Cyber security is chief among concerns for the CEO of PPL.
As part of NCC’s Executive-in-Residence program, William H. Spence, chairman and CEO of PPL, delivered a presentation outlining his company’s plan to handle the threats of the digital age.
“I think there isn’t a date that goes by that you haven’t probably seen in the newspaper some article about another company that’s been hacked,” Spence said. “It’s a phenomenon that will not stop.”
PPL, one of the Lehigh Valley’s two Fortune 500 companies, may seem like a prime target for hackers, but that’s not always the case.
“We don’t keep a lot of intellectual capital in our system,” Spence said. “What we do is pretty public in nature. So, you can figure out what we do [and] how we deliver power by just going on the internet.”
The customer information PPL keeps is not very tempting to hackers.
“We do have your address, your phone number, in some cases. Although, you could probably get that on the internet for 50 cents a record,” Spence said.
“It’s not that valuable any longer, but we are still very concerned about your information as a customer and we still want to protect that.”
As a utility company, PPL tries to ensure that power flow is never interrupted.
“The largest risk we have is the physical grid itself,” Spence said. “Operating as many thousands of lines as we do, obviously if someone were to get into our operational control system, that would be a problem.”
PPL has also been investing heavily to grow in size.
“We’re in the midst of a $3 billion a year capital deployment,” Spence said. “We’ve actually been on that train for the last five years and it’s going to continue for the next five years.”
The investment is spread among the seven utilities that are a part of PPL. In addition to their Pennsylvania-based operation, PPL has divisions in Kentucky and the U.K., each with their own president and CEO.
Part of the investment is aimed at outfitting parts of the power grid with smart technologies.
“More and more smart technologies are being placed out on the grid to make it more responsible, more reliable. But, it also is a vulnerability that we are now facing that we didn’t face in the past.”
Smart grid technologies would allow electric companies like PPL to better determine the cause of outages. Also, allowing greater consumer involvement in day-to-day electric needs by introducing a two-way stream of information to run parallel with electricity.
Even with ever-growing complexities in the methods of power delivery, phishing remains a popular way to hack into the systems.
“Phishing, which is increasingly the weapon of choice of the bad actors, is getting ever more sophisticated,” he said.
Phishing is the act of sending fraudulent emails or links to fake websites to gain sensitive information such as passwords or credit card numbers.
“I think 30 percent of the people attempted to be phished actually get phished. It’s very easy to click on a link.”
The nature of the digital age can be a challenge for companies to overcome.
“There are many ways to get into a company. Fortunately, we know most of those ways and can defend against them,” Spence said. “There’s a power imbalance, the hacktivists or activists need just one point of entry.”
“There are millions of points of entry and they only need to exploit one. They can be laser-focused on getting to that point of entry, and then exploiting that entry point.”
The types of hackers operate for myriad reasons.
“These can be state-sponsored actors so you think about rogue nations,” he said. “You think about North Korea, you think about Iraq, Iran potentially. Of course, Russia always comes up as a potential state-sponsor. Interestingly, they’re the most sophisticated and oftentimes have the means, but they don’t have the motivation.”
There are times when Russia deems it within their interests to hack a utility company. “[In] 2015 there was an attack in the Ukraine and it’s believed it was Russian-oriented. It took down the Ukrainian power system, about 250,000 customers, for several hours.”
“Not a huge deal necessarily, the grid was back up, not a lot of customers in the grand scheme of things. It still was kind of a wake-up call, not to our industry necessarily, but to people that own critical infrastructure that we need to protect ourselves even more fully than we had been previously.”
Another archetype of the hacker’s PPL watches for are those who want to extort money. “They’re trying to put ransomware on a company trying to get you to pay out small amounts of money; $5,000, sometimes $50,000, sometimes half a million dollars,” Spence said. “They’ll take control of your system and give it back to you so long as you put some Bitcoin in their account somewhere. That’s probably the single largest group that’s out there. Fortunately, for that group, we are not a target.”
One of the ways PPL defends itself is through actionable intelligence.
“This is in an industry that’s morphing in to a very serious business, where people will sell you actual intelligence. That means, ‘Here’s the latest mechanisms, tools, techniques [that] people are using to get into corporate systems, and here’s how to defend against that.’”
“We deploy companies, we consult with companies, we hire companies to help us defend our system and give us the latest and greatest technology, tools and information that we can use to defend ourselves,” he said.
Training employees is one way PPL counters the looming threat of hackers.
“Most breeches, as I mentioned, start or end with a human involved. So, training our PPL employees is extremely important to make sure that everyone knows what their job is, everyone knows how to respond, what to do, what not to do, etc. We’re very focused on training.”
It’s not just PPL that are taking up defensive strategies for the digital age.
“On the industry side, we’ve got multiple layers and mechanisms that we use to protect the grid. It’s clear that owners of critical assets, like ourselves, are at risk.”
“You have others that have critical infrastructure – think about telecommunications, think about financial services, water systems, any points of entry for terrorist activity, for example, is potentially a threat. In our case, it’s a grid interruption clearly.”
To prevent such an outcome, PPL and its contemporaries are prepared to foot the bill. “As an industry we’re projected to invest $52 billion in protecting the grid. That’s both physical and cyber security,” Spence said. “We’re very serious about this as an industry and as a company.”
“We continue to really step out as a leader among all the critical infrastructures. In fact, in a recent report, the electric industry was highlighted as leading the way for the industries that were most prepared and most equipped to deal with a cyber-attack. And most importantly, most prepared to respond and recover from a cyber-attack.”