• United States



Director, Critical Infrastructure Protection Programs, North American Electric Reliability Corp. (NERC)

Above the lines: Addressing grid security in the press

Nov 04, 20163 mins
Critical InfrastructureIT LeadershipSecurity

The electricity industry continues to improve its security posture, yet we are drowning in a sea of negative press.

The utility industry is bombarded by negative press about the security nature of the electric grid. It seems we read a new story about “what is going wrong” with utilities weekly and on a regular basis. We have heard the constant drum beat of “hackers are in the grid” or “industry doesn’t take security threats seriously enough”, but rarely does industry receive due credit for the positive steps it has taken to secure electric systems and infrastructure. Today more than ever, industry is acutely aware of the microscope placed on it and the importance of electricity to the American way of life.

Electric power remains a very visible and attractive target to anyone looking to cause damage. A successful attack on the power grid causing a wide-area long-term outage would have significant national security, economic, and public health and safety consequences.

The threat remains and we should not lose sight of this. However, we have seen the media run wild with stories about substation shootings, rumors of hacked control systems, and the targeting of specific infrastructure sites within the grid. While some responsible reporting has taken place, many see the opportunity to “pile on” and make accusations that industry isn’t responsive. Yet, the opposite is true. This industry, more than any other critical infrastructure sector, has moved the proverbial football down the security field.

[ ALSO ON CSO: Defending the grid ]

The North American Electric Reliability Corporation (NERC), Electricity Information Sharing and Analysis Center (E-ISAC), and the Electricity Sector Coordinating Council (ESCC), along with the various trade associations have put security at the top of the list in terms of ensuring continued reliability. The electricity sector is one of the few sectors that has mandatory and enforceable security standards.

A new Design Basis Threat (DBT) was recently released and NERC is now preparing for its next Grid Security Exercise (GridEx IV), to be conducted in November of 2017. Meanwhile, utilities are spending millions of dollars to upgrade their security programs and better protect their substations and generating plants across North America. With the development and acceptance of the newest physical security standard, NERC CIP-014, utilities are conducting assessments, building security plans, and installing mitigation measures to protect their transmission “crown jewels”.

Investments in cybersecurity continues to be monumental. NERC and industry are currently developing a cybersecurity supply chain management standard in response to FERC order 829. While compliance is a driver, utilities understand the impact that poor cyber practices can have on industry perception and company reputation. The point is a lot of progress is happening.

The utility industry needs to be their own advocate, quick-to-draw and highlight success stories that point to action and accomplishments. While industry remains committed to “keeping the lights on”, we should consider how to best articulate activities and initiatives that demonstrate the importance of the topic and the solutions brought to bear.

If you’re proud of your program, let others know about it. A two minute elevator speech that can effectively communicate the progress of your compliance program, reliability investments, and culture of security may be worth its weight in gold.


Brian Harrell is a nationally recognized expert on critical infrastructure protection, continuity of operations, and cybersecurity risk management. Harrell is the President and Chief Security Officer at The Cutlass Security Group, where he provides critical infrastructure companies with consultation on risk mitigation, protective measures, and compliance guidance. In his current role, he has been instrumental in providing strategic counsel and thought leadership for the security and resilience of the power grid and has helped companies identify and understand emerging threats. Advising corporations throughout North America, Harrell has worked to increase physical and cybersecurity mitigation measures designed to deter, detect, and defend critical systems. Harrell is also a Senior Fellow at The George Washington University, Center for Cyber and Homeland Security (CCHS) where he serves as an expert on infrastructure protection and cybersecurity policy initiatives.

Prior to starting his own firm, Harrell was the Director of the North American Electric Reliability Corporation’s (NERC) Electricity Information Sharing and Analysis Center (E-ISAC) and was charged with leading NERC’s efforts to provide timely threat information to over 1900 bulk power system owners, operators, and government stakeholders. During his time at NERC, Harrell was also the Director of Critical Infrastructure Protection Programs, where he led the creation of the Grid Security Exercise, provided leadership to Critical Infrastructure Protection (CIP) staff, and initiated security training and outreach designed to help utilities “harden” their infrastructure from attack.

Prior to coming to the electricity sector, Harrell was a program manager with the Infrastructure Security Compliance Division at the U.S. Department of Homeland Security (DHS) where he specialized in securing high risk chemical facilities and providing compliance guidance for the Chemical Facility Anti-Terrorism Standards (CFATS). For nearly a decade of world-wide service, Harrell served in the US Marine Corps as an Infantryman and Anti-Terrorism and Force Protection Instructor, where he conducted threat and vulnerability assessments for Department of Defense installations.

Harrell has received many accolades for his work in critical infrastructure protection and power grid security, including awards from Security Magazine, CSO, AFCEA and GovSec. Harrell maintains the Certified Protection Professional (CPP) certification and holds a bachelor’s degree from Hawaii Pacific University, a master of education degree from Central Michigan University, and a master of homeland security degree from Pennsylvania State University.

The opinions expressed in this blog are those of Brian Harrell and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.