Our daily lives are more and more connected online. This includes our utility grids. Jojo Maalouf, Hydro Ottawa’s Director of Cybersecurity and IT Infrastructure, joins thinkenergy to discuss the role of cybersecurity in the energy sector. From cybersecurity threats, like cyber warfare and ransom-seeking hacktivists, to the measures required to defend our energy systems. Plus, how AI both helps and complicates matters. Listen in to learn what’s driving change and the collaboration needed to protect the grid.
Related links
-
Ontario Cybersecurity Framework: https://www.oeb.ca/regulatory-rules-and-documents/rules-codes-and-requirements/ontario-cyber-security
-
Get Cyber Safe resources: https://www.getcybersafe.gc.ca/en
-
Jojo Maalouf on LinkedIn: https://www.linkedin.com/in/jojo-maalouf-cism-cissp-0546b03/
-
Trevor Freeman on LinkedIn: https://www.linkedin.com/in/trevor-freeman-p-eng-cem-leed-ap-8b612114/
Hydro Ottawa: https://hydroottawa.com/en
To subscribe using Apple Podcasts:
https://podcasts.apple.com/us/podcast/thinkenergy/id1465129405
To subscribe using Spotify:
https://open.spotify.com/show/7wFz7rdR8Gq3f2WOafjxpl
To subscribe on Libsyn:
http://thinkenergy.libsyn.com/
Subscribe so you don't miss a video: https://www.youtube.com/user/hydroottawalimited
Follow along on Instagram: https://www.instagram.com/hydroottawa
Stay in the know on Facebook: https://www.facebook.com/HydroOttawa
Keep up with the posts on X: https://twitter.com/thinkenergypod
Transcript:
Trevor Freeman 00:07
Welcome to think energy, a podcast that dives into the fast, changing world of energy through conversations with industry leaders, innovators and people on the front lines of the energy transition. Join me, Trevor Freeman, as I explore the traditional, unconventional and up and coming facets of the energy industry. If you have any thoughts, feedback or ideas for topics we should cover, please reach out to us at [email protected] Hi everyone, welcome back. It won't be a surprise to anyone listening that our energy systems, like much of the rest of our lives, are becoming more and more connected and more online than ever before. Let's just take a look at our own personal lives. We've got apps that can control multiple aspects of our homes. For example, for my phone, I can adjust temperature, set points and fan speed heating and cooling in my house, I can turn on or off lights, both inside and outside. I can look and see who just rang my doorbell, even if I'm in another city, and I can check and see where my vehicle is, whether it's charging or not. And I can even turn it on all from my phone. And I would consider myself like middle of the road in terms of how connected and online I am. There are even further examples of this in some of those ultra-connected homes. This is part of our fast paced and constant evolution towards invenience and using technology to find solutions to problems that we didn't always know existed, and maybe they didn't actually exist. We've all heard that term, the Internet of Things, referring to this ultra-connected world where it's not just people talking over the internet, but our devices and systems are talking as well. I was absolutely floored when I was doing some research on this podcast to find out that this term, the Internet of Things, was first used 25 years ago, in 1999 when I first wrote the text for this. I put a placeholder in to say, oh, it's been around for over 10 years. And then when I actually did my research, it's over 25 years. Think about how far we've come since that idea was thought of in 1999 how different life is today than 1999 our energy systems and our utility grids are undergoing a similar transition. I talked about this a little bit with Hydro Ottawa's Jenna Gillis in a previous episode about grid modernization. So go back and have a listen to that. If you haven't already, we are adding more and more data points to our grids, and that includes sensors, smart switches, fault detectors, smarter meters, etc., etc. Even for hydro Ottawa, a local distribution company with around 350,000 customers, we are talking about many times that number of smart devices in the coming years, all connected, all trading data between themselves and our central systems and the smart folks who run them now, there is a ton of upside to this transition, and that's why we're doing it. More data leads to better decision making, a better view of what's happening, whether that's during an outage or at times when the grid is heavily utilized. It lets us get more out of the equipment we have, react and adjust to the needs of our customers, and react and adjust to the needs of the grid. It will lead to faster restoration during outages, and sometimes that restoration will be automatic without having to roll a truck. It will allow us to better integrate distributed energy resources like small scale solar and storage and other things into our grid for the benefit of our customers and the grid. There is no question that this is a move in the right direction, and hydro Ottawa is leaning into this aspect of the energy transition to build a smarter grid for our customers. However, it does highlight something that has long been a priority for us, cyber security. With so many connected devices, with so much data out there, we need to be extremely vigilant and rigorous with our digital security. Cyber-attacks on utility infrastructure are not theoretical. In 2015 and 2016 attacks on the Ukrainian power grid resulted in large scale power outages in that country, as we increasingly rely on electricity for so many aspects of our lives, attacks like this, whether by nation states or bad actors seeking financial gain, can have devastating consequences. Luckily, this is something that has been a priority for us for many years, and as the threats become more sophisticated, so too do our strategies to protect our systems and our grid from those attacks. Joining me today to talk about this is Hydro Ottawa's director of cybersecurity and IT infrastructure. Jojo Maalouf, JoJo, welcome to the show.
Jojo Maalouf 04:46
Thanks for having me.
Trevor Freeman 04:47
All right, so Jojo, cyber security is a little bit of a buzzword that a lot of folks have probably heard in a bunch of different contexts. Help us unpack it a little bit. What do we actually mean when we talk about cybersecurity threats and cybersecurity prevention, I guess?
Jojo Maalouf 05:05
Very good question, right? So, I mean, let's kind of simplify things, so we obviously have these adversaries, right? And these adversaries are trying to get into organizations networks. We hear a lot of the sensitivity or the criticality of information, so they're trying to obtain that information. And, you know, can they look at potentially monetizing that? Really what we're kind of trying to do, or what cyber security is, is, if you think about it, we have these bad guys, these adversaries. They're trying to get into organizations they possess or introduce some sort of level of risk. What we are trying to do as people in cyber security is defend those organizations from those risks and those adversaries. So, in order for us to do that, we need to put together a program. We need to make sure we have the relevant controls in place, because, at the end of the day, what we're trying to do is mitigate that risk to an acceptable level where the business can run.
Trevor Freeman 06:07
Yeah, totally. And who are these threats coming from? Like, we hear a lot about state sponsored groups for profit, hackers. There's sort of that hacktivists, kind of ideologically driven group. Who are we worried about in the in the energy industry?
Jojo Maalouf 06:20
You know, it's very good question. I think, to be honest, you, I think we worry about all of them. I think from from our perspective, threats are threats. And obviously, depending on the magnitude of those threats and where they're coming from, they could potentially possess or introduce a different type of risk. But the reality is, they all introduce a level of risk. Yes, we are worried about state sponsored entities. You know, we've seen what's happened throughout the years. It started out in Stuxnet with Iran in 2010 we've seen what's happened with Ukraine in 2015 the end of day, what are we trying to protect? We're trying to ensure that a cyber-attack doesn't actually impact our ability to deliver power to our customers. What we are seeing now in the industry, obviously, is that adversaries are understanding that they can really monetize this, right? So, we're seeing the exponential growth of ransomware throughout the years. I remember back in 2016 when a major Canadian university was asked to pay a think approximately a $35,000 ransomware. Where we looked at that in comparison in 2024 where the average cost of a ransomware attack is just under $5 million. So, it's a billion dollar industry, right? And it's only growing. You know, I'd say the threats are coming everywhere, but you're definitely seeing the monetization aspect of it growing exponentially.
Trevor Freeman 07:51
Yeah. So, I guess from our perspective, it really doesn't matter what the motivation is. If someone's getting into our systems and sort of impacting our ability to do what we do doesn't matter what the motivation is. It's a problem for us, and we try and guard against it.
Jojo Maalouf 08:05
Correct. I think, I think people are very highly motivated now, whether it's for it's ransomware, whether it's state sponsored, I think entities, or I would say adversary, sorry, are definitely highly motivated. And it doesn't really change our approach. So, you know, the energy sector needs to make sure that they do what they can to protect the systems.
Trevor Freeman 08:23
Yeah, fair enough. So, we've talked in the past on the show, and in my intro, I talked about grid modernization, and this sort of evolution of our grid, and the technology on our grid to have more and more connected devices out in the field, and the amount of data that's flowing on our grid is increasing. Obviously, there are many benefits to this, but inherently that brings a degree of risk as well. Can you talk to us about the risk that their grid modernization brings, and sort of how we're thinking about that?
Jojo Maalouf 08:58
So, Trevor, I think you said it well when you said more and more devices are connected now. So really, what ends up happening every time we add a device that's connected, it increases the organization's risk profile. So ideally, what we want to be able to do is we want to manage exactly what that those entry points into potential organizations are. So, every time I add a device, I have to think that it increases that attack surface to a degree. So, I mean, you've talked about what grid modernization can do. There are many capabilities I think that's going to benefit organizations. But I think as this happens, we need to ensure that cybersecurity risks are managed to ensure that that risk profile is managed to an appropriate level.
Trevor Freeman 09:48
How prepared is the energy industry to respond to and to recover from a major cyber-attack, if one were to happen on the power grid?
Jojo Maalouf 09:57
Honestly, I think that the energy sector as well. Prepared as a critical infrastructure entity, the energy sector has the benefit of dealing a lot with government partners. So, I think what you want to do as an organization is you want to build that trust, that ecosystem of partners, whether it is through public and private relationships. But I'd say from a critical infrastructure perspective, there are very good relationships with the industry, very good relationships with government partners. I think testing organizations resiliency has been in play now for many, many years. But I think from a cyber perspective, I think it's something where organizations continue to be prepared, continue to do some of the appropriate testing, you know? And I'll be honest, I say it's, it's, you never want to be complacent, right? And I think what we've learned over the years is threats are evolving. Threats are changing. The industry is always going to be susceptible to attacks.
Trevor Freeman 11:00
Are we collaborating and working with other stakeholders? I mean, both at the sort of other utility level, you mentioned, governments and regulatory bodies, are we collaborating with those other entities? And sort of in line when it comes to cybersecurity?
Jojo Maalouf 11:15
There is a lot of collaboration that occurs within the industry, whether it's in Ontario, you'll see now that the regulator, the Ontario Energy Board, you know, there is the Ontario cybersecurity framework that has been in play now since around 2018 even at the national level there. Here are many different bodies where, you know cybersecurity, like critical infrastructure protection is paramount, as discussed regularly, and then obviously there's the government agency. So, there's a lot of collaboration that goes whether it's from the provincial, the National, and then the government side as well. And I mean, I think you need those relationships, right? You need those partnerships to help.
Trevor Freeman 12:02
Yeah, we're not we're not a lone utility kind of figuring out on our own. We're working with our partners and our peers to figure that out. The other kind of area of emerging technology that I want to talk about is, AI, artificial intelligence and sort of machine learning. Are we using those technologies? Or do you see us using those technologies in the future to sort of enhance the cyber security of our grid and our assets?
Jojo Maalouf 12:29
Yeah, I mean, I think obviously artificial intelligence, machine learning, seems to be the 2024 theme. The reality is, is a lot of technologies have already adopted, whether it's AI or machine learning, into their into their solutions. You know, I think the whole Gen AI aspect is growing, and it's something that I think is going to benefit everybody in the industry as well. The unfortunate thing is, is that I think adversaries are going to be able to use these technologies as well. You know, whether it's to paint a better picture of an organization, maybe to customize some attack patterns, but I think it's something where we have to embrace the technology. We have to use it in our, I would say, in our toolkit, but we're very much cognizant of the fact is that adversaries are going to be using these, these tool sets as well to potentially target organizations within the energy sector.
Trevor Freeman 13:33
And are there specific things that you know, speaking as the local distribution company, specific things that our customers can do or should be aware of? What's the role of our customer when it comes to cybersecurity?
Jojo Maalouf 13:46
It's a very good question. I mean, from a from a customer's perspective, I think customers need to realize the importance of their information. So, I mean, the reality now is a lot of adversaries are targeting people directly because they want their information. Their information. Their information is valuable. So, I think as a customer, what they want to make sure they do is that they do what they can to protect their information. So, some very simple steps that they can do make sure you have a complex password that only you know, that's not easily guessable. The other thing is, you don't want to use that password across multiple systems. So, what's the best way for you to be able to manage all your passwords? Invest in a password manager. There are free solutions out there. There are other really good solutions that are at a fraction of a cost as well as that password. What you want to make sure you do is you have multi factor authentication attached to it. What that really means is it's a second level of authentication that's going to challenge you to make sure you are who you say you are. It could just be an application that's installed on your phone. Think those are really some really good ways that you know a customer can use to protect themselves. I think even investing in credit monitoring is really good because. Is the last thing you want to do is an adversary to target you, steal your information, then all of a sudden, are starting to open up accounts in your name, right? So credit monitoring is another really important one. So, I mean, I think those are some really basic ones, but I think that they can go a long way to protecting a customer from threats. There are some really good online resources that they can use. Public Safety Canada has their get cyber safe website that provides a lot of information for, you know, everyday residential people or customers, sorry, steps that they can take to protect themselves.
Trevor Freeman 15:33
And for our listeners that kind of are thinking like, Oh, I feel like I've heard that before. I think you're right. You have it is those basic steps that really can protect us. And just so that everybody knows this is a focus of us internally as well, all employees of Hydro Ottawa also have a focus on what can we as employees do in order to make sure we're protecting our systems, we're protecting our data, and all the things that JoJo mentioned when it comes to password integrity, conscious of protecting our data. We're focused on that on a day-to-day basis as well. Jojo, thanks very much for taking the time to talk us through this. It's something that is maybe a bit adjacent to the energy transition, but so important as we increasingly digitize our grid, digitize our systems, as I mentioned, add more data points. We can't sort of leave cybersecurity behind. So, I really appreciate you taking the time to join us today, as our listeners know, and as you know, we always end our interviews with a series of questions to our guests. So I will jump right into those. Jojo, what's a book that you've read that you think everybody should read?
Jojo Maalouf 16:39
Yeah, good question. I'll give you two books, especially within the context of cybersecurity. You know, we did briefly mention Stuxnet. A really good book is by Kim Zetter. It's called Zero Day, and it basically depicts what happened with Stuxnet. Really informative. It's actually really good read. It's not necessarily technical, but just goes to show kind of how cyber warfare was actually built. Another really good one is from Andy Greenberg. It's called sandworm, a new era of cyber war in the hunt for the Kremlin's most dangerous hackers. Another really good read as well. So, I think those are two books, I would say, in the cybersecurity context, that I think are really good reads.
Trevor Freeman 17:29
Nice. Same question. But for a movie or a show, is there a movie or show that you think everyone should have a look at?
Jojo Maalouf 17:36
I'm actually really into Yellowstone these days, right? So, I'm gonna give that props.
Trevor Freeman 17:41
Nice. That's a good one. If someone offered you a free round-trip flight anywhere in the world, where would you go?
Jojo Maalouf 17:48
Good question, I think right now where I am, I'd probably go anywhere, either in the Alps or in the Dolomites, to ski.
Trevor Freeman 17:56
That's awesome. And our last question, what is something about the energy sector or its future that you are particularly excited about?
Jojo Maalouf 18:04
To be honest with you, I What really interests me and what I'm really excited about is, think the evolution in change into we are now a technology company, And I think what we're where the energy sector is grow is, is moving towards, is really exciting. You know, I think over the years, it's been a very siloed approach to the way services are driven or given where I find now, its very technology focused, right? And I think that's very exciting times.
Trevor Freeman 18:39
Very cool. Well, JoJo, I really appreciate your time today, and you sharing your insight with us, and thanks for coming on the show.
Jojo Maalouf 18:46
Thank you, Trevor, it's great being here.
Trevor Freeman 18:50
Thanks for tuning in to another episode of The think energy podcast. Don't forget to subscribe wherever you listen to podcasts, and it would be great if you could leave us a review. It really helps to spread the word. As always, we would love to hear from you, whether it's feedback comments or an idea for a show or a guest. You can always reach us at think [email protected].