Between Two Turbines
The world of energy and the technology shaping it.
Powered by NAES.
Cyber Threats, Human Error, & Grid Reliability - Sean Thompson
Between Two Turbines — #08 | Sean Thompson
In this episode of Between Two Turbines, Sean Thompson, Supervisor of NERC Services at NAES, joins Josh Tate for a conversation about reliability, cybersecurity, and the evolving risks facing the power industry. Sean explains the role NERC compliance plays in protecting the grid, how operators prepare for both cyber and physical threats, and why risk mitigation has become more important than ever in today’s interconnected energy landscape.
The discussion covers everything from internal vulnerabilities and human error to external cyber threats targeting critical infrastructure. Sean also shares insight into the realities of compliance work behind the scenes, how the industry responds to emerging threats, and why maintaining reliability requires constant adaptation across the entire grid.
SPEAKER_02: I have a gentleman who was part of the regulatory agency and he worked as an auditor. And you know, that's a real insider. Yeah, it's invaluable to have someone who can, so he can come in and look at my program and then say, well, look, from the template perspective, we can fix this, we can fix that, or this is good.
SPEAKER_00: And the average power plant, how could they have that kind of resource?
SPEAKER_02: Well, they're only gonna get that when they're doing an audit. Yeah. And that's not the time that you want to get that experience. Right, right.
SPEAKER_00: You don't want to get that bad news then.
SPEAKER_02: Yeah, that's not when you want that feedback. You want that feedback at the beginning of the process when you're building your policies or your procedures.
SPEAKER_00: The world of energy and the technology shaping it. I'm Josh Tate, and this is Between Two Turbines. Powered by NAES. Sean Thompson, welcome to the show. Thanks, Josh. It's good to be here. Yeah, I'm excited. I wanted to start with, first, what brought you to NAES, and just tell me about your time in the industry and, you know, everything leading up to this point.
SPEAKER_02: Oh, sure. Well, I've been with NAES for almost 20 years. This is my 19th year. Before I joined NAES, I was a nuclear power plant operator in the United States Navy. Oh, very good. You know, so I spent six years on an aircraft carrier operating a nuclear power plant. And then when I got out of the Navy, I went and did that job commercially.
SPEAKER_01: Yeah.
SPEAKER_02: It was on the East Coast. I'm originally from just down the road from here. I live, you know, five minutes from the headquarters here in Issaquah.
SPEAKER_01: Right.
SPEAKER_02: And I wanted to move back home. And, you know, the power jobs were a little bit far and few between, and NAES was a very interesting opportunity for me. And so I got a job here at NAES, and I started, at that time we were working to capture information from people who were retiring and develop procedures for them. And so I started working at NAES and writing procedures, operations procedures. I'd travel around the country, go to a power plant, talk to the operators, yeah, see how they operate the plant, document it, build out a procedure so that the next person could do it. And that led me to, in 2007, NERC became an official regulation, a federally mandated regulation. We had one gentleman that was working across the entire NAES fleet, and I took a lateral transition to enter into that industry. I thought, well, this looks like it has some legs, and yeah, I could probably make a career out of this. And you know, 17, 18 years later, here I am doing NERC compliance.
SPEAKER_00: Yeah. I mean, it's a cool journey, I think, going back to the Navy and nuclear. Does the nuclear thing ever bother you? No, no, no, but I think it's a fun thing to joke about. Once I heard in my mind "the nuclear," you know, it's never been the same since, and it always sticks out to me. So, you know, the nuclear story, I talked with Alan recently kind of about some of the history, and I just find it so interesting how we've made these different transitions, and it seems like we kind of stepped away from the nuclear, the new technologies that we're moving to in the future, just understanding some of the intricate problems of, you know, how the transmission system is, what, over a hundred years old. Yes. You're doing the NERC side of things now. Sure. And you know, tell me about what that looks like day to day. You go in, you're working with the plant operators, you're writing up the procedures. What does that look like, and what problem does that solve? I imagine running these plants is pretty complicated.
SPEAKER_02: Well, you know, there are two different types of NERC standards. So we have a group of standards called our operations and planning standards that specifically detail, you know, how you maintain equipment at your facility, how do you know the ratings of the equipment that you have, how are you coordinating with other players on the grid, planning coordinators, balancing authorities. And then we have another section that's cybersecurity, it's called CIP compliance, CIP. And I manage a group of folks that works in that cybersecurity arena. And so really what it looks like is, you know, we'll go out to one of our facilities, or anybody's facility, honestly, and we'll do an evaluation of your compliance posture.
SPEAKER_00: Do you have any, like, horror stories? Anything that you've seen that is like, oh man, we gotta jump in here?
SPEAKER_02: Oh, you know, we see that. You know, I think it's interesting because there's an intent for the standards.
SPEAKER_00: Sure. And so, and they're probably kind of complicated too.
SPEAKER_02: Yeah, yeah, they are complicated. And so some of them are very simple, or they look very simple, and they might not be quite so simple in the application. And so there's a lot of times where you can kind of put together a paper dragon and meet the language of the requirements, but not really meet the intent of the requirements.
SPEAKER_00: And so, and it's not, nobody's necessarily, you know, a bad guy. It's just something that you might not know unless it's explained clearly to you.
SPEAKER_02: No, that's right. You know, as far as regulatory agencies go, 20 years isn't a very long time to actually establish controls and regulations. And so I would think that, you know, NERC's kind of past its baby stage and they're growing into a more mature regulatory structure. But there's still a lot of folks, you know, in our industry at NAES, NAES Corporation, we operate a lot of independent power producers, right? And so the staff may have, two or three years ago, worked for a different company. And so, over 20 years you might work for three or four different ownership groups, and those different ownership groups might have a different take on how important those different regulations are to them inside of their organization. Different take. Yeah, sure. Like so, you know, you have different values that you associate to some of these standards. And so you might have an owner who just wants to sell that power plant in a year and a half, and they're not gonna put in a lot of money to go deal with regulations or deal with issues.
SPEAKER_00: Yeah, when they, something that ends up biting you in the butt later.
SPEAKER_02: Yeah, and when they know that they're gonna go sell it, and so, you know, what'll happen is an owner will hire NAES, we'll go staff the plant to go operate it, and we'll go uncover those skeletons. And, you know, usually it's not good enough for us just to sit and say, well, you have skeletons in your closet. We want to go and look at how we can, you know, pull them out, yeah, put processes in place so that we are meeting the intent of the regulation, yeah, not just the language of the regulation. And then, you know, that adds value for our clients. They look and then go, okay, well, now we're not gonna get a penalty.
SPEAKER_00: So we're like inspectors.
SPEAKER_02: Yeah, our team is larger than that. So we'll go, we'll do an inspection, we'll step in, we'll go evaluate your system. Uh-huh. But then, you know, on the back end, we've developed programs and policies for each of these regulations that we have in a template format that we can go and implement at your facility. And so I might come to your facility and say, okay, well, here's the picture of health at your facility. You're missing these three things. You know, one of them we think is a bigger concern. And at the same time, I would say, well, now I would go and implement this tool or this process that we have to go close that gap.
SPEAKER_00: Yeah. You know, sometimes I see these videos of people inspecting homes after they're built. Those are great new builds. I don't know if you ever see that. Sci-fi. Yeah. And I wonder if it's similar to NAES. Like not all inspectors are the same, you know. Sure. Really having the attention, the detail, and the experience. We've been doing this since NERC began. Yes. And so I wonder, does that give us an edge? I mean, I don't want to be biased, but does it?
SPEAKER_02: Oh, it 100% does. You know, on my team, one, you know, I have a gentleman who was part of the regulatory agency and he worked as an auditor. And you know, that's a real insider. Yeah, it's invaluable to have someone who can, so he can come in and look at my program and then say, well, look, from the template perspective, we can fix this, we can fix that, or this is good.
SPEAKER_00: And the average power plant, how could they have that kind of resource?
SPEAKER_02: Well, they're only gonna get that when they're doing an audit.
SPEAKER_00: Yeah.
SPEAKER_02: And that's not the time that you want to get that experience. Right.
SPEAKER_00: You don't want to get that bad news then.
SPEAKER_02: Yeah, that's not when you want that feedback. You want that feedback at the beginning of the process when you're building your policies or your procedures, so that you can go put them into place, and then when they get audited, it's a minor thing that you have to change or it's a small shift that you have to make to be compliant, not implementing the entire thing.
SPEAKER_00: I can imagine that conversation can be a little rough, like, hey, we didn't catch this soon enough. Sure. No, you should have brought us in maybe beforehand.
SPEAKER_02: Well, and with these cybersecurity regulations, there's a lot of hardware and infrastructure that needs to be installed. There's costs associated with this. And so, you know, if I walk in to your, you know, after I've been working with you to set up your power plant for a year and a half, and I tell you you're gonna owe me $100,000 a year to pay for, you know, a software subscription, that's a pretty tough one to take, right? So, but if we talk about that at the beginning, it's a lot easier to prepare for those, you know, those costs and those expenditures as we're, you know, becoming mature in our programs.
SPEAKER_00: Yeah, definitely. Surprises are never fun. No. You know, and that's why you gotta be proactive with this type of thing.
SPEAKER_01: Sure.
SPEAKER_00: You know, in my mind, and I'm just a marketer, so, you know, I think about these things. Is it just Russia, China that we're trying to defend against, or what, you know, what is the kind of threat that power plants really face?
SPEAKER_02: We don't really think about the critical infrastructure, I think, is a thing, right? And so what we expect is when we flip a light switch that the lights come on.
SPEAKER_01: Yeah.
SPEAKER_02: Right? And, yeah, twenty years ago, power plants are not just power plants, but our general infrastructure wasn't as interconnected as it is right now. And so you're operating a power plant, you have a control system that is connecting your pumps, your compressors, your turbines. And maybe it's talking and sharing a little bit of data to someone outside of your power plant, but it was largely, you know, isolated to your facility, and that's not the world that we live in right now. We live in an interconnected world. And every time we interconnect another device to a network, that creates a security.
SPEAKER_00: It's a new pathway.
SPEAKER_02: That's right. It's a new pathway for us to have to deal with. And so, doesn't that make it hard though?
SPEAKER_00: It seems like there's, you know, a thousand different ways you could, I mean, I've heard of people leaving thumb drives in a parking lot and people pick them up, put them in, you know, and then they're in.
SPEAKER_02: Well, you know, when you ask is it about Russia, is it about China, is it about North Korea, is it about Iran? Well, yeah, those are state-sponsored actors. And you know, their intent is to see if they can get into our infrastructure, lay in wait, and then, you know, use a virus, some malware, to shut your system down so that the critical infrastructure isn't functioning.
SPEAKER_01: Yeah.
SPEAKER_02: And that's really their intent, is, you know, how do we make it so that you can't operate this power plant? How do we turn the lights off for these hospitals?
SPEAKER_00: I would imagine at some of these plants it would be unnerving to be that plant that did get, you know, breached. Yes. And, you know, easy enough for me to say, but I would want to do whatever I could to prevent that.
SPEAKER_02: Well, you know, I think it's interesting because when we talk about cybersecurity, we talk about having an IT and an OT system. And they're typically very separated, and there's a separation between them, but they're both critical to the operation of our power plants. You know, if we can't, the IT system might have some financial data that's associated with it, it's got the day-to-day operations. And, you know, we've been working to secure IT systems, I think, a little bit longer than we have OT systems. Sure. And, you know, it wasn't until the NERC standards came out where we started to build a framework for cybersecurity around the OT systems. Now we have a real framework, it's established, we understand a little bit more what we have to protect. Right. And we can put ourselves in a position where maybe we can catch, if we're trying to meet the intent of the standard, not just meet the language, we can put some controls in place that are gonna possibly detect those attacks in the beginning. More importantly, if we do get attacked, be able to restore our system to where it was before the attack. And then, you know, we have systems in place also to share that information now so that we can prevent other entities and companies from having to experience that same attack.
SPEAKER_00: Yeah. So I mean, on some of the particulars around the security, you know, maybe I think of a security guard as being part of it. Is there an aspect of physical and cybersecurity in it?
SPEAKER_02: Yeah, so the first thing NERC makes us do is identify which cyber assets we have to protect. Right. And so, you know, I think that was a big thing when it started was, okay, well look, we need to understand what we need to protect and what is critical to the operation of our facility. And so we can't do that without having both electronic and physical security. You know, and so, does that mean that you have to have a gate on your power plant? No, not necessarily. You know, we would ideally be able to pull those assets into a building that we'd be able to lock, secure access to. And we want people to know who's going in there. So, you know, we want to be able to authorize access to those types of spaces. But we're gonna do the same thing. You know, it's not just physical entry. Right now one of our biggest concerns is people having remote access, whether they're vendors or people who work at the facility, and then having that access compromised. I think also sometimes people think about cyber attacks, they think it's a big complicated thing, that there's somebody on a computer on the back end that's, like, trying to get in. That's not the case. It's like you said, someone leaves a thumb drive that's, you know, out here, or it's some common sense stuff. Well, yeah, it's an email, it's a phishing email where someone's trying to steal credentials so that they don't have to do the hard stuff. They're gonna get your information, they're just gonna go type in your password. Right.
SPEAKER_00: I think we all envision that hacker in a dark room pounding, you know, on the keyboard interval, but really it's, you know, an email with, they have the right logos and names, and maybe it's one character off. Yeah. And maybe you don't realize that it's hyperlinked because they changed the formatting. And, you know, then it's really, I mean, you have to get clever with it. You know, I think about those early emails of, you know, some prince from some country in Europe or Asia or something. And back then it seemed plausible, but we gotta get smarter.
SPEAKER_02: Well, and now we at NAES, I know, and a lot of other companies, we try to simulate phishing attacks on our employees.
SPEAKER_00: You know, I've failed those before, unfortunately.
SPEAKER_02: Those simulated phishing attacks are very, very convincing.
SPEAKER_00: Yeah, especially when my boss's name is included, because then, I better open this and respond right away, you know?
SPEAKER_02: I just got one. I literally had just had a DocuSign sent to me by my boss, and I signed it, and I got another email right after that from our phishing service provider. And I was like, oh yeah, I just did this. And I clicked on it. And so even IT's person is pumping their fist right now? Yeah, that's a win.
SPEAKER_00: Yeah.
SPEAKER_02: Well, because part of this, you know, we talk about physical security, we talk about electronic security in the NERC standards, but we also talk about personnel training and having tools to make sure that you're providing this cybersecurity awareness training so that people know, don't click on that link.
SPEAKER_00: Yeah.
SPEAKER_02: You know, don't share your credentials with anybody.
SPEAKER_00: Definitely.
SPEAKER_02: Maybe if you're in the airport doing work, get a screen protector so that people can't stand behind you and get your information. You know, I think we think a lot of times about the high-tech ways that people can get at us, but a lot of it's just being careful with your information.
SPEAKER_00: Definitely. Well, I think what I want to end with is just, tell me why you think what NAES does and what we offer is of value. You know, why should a power plant come to us for, you know, CIP, for this critical infrastructure protection?
SPEAKER_02: Well, I think one of the best things about this company is we have so much exposure with the amount of power plants that we operate. And so if something happened, we've probably seen it happen. Beyond that, we engage frequently with the regional auditors. And so we know what a self-certification looks like. We know what the auditors are going to ask for when we're auditing things. And we build out our programs in a way to incorporate that. And so if I go to Power Plant A and I have an audit, it gets shared across 140 other power plants, those lessons learned. And I think that's a real value that most folks at a power plant don't have. They're not working in an environment that has that big of a pool to gather information from. You know, my team has, we've got 23, 24 people working in our NERC department. They focus solely on regulatory compliance. They have time to, you know, track the new things that are coming along, the, you know, what changes are happening. When you're at a power plant, typically this compliance is not your only job.
SPEAKER_01: Sure.
SPEAKER_02: Right? You know, your primary concern is making electricity, having that electricity bring money into the owner, sure, right? And then this is, you know, an additional responsibility. Yeah. You're not gonna have time to go track, you know, what people are learning in audits. Sure. And then when that audit does come, it's gonna be a second job. It's gonna take 80, 100, 200 hours of your time, depending on how complicated it is, to go and provide documentation to the auditor. All of that with the risk of a fine at the back end if you didn't do it right in the front. You know, NAES can give you those assurances that it's been looked at, it passes the sniff test, and it's gonna work for your facility. And so I think that's the real value the article. Yeah.
SPEAKER_00: And it's people that really do care about the job. All the way. And, you know, we have the people working at the plants, and we have the people working with the compliance. You know, we have a spread. It's the amount of knowledge that's held within the company, I think. We really understand how it affects, you know, some of these plants on the other side. And I really appreciate you coming in today, and I loved talking with you. Thanks, Josh. Yeah. Appreciate it. It's cool.