A Tale of Two Cyber Exercises: Exclusive Interview with Zach Tudor of Idaho National Lab

In the annals of 1980s cinematic history, WarGames was a film that tapped into a lot of futuristic tropes of the time. It was the first introduction many in the public had to the idea of hacking, and certainly popularized the idea that military war games exercises were used to hone defenses against potential digital attacks.

While it’s been over 30 years since Matthew Broderick’s character brought to life the idea of cybersecurity exercises in a competition-like format, the concept might be more relevant now than ever and for applications beyond just military. Case in point, the cybersecurity of the electric grid is one of the most important topics of discussion across the utility industry, and for good reason given the advancing abilities of potential bad actors to attack the grid digitally and the successful attacks on Ukranian utility systems at the end of 2015. 

This focus on grid cybersecurity is why this November’s CyberCon: Power & Utilities Cybersecurity Conference is so anticipated this year, and a presentation from Zach Tudor, Association Laboratory Director – National and Homeland Security at Idaho National Lab, will bring the WarGames idea to the annual grid cybersecurity conference. Zach will be presenting on the panel entitled “Case Study: A Tale of Two Cyber Exercises,” and ahead of this eagerly awaited presentation he graciously agreed to speak with Energy Central (and keep reading to the end for a special offer exclusive to Energy Central readers for CyberCon!): 

Matt Chester: Before diving in, I’d love to first hear more about your background in the utility field and cybersecurity for the grid specifically. What’s your history in this area and what do you do in that respect today? 

Zach Tudor: I have been working in the cybersecurity arena for over 30 years, first in the Navy and later in industry. I have been focused on critical infrastructure security since the early 2000s, primarily through work with Department of Homeland Security and other government agencies in partnership with industry.

MC: As someone who works on these cybersecurity issues for a Department of Energy National Laboratory, can you comment on what the role of the government is in these types of grid security issues and how collaboration arises between the public sector and private companies in this sector?

ZT: Many of our critical infrastructure systems in the United States are owned by the private sector, so collaboration between utilities and the government is essential. From a pragmatic standpoint, the government – like citizens - depends on essential services including reliable electricity and clean water. At the same time, utilities depend on the government to provide relevant information on threats to these systems whether man-made or natural disasters. It’s truly a symbiotic relationship. 

MC: At CyberCon, you’ll be specifically discussing cyberattack training and simulation exercises. How do these types of endeavors end up strengthening overall grid security? How critical are the exercises to deployment of effective strategies? Are these exercises being done frequently enough, in your opinion? ration?

ZT: A lot of organizations outside the government provide good, quality cybersecurity training. At Idaho National Laboratory, we try to provide training that addresses gaps that are not filled by other providers. Our unique training facilities along with our utility-scale experimental ranges allow students to apply their knowledge against real, working systems. Beyond developing workforces in Idaho, our researchers provide technical expertise and support to large-scale exercises like DARPA’s RADICS program and NERC’s GridEx, among many others. The end goal is and always has been to improve the resiliency of our nation’s critical infrastructures. It’s a noble mission and we’re proud to do our part. 

MC: Cybersecurity for the grid is often a moving target, because not only are those working in security constantly improving but so are the bad actors that you’re trying to fight against. How can professionals in the utility industry continue to try to stay ahead of the curve and prepare for the next wave of potential attacks? What sort of operational mentality must these key utility decision-makers take?

ZT: Several years ago, we began approaching cybersecurity research, vulnerability assessments, and training from the standpoint that the bad guys are already in your system. When you approach security as if a breach has already occurred, it changes how you view both the threat and the solution. We’ve come to realize there is no security silver bullet. 

To cope with this state of affairs, utilities should preach and practice cyber hygiene, they should employ defense-in-depth strategies, they should invest in advanced security training for their workforce. But they should also understand that a well-resourced, patient adversary will get into any system if they really want to. That can be an intimidating thought, but it’s reality. Utilities, the government, even users must treat cybersecurity as a moral responsibility. Utilities know their unique systems and the government understands the threats. Working together we can focus on identifying the most critical components of any system, the ones that must not fail, and then develop individual, custom mitigations.   

 

MC: While at the conference, you’ll not only be presenting but you’ll also be in attendance and learning yourself. Are there any areas you hope to see covered that you want to learn more about outside of what you’re personally working on day-to-day? Are there any presentation topics of individual speakers you are excited to see in particular?

ZT: I’m always interested in what challenges practitioners, utilities and otherwise, are facing and how they are responding to current threats and opportunities.

If you're interested in learning more about these types of cyber exercises, then don’t miss Zach’s presentation on the topic at the CyberCon Power & Utilities Cybersecurity Conference in November. You can learn more about the agenda and register for the conference hereSpecial offer for Energy Central readers: You can get $500 off the conference registration fees by using the code 'ENC500' at check out!