Challenge: AEP's 5.5 million customers depend on the company's security strategies to protect the grid from cyber attacks.
Why IronNet: Collective Defense provides the high-fidelity threat sharing to make its cyber intelligence truly actionable.
Of note: Steve Swick, AEP’s Chief Security Officer, says, "AEP values the relationship and initiatives being led by General Alexander and IronNet."
As a leader in cybersecurity in the critical infrastructure sector, American Electric Power (AEP) has invested heavily in advanced technologies to secure the grid from cyber attacks. “We realize our place in making sure the U.S. electric grid is stable and secure — in making sure that AEP is a contributor to security across the industry as well as ensuring our own system security is top notch,” says Steve Swick, AEP’s Chief Security Officer.
Public safety depends on a trustworthy, always-on grid. With the nation's largest transmission system consisting of more than 40,000 miles of transmission lines and more extra-high-voltage transmission lines than all other companies combined in North America, AEP embraces its role as a leader in defending the grid and the nation. Like many of its industry peers, the utility company recognizes the need for collaborative cyber defense to combat adversaries as a unified force. AEP’s 5.5 million customers depend on this security, but so does the nation at large.
Swick recommends five ways for the utility sector to come together as partners in the Collective Defense of the U.S. grid.
“There is a lot of passion in the industry around moving security forward to protect the electric grid, but we need high-fidelity threat sharing focused on valuable information that has been enriched to make it actionable,” Swick says. In addition to participating in multiple threat sharing initiatives within the critical infrastructure sector (e.g., the energy ISAC) and with federal and local government entities, AEP is deeply committed to serving municipalities and co-ops to protect the sector as a whole via collaboration.
Although all states understand the value of cybersecurity and the need for seeing the complete threat landscape across the sector, some are further along than others at implementing capabilities for sharing. Collaborating is essential for building the bigger threat picture. As Swick notes, “Some states need help figuring out where to start and where to push forward. Bigger companies such as AEP can help by encouraging collaboration within ISACs and across peer groups.”
He is adamant, though, that threat sharing by email most certainly is not a good practice, “and it will never work if you are compromised.” Swick adds,
“If you're compromised and you’re worried about someone being inside your network, and you’re relying on email for threat sharing, you might as well just call the threat actor and say, ‘Hey! I see you. Here’s what I’m looking at.’” Real-time sharing with situational context, in much the same way that radar works for collective air traffic control, is crucial.
Threat sharing is one thing; high-value threat intelligence that’s useful and relevant is another. “No one wants a fire hose of threat intelligence, and entities that do not have strong security capabilities certainly can’t absorb that kind of intelligence … and it’s not valuable or helpful to them.”
To deliver relevant threat intelligence across the industry, Swick suggests directly interacting with states and smaller sector entities, which “need to lean on the bigger companies as advisors so they can leverage the threat intelligence in an actionable way.” He explains, “It needs to be actionable immediately down to the lowest level where the analyst does not need to have those high level skill sets to analyze the malware in order to take action immediately, for example by applying a filter or a block.
As many companies are beginning to understand on a fundamental level, threat data sharing is critical for protecting the nation, especially the energy sector. Companies like AEP know that threat data does not compromise data privacy or place a company’s competitive edge at risk.
As Swick explains, “If we are sharing the data in the right way, we are not sharing any specific information about the company; instead, that anonymized data provides information only about the threat and what to do about it.”
Educating your company’s legal and executive teams about anonymized data sharing in cyber is critical to ensure these stakeholders understand the important role that data sharing plays in seeing the bigger picture of threats hitting the sector at large — and across other sectors. This approach is essential given that adversaries often target one sector before moving to another. If you face objections to threat sharing, start discussions at the state level and with other companies, and move up from there to “build the bigger threat picture we all need to act on.
The U.S. Solarium Commission has called for threat sharing for stronger defense: “Information sharing is an important part of public-private collaboration, but it is not an end in and of itself. It is a means of building better situational awareness of cyber threats, which can then inform the actions of both the private sector and the government” (Cyberspace Solarium Commission Report, p. 96). Collective Defense “helps at all levels to protect our country,” says Swick. In the case of AEP, he explains, “We are a top target for anyone thinking about taking out the power of the U.S. Having those partnerships and being able to share valuable, actionable data at the government level is the direction we need to keep moving in.”
The right relationships are in place. Collectively, the energy sector, “now needs to get the right package of threat intelligence and threat data so the government can do something with it if need be.”
The cyber talent shortage is a known reality across all sectors. AEP has solved the challenge by building strong teams from within their company. Swick shares that, “We have not had a shortage in cyber capabilities because we are not trying to fight for someone who already has been trained.” What this means is finding a network analyst or a network architect from within, as their next step is to go to cybersecurity. “If they are passionate about security and dedicated to the company, they will grow themselves, and at AEP we are very supportive of that growth because it allows us to build great teams.”
Leading the way
AEP is an integral part of achieving General (Ret.) Keith Alexander’s vision of Collective Defense: sharing in near-real time with sector peers, better protecting the grid, and sharing with the U.S. Government to address attackers head on. AEP has been a key partner in establishing the partnership/vector between IronNet and the U.S. Government for IronDome threat sharing. "AEP values the relationship and initiatives being led by General Alexander and IronNet. American Electric Power continues to transform digitally, and through strong partnerships and use of technology with greater peace of mind that we can stay ahead of cyber adversaries looking to disrupt our nation's critical infrastructure,” adds Swick. By advocating for and applying Collective Defense in its own operations, AEP is leading the way to ensure the resiliency of our nation’s grid.
Hear more from Steve Swick, along with IronNet Co-CEO General (Ret.) Keith Alexander in the on-demand webinar, "How to collaborate for a stronger cyber defense: Leadership advice from the front lines."