2017 Cybersecurity Workshop: Cross Cutting Panel - Video Text Version

Below is the text version for the video 2017 Cybersecurity Workshop: Cross Cutting Panel.

Bret Sandberg: Well, FERC should regulate what is important on keeping the grid up. If you have a distributed energy resource, such as a battery, a lithium ion battery, these things are sitting out there, and they can – essentially they're a bomb waiting there, so you have to have security on it. So you have to regulate the security of it and the reliability of it. But you don't have to regulate the – whether it's available or not I don't think. So there's certain things that the grid wants, and there's certain things the grid needs and the customers want. But some are higher than others on the chain of what's important.

Erfan Ibrahim: Very good. Okay, Mitch, since you are on this side. So Mitch, let's say that you were invited to 1000 Independence in Washington, DC, the Forrestal Building, and you were sitting with program managers of the Energy Efficiency and Renewable Energy Program within DOE. And traditionally, they haven't done much with cyber security. That has been usually in the area of OE, the Office of Energy, Electricity, Reliability, and Delivery. So educate them a little bit on the importance of cyber security such that when they fund projects in ERE that they are informed with cyber security, that there's some scope in there. What would you say to that?

Mitch McCrory: I think Mark is still in the crowd. Right? I think we should have Mark actually come out and do that discussion. When we talk about cyber security to enable the grid as we move forward, one of the things we've looked at it is what are the potential impacts of not doing cyber security into the systems, and we've explored opportunities to look at both the distributed energy sources, oil and gas systems, the distribution system, as well as generating systems, and what could be done in cyber security. One of the things you can do with cyber security is you can take down a significant part of the infrastructure with cyber security.

And some people have mentioned, well, they go down for hurricanes, they go down for other type of natural or manmade causes, but we bring them right back up. Or you know, in case of a hurricane, maybe it's a week or two. What cyber does that a lot of natural disasters don't typically do is they have the ability to have persistence within your network. So not only can I take it down through cyber security, when you think you've got it fixed and you bring it back up, I can take it down again.

While that can become a nuisance and become a problem, if you take cyber security and look at what you can do from a physical standpoint with a cyber action where you can take out a switch or transformer that has huge lead time to replace, if you take it down, it breaks, they have to go and replace it. They bring it back up. My guess would be you have at least one other opportunity as an attacker to take that system down again from cyber before somebody realizes hey, this was probably a cyber event. And the things you can do with cyber as far as hiding the exploit and the actual foothold to get back in, it's very hard once somebody is into your system that knows how to use cyber as a tool to actually find in the first time that you go through the system.

So when we look at critical infrastructure, we look at taking down the WEC, what would it take to take down the WEC. And just talk about the financial consequences to Southern California if they lost the WEC. So the consequences I think are strong area to start looking at. What could happen? And Ukraine is a good example of things that have happened, but Ukraine could have been a lot worse, too.

Erfan Ibrahim: Okay, so Dan, you have been summoned to the White House, and you are sitting with the president as well as his national security advisory group. It's an intimate setting. There's no media. And share with them a little bit of what you're doing internationally, especially with micro grids, and try to explain to them how micro grids could potentially play a role in national security.

Dan Gregory: We are deploying micro grids on a commercial scale all over the world at this point. Our largest example is a four million square foot commercial tech park in Southern India. We're actually doing mechanical, electrical, and plumbing, as well as waste all integrated as infrastructure into a standalone islanded system, self contained because of the lack of infrastructure in India. So when we look at that site, we think of resilience as being critical, and within that site, for example, we're engineering 20 megawatt hours of battery storage to secure the power systems, and we're using direct current extensively.

The reason we're doing that isn't just because it's cool. We're doing it because we can get really excellent efficiencies, end-to-end efficiencies with DC systems because we're avoiding all the AC conversions. So what does this really mean from a standpoint of cyber security and resilience within the United States? We can secure very large grid edge loads with high reliability, five nines plus power, better than the US grid standards, with standalone systems today that still play with the grid. There's a critical thing to say here. We have a beautiful architected infrastructure in this country that gives us a competitive advantage in the world in the form of our grid. Our grids, our nine grids interconnected.

But we also have at the edges critical infrastructure that needs more than the grid can support at this point, both with power quality as well as with resilience. So combining the best of the grid with the best of the micro grid technology that's currently available, we're actually able to improve the overall availability of the system in order of magnitude, and provide a level of resilience that just can't be supported by a centralized grid architecture that we currently have.

Erfan Ibrahim: Great. So Candace, you are part of the cyber security program at the Electric Power Research Institute.

Candace Suh-Lee: Yes.

Erfan Ibrahim: And as you know, those of you who may not know, the Electric Power Research Institute is a private sector membership based organization, and it largely came out of the 1965 blackout as well as the oil embargo, and there was a need by the founder, Chauncey Starr, back in the ‘60s that we need to build an organization that does collaborative research for the utility industry, and that's how EPRI has been around for over 45 years. So the question I have for you is you're primarily a research organization for the utility industry. The utilities are largely beginning to deploy Smart Grid and deploy Cyber Security, so they rely more on integrators like SAIC, Accenture, IBM, Deloitte, and others. Make the case now – it's Spring of 2018. You're sitting in front of your advisors of your utilities in Phoenix or somewhere.

Huntington Beach. Wherever you have your advisory meetings. You have to make the case for a technology innovation project for DER security that has a play in five to seven years. Make the case.

Candace Suh-Lee: So actually, I don't need to make the case because I already got the funding from TI on the writing on the technical innovation.

Erfan Ibrahim: Talk about it.

Candace Suh-Lee: Yeah, I'll briefly talk about that because in every – I'm actually in the fortunate position to be able to work with a lot of talented engineers who is working on deploying this DERs, and then working with the utilities and integrators, vendors, to actually pilot some of these DERs, and then get the data to analyze them, and then try to find out the better strategy and policy, the recommendations for the policy as well.

And then what – then the surprising thing for me was that these engineers, they are working – now they're aware of cyber security risk, and they approach us many times, and that we have to include the cyber security requirements in our deployment, and then how can we do that? Difficult part for us is that – is that their understanding of our cyber securities is just the list of some of the checkboxes. So give me the checkboxes so that I can check it off, and then we'll be okay with cyber security. So to make them understand, it's a little bit more than that, and then a little bit more complicated than that is my currently what I'm working with these engineers a lot.

We have to understand what they are trying to do. Their functional requirement. And then to make sure that functional requirement is still working, and then prevent something that is non-functional. Something that is not supposed to happen should prevent. So that's the things, and on a typical day, we found is that the risk, we don't have a very good risk methodology when there are multi-parties involved.

So the TI funding that I receive was actually writing up white paper on the cyber security for multi-party grid. Multi-party here means that it's not only utility to customer and then regulators. They're regulators of device manufacturers, and then our wholesale, power wholesale people, and then there are people like integrators and people who bring the – sort of consolidated solution and put it into the grid as well. So all these people are involved with it, and then how – where is the risk actually? Who is actually taking the risk? Who is responsible for the risk?

So that's one of the things we're looking at in with it this white paper, doing the proper risk modeling for multiple [inaudible] grid. Next thing is looking at the security model. We need a slight [inaudible] security model, then somebody just telling utilities to you have to do all this, and anybody who is working for you, you also need to do all this. Because the mark and model changes. Utilities don't have too much control over what's happening on the customer side, and then the people who is putting the solar panels on the roof anymore. So that is – we have to have a different security models.

What we're looking at is a little bit looser [inaudible] collaborative security model, trying to develop that so that everybody gets to have to do their share of cyber security. And then if they don't do that, the risk goes to the parties of who failed to do that instead of customers and then utilities all the time. So that's two areas of important part that we are – we got the TI funding. And then we – I successfully convinced them to support me. That's coming next year, 2018. We are shooting for second half of the – of about half of June/July timeframe. So please keep in touch with us.

Erfan Ibrahim: Wonderful. Now let the record show there was no collusion with Candace. I had no idea she had won this TI. I just thought it would be a good idea to have a TI project, and she is two steps ahead. So great. Okay, Rob.

Rob Hubbard: Yes, I'm still here.

Erfan Ibrahim: So Blackridge has played actively in the telecom industry, some in financial services. Then John Tuot, who used to work for you, ran into me, and I infected him with the energy sector virus, and now you guys are like interested in the electric sector. Imagine you are sitting in front of the VCs who have invested in your company. You have to make the business case of why some additional resources should be spent in your company to work in the electric sector. Make the case to the VCs.

Rob Hubbard: Thank you. Well, there's obviously a very large opportunity with the grid. It's as I've heard, there's a lot of transition happening within the infrastructure. There's many protocols that you guys are using. There's many technologies. So what we're really looking to do is try and create some cohesive capability within the infrastructure. So one of the areas we really want to concentrate on is obviously our technology we've built out is around network security and protecting high value – I call them high value networks. So we already work with the financials.

We work with the government, with DOD, to protect the internet based on effectively something we would describe as a caller ID. So in order for us to get further embedded with NREL and really the grid, we should be looking at lower layers around IIoT where we are spending time and looking at our call technology is based on identity. So we need to abstract away the concept of there's an IP and a MAC address, and we really need to think about end systems having unique IDs.

And those IDs associated with identity can be associated anywhere within an infrastructure. And as we build out this infrastructure, we already have segmentation, microsegmentation happening with our product and our portfolio. What we really need to do is we really need to bring more resources to bear around IoT and embed some additional functionality from our product. We already have client software that runs on Linux and Windows today, but we're looking more at the embedded space. So I'm thinking probably ten more resources and $50 million would be great. So if you can throw that my way, that'd be good. Thank you.

Erfan Ibrahim: Okay, so Mitch, you're next. Now Mitch, you have a lot of experience in the nuclear sector with Sandia National Lab. So I want you to tell an audience – let's say you are doing a TEDx talk. You've been invited. And these people are kind of lay people, but they're interested in new ideas. So share with us some of the lessons learned from the nuclear sector as it pertains to cyber security and inertia in the modern context of DER. Share your wisdom.

Mitch McCrory: So trying to take the largest generating systems and make that tied to distributed.

Erfan Ibrahim: That's correct.

Mitch McCrory: That's a challenge in and of itself. What we look at for nuclear power is a base load. You know, their base load capability that allows some stability to the grid, provides a lot of stability to the grid. It also allows some of the DDR to actually come into the system and use nuclear power for the baseline loads, frequency control, and some voltage control. And so baseline loads I think are important in the long run. Large baseline loads as well as the clean energy side of nuclear with DDR in a lot of cases.

When we talk about lessons learned in the nuclear sector from cyber, I don't know how many of you are familiar with the NRC and the rules that they use to govern nuclear power. There's a CFR. If you take a look at the cyber security policy of nuclear facilities, they are way ahead of the industry. All their control systems are protected by diodes that shifts the main attack vectors from somebody sitting in a basement, hacking into the system, to an insider or supply chain type of attack. But what we've learned from the regulatory side of the house is the rules that they put in place, 10CFR71.53, I think that's right, they put a regulator out on how to do that.

So they have to protect everything that has reactor safety significance, anything related to security and anything related to emergency preparedness, so those systems that can affect those. And when the regulator first put those rules out, they thought there would only be what they considered a couple hundred critical digital assets at most at an [inaudible] facility. And then they used the NIST guidelines, 800-53 and 800-82, as the main source of requirements for that. So fast forward to today to the Vogtle nuclear power plants. They are fully digital plants that have over 6,000 critical digital assets now defined, way more than the couple hundred NRC thought.

You add all the requirements of the NIST standards to them. They have millions of controls they literally have to look at for their nuclear power plants. And what that has driven the industry to say is we can't afford to do that. It doesn't happen. So what EPRI has done is started a risk based program that's now how can you look at consequences and move back from whatever those consequences would be, whether they're business, financial, environmental, or protection, and create a risk based framework to find out which of those 6,000 critical digital assets really have an impact to the facility.

And so that type of mentality in the risk based approach to looking at cyber, understanding where your critical components are, and then protecting those I think is something that can be applied to the distributed energy sector. And we're looking at how do we regulate that. What really matters?

Erfan Ibrahim: So Dan, your turn. You've been invited to Puerto Rico after the devastation of this hurricane. Only 11 percent of the people in Puerto Rico today are getting electricity, and less than half of the people are getting fresh water. You are deploying micro grids in places all around the world. Share with the people who are running Puerto Rico as well as the electric utility, what can you do as a short gap measure while they bring up their electric infrastructure that may take 18 months or two years?

Dan Gregory: Wow, fantastic question for me. We are engaged in Puerto Rico. We're shipping 24 gen-set based micro grid systems down there this week. So we're very involved in it. But having said that, we proposed a more long-term solution that could be deployed very quickly in the form of what we're calling a module electric generator, MEG, and the idea is it's basically a power system in a shipping container. And it can be lifted by Sikorsky helicopter and dropped wherever we need it. We have these in production with Schneider Electric out of Ohio. So we proposed that we put these in because what we want to do is put solar batteries, all the power electronics in place, to enable immediate energy at critical sites where there may not be gas right now.

There may not be any kind of fuel available, diesel or natural gas. The island does have a lot of those resources available, but not necessarily deployable throughout the island at this point. It's getting a little better, but it's still not there. So the idea is put the solar in quickly, and when I mean quickly, I mean within two weeks, we can drop 188 kilowatt peak output power plants wherever necessary, and deliver high quality regulated power to whatever load is necessary. By tying it in the mains at a facility, or by distributing DC with some new technologies that actually touch safe.

So this really gives us a whole suite of options to very rapidly deploy energy resources starting with solar, but each of these [inaudible] can take up to five resources, AC or DC, single phase, three phase, pretty much any power system frequency reasonably. And normalize the whole thing onto a regulated 3D volt DC bus. So basically think of a Chevy Volt that you take apart and turn into a stationary power plant. We have designed that. It's in production and available for Puerto Rico. It's interesting though. In the panic, people are just saying, “Just get me the gen-sets, and we'll deal with the rest later.” But the gen sets don't do them any good because there's no fuel.

So it's a very frustrating situation to see, but it's one that we're working hard to resolve.

Erfan Ibrahim: Wonderful. Chet, you're next. So Chet, you have reinvented yourself multiple times over a long professional career. If you have been at Raycam and at this conference in one lifetime. Here is the new generation. You've been invited to a community college, and you're supposed to inspire this new generation. (a) To learn from your mistakes, and (b) guide them a little bit about what they should be doing in the energy sector so they can be impactful.

Bret Sandberg: You guys have a great opportunity. Smalley, the guy who did carbon nanotubes, put together a list of things that were challenges for humanity. And they were force ranked that the ones on top could solve all the ones under. The top one was energy. The second one was water. So you have a great opportunity to participate in these. Now I've – I have reinvented myself a number of times, which is very – been very exciting, and I would suggest that you always want to be open to new things. Just as we were saying that today's standards solve yesterday's problems, you have to think ahead, and what are going to be the problems – the next problems we want to solve. I have one foot in the electrical and the things – I have another foot in the petrochemical end of things.

That's what's happening in the petrochemical business was referred to before. We call it the great crew change because everybody is – all the monkey wrench people are retiring, and all the new people want to look at the computer screens. But I would recommend go into the field as much as you can, play with the hardware, see what it does, and understand it not only the computer systems, but also the hardware that it's connected to.

Erfan Ibrahim: Great. Okay, Candace, you're next. So EPRI has facilities in Palo Alto, in Knoxville, Tennessee, in Charlotte. I believe there's some little operation in New York near Albany. So let's say that you are in front of the folks who advise the governor of Tennessee. Okay? These are the people who advise on technology environment matters. And you want to initiate a movement like EPIC in California for Tennessee because you have an office there. You can work with them once they initiate it like you're doing in California. Motivate these people in Tennessee to put together an initiative to revolutionize the electric grid in Tennessee because of all the hurricanes and everything that has impact.

Candace Suh-Lee: Well I think in my 15 year career in utility industry, the changes currently happening is one of the largest that I observed, the current – it is the DER and the distributed energy resources, and the distributed controls. Also all the sort of – rather going away from the central control and putting into the very close – the generation very close to the consumption of course, that seems to be the trend that we're to – probably work correctly that we definitely increase the reliability significantly.

But that means we have to work – it has to work correctly, a lot of study has to be done. Because I'll agree as you are aware know is that it is not designed that way. There's a huge possibility and then huge opportunity to actually turn around these challenges, and into make it into a very good opportunity for the future generations, and then it'll increase the reliability and resiliency of the whole grid. Important part is though we have to find out how to do it properly. How – and then a lot of studies has to occur to strategically where do we actually deploy these DERs. Also how to secure them correctly of course. Also how to regulate them.

How the market has to be changed and designed to be able to actually support all these new challenges and technologies. Not really stifling them, but actually encouraging them into the right direction. So to do all this, we really need to have a lot of our studies done involving all sort of different people who is engaged in this industry, and then something like EPRI in California will be very important in Tennessee as well, and having that ground work of studies for the electrical engineers, ICT people, security people getting together and having great body of work and the studies done will be very important step for the future of Tennessee's grid.

Erfan Ibrahim: So Rob. You know a thing or two about the internet protocol.

Rob Hubbard: Some.

Erfan Ibrahim: For those of you who may not know, there's no such thing as the internet protocol. It's a collective noun, actually. For those of you who are intimately involved in its development. The Internet Engineering Task Force has a series of requests for comments that created the internet protocol, and the version that you see now is Mr. John Chambers' view of the internet protocol. The RFCs through their friends and family, they got them approved, and it's a subset of the larger internet protocol. So we're seeing a particular incarnation of it.

Now because Cisco has a very large market share in this business, Juniper has kind of gone along with it, too, in terms of the protocol. But when you start looking at the routing protocols, then there are some open de jure standards, and there are some de facto standards. Like IGRP and EIGRP that are Cisco emanating are more what we'd call de facto standards because of market share. OSPF, BGP, those types of protocols are more open. So that's just to warm you up so you're ready for my question.

Rob Hubbard: I'm nearly there.

Erfan Ibrahim: I'm going to give you a case study of small to medium size co-op, electric co-op, that has such revenue problems that they can't support a large enough OT/IT staff. Realizing that they have to continue delivering electricity, Siemens was knocking on their door, they kept ignoring it. Siemens kept knocking on the door. Finally, they said, “Okay, who is it?” They said, “Siemens.” What are you offering? SCADA in a cloud. They're like, “Huh, SCADA in a cloud. What a concept. You mean I don't have to support my IT/OT staff? I can just outsource it and have TLS and MQTT and all the nice DDS and everything else going back and forth?” Tell us. Utility that you went to was faced with this reality, and someone offering SCADA in the cloud, what can you do with Blackridge to help allay some of their cyber security concerns.

Rob Hubbard: Sure. That's a really good scenario. It's very real. So Blackridge, in that context, what we can bring to the table is really – we describe high value networks. So some people might talk about financial. You can talk about chemical plants, nuclear plants. How do you actually fine grain protect the network, your infrastructure? So what we bring to the table is the ability to cloak the network as we describe it. So we are like M&Ms candy and you've got the candy on the outside. So we basically are protecting the network from the outside.

So you as a grid macro grid provider, what we'd actually do is be able to infinitely protect every resource from a TCP transport perspective based on identity, and what we'd allow you to do is ensure that any resources that are touched by third parties, internal people, B-to-B type connectivity would ensure that only specific users would be able to touch those devices or those services. So really protecting to a fine grain perspective on a flow basis. So you guys are all familiar with TCP. So fundamentally what we're doing is for every flow, we're making a decision based on your unique identity, where you can go in the infrastructure, when you can go in the infrastructure, how you can go in the infrastructure.

So I talk about talk to the hand, which is the five Ws. Who, what, when, where, why. So I've heard this statement. So we're really bringing a level of intelligence that John Chambers in fact – I worked at Cisco for several years, and I worked at Juniper for several years. So this technology allows effectively a nerd knob in the initial flow and flows to allow you to identify who this person is and what they can do within your infrastructure. It's very important. In fact, it goes – it's very far reaching for think of just the shim within the network.

So where that packet is flowing across switches or routers or in the cloud, you can have intelligence at each point to evaluate should you go past yes or no, past the go point. You can actually terminate the flow real time. So people that – all these bridges you've seen in the industry, it actually makes me cry because I'm kind of saying look, we have what you need. We can prevent data exfiltration. Sub-second. That means I've had a breach. You accept. You're going to be breached. But how do you stop data leaving your infrastructure?

How do you stop leaving say Europe to US around GDPR requirements? You may have some requirements there. So the technology is extremely strong and actually has something called trust level as well, so we can actually give different levels of trust to your users or your third party consumers, and basically we can protect you from the network perspective to a high degree. So if the third party, Siemens, are coming along, we would make a very good complementary piece to that to control all the resources in the infrastructure you can get to.

Erfan Ibrahim: Wonderful. So we're going to conclude with Mitch. He'll have the final word. So if you remember the movie The Graduate with Dustin Hoffman, there was a scene early on in the movie where Mr. Robinson, who was their like next door neighbor, was at a reception the same day of his graduation. I think it's 1965, it's Berkeley. He comes out, and Mr. Robinson puts his arms around Dustin Hoffman and says, “Son, the future is in plastics.” Mitch, the EIA forecasts for 2030, 2040, 2050 – this is an organization within DOE, shows that in order to achieve our carbon targets, there is definitely play for energy efficiency.

There is play for renewable energy and demand response. But nuclear continues to stay at a 19, 20 percent level well into the century. Now we know that the centralized power plants that were built in the ‘60s and ‘70s are going to reach end of life. And we also know given the price tag of large centralized nuclear power plants that it is very difficult for even a large scale utility like Duke Energy to be able to guarantee the construction of a large power plant. So given this, can you imagine a future where small modular nuclear reactors could be a distributed energy resource in a subterranean facility connected directly at medium voltage to a substation? Talk about the merits of that from a cyber and resilience perspective.

Mitch McCrory: So small modular reactors. I don't know how many of you are familiar with where the technology is going. There's a lot of different technologies. One of the proposals is subterranean. There's other technologies that potentially go with it, such as the Brayton cycle, which helps them limit the amount of water they actually consume, so that creates a very attractive opportunity to actually move these type of reactors away from water sources, where they absolutely have to be today, to areas where there's much less water.

Putting these things in multiple areas now become sites of concern. They're underground, so theoretically, security becomes – physical security becomes easier to do, a little bit cheaper, but the cyber security aspects still remain. They still have to communicate. They still have to connect to the grid. From a cyber standpoint, not a whole lot changes.

And so when you take a look at the opportunity, though, to move them to places around the country to actually even move something even if it's not below ground, to move a small modular reactor on a barge to Puerto Rico or the opportunities, there's a lot of things where you can bring a 300 megawatt plant or a 600 megawatt plant. You can create a potentially an economy of scale. I think the – with some of the advanced tolerant and resistant fuels, the actual risk of a reactor incident becomes a lot lower.

And so they become more attractive in some places, especially if you can build more than one or two or ten at a time. The economy of scale becomes much greater, especially if you, again, don't have to design them to exactly the geographical location that they're going to be installed because that basically makes all reactors, even though there's several versions of reactor, basically makes them all custom. And so that's an opportunity in the future for putting some of these alternative power sources with almost zero carbon footprints into the area. What was the other half of the question? The resiliency. Yeah.

And so the resilience of the system is you do get a 300 or 400 or 600 megawatt load. That is not the same thing as putting in 3,000 megawatt plant in place. But they do help a little bit with resiliency. They run very well. They're highly reliable. And so you can expect them once you get them connected and into the system that they are going to be available, and as a maybe small base load to a micro grid or a macro grid, something in that area, they can serve as a stabilizing force to a much larger area than these grids are currently set up to do now. So you might even see a couple of them around say in LA area where they would be the stabilizing force for a lot of these solar and other distributed energy sources, but have a very small impact to the grid or very localized impact to the grid.

Erfan Ibrahim: Wonderful. So I'll entertain two questions for the audience, and then I'll say a concluding remark, and then we'll go to our next presentation. Yes?

Male (audience): Hi, this is a question for Candace. This is Matt Futch from NREL. I ask a question for you Candace on your risk project. It was very interesting, and I think we all share this kind of framework on risk is a good way to think about this issue. When you think about risk within your project that you're going to be performing with all your clients, is the perceived or outcome about financial and operational risk – what's the penalty or the – what is the locus of control with regards to risk go? What's your view on that, and what would you say to the regulatory community which I come from in the past, who pays and how much and how are you going to deal with that issue in your project? Thank you.

Candace Suh-Lee: So the project is in progress. We are having a lot of discussions around that. A dialogue around that. But so the risk – so risk to what is the question. There are many risks – many things we are trying to protect, and revenue is one of them. Financial risk is one of them, but in the perspective of our traditional critical infrastructure sector idea is that creative liability is one of the top concerns for the utilities, as well as – because the DER involves a lot of customer involvement in the process as well. So their privacy is always coming as a very important. Not only the people who suggest installing solar over the top of their rooftop, it's more like there are many industrial customers so that utilities you deal with, so their outputs and their consumptions and then a lot of this information becomes very sensitive to their business as well.

So those privacy of data is another risk that we are concerned about. So two top risks is a greater reliability as well as customer data protection, which both – although utilities require as their duty to the public – of course they're concerned about their asset, and then their revenue. And also as you said, when the fact that at the end, a lot of times, the utilities seems to be the one who is holding the responsibility for the cyber security overall, creates this because where other people is thinking – in some sense, taking advantage of the critical infrastructure utilities maintaining constantly, and then also making profits.

But actually not like where the money comes from that when we actually need to really consider about security, and then reliability of the grid as well. So we're considering those aspects of it, regulation is a – comes in handy sometimes when you are thinking about the risk when there is imbalance of the risk, and then actual consequences. Regulation can come, and then actually balance those out just like if one manufacturer didn't do their job, and then went onto bankrupt, and the devices they put in has a lot of vulnerabilities.

And who is going to be taking care of those. And then those things can be – or cannot be actually – cannot be addressed by anything other than regulation. Because a lot of industries, a lot of people are involved, and then we are kind of a – but what we're trying to do is come up with a proper model so that we can advise the regulators correctly, actually the risk – and the cost of the putting the cyber security actually go hand-in-hand.

Erfan Ibrahim: We'll take one more question. Anyone has a question – yes, please identify yourself.

Male (audience): Yeah, once again, Chuck Morris, KBR Wiley Technology Solutions out of Charleston, South Carolina. So I was going to ask the gentleman that you posed a question to about the nuclear power plants. Mitch, South Carolina just went through a situation where South Carolina Energy and Gas and SCANA built – started to build two nuclear power plants and they stopped because of cost. So do you think the traditional power plant model for nuclear is outdated? Because they stated they started with a budget of about $4 billion that they've wasted of the taxpayers' money, and now there's a bunch of lawsuits, and they were nowhere near halfway finished.

Mitch McCrory: Yeah, so that's kind of a tough question. One of the things that we actually just put together for DOE, Office of Nuclear Engineering, was a white paper on the economics of nuclear power. The $4 billion is wasted if they don't build it. If they do find loan guarantees that allow them to restart the project, then in the long run, that utility will likely make some money. But part of the problem is they're not likely to see that until 20 to 30 years after they've built the plant. The plant should go 60 years, maybe 80 years, and so you're looking at something that is very long-term based on current economic modeling, and there's a lot of things driving that, like a regulated or an unregulated market.

So there's a lot of things that might be able to be done from government policy that may make nuclear power more tangible. I also think that 50/80/100 years from now, natural gas, some of the things that have really driven the cost of energy down in the nation aren't going to be as cheap as they are today. So this may be something where the plants are starting to be built too early in the cost of competitive market that we're in today. But they do have a lot of advantages, and so the question we have to come from a policy is what are the roles of nuclear power plants in today's market for a baseline load.

How important are they really? Because if they're not really that important, then there's not going to be an economic driver because there's so much risk with an operator from a financial standpoint and the public sees so much risk to them from an environmental standpoint that the case really hasn't been made is why are they really important to the system.

When are they going to make money? How are they going to make money? And I think some of the new technologies in the small modular reactors where they don't have to be 3,000 megawatts thermal to get 1,000 megawatts electric out of them can make them more plausible I think in the future. They are the way of China, India, and most of the rest of the world. Nuclear power is going to be a huge component of their systems.