How ‘Global Weirding’ is Creating New Threats for Utility Security Professionals

If you search for “Andrew Bochman” on Amazon’s website, the first listing to appear is a book he co-authored about countering cyber sabotage. If you search his name on YouTube, you’ll find videos of him presenting on topics including managing risk and operational technology cybersecurity. Bochman dedicated much of his career to helping with the security and resiliency of utilities.

But as the years passed, he watched—along with the rest of us—climate event after climate event continuously wreak havoc on utilities. In bearing witness to those events, Bochman saw a threat so alarming that it inspired in him a new passion to educate and inform the industry about how to start planning today for the challenging days ahead. Some call it climate change. Others refer to it as global warming. To avoid the politically charged nature of those terms, Bochman has come up with the novel term of “global weirding,” which essentially means that even if we disagree about the “why” of the change, we can all agree it is occurring.

We sat down with Bochman to talk about why the systems we use today are simply not engineered to deal with the climate chaos of tomorrow—and how that is going to impact your security and resiliency plans.

Curtis Marquardt: 

Let’s start off by letting you tell our readers about yourself.

Andrew Bochman:
I’m nearing my ten-year anniversary at one of the 17 National Labs, the Idaho National Laboratory. There, I serve as a senior grid strategist in the National and Homeland Security directorate. My interpretation of “strategy” happily aligns with my boss’s expectations. I focus on identifying the most pressing challenges, often future-oriented issues that others might not yet notice. In essence, I operate with a five- to 10-year horizon. By considering mid-to-longer trends, I am able to provide helpful guidance to all manner of colleagues working on grid security and resilience, new energy solutions, and cyber and physical security—all critically important areas in today’s environment.

Curtis Marquardt: 

My next question might seem unusual: Why is the concept of the 500-year flood no longer viable?

Andrew Bochman: 

The terms 500-year flood, 1000-year drought, or similar used to be useful in risk management for physical phenomena. These are as much insurance terms as engineering terms. And when the weather patterns were more stable and more predictable, this concept worked just fine. The problem is that—and I’ll use just one of many examples—the city of Houston had three 500-year floods in three consecutive years. We are consistently seeing things that were once considered these once-in-a-century or once-in-a-millenium events happening all the time, from floods to fires to freezes to heat domes and some incredible storms too.

I know that the terms “climate change” and “global warming” sometimes trigger political responses and cause arguments about why it is occuring. But if we can look past those terms, I think we would all probably agree that there has been some “global weirding” happening all over the world, and it’s happening at a frequency that we haven’t seen before. And if you’re an infrastructure defender like myself and my colleagues in the lab, you are seeing it impacting utilities with more and more frequency.

Curtis Marquardt: 

Our readers are utility security professionals who are worried about copper thieves. They’re worried about cyberattacks from adversary nations. They’re focused on protecting frontline workers from threats out in the field. Can you talk to them about why global weirding should be a focal point as well?

Andrew Bochman:
Well, the good news is that some out there already are. They’re running vulnerability assessments. They are ingesting climate models that not only look back at historical data, but look forward and project what is likely coming and by approximately when. For those who aren’t already putting focus on this, I’d like to use an example to help illustrate why it’s so important.

Let’s just look at increasing temperatures and heat domes. As temperatures rise and high-temperature events occur, we have to look at the equipment we have and realize that the design decisions made in the past for that equipment aren’t going to work the same way in temperatures they weren’t designed to handle. Whether that’s substations, transmission lines, cooling systems, security equipment or wastewater treatment plants, all was designed for a different world than the one we are entering into. So, this creates a big resiliency problem.

And we have to look at the load changes as well. Will more and more people be turning on their air conditioners or keeping them on longer than they used to? Or, look at places where excessive heat is never common, like the heat wave that London and the Pacific Northwest went through recently. They don’t even have air conditioners, and all of a sudden, it’s well over 100 degrees fahrenheit there.

Consider data centers, which are massive users of electricity. They require a lot of cooling to stay online. How many of your organization’s IT systems depend on these data centers? If we can’t cool them enough to operate, we are looking at outages and downtime on critical systems.

I’ll throw one more out there: transmission lines and distribution lines become less efficient with high heat. So, I need to have more lines or I won’t be able to pump as much through to reach those customers on those days when they need it most. And we are just talking about extreme heat. Add in all of the other layers of global weirding and you can see just how impactful this is on your security and resiliency.

Curtis Marquardt: 

I want to ask you about some of the other impacts of these climate-related changes. We see events like floods, freezes and fires happening and have an awareness of those. But there’s also a long-term impact that could lead to things like population displacement, global conflict and more. Can you talk about these deeper layers of the proverbial onion and how they may impact security moving forward?

Andrew Bochman:
We have seen how quickly social disruption and chaos can grow when resources get scarce, both in history and more recent events that are happening around the globe. And things like blackouts and brownouts that are going to become much more frequent and common in the future. Part of the reason for that is that we’ve been really aggressive in shutting down coal plants and limiting the number of gas plants while we build wind and solar energy infrastructure. In certain areas, this has cut into our capacity too much. So now, NERC is now regularly publishing alerts for the winter and fall seasons that warn of possible energy shortages.

Curtis Marquardt: 

It makes me think of the 1977 New York blackout and how chaos quickly erupted from that outage. I imagine this will present a lot of serious security issues if they occur more frequently. So, to shift gears, we know this is a physical issue. How can cybersecurity professionals use their skills and knowledge to combat tomorrow’s “global weirding” threats that impact cyber areas of their organizations?

Andrew Bochman:
What’s great about security professionals in general is that they have this “defender DNA” in them that gives them the instincts to defend something that’s valuable—whether it’s one’s self, one’s family, the community or the assets that one’s company uses. I am a part of the cybersecurity community, so I possess that instinct as well.

When we talk about cybersecurity pro’s, those folks are very focused on their particular niche. One thing I’ll ask them is to open up the aperture a bit more. Although climate risks are physical risks, they are pounding on your assets in many ways, and we don’t want to be flatfooted about responding to that.

I also want to go back to the topic of our rapid deployment of wind, solar, storage, EVs and other renewables. We are deploying them so fast, and some of those components are inverter-based resources. These digital controllers in the inverters are all sourced from China, and it’s making a lot of people in US national security organizations very uneasy. So, as renewables continue to grow, so too will be our need for them to be secure and reliable. And if China is the primary supplier of the components for the foreseeable future, that puts us in a very precarious position. We need to get really smart really fast on how we deploy these systems, with inherent security features that account for their country of origin. As in, for critical functions supporting the US grid, don’t trust anything.

Curtis Marquardt:

Thank you for your time, Andrew! How can folks reach you if they’d like to learn more?

Andrew Bochman: 

Thank you for having me. I can be reached by email at andrew.bochman@inl.gov, and I’ll be happy to connect folks with my deep SME colleagues in cyber and physical defense roles at INL.I’m also quite active on LinkedIn and can be reached there as well at www.linkedin.com/in/Andrewbochman/.