Elevate the Edge
Elevate the Edge
Patricia Schouker Discusses Edge Security in Energy
Patricia Schouker is a VP of Strategy & Partnerships at cybersecurity company, PolySwarm. Her tenure is anchored within cyber and energy security with extensive experience in Fortune 500 and Public Sector environments. Her network drove new business, influencers and champions where her focus is on strategic and persistent threats, global energy security, as well as the intersection of technology and geopolitics. Her role at PolySwarm is to integrate and develop malware intelligence driven practices and policies for energy companies on local and global scales. Prior to her role, she worked at the European Commission in Brussels as a Policy Officer for the DG Energy where she contributed to energy analysis and intelligence pertaining to U.S.-EU energy relations, including future challenges. She holds multiple Non-Resident Fellowships and is an advisor for KPMG and strives to improve science and technology expertise in the U.S. legislative branch.
Hello and welcome back to elevate the edge on Maribel, Lopez and I'm joined here today with my fabulous co host Jo Peterson, the woman of many amazing glasses. Hello, Joe.
Jo Peterson:Hello Miss Maribel
Maribel Lopez:.Great to be here as always, and today we're joined by another great leader in technology. Patricia shaker. She is the vice president alliances and strategic partners at Poly storm. Patricia, welcome to the program.
Patricia Schouker:Thank you. Hi, Maribel. Hi, Jo. It's a pleasure to be here.
Maribel Lopez:So Patricia is working in the cyber and energy security space. She has extensive experience with Fortune 500 and public sector environments. Her role at Polly swarm is to integrate and develop malware intelligent driven practices and policies for energy companies on local and global scales. Boy, we are all excited to use that type of service. Prior to her role, she worked at the European Commission in Brussels as a policy officer for the DG energy where she contributed to energy analysis and intelligence pertaining to us EU energy relations, including future challenges. And lots going on here. So excited to have you at the program. I'm just going to jump right in Patricia. So energy and utility CISOs. And risk leaders are seeing a shift in compliance standards, from voluntary to mandatory monitoring both reactive and proactive. We've seen many different breaches and threats that have happened over the course of the past several years. So it's all very near and dear to our hearts on the things that are going on. But we're a compliance and cyber policies headed in this sector. Oh, absolutely.
Patricia Schouker:That's a great question to start our conversation here. And you mentioned breaches breaches. And, you know, I want to stress that security breaches are everyone's responsibility today, it's not just a technology problem, but also a mindset problem. And utilities must adapt to the pace of change in the digital threat landscape so as to prevent exposure to high volume, large scale and more sophisticated attack. So at the same time, you have the challenge from regulators to keep the regulation current, certainly regulations are extremely important to establish a common baseline of cybersecurity practices for essential services. But companies often need such regulation to justify investment, right for the implementation of cybersecurity controls. But the giant the challenge lies in moving beyond the regulatory compliance to an approach focus on cybersecurity risk as a whole. And I think it's the timeliness of our podcast today. It's perfect because the the the new cybersecurity strategy is about to come out from from the White House. And that will be a very, very interesting one. Unfortunately, I didn't get my, my hands on prior it's like the novel that you were you really want to read ahead of its publication. But all I can say is I'm expecting kind of a re architecture of our digital ecosystem. And in the end, higher emphasis on how do we create future resilience? So I think they would almost parallel the this climate strategy that we're seeing of 2030 2040 2050. But in a sense, where we shift the burden slum smaller companies, to big companies. And what do I mean by that? And I want to offer for your audience some perspective, given my my experience on the European side, how the EU Perspective Perspective versus the US perspective. So if you look at NERC how they they plan on, you know, the strategy, the standards, the requirement imposed on power utilities in North America are the most mature, but they still suffer from a level of details and rigidity, that does not always incentivize utilities to go beyond compliance with their cybersecurity programs, to stay ahead of evolving threats and technological innovation. Fines are regular and regular audits are mandated by requirements. And it makes all that adaptation that you mentioned, measurable, extremely complicated. But then on the EU side, which is very interesting as well and completely opposite to what the US is doing. Regulator regulators in Germany or the Czech Republic, Spain, Italy and France, have primarily advocated but not required those standards to be applied to critical infrastructure, essential services providers, so it really limits you know, these utilities to have the ability to select which provision of the standards to implement. So I think that remains, you know, a major a major challenge on that end. But also you have the whole notion of also supply chain, because you mentioned breaches, and I know how much supply chain has been has been extremely A big conversation lately. And I think more cybersecurity standards reference to supply chain security interdependencies within the electricity market are really different and dependent on system operators that may not be able to dictate the behavior of others by by contracts, for instance, but also you have this whole notion of cyber resilience. And it's also extremely difficult to define what resilience means in a way that is measurable. So I'm extremely curious to see where, where that cybersecurity strategy will will come about.
Jo Peterson:Well, it's interesting, you know, it seems like it's a balancing act. And whatever guidance comes out from the government, there's still some things that energy companies should be focusing on as a best practice. What are two or three of those? In your opinion, Patricia?
Patricia Schouker:Yeah, so you mentioned a good point. And I think one is I'm a big proponent of sharing and collaboration, this whole notion of public private partnership, I think sharing analysis, and especially what we call the the Sharing and Analysis Centers, the ice ax for utilities have been increasingly crucial for cross border electricity entities. So you have the electricity ISAC, here in the US, and the European energy ISAC, as well and in Europe, so I think, regulation make it possible to justify investments for the implementation of cybersecurity controls, for instance. But the challenge is going beyond regulatory compliance through an approach focus on resilience as a whole. And I think the lack of preparedness is also extremely interesting to your point, because when you look at there's a very good, there's a very interesting survey done by CSIS here in the think tank in Washington, DC that looked at eight hundreds IT decision makers from several countries around the world, including the US. And they found that 9% of critical infrastructure operators don't even have a cybersecurity strategy in place, despite the fact that 85% of respondents believe they have been targeted by a nation state cyber threat. So you see how you know the you I always say don't approach the financial sector, the same way that you will approach in the energy sector, the maturity level is not the same, because we always focus on the big names, that we don't look at the local aspect, the local companies out there, the small medium sized, that don't necessarily have the capabilities, but also the budget to to be part of that proactive and reliable cybersecurity management and risk perspective.
Maribel Lopez:I think you bring up a really good point, and this is around, there is even regardless of the size of company, there may be lack of knowledge, lack of resources in the security space, that means that not all companies are approaching it in an equal way. You know, one of the things that Joe actually had found a study from PwC, their 25th annual Global CEO survey, and 40% of the energy utility and resource CEOs rank, cyber threats is a top three concern. And Lopez research has done a bunch of research on this as well, for what are the top it concerns and you know, across different industries, usually security is one of the top three. So that makes a lot of sense. But given all that, you know, how are we seeing the scope of what the seaso? How do we see that skill that the C school is working with expanding in terms of how to deal with protecting assets? And in this new landscape?
Patricia Schouker:No, absolutely. And the C suite conversation and sisu conversation is extremely important. And we always, you know, we've all experienced the typical answer of oh, it's your your Cisco priority is not my it priority, right? So it's, we hear we tend to see that a lot and but in the cybersecurity industry, the more things change, the more they stay the same. We pride ourselves so much on innovation. However, I think this this, this seems like a fitting description for our recurring cycle of innovation, where new tools solutions approach come to market with some some new acronyms. We keep searching CISOs keep searching for that silver bullet. There really, there really is no silver bullet and security. Maybe because this is we're looking at the challenge of security through the lens of a tool or solution versus the broader picture of getting the pieces to work together in a single architecture. But we need to remember that bad guys look at the entire playing field defenders need to as well. And I think this is extremely, extremely important, but also that also brings the point of the culture inside a company and the whole notion of cyber hygiene, you know, poor authentification makes up a substantially bigger percentage of attacks. And there's a very good report by Verizon 2021. And they publish those reports on a yearly basis on data breach investigation, and they found that human activity accounts for 85% of data breach. So social engineering techniques like phishing are used in 50% of ransomware attack. But the foundational aspect of any cybersecurity strategy must be security awareness training as a mean, for the entire business behind the security cause, especially as it ot environment are converging even more meaning sometimes more employees that are facing the IT environment, they can be also pipeline conduits to OT attacks. So we tend to really forget that that part. And I think the the the increased discussion of cybersecurity in the C suite, increased awareness of the importance of cybersecurity and inclusion of cybersecurity in IT enterprise is a positive step forward. Many of the attacks conducted by cyber criminals are the results of known but unpatched vulnerabilities. We've hear that a lot of time, but there's an intense motivation from the private sector owners and operators to better secure their networks and the tech these threats as the landscape evolve. So I believe ultimately, the private sector must take ownership over security, CEO, board members, I know it's board members season right now, it's the beginning of the year, but they must make cybersecurity a priority across the companies. There's too many companies that fail to implement even the simple steps like two factor authentication, you know, to leave secure areas of or leave us secure areas of worksite unlocked. But I think with the right education, the right workforce training, education is critical. You know, companies can really upskill workers train employees to ensure they are skilled and diligent about securing energy acids, of every aspect of the work that keeps the light the light on and fuel forward.
Maribel Lopez:I guess just to pick up on that kind of quickly, you know, are you seeing that anything's different in terms of how energy providers are working to secure the grid?
Patricia Schouker:What do you know, I think, anyone in my view, anyone who has the job title of keeping the lights on or securing degreed, the grid have both my admiration and full sympathy, especially in this current environment of energy security has become a very frequently used term, but also seems to be one of the most poorly defined. And for the, for your audience, you know, the way I would define, I think we need to kind of pause on that notion of energy security, and I see it as the low vulnerability of vital energy systems. So in that definition, they're really two main ideas packed in this definition. The first is that it's not energy security of a black box, like we tend to see it, but energy security of a specific system. So electricity security, energy, security of oil using transport. And then the second idea that's packed into the definition is vulnerability. How many times do we hear vulnerability vulnerability patch management, right? So to look at vulnerabilities, we look at how energy security concerns have changed throughout history. And we identify three persistent types of concern. The first one, the big picture, the sovereignty perspective, so answering the question of who controls energy? Are we for instance, on the policy side? are we importing all of our oil from one country from Saudi from Russia? Are we producing it domestically? The second is how long will our energy system last? And that's the robustness perspective. And that's really, are we going to run out of energy? And is the infrastructure ready to hold up to different types of threats? And the third one is the resilience perspective, which is asking the question, okay, when we face a disruption, how fast can the system respond and recover? So future infrastructure? You know, that I wish I had the answer to, you know, the billion dollar question of how to solve the grid, but I think future infrastructures will be built to withstand that ever changing threat environment that we're in scaling cybersecurity with the new wave of the energy transition. We talk a lot about transition, but we need to also secure that transition is making effective and less costly than tackling on cybersecurity measures later. So in the state Same way, you know, we both physical security measures today, you know, like, for instance, for your house, you have perimeter fencing cameras, you have access codes, we should do the same in the in the cybersecurity space, you know, to withstand criminals, rival nations, you know, and the occasional lapse human labs of cyber hygiene. But I think it's good to see today, more public private sector energy organization that view cybersecurity as an as an afterthought. And I think that second, often a second secondary responsibility that is too technically financially politically complex to address. So I think there's there's really a foundational aspect on the business model that needs to be changed in order to really take the the the idea of future infrastructure and security by design in in perspective.
Jo Peterson:That's a great answer, you know, and I was surprised I did a little research and I wanted to see what the top three attack vectors in the energy industry were. And the answers were sniffing attacks across the radio access network ransomware, and attacks against the 5g core network. Are those surprising vectors to you? What would you add? Ah, that's
Patricia Schouker:a very good, very good, very good point that you're making, Joe? Because I think the, you know, we speak a lot about the IoT. And how is How's that supposed to transform the energy grid and support the modernization effort? I think, you know, what we're seeing on the consumer side, for instance, we see is spearfishing that I count to about 38% of the initial access vector in the OT related industries. So you have the use of attachment, the use of links. But I think like I mentioned before, the the, the new grid tech will have this whole security by design approach to guard against potential cyber incident. But I think the the, you know, to kind of expand more on your on your point. When threat actors evaluate a company's attack surface, they're not thinking in terms of organizational silos. I think they're probing for the right combination over on their abilities. misconfigurations identifying privileges, and security should not operate in silos either. I think, today, as defenders, we're playing right into threat x into threat actors threat hands, as organizations struggle with reactive and siloed security programs. We see a lot of conversation on for instance, XDR that is, you know, extended detection and response that takes data from point products in an effort to identify attack as they're happening. But I think organization needs a way to assess the efficacy of their preventive preventive program as well. There's a lot of vendor fatigue as well, because we want to kind of get all the tools out there. But how do you? How do you make sure that those tools fit your processing pipeline. So I think understanding the impact of cyber incidents require business and security leaders to really work in conjunction with each other. Security needs to understand the larger mission of the organization safeguard the tools, the assets, enable the staff to complete this whole mission critical business critical activity that we mentioned before. But also make sure that you you safeguard the data as much as as possible. So I think that organization can really anticipate cyber attacks and communicate those rates, those risk for decision support will be the best position to defend against emerging threats. So I think we need to examine cyber risk based on operational units, departmental units, which will really allow for collaboration among different different areas, it will save time, improve investment, decision support, and drives improvement over time. So really reducing the risk in the in the organization and prevent future attacks.
Jo Peterson:Well, wow, that was a great answer. I think we should probably, you know, go to our fun fact. That's how we normally wrap up the podcast. And so I'm going to ask you, Patricia, what fun fact can you share with us today?
Patricia Schouker:Ah, well, I Have one that I found a couple of weeks ago, which was actually pretty interesting and related to tech. And then I'll give you an interesting definition that I found kind of terminology. So I found that that 10, Google search can power a 60 watt light bulb. Can you imagine that? So Google, I know, right, exactly. So Google processes around 3.5 billion searches per day, if you want 40,000 every seconds. And it takes a matter of seconds, right to type a query, or, you know, press enter. But if you conduct 10, Google search, you could power a 60 watt light bulb? How crazy is that?
Jo Peterson:That there's a joke in there somewhere? That's, that's sort of like how many engineers does it take to fill in the blank right? There, Patricia, but that's great. I love that.
Patricia Schouker:It's like, it's like the typical, you know, an engineer and a sister walks into a bar, right? And try to define, try to define technology. Well, actually, I haven't have an answer to that. But it's not a joke. I was looking, I was, I was looking at the definition of technology, right? Because we talk so much about technology. But when was it coined? Right? Who coined it? So apparently, it was in 330 BC by Aristotle? Yeah, I know. That's great. I know, it dates all the way back. So technology, you know, in the ancient times, and again, I'm taking you way, way back. But Homer and Hesiod had, you know, they, they described it as the manual craft. But then Aristotle coined the Greek term, tecnologia technophobia, right. And they split that definition into three parts, one with their theoretical science, practical science and productive science. And when you look at the word theory, practice and productivity, this is pretty much what we're doing in the cybersecurity space. So there were so ahead
Jo Peterson:of their time, Patricia. Yeah. So ahead of their time. Well, we got two fun facts for the price of one from you today. Thank you. And thank you so much for taking time to be on the podcast with us.
Maribel Lopez:No, thank
Patricia Schouker:you, Joe and Mary, both for everything you're doing. And it was a real pleasure to have that conversation with you. And I hope to see you soon.
Jo Peterson:All right. Thank you. Take care.
