[Scott] Coming up on "Energy Switch," we'll look at protecting energy systems from dangerous threats.

- When you have increasing automation, when you have increasing connectivity, those all become threat vectors.

And so while you have this advancing technology, can you make it secure at the pace that you need to?

And that's a constant challenge for our operators.

- So we are gonna see the energy sector change fundamentally over the next 10 to 20 years.

There's a lot going on, and there's a tremendous amount of investment going on as well.

But we all need to be part of the conversation, including the average consumer.

[Scott] Next on "Energy Switch," critical risks to our energy system.

[Narrator] Funding for "Energy Switch" was provided in part by, The University of Texas at Austin, leading research in energy and the environment for a better tomorrow.

What starts here changes the world.

[upbeat music] - I'm Scott Tinker, and I'm an energy scientist.

I work in the field, lead research, speak around the world, write articles, and make films about energy.

This show brings together leading experts on vital topics in energy and climate.

They may have different perspectives, but my goal is to learn, and illuminate, and bring diverging views together towards solutions.

Welcome to the "Energy Switch."

The U.S. energy system, particularly the infrastructure that moves energy, electric grids, and pipelines, is constantly at risk from extreme weather events like hurricanes, winter storms, heat waves, and wildfires.

And it's increasingly threatened by cyber attacks from hostile foreign governments, rogue actors and criminal elements.

Enough that the energy industry and the U.S. government are investing billions of dollars to counter these threats.

We'll discuss all this with Puesh Kumar.

He directs the Office of Cybersecurity Emergency Response for the U.S. Department of Energy and performs similar duties for Southern California Edison, an electric utility.

Suzanne Lemieux is the Director of Operation Security and Emergency Response Policy at the American Petroleum Institute.

Next on "Energy Switch," we'll discuss critical risks to our energy systems and how to manage them.

You know, let's dive into cyber.

Well, what is cybersecurity?

I mean, what does that even mean?

- You know, back in the day, we were really worried about stealing our data and our information.

So you might get a phishing email.

I would actually say phishing is still one of the number one ways for even more advanced cyber actors to try getting into your system.

It's a lot easier to just send you an email and hope you'll click on it than try to actually penetrate your system.

It can not only cause some of that data being stolen, but on the more extreme level and the thing that we really worry about, is shutting down a critical pipeline as we saw with the Colonial Pipeline ransomware attack.

- So the Colonial Pipeline actually shut down preemptively.

- Before you go on, just what is the Colonial Pipeline and how much oil does it move?

- So the Colonial Pipeline is a system that starts in Texas, runs over to Louisiana and up the East Coast, supplies 45% of refined product to the East Coast - Forty-five, so?

- A significant amount.

- Yes, almost half.

- Yes.

Yes.

They knew that how critical it was to keep their operational technology safe from this threat that was in their IT system.

And so they preemptively shut the system down in order to protect that operational technology.

Because if your email's disrupted, your HR is disrupted.

That's one thing.

If you have to shut down your operations, that's another, and that's what we're really concerned about today.

- How long was the shutdown?

[Suzanne] Five days.

- Five days.

- And the average for a ransomware attack, the average system downtime is 27 days.

- Wow, I mean, I think the studies are pretty good that in a physical sense, pipelines are much safer than trucks and boats and trains.

- They actually are all at 99.99%.

- All of them?

- Delivery.

- Really?

- Yes.

[Suzanne] The pipelines are the most efficient.

- Yeah.

- You know, They are certainly one of the most efficient ways to move large amounts of product.

But that also may mean that they're more critical and therefore we may need to expect them to be more secure just because of their criticality.

- Interesting.

- Because that one pipeline could just disrupt a lot more than just one truck.

So I applaud API for having their cyber standards well before the Colonial Pipeline incident.

Now the challenge with them is they are voluntary.

And so this is where you saw TSA have to step in and say for critical pipelines or critical infrastructure, broadly, maybe we should require baseline cyber requirements.

- TSA, the same one that looks for my nail clipper at the airport.

- Yes.

- They do pipelines?

- They do surface transportation, which is pipeline rail, commuter rail, and some maritime.

- Interesting.

So, you know, we've talked about from email scams down to big server hacks and big things.

What else?

- One of the things that we've seen over the years from certain actors is the theft of intellectual property.

We are the leader in production of oil and natural gas in the world and that's all done through technological innovation.

And so there are other countries, other entities who wanna take that innovation and recreate it.

- Any other additional things you would add?

- These adversaries are becoming more sophisticated.

So now we're actually seeing things like compromising critical software.

So that's an area where we are really focused because we feel like we have to work with not only the energy companies themselves, so the electricity, oil, and natural gas companies, we have to work with the manufacturers and suppliers of those companies because they could be the entry point.

- Right.

Who are these perpetrators?

Who are these people?

Are they real humans?

Are they AI systems?

What are they?

- Nation states.

Russia, China, Iran, North Korea.

But then criminal actors.

We know that Dark Side was responsible for the Colonial Pipeline ransomware.

[Scott] Dark Side?

- A criminal group out of Russia.

They've since disbanded.

They apparently said that they didn't really intend to take down the pipeline.

They were just trying to make money.

So, um, you know... And the FBI did go after them and were was able to recover majority of the Bitcoin that was paid.

- Interesting.

- So it depends.

It's for different purposes.

It's for intellectual property theft, it's for criminality, it's for disruption, it's for-- and there are domestic actors too doing this, the anarchist or domestic terrorists who are trying to disrupt how we function as a country.

- How common are they?

Are these kinds of attacks increasing?

Are they stabilizing?

- I think generally across the board, not just in the energy sector but writ-large, we're seeing increasing cyber attacks.

And it's a challenge because when you have increasing automation, when you have increasing connectivity for efficiency and for understanding what's happening in your operations, those all become threat vectors.

And a lot of the infrastructure that we have in our industry, you know, is built with a 60-year lifespan.

And so while you have this advancing technology, can you make it secure at the pace that you need to?

And that's a constant challenge for our operators.

- AI and cybersecurity.

I mean, some of the things AI does, incredible, good.

Is it gonna help?

Is it bigger risks?

How does AI play here?

- Absolutely.

We think of AI in two ways.

One, how do we defend against AI-enabled cyber attacks?

Now, the other side is true as well.

How do we use AI to better protect our systems?

One of the great things about AI is that it can take vast amounts of data and be able to compute and actually take actions in many cases faster than a human can to actually protect systems.

I was reading a report by IBM recently that said organizations that actually leveraged AI in security solutions were actually saving hundreds of millions of dollars more than those who are not.

- Yeah, as a tool instead of a weapon.

[Puesh] Yes.

- And I think the challenge of something like AI, and where we're seeing technology going is that the government, and I'm not talking about DOE necessarily, but in terms of regulation and legislation, is really not constructed in a way to keep up.

And so when you have these technologies that are really outpacing the regulation which is needed because we don't know how this is gonna be used and where it's going and what the impacts are.

And so you have something kind of running wild out there, without any controls.

It's something that I think we need to focus on as a country.

- So how do we reduce these attacks if we look out to the future?

Can we keep up, what's the plan?

[chuckles] - My office is squarely focused on the security and resilience of energy systems.

And we do it through a couple of ways.

One is national policies, policies, working with states, and then we work on training and capacity-building.

So how do we actually test some of the systems to make sure that they are secure?

The other way of doing it is how do we design things differently?

And so we have a lot of focus right now on a concept we're calling cyber-informed engineering.

So as we engineer the energy systems of the future, how do we really ensure that cybersecurity is as fundamental to those systems as safety and reliability have been for so long?

And so we're working with the universities to include cyber-informed engineering into their curriculum.

We're working with manufacturers to say, "How do you design things differently from a cyber perspective?"

So I think we have to assume this is only gonna get worse when it comes to cyber.

It's much easier to conduct a cyber attack than it is to have boots on the ground.

And so we have three big buckets that we think we need to be focusing on.

One is, it comes down to the policies.

When it's critical infrastructure, should we be thinking about baseline cyber requirements?

I know regulation is a scary word, but I would actually say that after Colonial, it was some of the pipeline companies that stepped up and said, "We need regulations."

The second area is we do have to ensure that our systems are secure, inherently secure.

And so this is where really pushing that concept of cyber-informed engineering is going to be key.

And then last but not least, we have to continue investing in tools and technologies.

One of the big things that the Department is doing is through the Infrastructure Investment and Jobs Act, IIJA, we're investing $62 billion in the U.S. energy sector.

A portion of that funding, my office is executing specifically focused on cyber.

One of my peer offices is focusing on resiliency of the sector.

- Good to hear some things going on.

Industry getting out in front of some of this as well?

- We're planning right now for our 18th annual cybersecurity conference.

I think some people say, "Oh, you woke up to Colonial" and no, it's been about two decades or more.

Our companies are not just doing everything in-house, they're working with their regulators.

They're working with other government agencies like CISA and DOE for voluntary programs.

- CISA?

- It's part of the Department of Homeland Security.

- Okay.

We have great relationships with the FBI and a lot of our members have come from the government and different security agencies.

So we're in business to be in business, and if you're not taking cybersecurity seriously, then you're not gonna be in business.

[Scott] Right.

So, kind of flipping from the cyber world to the physical world, let's talk about weather.

Let's start with electricity and fuel systems.

I mean, things don't do well in extreme cold.

How do we start to protect against that?

- We've been operating up in North Dakota for decades.

and that's pretty extreme cold.

And those systems are reliable.

And so it's weatherization and how you build out that system.

I think what we've seen in Texas in the last couple years with their extreme cold that you know is somewhat unprecedented, just revealed that there is some additional things that operators can do.

- I mean, weatherization, it sounds easy to say, but don't these costs get passed through to the consumer eventually somehow taxes are-- - Yes, prices are increased.

The more you do, the more things cost.

Whether it's increasing cybersecurity, whether it's increased weatherization, any change is gonna cost money.

And typically with energy prices, the consumer pays.

- Yeah, eventually.

- Eventually.

- Yeah, flipping to extreme heat in the summer of '23, what are some of the challenges we saw?

- Absolutely, so out in California in particular, our utilities had to implement demand response programs.

They had to ask large industrial customers to curtail some of their energy usage.

Now on the federal level, my office also has some emergency authorities that we can also deploy to either let units run beyond certain limits or be able to allow some interconnects during an emergency.

So we're always looking at those tools and what we can offer and help during these scenarios.

But it also is incumbent upon some of the energy companies to be thinking about them as well.

- We've had a lot of fires here and how do you protect from those?

- Yeah, so when we've seen wildfires, they can have devastating impacts.

And so I know with a lot of the utilities, they're really looking at different strategies to mitigate the risk of a wildfire.

For example, there's a program called Public Safety Power Shutoff.

What the program is intended to do is if they do see a wildfire risk, they might proactively shut off power.

Now again, no one wants to do that.

You never want to shut off power to customers.

But it is one of those things as a last resort so that we don't have a wildfire.

Other things they might implement are covered conductor programs.

So actually cover some of the conductors that even if they do hit some vegetation, it may not cause the impact.

That leads us to actual vegetation management.

It's actually, let's go ahead and do some of that management of the vegetation around some of the power lines so it does not come into contact.

- You mean like getting rid of scrub and brush?

- It's a lot of that.

Now, the one challenge that I know some of the utilities have had is a lot this vegetation can be on federal lands and so that's a big conversation we're having right now.

We're bringing the utilities together with the Forest Service and the Bureau of Land Management to ensure that we can do some of that proactive vegetation management, so that it doesn't cause an incident.

- Insulating lines.

I mean, why don't we do that?

Why don't we bury lines?

What's the big deal.

[chuckles] - Cost?

- That's, that's, that's a, you know, um, cost is definitely one of the big reasons.

I've heard costs of three times the cost to just bury a line.

And so somebody ultimately has to pay for that cost.

Now in the case of areas in California, you might not even be able to bury the lines because of where it's located.

It may be on mountainous regions, it may be really hard to dig.

The other thing you think about is if there is a fault or something goes wrong, you have to go find the fault underground as well which could also take longer than just looking at electric line and seeing that it's down.

And so there's a lot of factors that you have to really think about.

- Why do you bury pipelines?

Isn't it more expensive to do that?

- It's more of a fixed cost in a pipeline.

So once you build the pipeline, the pipeline's in service.

- But wouldn't it be cheaper to leave it above ground?

Wouldn't that save some money?

- It would potentially save money at the outset in the construction costs.

But from a safety perspective, it's safer buried because there's less that can disrupt it.

- I mean there may be some lessons for power lines here that we gut it up and where it makes sense bury 'em but it's gonna cost everybody more.

- And a pipeline's fixed cost, I think, are less personal than a utility customer's cost.

There's a big difference there.

- What about this idea of energy corridors where you put pipelines and power lines and transit and other things in just certain dedicated energy sectors.

Has that been talked about much?

- So the challenge there is it's not something that can just take a magic wand and do it at the federal level.

That's just not gonna be possible.

It's gonna take a lot of buy-in.

The area where we are focusing at DOE in this space is really that recognition that we have to partner with states.

When we think of even some of our resilience funding, some of it's going directly to the private sector, some of it's actually going directly to states to implement so that they can make the best investments in terms of energy infrastructure for their communities.

But as we know with some of these weather related events, they don't just usually impact one state, they impact multiple states.

We're bringing some of those states and regions together to prepare for different types of risks.

And then also hopefully it will influence how they make investments to make their infrastructure resiliently in coordination with some other states.

- Right, gotcha.

- And we've been quite forward-leaning on our advocacy for permitting reform.

There were some improvements made earlier this year, but permitting both at the federal and the state level is extremely challenging for any new infrastructure.

[Scott] Yeah.

- Right, it's hard.

[Scott] It's all hard.

Other weather on energy, droughts, long periods of cloudiness, long periods without wind, they happen, storms.

What are some other things where weather affects our energy systems?

- Hurricanes.

We work often with Department of Energy to do drills and exercises for when and if an event occurs.

It doesn't necessarily have to be a hurricane.

We do all hazards.

But certainly with the amount of infrastructure in the gulf, hurricanes are our biggest threat.

[Scott] Yeah.

- I would also say that those areas, because they are constantly hit, they also tend to invest more in some of those resilience measures themselves.

For example, Florida Power and Light actually started to deploy smart meters and other sensor technologies to better segment some of their infrastructure.

And they learned that because of a large hurricane that had hit them and really devastated the community there and the infrastructure.

And so they were proactively engaged and they not only leveraged their own funding, they also used some of the federal funding to say, "Let's make our community more resilient."

- Right, it's not all bad news.

Let's talk about some of the backstops, if you will, for example, the Strategic Petroleum Reserve.

This is where the U.S. keeps oil.

What's its purpose?

What is that for?

- The Strategic Petroleum Reserve was created for World War II to make sure that the U.S. had a reliable supply of crude oil for the military.

It is something that companies, if they have a supply disruption can potentially tap into.

And so it has been utilized a couple of times, but generally the global crude oil market is very liquid.

- Fungible.

- Fungible, and so we're able to move products around and the market usually responds without having to tap into what the government has.

- Right, how big is it like in terms of any metrics?

- There's about 713 million barrels in the reserve.

- We use about 20 million barrel oil a day in the U.S. - Exactly.

- Correct.

- Yep, it doesn't seem like a lot in terms of providing fuel to the entire country, but to an affected region it could be really helpful, and we have tapped into the reserve to provide supply during hurricanes.

- It's not the secretary on the phone to industry saying, "Please ask us to tap into this."

- No, it's the opposite.

So we generally prefer for the market to function.

This is a last resort.

So if there's a big storm that disrupts shipments of crude oil via ship and a refinery might not need to shut down without it, you could potentially make that request but it's pretty rare.

- What's the equivalent in electricity terms?

Do we have a way to help there?

- It's hard to compare molecules to electrons, right?

Molecules you can store, electrons work a little bit differently.

You're not gonna be able to store just electrons outside of battery storage.

We're all hoping batteries will start to get better and bigger where you could potentially store some of those electrons and be able to use them in an emergency scenario.

- If I do simple math, I think if we only depended on the SPR, it lasts 35 days.

It doesn't sound like much, we'll use it at the margins, but the latest I've heard is our batteries will last about four hours.

- Yeah.

- I think we need to be thinking about those things if we want to continue to press forward with electrifying more and more.

Otherwise, it seems like our risks are higher and higher.

Am I thinking wrong there?

- My office is in some way generation source agnostic.

There's never gonna be a silver bullet and as we start to see different sources of generation being incorporated into the grid, we should be thinking about them from a risk-based perspective.

We should be thinking of the resiliency aspects that they can bring to the grid, but also the security challenges that they could bring as well.

[Scott] Right, right.

On the electric utility side, talk a little bit about demand management.

How does that help safeguard some of these things?

- So an examples of demand management might be during a heat wave, working with some of the industrial commercial customers to say, "Hey, we need you to reduce your usage and in return we might offer you lower electricity prices."

You might also ask for some of that conservation by some of the residential customers as well.

- I think that's a nice, actually reward system.

- Yeah, the time-of-use rates.

Now, with the residential customers, it's a little bit harder to implement.

A lot of customers don't want to have to adjust their behavior, but how do you incentivize them to do so?

And so this is where potentially some of the smart technologies could potentially give you a notification either on your thermostat or on your phone saying, "Hey, if you reduce by this much, you might see some cost savings."

- I always found carrots to be a lot more impactful than sticks.

So look, this has been a great conversation we've had.

Final thoughts.

Anything we've missed or that you'd like to say?

- Our members understand how important they are to the U.S. economy, to national security and to our national defense as well.

Technological innovation has gotten us here and it's gonna keep pushing us forward.

- Things to add to that?

- I will say, there are 16 critical infrastructure sectors across the United States.

Energy is thought to be one of the most collaborative when it comes between industry and government.

And they're actually considered a model for all of the other sectors, for the water sector, for the financial sector.

So there might be times when we don't agree on policy, but that's okay because we can actually develop better policy by having some of those debates and disagreements.

We are gonna see the energy sector change fundamentally over the next 10 to 20 years in the United States.

There's a lot going on and there's a tremendous amount of investment going on as well, through the Infrastructure Bill, through the Inflation Reduction Act, through private investments.

But we all need to be part of the conversation, including the average consumer.

- Well, look, I've learned a lot, and again, I appreciate both of you being here to discuss the critical risks, and some of the neat things being done for our energy security systems around the country.

I'm Scott Tinker, this is "Energy Switch."

Cyber attacks on energy systems are increasingly common.

The most effective attacks are email phishing campaigns, which are now more sophisticated, but also ransomware and other malware embedded in software systems.

These IT attacks can ultimately affect operations, which could leave millions of people without energy.

So the DOE is placed a task force in charge of cyber attacks, spending billions of dollars in response preparation and promoting cyber-informed engineering.

Hardening energy infrastructure against winter storms, hurricanes and coastal flooding is becoming increasingly important.

Building power lines that are less likely to cause wildfires and less likely to be damaged by them is a key concern, particularly in western states.

All these remedies are expensive and there will be trade-offs between affordability and reliability.

The good news is industry and government are working together to combat these risks to energy systems.

♪ ♪ ♪ ♪ ♪ ♪ [Narrator] Funding for "Energy Switch" was provided in part by The University of Texas at Austin, leading research in energy and the environment for a better tomorrow.

What starts here changes the world.