Three of Kentucky’s largest private utility companies testified about steps they are taking to prevent ransomware attacks like the one that shut down the Colonial Pipeline in May. IT security officers from American Electric Power, Duke Energy, and Louisville Gas and Electric and Kentucky Utilities (LG&E-KU) sat before the Interim Joint Committee on Natural Resources and Energy on Thursday.
Chairman Senator Brandon Smith (R-Hazard) insisted that efforts to learn about protections in place for Kentucky’s electric utility infrastructure put the commonwealth ahead of other states at a time when attacks target vital resources. “This has happened to water and some petroleum in the public sector, for people’s utilities, and I am not sure it’s going to go away,” Smith said.
“I do feel like we have a very effective tool to help combat this, and that’s hopefully what the takeaway here is,” Smith added. “We’ve been sort of yelling in a vacuum from this committee that this is very serious and that the people of Kentucky and this nation deserve to have the best people on it and put everything forward to stop this from happening.”
Each company outlined preventative steps, including software safeguards, ransomware prevention, and regularly scheduled exercises in which consultants try to hack the system from both outside and inside the company.
Phishing, where hackers send emails to trick employees out of vital passwords and information, continues to cause concerns. “That is probably the biggest risk today of cyber ransom attacks,” explained Duke Energy’s Vice President and Chief Security Officer Keith Butler. “One of the things we are seeing at Duke Energy is adversaries are breaching our vendors. They are getting into our vendors’ systems who do not have as strong protections and controls. Then they send emails from those vendors to Duke Energy employees that appear to be very legitimate emails, emails that our employees would expect to get. We are adding extra protections and warning our employees that even if it appears to be a good email from a vendor, you have to look for clues in there.”
Smith told committee members to expect future testimony on the topic. Senator Whitney Westerfield (R-Crofton) expressed concern for citizens as well. “I think it’s important not that we just take action to address what sort of conduct is already there, but I wholeheartedly believe that Kentucky’s law is insufficient, particularly with regards to consumer privacy,” he said. “We have taken some steps, done some things to protect critical infrastructure defining it and adding facilities to it in the last several years, but we are not doing nearly enough for consumer privacy and cybersecurity concerns regarding that.”