Keeping the power supply safe from terrorists

Kenneth Carnes, chief information security officer and vice president of critical secure services at the New York Power Authority, is tasked with protecting one of New York’s major utilities against cyberattacks. NYPA, a public-benefit corporation run by the state, is the only statewide electricity supplier and is the nation’s largest state power organization, providing electricity to businesses, nonprofits, government entities and more across New York. With cyberthreats getting more advanced every day, keeping such an organization safe from attacks is no walk in the park.

Carnes spoke with City & State about how his role touches every aspect of an organization, why hackers are targeting public utilities and how NYPA is preparing for cutting-edge cyberattacks. The following has been edited for length and clarity.

What are the responsibilities of a chief information security officer?

The interesting thing about the role is that it's really changed, or people are realizing (how the role affects the entire) business. It covers the gamut nowadays, because you're going to (be involved in the) business side of doing enterprise risk management policy, to the human side of training and awareness, HR onboarding and offboarding, and then you're going to move into supply chain contracts, vendor contracts, and all of those kinds of things. In a way it's pulling together the two dichotomies of extreme business strategy and risk, all the way down to the very tactical decisions that we make every day to enable the business.

How different is the role of a chief information security officer at a utility compared with a more run-of-the-mill company?

Like any business, I'm protecting the business-side operations against personal information loss and data loss – anything that any business would deal with. But where our environment gets unique is also in protecting the operational technology side, which is our systems and technologies that operate our grid.

What are NYPA’s top cybersecurity concerns?

They would be the same as any business. We're going to be focused on those same risks that they are – personally identifying information data protection, data loss, ransomware, all the normal business-type things. The challenge we have as a critical infrastructure that provides critical services to all New Yorkers, is that we are that target for nation-state attacks and advanced attacks. And so really, our depth of concern is around the zero day, the new thing, the attack that nobody else is even aware of, and staying ahead of that. 

Some reports suggest that utilities are particularly vulnerable to the newest, most advanced cyberthreats.

It's no surprise to security professionals in the industry that we are a target, and we are being as proactive as we can in not only implementing innovative ways to better protect and secure and enable the business, but also trying to make sure that we have strong relationships, and partnerships premade in the event of any event.

When it comes to partnerships with other companies, do you expect all potential vendors and contractors to match NYPA’s security capabilities?

If they're coming with a security solution, then yeah, we're expecting their security capabilities to be ridiculous. But if we partner with somebody and they don't have the level of security we expect, we will help them with that, because we want to protect the systems in which we operate.