something we can jump on. It's something we can address now. But if we wait too long, we're going to have many of these meters without those security functions in place.
And, so, we need to get on it pretty quickly. Well, we did address it—so, it started—it forced conversations that we haven't been having in the past. We had—there was the market driver, saying, we need to get more of these technologies that make us more efficient in operations at the utility level, that make things easier for consumers, that make things easier for utilities. But the people getting into those markets weren't necessarily security experts—because they were developing some really awesome technologies, but they didn't necessarily have the threat understanding. We're at a different place now. We have a better understanding of where IT and OT is used, how it's
used, how it's evolved, what are the standards, what are these new technologies? And then you get into things that are now coming into play. Artificial intelligence and autonomous systems, right? And machine learning. And how is all this going to be used in our everyday energy systems? And how does that change how we should be thinking about security, right? So, your point about the fact that we need to be inherently designing security into these systems starts with that initial conversation. What's really needed? How is it going to be used? Where is it going to be used? And before we ever even consider deploying anything like that, you need to have the stakeholders. And I think Adrienne's right on point here. She's got that bird's-eye
view of where can we have an impact? Where can we make a difference across the spectrum, of actually getting something deployed, and then even afterwards, operating it, right? And, so, this is where I get really excited that we are in a different place, right? We're much smarter about even considering or thinking [about] the various aspects of securing these systems. So, that doesn't mean we have it figured out, and that's why—it doesn't mean we have it figured out because the threat continues to evolve. Technology continues to evolve, and it will continue. That's just the nature, right, of a market-based economy. It's the nature of advancement,
us getting smarter about technologies, and how we as consumers even change how we use the systems, right? The things we're asking our energy systems to do today are not the things our grandparents were asking it to do back then. They were not talking about hooking up their Bluetooth, and I want to be able to charge my car, and I want to do—that just wasn't part of the conversation. And I can tell you, in ten years, we're going to be talking about other things that we're not doing with our systems today. So, we always have to be forward-thinking, and we need to make sure we're getting the right people in the conversation. >>Pete Tseronis: I appreciate that. Jim,
you have a comment? Because I have a question for you that's coming in from the audience. >>Jim Hempstead: I was going to just make a quick comment that what we have seen, some of the work that's been done, is most of the cyber events that have been disclosed publicly, they're not the kind of events that'll knock an organization down in the sense that they're affordable. The median loss is not overwhelming to an organization. But as the median loss continues to rise, the standard deviation, those extremes, are also rising, and those events can knock a company down. The Colonial pipeline interruption in May was a wake-up call because it wasn't about the operations as much as it was about the IT and how the IT obscured the ability for them to effectively work on the operations. And that got a lot of attention across us. But what we're looking for are the big, permanent impacts. How does a cyber event
affect your revenue or your reputation, or a regulatory response, or litigation? Or how does it affect your liquidity and things of that nature? So, we’re very much focused on those. And we have had a handful of credit rating actions that have been directly related to cyber events, and our expectation is that that could be rising going forward because of the advancement of ransomware, and AI threats, and things of that nature, just exactly what Juan was talking about. >>Pete Tseronis: Appreciate that, Jim. I’m going to jump down to Adrienne,
which is a question that I’m taking in here from Mike about analyzing or doing due diligence when looking at new capabilities, or needing capability, right? Technology diligence. The investor community, I had a great opportunity during my time, and to this day working with and helping [to] distill value to a specific company. Not everything can do everything for everyone. But there’s a niche, usually. And [a] shoutout really quickly. The research areas that Juan and team—renewable energy to grid integration, energy storage, energy security, energy resilience, advanced mobility, grid-interactive buildings, hydrogen and fuel systems—there’s a lot of work being done there to develop an event. Adrienne, you’re a utility. You work with the C-suite. You’re looking to mitigate risk. And
you will purchase products. The question is how do you do that due diligence at a utility? Is it your decision? Are you part of the discussion? Is it the CIO, the CISO? >>Adrienne Lotto: Yeah, that’s a great question. So—and I think you actually cued it up well. There's—I think the first thing is what is the problem you are trying to solve, right? So, clearly identifying the problem statement because—as you just said, Pete—not every cyber tool, if you think of like the Mitre Att&ck framework, not every tool is meant to address the full spectrum, right? Some are going to be—trying to be in transparency. Some are—it just depends on what the issue is. So, I think being on the lookout for—we are, NYPA, is obviously a government authority. So, all of our stuff with regard to cyber,
any problems we’re trying to solve, get issued via an RFP or an RFI, that type of thing. But there is a component of our budget that is set aside for what we call R&D, and that's how we've partnered with—NREL is one of our labs that we've partnered with, partnering with Argonne National Lab on some climate study work that they're doing for us to understand what the grid in New York will look like as a result of the impacts of climate change. And then we also work with a group called EPRI, and we have a significant investment, I think it's around $5 billion or something—well, it is $5 billion—for R&D with EPRI.
So, the short answer is utilities are leaning forward, right? We are all—and I feel comfortable saying this—I don't know any big utility that isn't seeking to lean forward and solve problems in this area. We all have R&D budgets that are set aside. So, I think to the extent that you have a program that's out there, that's unique, that's offering something that the market hasn't seen, that is something that we're interested in, and we want to bring in. And it does go through our procurement processes. It's usually a panel. The CISO is one of them.
And I think Jim has twice now, if you've noticed, talked about [the] board of trustees' role. Any major investment does go through the board of trustees, and cyber—boards of trustees never used to even talk about cyber. That is a thing of the past. We talk about cyber every time we meet with our board. So, they do have a critical role to play as well.
>>Pete Tseronis: Jim, comments? >>Jim Hempstead: Talking to the board of directors about this is critical. The board of directors—the average demographics of the board of directors—raises a question as to how well are they comprehending the three-ring binder full of technical reports that go to them? And what we're trying to do at Moody's is distill that down into the language of the board, the language of the capital markets, the language of the financial markets because it is hard to allocate capital when you only see the cost and you don't see the return. And that is something that we have really been zeroed in on and have been wrestling with. It's easy to allocate capital to a new renewable energy project or some other widget maker because you know what the return could be based on your model. You don't have that when you're talking about cyber mitigation or cyber defense in some other way, shape, or form. And we're trying to bridge that gap to identify what those issues are for the board so that they can frame that consideration in the terms of risk versus return and cost-of-capital implications.
And we believe that you don't have to be a cyber expert to understand cyber risk. And, so, you have technical people like Juan, and Adrienne, and others that can bring you the technical knowledge so that you can make a decision based on what's good for your organization. >>Pete Tseronis: Thank you. Juan, I see you nodding. Comments before a question for you?
>>Juan Torres: Yeah. No. Absolutely. I think having Jim and Adrienne here, who live in this space, it's good to hear that some of the things I've seen and learned over the years, it just reemphasized—years ago, when I was conducting a cyber vulnerability assessment, we found—this is for the utility space. We found that those—the consequences of concern fell typically into three bins, right? Number one was safety. Could somebody get hurt or die? That was something you really worried about. And in the—when you're talking about a power grid, absolutely. Those are some things you worry about . Secondly was the financial loss.
From a cyber perspective, how would this affect the revenue, or could something get damaged to a point that it's going to cost a lot of money to replace, or fix, or whatever it is, right? And the third, actually, was reputation, and image, and impact there on the business, right? Would somebody trust this organization anymore? Would somebody trust this utility anymore, if they are—if they can't protect the information? Maybe it's privacy, or whatever it is. But from a general cyber perspective, those are kind of the three general categories, and it's consistent. It starts there. You don't have to be a cyber expert to know those things. But then once you've figured out what are those things you're worried about, then you bring in the cyber experts to help you figure out how can we prevent this from actually being exploited, and one of these things, one of these consequences [is] coming to be through a cyber means. So, it's consistent, regardless of where the system goes. I believe those are going to be really important to understand. >>Pete Tseronis: Appreciate it. Don't go anywhere. I have a question coming
back to you, and it's kind of—as we kind of come to a close here. And we've still got about ten minutes and some parting shots. The national lab, though, Juan, I threw out—I hope I didn't steal any of your thunder there—some of just the research areas as I look at the capabilities—the lab's amazing, right? The Energy Systems Integration Facility, which you lead, and the ARIES initiative is just one of many. And I always like to hear from—and I hope our audience does—that there's so much activity happening every day of the week and twice on Sunday, and as in any sector. And there are people that go to the NREL every day to solve problems, to Adrienne's point. What's the problem you're trying to solve? And there's some really smart people who are there doing it.
Can you just talk a little bit about some of the excitement around next-generation—people ask me all the time, oh, what are we doing with ransomware, and blockchain, and how is that going to impact the energy sector? And I'm like, jeez, where do I start? What are some exciting initiatives, though, that you are working on, and your colleagues, that give people hope for humanity? >>Juan Torres: Yeah, absolutely. This is why I love working at the national labs, these exciting challenges, big challenges, too. This is foreign nation-state threats. This is impact on the national economy.
And to touch on one of the questions I saw in the chat as well about wind turbines, so we're looking at how do we address the security challenges of today's infrastructure and the things that are moving really rapidly, like more wind, more solar, things of that nature? We're working with the wind sector. We've got a wind-cyber consortium. So, we are addressing what are the risks around those specific systems. Jon White is the expert in that particular space, but you can hit our website. We have some more information about that consortium. So, if you want to know about what we're doing with the wind industry, and the solar, and so on, and where we see technology can help, and so on, that activity is going on.
But I briefly mentioned earlier some of the exciting things, like artificial intelligence. We have a lot of work going on in our autonomous systems. In the future, the operators, they're just—right now, they're overwhelmed with the amount of information they need to operate these systems, the energy infrastructure. Imagine as we add millions and millions of more devices. Even on the Eastern Interconnect, the most complex grid in the world, the Eastern grid, there are about 10,000 or so control points on that—at that level.
We're seeing, as with more devices at the grid edge, the distribution-level utility may have millions of devices that they are collecting information from, or they may even control. So, our work in autonomous systems, and how do you secure these? We have some great research going on around how you secure the potentially, at times, untrusted devices, and how do you know that the information you're getting is okay, and what do you do with it if you get something that doesn't look quite right? But the human in the loop can't do that. We're going to have to put a lot more intelligence in the system and be able to trust that system as well. So, we have a lot of work in there. We've developed a
really unique capability called the Cyber Energy Emulation Platform. So, that allows us to have that visualization of the power system layers, the cyber layers, and be able to emulate, create expansions on your utility, expansions on your community. We have some work going on with the City of L.A. They're trying to get to 100 percent clean energy, and how do you do that, with the size of [the] community/city that they have? We're working with the L.A. Department of Water and Power.
So, we can go from simulating and understanding what's possible, and then work with the ARIES capability, and the real hardware, and so on, and explore what’s doable, right? So, that—we provide that link, that bridge. This is not just science. This is not just a simulation because a lot of times people will say all models are wrong, some models are useful. We go from that to let's really validate and see what we can do that will make a difference.
So, smart systems, next-generation devices, and at the hardware level, virtual devices; large-scale, next-generation systems. Hydrogen. Where does hydrogen play in the future infrastructure? Transportation. Electrical vehicle charging, next-generation charging, and how do you secure that? Because the user has to interface with that. So, I can go on and on, Pete. >>Pete Tseronis: Oh, no. >>Juan Torres: This is just good stuff.
>>Pete Tseronis: Yeah. I love it. [Crosstalk] >>Pete Tseronis: Yeah. It's—in the theme of sampling, folks, we can talk for hours on each one of those. Adrienne, I want to give a shoutout back to the Vision 2030. What are you hoping or looking towards in terms of just a goal for the next year with that program underway? Give a shoutout to NYPA and its efforts there. >>Adrienne Lotto: Thanks. So, I think it's fundamentally what Jim articulated, looking at Vision 2030, and as we move down the approach and move down, create—making that vision a reality, ensuring that we're utilizing sound risk management principles with all of our partners.
So, for example, Juan just talked about hydrogen. We are about to do a first-in-the-nation hydrogen project where we're going to use one of our fossil plants, right—we have in-city fossil—in-city meaning—sorry, I'm in New York, so Manhattan, we have a plant right outside of Manhattan that's one of our peaker plants. We're going to test it for the first time, we think, in the nation, going up to 40 percent hydrogen. That's going to be a challenge, right? There's a lot to ensure there when you're using hydrogen as a fuel source.
But to the point—if we want to get where we believe the nation wants to go of having a clean energy, decarbonized footprint here in the State of New York, and frankly in the nation, we believe these are some of the leaning-forward tests that we need to do to ensure we're going to get there. Ensuring sound risk management principles along the way is crucial because we don't want to—we, of course, always have safety first, and we want to make sure that things like, as Juan just said—I mean, what he was fundamentally describing there is a control, right? So, we have a risk management that identifies all these risks. He's talking about AI, which is—so you have an inherent risk. You have a control. If we could get that human out of the loop in that control, that's as good as we're possibly going to get. And then all that's left is a potential inherent risk—excuse me, a residual risk. So, bringing all of these concepts together to ensure that Vision 2030 is no longer a vision but can actually be effectuated in the next ten years is what I'm excited about working with all the partners that—two of which are here today on the call.
>>Pete Tseronis: Well, I think it's— >>Adrienne Lotto: Thanks, Pete. >>Pete Tseronis: Oh, thank you. Appreciate that. But I agree 100 percent. I think it's a beacon. I think anybody who's watching, look at the documents publicly available. I looked at it last night. There's a cheat sheet, and then there's just the lengthy, here's our plan. So, I think it's awesome, and thank you.
And, Jim, before we hit parting shots, you mentioned BitSight. You mentioned what Moody's doing. It has its own plan to keep this conversation going and to help utilities maybe understand that there's innovation happening in a lab, and there's things off the shelf that you can buy. What are you hoping to accomplish in the next year maybe as part of this collaboration with BitSight? >>Jim Hempstead: Okay, so one of the things that we're going to be doing is in 2019 we published a cyber risk heat map, where we looked at vulnerability and impact across, I don't know, 30-some odd sectors. I think it was $80 trillion of global rated debt. Now that includes sub-sovereigns and governments and things of that nature. And we're going to update that, and so a lot's changed since 2019. And we think that
incorporating a curated data set from BitSight that kind of zeroes in on the things that we're thinking about the most from a credit perspective, as opposed to a cybersecurity posture perspective in terms of how you look at it, that can inform the way we look at this. And heat maps are relatively simple tools, but they're very useful for the capital markets because you very quickly can rank order different sectors, different regions, and things of that nature, to see at least how one organization is talking about cyber risks. So, we'll define it, and then we'll apply it to this global portfolio and put that out next year.
And I hope to see all of our credit research next year use more and more consistent data, like from BitSight and other organizations. We have our issuer survey results that we're always incorporating. So, every time T-Mobile or somebody else has a cyber event, we can enrich the discussion by showing how that particular industry compares to other industries in terms of various different measures, whether it's cloud adoption, or patching, or how many levels does it take to get to the CEO, and things of that nature.
So, I think there's going to be a very significant shift in how much you see coming out of the rating agency next year with respect to cybersecurity. >>Pete Tseronis: Yeah, 100 percent. Love it. And, again, I’m excited. Keep writing those reports. Folks, again, the Moody’s reports are easy to digest and distill.
All right, 30 seconds or less because I got to do the parting shots. It’s my favorite part. Juan, we’ll go with you to start. What do you want to leave with the audience from today’s discussion? >>Juan Torres: Yeah. Continue to engage. This is huge. We need to get people talking about these issues, the challenges, where are things coming. What’s on the forefront? What’s the next big thing? So, stay tuned. The accelerator
is going to continue to advance. But there are other things that we’re doing in this space, especially around clean energy. And I didn’t get into all of that, but stay tuned. >>Pete Tseronis: Thank you, JT. Adrienne? >>Adrienne Lotto: Took my words. I was going to say engage. I mean, and I would say particularly for any female leaders out there who are curious about the area, here's only one set. There's a lot of stuff. This is an area that's continuing to evolve.
It's continuing to grow. If you have a teenager at home, maybe about to go into college, encouraging him— or he or she—to take a look at cyber as an area of interest. Please do so. And I think that there's—it's not an area—I think sometimes utilities in the past got looked at as, like, oh, humdrum, not particularly innovative, not really forward leaning, like Silicon Valley. But the truth is it's changing drastically. So, it's an exciting field. Lean in, and you can really make a difference. >>Pete Tseronis: Thank you. Wonderful. Jimmy, bring us home. >>Jim Hempstead: Three for three, Pete. Cyber risk is part of the risk management process,
and it requires engagement with a lot of stakeholders, and not just the people around you. And I encourage that engagement. >>Pete Tseronis: Well, my parting shot is we hit on trusted partnerships, technical translation, credit risk, clean energy. Folks, this was the sampling, stealing, again,
from Emily. Shoutout to John White and the entire team that helped pull this together. We will do this again. I'm meeting with Ann Dunkin later today, the CIO of Energy FYI on cybersecurity for smart cities. So, again, this conversation is active, and we appreciate all of those who attended and registered. And thank you, again, to everyone.
2021-12-12 04:44
