5 QUESTIONS WITH ELECTRICAL & COMPUTER ENGINEERING RESEARCHER AND EDUCATOR CHEE-WOOI TEN

We sat down with Chee-Wooi Ten, a professor of electrical and computer engineering at Michigan Technological University. He spends his time researching actuarial science and risk profiling for the power infrastructure industry, linking cyber events with operational risk mitigation. During our discussion, Ten shared his insights about the risks of a cascading cyberattack and the need to train the younger generation on the overlapping knowledge of cybersecurity and power grid operation.

Q1: Why should our readers be looking seriously at the risks of cascading outages caused by cyberattacks on interconnected control areas in power systems?

TEN: Imagine our electricity system as a giant web where everything is connected. If a cyberattack hits one part, it can cause a ripple effect, leading to widespread blackouts, like the massive Northeast blackout in 2003. This is because utilities often manage both the creation and delivery of electricity, so a breach in one area can impact the whole system. During the 2003 blackout, poor communication and coordination made the situation worse. Nowadays, with IP-based communication, the threat is even greater. Cyberattacks can spread malware quickly through the network, and insiders with access to critical systems can do significant damage. It’s like the scenario in the recent Netflix movie “Leave the World Behind,” where a cyberattack causes chaos.

Q2: What is the worst-case scenario for a switching sequence attack that causes cascading outages in the U.S.?

TEN: A worst-case scenario for a cyberattack on our power grid could cause huge problems both immediately and in the long run. In the short term, it might make electricity prices skyrocket and disrupt the market. Over time, it could damage the infrastructure, leading to long power outages that would create chaos in society. This could affect our food supply, health care and overall safety. The economic impact would be severe, hurting businesses and our daily lives. This is why it’s so important to have strong cybersecurity measures and good coordination to protect our power systems and keep everything running smoothly.

Q3: How does cybersecurity actuarial science inform risk hedging between utilities and insurers?

TEN: Actuarial science helps utilities and insurers manage cyber risks by using data to predict the likelihood and impact of cyberattacks. This information helps utilities make smart decisions about investing in better cybersecurity, making it much harder for hackers, insiders or disgruntled employees seeking revenge to access and damage critical parts of the power grid. Insurers use this data to set insurance costs that reflect the level of risk, encouraging utilities to improve their defenses. Actuarial science also helps identify the best ways to reduce risks, plan for incidents, manage account closures during employee absences and comply with regulations.

Q4: What metrics should utility security professionals look to for guidance regarding their technology investments into grid resilience?

TEN: This is a tough one. To make the power grid stronger and safer, utility security professionals should focus on several key areas. They need to measure how quickly they can detect and fix cyber issues, track how often these problems happen, and make sure critical systems stay up and running. Regular checks to find and fix weak spots, following industry security standards, and testing defenses by simulating attacks are also important. They should ensure quick recovery from incidents and keep an eye on costs related to security breaches. Training employees to be aware of cybersecurity is crucial, as is properly managing accounts, especially when employees leave. Monitoring unusual activity that could indicate insider threats or hacker manipulation of key systems like circuit breakers is vital. By working together and using these measures, utilities can protect the grid from both inside and outside threats. The exact recipe of nightmare combinations should also be carefully gathered, with mitigation strategies from different trusted networks, to ensure that if one network is compromised, it can be monitored and mitigated by other, uncompromised networks.

Q5: What do you view as the best path forward for electric utilities to solve these IT/OT interconnectivity vulnerabilities?

TEN: Starting with compliance measures and understanding how specific relaying schemes can result in outages may be the beginning of the conversation. Priorities may not be in consensus, but meeting compliance is the first step, much like how we comply with tax filing each year. As an educator, we have a major role to play in training the younger generation to transition into the utility workforce, where overlapping knowledge about cybersecurity and power grid operation is crucial. The best path forward is to reach out to the stakeholder community, such as transmission and distribution utilities as well as regional transmission operators, to understand their pain points and how we can incorporate their struggles into achievable short-term goals. Ideally, having a risk management metric similar to the health-care provider’s screening of vitals before a medical visit would be super helpful.