Brian Harrell Interview

Driven to Protect

If you were to Google the term “utility security expert,” a name that appears at the top of the list is Brian Harrell—and for good reason. Harrell has the distinguished honor of having served in key security leadership roles in both the public and private sectors.

Currently, Harrell oversees physical security, cybersecurity, privacy, intelligence and business continuity units for Avangrid, an energy company with operations across 25 states. Prior to that, Harrell was appointed by the President of the United States in 2018 to serve as the sixth assistant secretary for infrastructure protection for the Department of Homeland Security.

Harrell has also served as the first assistant director for infrastructure security at the Cybersecurity and Infrastructure Security Agency. Add to that a resume that includes leading enterprise security for Duke Energy as well as experience in law enforcement and an anti-terrorism role for the United States Marine Corps, and it all adds up to somebody who clearly has a passion for protecting critical infrastructure.

That passion was fully apparent during my time talking with Harrell about a number of utility security topics, including what security lessons we can learn from foreign wars, how the private sector and public sector can best work together, and what the future holds for securing the nation’s critical utility systems.

Utility Security Magazine:
Can you tell our readers about the work you do at Avangrid?

I oversee cybersecurity, physical security, business continuity, resilience and our intelligence units. From a cyber perspective, we have nation-state adversaries such as Russia, China, North Korea and Iran that are actively looking at the power grid. I have a dedicated staff of about 55 people that come to work every single day knowing that they’re on the frontline of keeping our critical systems and infrastructure secure. We continue to also have domestic groups that want to destroy or degrade our physical sites—sites that produce electricity, important substations, gas infrastructure and our renewables fleet.

We also have to manage security threats that come from the inside of an organization, such as workplace violence, high-risk terminations, and important data leaving our proprietary digital systems. I’m convinced that the next major attack that happens in our sector doesn’t necessarily happen from outside the firewall or even outside the perimeter fence. It will happen from within by a person or people who understand what the crown jewels are and have keys to the kingdom. So, we need to have plans and policies in place to battle back against the insider threat.

Utility Security Magazine:
What are some strategies that you recommend to help combat those internal security threats and risks?

I think it’s a couple of things. One, we have truly embraced convergence by bringing IT/OT and physical security together. This is important because it removes and knocks down some of those legacy silos. The threat landscape today is very blended. Rarely do you have a cyber-only attack or a physical-only attack. Cyber impacts physical and vice versa. And so knowing that, we have created an organization that addresses security threats more holistically. This creates more efficiency, accountability and a quicker response.

Second, governance is a big part of combating internal security threats and risks. You only get one opportunity to get governance wrong. Because the moment you violate someone’s privacy, get sideways with our own corporate policies, or lose the board’s confidence, this program will quickly go away.

In response, we stood up an insider risk governance committee, and we have staff from all areas of the business that have prominent seats around the security table so that everyone knows what’s going on. This ensures that security isn’t operating in a vacuum. That’s important to us. Governance drives much of what it is that we do, in conjunction with intelligence.

Utility Security Magazine:
That leads into my next question: Let’s talk about your intelligence program. What do you do to stay informed?

This is very important to us. So much so that I will put the Avangrid intelligence program up against any intelligence program in the country. We have relationships with local law enforcement, national security partners, the Electricity Information Sharing and Analysis Center (ISAC), state fusion centers, the FBI—this list goes on. We work diligently to get ahead of the “CNN moment” and to get crucial information before the media or the public does so that we can quickly mitigate the threat and reduce risk.

We have been able to get ahead of many issues, patch our critical systems and focus on threats before they materialize. The bottom line is, intelligence drives everything that we do. It drives governance, it drives investment, and it helps keep our customers, employees, infrastructure, and information secure.

Utility Security Magazine:
You have a unique background in that you have worked in infrastructure security in both the public and private sector. What are some insights you can share from having worked on both sides of the fence?

From the government perspective, leaning on industry subject matter expertise makes the government better, and from a private sector perspective, bringing in folks from the government helps expand the rolodex needed to be successful. These relationships help during a crisis and speed up the response and recovery phases of an incident. So, working together makes us all stronger. We call this “collective defense.”

Having worn both hats, the one major misconception that I often see is that the private sector assumes that if a security incident occurs, the government will swoop in to save the day. That’s not really how it works. The cavalry is not coming. In the private sector, we need to be ready on our own to come back to homeostasis as quickly as we can by having subject matter expertise, relationships in place with vendors, law enforcement contacts, and recovery plans that make it possible to react, respond and recover as quickly as possible. We need to build these capabilities under blue-sky conditions, not during a crisis.

Utility Security Magazine:
As military conflicts heighten abroad and we see attacks on utilities as strategic moves by combatants, what lessons do you take from seeing those events, and do they impact how you shape your security strategies moving forward?

Many corporations don’t want to talk about the China issue. They don’t want to talk about nation-state adversaries overseas that might be interested in their systems as they approach merger and acquisition conversations, for example, or as they talk about the vulnerable third-party supply chain. With respect to the supply chain, where are we getting these critical items from? What’s the origin of your software code? And are there comparable solutions with less risky vendors?

Unfortunately, many corporations want to put their head in the sand, and yet most utilities have put these issues front and center. As an industry, we are going to address them. We need to talk about if a war happens overseas, or there’s geo-political conflict, how does it impact our supply chain? We are in this eyes-wide-open, and we recognize that, again, there are adversaries that are not our friends, and they will continue to look for weak points or vulnerabilities. We know that we are on the front lines of securing critical infrastructure. We take that very, very seriously.

Utility Security Magazine:
That’s an important message that brings me to my next question: With so many security product solutions coming from manufacturing facilities in nations we have adversarial relationships with, what do you do to mitigate the risks of potentially nefarious things that might be hiding in the hardware and software of those products?

I think in the energy sector in particular, China is a significant concern when it comes to the third-party supply chain, whether it’s infrastructure or software. When you go three and four layers down in the supply chain, much of this technology is from China.

We should not necessarily go with the cheapest option but instead the safest and most secure option. For example, DJI drones [have been flagged by the Department of Defense, Department of Homeland Security and the FBI for connections to the Chinese Communist Party]. I’ve seen this with my own eyes in a previous position, proprietary data leaving a system and going overseas to China. In the utility sector, drones are an awesome tool in the toolbox, but we also need to be very mindful of how this tool is being deployed. If you’re going to connect anything to your IT system, including drones, be mindful of your data and who else might be looking at it.

I highly recommend that utilities do not use Chinese-manufactured drones but instead drones that are made in the United States or by countries that are Western friendly.

Utility Security Magazine:
Some reading this might envision themselves having to go to a board of directors or their higher-ups to tell them that the cheapest option isn’t the right option. They may view that as a difficult conversation. What advice or strategies do you recommend security professionals use to effectively communicate with the higher-ups that security may cost more than they were expecting to spend?

Well, usually “CSO” stands for chief security officer, but oftentimes it also means chief storytelling officer as well. When presenting to the board, you need to tell a story that explains the known risk, the value of engagement and how your efforts will mitigate the risk. The best way to tell a receptive story is through benchmarking.

The utility industry is famous for benchmarking. What are other utilities doing? How are they doing it? Not one entity owns all of the good ideas for security. We’re always borrowing ideas from others. I will also provide the board a current “state of security” across the industry and detail the uptick in attacks that we’re seeing. And there are plenty, unfortunately. We’re seeing an uptick in interest from China. We’re seeing chatter from domestic violent extremists. And the private discussions on the dark web tend to focus on destroying substations.

I am happy to say that I enjoy regular board access. They’re always very interested in what it is that security is doing to protect the business, our customers, and our information. It’s a regular dialogue, and I feel very fortunate to have that.

Utility Security Magazine:
Duke Energy had an attack on a substation last year that made headlines. For electric utilities, protecting substations from these types of attacks is no easy task. What is the path forward to better protecting against this?

I think as we rack and stack substations based on risk, not all security will look the same. We need to take into account local crime statistics, remote versus urban, access to law enforcement, vegetation and so on. One big thing Avangrid did after the Duke attacks was have a very frank and timely conversation with law enforcement. We viewed this from a “team” perspective.

We have great technologies like fencing, cameras, alarms, access control and gunshot detection in or around our substations. But at the end of the day, one of the biggest feathers in our cap was engaging local law enforcement and having them, in addition to us, go out and do random patrols around our substations. If potential attackers see our cars and a marked police car out front, it’s positioning us to be a harder target.

Utility Security Magazine:
In a world that can feel like it is rapidly changing, threats can change quickly as well. And with change comes the potential for new security blind spots. You mentioned earlier how internal threats and Chinese spyware are some areas of concern. Are there other areas you view as a potential security blind spot for utilities?

Having done this for nearly 25 years now, I can say I have never seen the chatter and conversations on the dark web be as concerning as they are right now. Much of the talk is aspirational, but a lot of it involves detailed plans on how to attack critical infrastructure.

Simply, we should be embracing convergence, focusing on insider threats, using intelligence to drive initiatives, and looking at third-party risk management in the supply chain. I will also add another key element: exercises. You can have great plans in place, but when things go bump in the night and there is an attack on your system, exercises can prepare you for what the appropriate response looks like. How do you communicate to law enforcement, to your staff, to local regulators? All of this takes muscle memory.

At the end of the day, from a leadership perspective, we need to ensure that all areas of the business are being heard and providing input—because what we don’t want to do is, in the midst of a crisis, start building out a response plan.

Utility Security Magazine:
I want to wrap up this interview by asking you to pull out your crystal ball. Gaze into it and tell me what you envision the future of utility security will be in five or 10 years from now–or beyond.

I think the utility industry has done a great job of removing a lot of the low-hanging cyber fruit in that we’re very good now at patching for vulnerabilities and threat hunting. We’re good at beta testing everything before it goes into the live environment. We’re good at applying sensors to our firewalls and in our critical cyber systems. The enemy knows this. Nation-state adversaries know this. So, I think the enemy is going to look for weaknesses in the vendor community. They will look for ways into your system(s) through consultants, vendors and third parties. So, it’s important that we ensure our vendors are just as secure as we are.

I also think the domestic violent extremist threat is going to continue to grow, particularly as we see the lead-up to the election at the end of this year. Based on what we are seeing in dark web chats, they’re very focused on destroying or degrading critical infrastructure—and substations and generation facilities are at the top of the list.

Lastly, China and Russia view the power grid as a likely path for a future attack on the United States; they’re paying close attention to all the different infrastructure that’s being built. If you’re building new infrastructure or trying to remove single points of failure in your transmission system, there are groups in China that are very interested in the infrastructure upgrades that you’re doing. We can’t hide this work, so we just need to recognize this threat and mitigate the risk as much as we can.