by Stephen Lacey
November 28, 2017

Shayle Kann: Let me ask you a question. What is your most irrational fear?

Stephen Lacey: Great first question. I definitely have a bunch of irrational fears. I think my most recent one is that my new wife secretly wants five kids. She's assured me that's not the case, but I secretly think she wants to build up this giant clan.

Shayle Kann: Right. We're going to find out in 20 years that it turns out it was true.

Stephen Lacey: What's your irrational fear?

Shayle Kann: I have an abiding fear of turbulence on flights, but my particular nuance on it ... I fly all the time, but I have no fear at all during takeoff and landing, which are the two times when planes actually crash when they crash. My fear is exclusively midair turbulence when we're coasting, which is never a problem for planes. What is your most rational fear?

Stephen Lacey: My most rational fear is the rise of artificial intelligence, I think. I'm not talking about the sentient kind of AI that decides the human race should be enslaved or completely obliterated.

Shayle Kann: Right. That's the Elon Musk slash Terminator slash Matrix version of the AI dystopian feature.

Stephen Lacey: Yeah. SkyNet, Terminator, Judgment Day. I'm talking about a more sly, insidious kind, the kind that pushes large swaths of humanity out of the economy without us realizing it until it's too late. We're already dealing with the political consequences today of this huge part of the country feeling economically marginalized.

I'm not saying that there won't be these extraordinary benefits and super cool applications of AI, but my fear is just as high as my excitement level. I'll admit something, my wife runs a small team of engineers experimenting with automation and artificial intelligence in the world of finance and insurance. So both my irrational and rational fears are pretty close to home, which I'm now just realizing as I talk out loud.

Shayle Kann: Yeah, you should probably-

Stephen Lacey: I love you Sandy.

Shayle Kann: You should probably check on that. You should talk to somebody I think. My most rational fear, and I feel that this is the most rational fear that everyone should have, is the fear of a widespread cyber attack on the power grid. Every single time that I read anything about it or hear anything about it, basically it's somebody telling me that this is a serious immediate threat that we are not prepared for and that could hit us at any time, so I'm terrified about it.

Stephen Lacey: You know, I am too. That's why we're having this conversation today. It's Halloween and since we'd probably get fired if we sat in front of the TV all day, watching Stranger Things on Netflix, we decided to fire up the microphones and talk about a threat that has executives, politicians and white hat hackers trembling, grid security. From Greentech Media, this is The Interchange weekly conversations on the global energy transformation, the Halloween edition.

Welcome to the show. I'm Stephen Lacey in Boston, back in action with my co-host Shayle Kann, who's been taking up the the helm for me. He's had some great interviews while I've been away. He, of course, is our senior vice president and the head of GTM research. Howdy Shayle.

Shayle Kann: Hey Stephen.

Stephen Lacey: You know, no sense in beating around this one, before we actually start the show you've got a pretty major piece of news that you announced in a spectacular piece at GTM this week. Although the news itself is not so spectacular for us.

Shayle Kann: Yeah. I'm, as of the end of this month, as of the end of November, going to be moving on from GTM. I've been at GTM for height and half years. I started in early 2009, when the solar industry in the US was one thirty-sixth the size that it is today. It's been an absolutely fantastic run. I absolutely love the organization, the company, the people. I'm really proud of the work that we've done, but it is time for me to take on some new challenges, so I'm going to be moving on.

But I'm not going to disappear entirely. I'm going to still retain an association or a relationship with GTM. I'll continue to be a senior advisor to the team at GTM, the team at Wood Mackenzie, our parent company, and their power and renewables practice that they're building. And most importantly for this audience, I will continue to record The Interchange. I would continue to record The Interchange even if I had to pay to do it, so I'm not going anywhere on this podcast.

Stephen Lacey: Fun fact about Shayle, he started of as an enterprise carbon analyst.

Shayle Kann: Well, in theory. In 2009 GTM was like nine people when I joined. In 2009 it was really early in the company's tenure. At that time we were already starting to cover solar. We weren't really covering anything else but it looked like carbon markets were going to be a big thing. I was hired initially to be a carbon market analyst.

I had done a fair bit of work on carbon and renewable energy credit markets before joining GTM, but before my first day the company decided to make a strategic turn, or a pivot in startup world, as happens so often in companies that young, and decided that they wanted to double down on solar instead. I got a note prior to my first day on the job saying, "Hey, actually we want you to write a report on the solar market in the US." Not knowing how to be brief at that point in my life I then spent the next six months writing what ended up being a 376 page report on solar in the United States in 2009.

Stephen Lacey: Shayle's rise at GTM to eventually head up the entire research outlet speaks to his ability. We've been incredibly fortunate to have him leading this company in his capacity. We owe a lot to your ability to see trends before a lot of folks. Finding new creative outlets is important. Of course we're sad to see you go but it's totally understandable. I guess I'm the lucky one in all this because I still get to podcast with you.

Shayle Kann: Yeah. It's mostly I just wanted to still have an excuse to hear your voice once a week. Proud to still have that.

Stephen Lacey: Well onward, we're going to take Shayle all for ourselves here on the podcast and we're going to benefit from his continued analysis. If you get a chance, go read his article, which is calling his swan song.

Shayle Kann: The basic thesis is that, as renewable has grown over the past few years and gotten cheaper and cheaper, the prevailing wisdom that used to exist within this sector, that renewables had to get cost competitive before they could ever be taken seriously. We're sort of passed that now. I think everybody takes the idea that renewables are already cost competitive in many cases, and will continue to be more so, as a given.

But I think that it's a false peak, if you're trying to think about the long game future of decarbonization on the grid. Because there's now another mountain climb, which is a new prevailing wisdom about whether renewable energy and adjacent technologies are going to pose a threat to the stability of the grid.

Basically the case that I'm making in there article is that one of the reason that that is the prevailing wisdom is that the markets really haven't adapted yet to enable all these new technologies, be they renewable energy or energy storage, electric vehicles, demand response. The markets haven't adapted to allow these technologies to provide essential reliability services and resiliency, and basically benefit the stability of the grid. They have the capacity to do that already today from a technological standpoint, but the markets don't reward it.

I'm trying to point out a bunch of ways in which you can unleash the future of these technologies even faster that it's already happening now and avoid some of the barriers that we're going to come upon soon if you just look at the ways in which the market was not designed with this new suite of technologies in mind, and figure out ways to redesign it accordingly.

Stephen Lacey: It's really reflective of the changes that are happening so quickly in real time that we're trying to capture on this show. You talked about the worries about renewables causing threats, which does bring us to the topic at hand. Today's conversation is about a combination disaster flick and cat and mouse political thriller, if we're talking in horror movie terms since it encompasses extreme weather, hacking and political espionage.

Shayle and I sat down with a very smart guy, Dr. Paul Stockton, an international security expert who's based in Washington, DC. Calling Paul a security expert probably doesn't do him justice. He's got a lot of credibility on this issue. Currently he's the managing director of Sonecon, where he advises utilities and other operators of critical infrastructure on a wide range of security threats.

Before that he was assistant secretary of homeland defense and America's security affairs at the department of defense, where he directed the agency's response to Superstorm Sandy and the Deepwater Horizon oil spill. He currently sits on the homeland security advisory council. So he's well aware of the security threats facing utilities and the government.

I first spoke with Paul for an e-book that I wrote a few years back on the response to Sandy, which happened almost exactly five years ago. Since then the threats to the grid have only gotten worse. So Shayle, why did grid security jump out to you as an appropriately grim topic on this Halloween week?

Shayle Kann: It's funny, we were talking last week and we decided to do a Halloween episode. You said, "Alright, let's talk about something scary." Immediately, cyber security popped into my head, because it's one of this things that I don't spend a whole lot of time thinking about, as evidenced by the fact that we haven't done an episode on it on this podcast yet. We've done lots of episodes on lots of different things.

To me it's often sits outside. We talk about all these other transitions that are going on that have a big impact on cyber security, but we don't take it head on a whole lot. Despite that every single time I run across something on cyber security, it terrifies me. My natural reaction is to shove it off to the side and think, "Okay, somebody's going to have to fix that. Thank God there are people out there who are working on it."

I think in the spirit of Halloween and addressing our fears head on, it was important to actually understand what these threats are really about and what we can and should be doing to deal with them.

Stephen Lacey: What stood out in this conversation to you?

Shayle Kann: One thing that stood out is that I need to develop cooler terminology for the things that I talk about, because Dr. Stockton uses all these defense terms that I really like, like threat factors and attack vectors and spear phishing. I don't feel like I have cool enough terminology for the things that I write about.

Stephen Lacey: Should we start a hacking podcast then and pretend like we know what we're talking about?

Shayle Kann: Probably. I mean we'd sound cooler than we do now, I'm pretty sure of that. But I don't know, besides that he reinforced for me that there's a real threat, and in fact in all likelihood there are threats lurking already within the power grid there. We've been compromised, utility systems have been compromised. We don't exactly know where. We don't know the magnitude of them.

It may be the scariest thing about what he talked about, is the idea that the attacks that we've seen in the past, the large scale attacks outside the US in place like the Ukraine, they're not really a model to look after to figure out what's going to happen here. Because he thinks that whoever the adversaries are who are attacking us, they're going to save their best stuff for when they really go after the US. So we just don't know what it's going to look like.

On one hand I'm absolutely terrified, and on the other hand he made some good points about what we should be doing and can be doing. He's made the point that there is active effort going on to deal with this, and that perhaps it is actually pretty well recognized, the magnitude of the threat. And while we don't have it completely under control, we collectively know that we need to be dealing with it.

Stephen Lacey: Without further preamble let's go to our conversation with Dr Stockton. We had about 30 minutes on the phone with him from his office in Washington, DC. We caught with him on Skype.

At what point in your career did you realize there were these enormous security threats to the electric grid? Was there a moment in time specifically where those threats became clear to you?

Dr. Paul Stockton: I got a rude awakening shortly after arriving in the Pentagon to serve as the assistant secretary of defense for homeland defense. A few months prior to my arrival the defense science board had issued a study called, More Fight, Less Fuel. That for the time examined the department of defense's dependence on the energy sector, especially the electric power grid that provides electricity to critical defense installations.

That study found that DOD was at risk in terms of being able to ensure that it could carry out its critical functions if adversaries were to adopt a deeply asymmetric strategy. That is, instead of attacking those installations directly, go after the electric power grid on which they depended.

I made it a point of emphasis in my tenure from that very moment, to try to build the department of defense into a more effective partnership with the electric power industry, and began to take into account the risk of this asymmetric strategy, and build the resilience of DOD energy infrastructure inside defense and reach out to grid owners and operators outside defense line. So in partnership we could strengthen the resilience of the grid as a whole.

Stephen Lacey: I was at a NARUC conference a couple years back. I always cite this quote that I heard from, I believe it was a regulator. I actually don't remember exactly who said this quote but it's so good, I think illustrates the problem. He said, "There are two types of utilities. A utility that's been hacked and a utility that doesn't know it's been hacked." I thought that that summed up the situation quite appropriately. Do you think that's accurate?

Dr. Paul Stockton: Absolutely. We have behavior by potential adversaries to day going forward to map the networks of critical utilities, in place if they can advance persistent threats to provide for continuous access to critical control systems, indeed everything that the adversary would need to do in order to prepare the battlefield and be ready at a time of their choosing to attack the grid via cyber means.

Shayle Kann: To dive into a little bit deeper, you've written a little bit about this black energy campaign, that the Department of Homeland Security underwent in 2014. Which identified some of the ways in which we already have been or could have already been compromised. Can you talk a little bit more about what that campaign was and what it found?

Dr. Paul Stockton: Sure. What the Department of Homeland Security and the Department of Energy, and the industry partners discovered was there was a sustained campaign to, in place, advance persistent threats onto infrastructure networks to enable adversaries to come in when they wanted and attempt to disrupt the grid.

But more recently, in fact just over the last few weeks, the Department of Homeland Security has issued a warning that I hope all of your listeners will be able to take a look at. That is, the advanced persistent threat activity in October, that's been targeting the energy sector as a whole. So we need to understand that although black energy was sophisticated at its time and took many, many months to be detected, even with the most sophisticated techniques available to the US government. That is old history.

The sophistication and potential threat posed by ongoing adversary efforts to in place advance persistent threat, APTs, on critical control systems and other network components of the power grid. That's the really we're living in today. So the question is not when adversaries are going to continue to build on black energy. That is going forward now and we should assume that that activity will continue, including by nations such as North Korea, that I used to think were a lesser threat. They're catching up fast.

Shayle Kann: There's this sense from all these existing reports that we've seen that are terrifying. That the grid has already been compromised in many different ways and many ways that we probably don't even know about. But simultaneously, as far as I know, we haven't yet seen an actual widespread blackout in the United States, or brown out, that was driven by a cyber attack. Is that correct? If so, why haven't we seen that yet?

Dr. Paul Stockton: That's correct. The United States hasn't suffered wide area blackout caused by a cyber attack. That of course has occurred to Ukraine, twice now. But the United States has not experienced an equivalent event. The reason is, adversaries who have the capabilities to attack the grid have decided that the time is not right to do so.

This is a card that they're preparing to be able to play in the future if they need to. None of the potential adversaries of the United States are eager for war. Of course the United States has response capabilities, especially in the non-cyber realm, that if a president were to choose could be overwhelming, could be crushing. The deterrents of cyber attacks on the power grid relies not only on our ability to respond in kind, but to use all tools of US power in order to respond. That's why we haven't suffered an attack yet. Adversaries haven't felt the time is right and there is a threat of overwhelming response by the United States should an attack occur.

Stephen Lacey: You mentioned the Ukraine hacks. These are probably some of the most prominent hacks in recent memory. The most recent one I think was last December, that left a quarter million people in the dark. A lot of people believe that Russian hackers helped by the Russian government used Ukraine as a testing ground for a bigger hack on the US. As you implied, they are sort of waiting for the right moment. What do we know about what leads experts to think that this was Russian sponsored and that in fact they're waiting to use this type of hack for the American grid?

Dr. Paul Stockton: I don't believe that's accurate.

Stephen Lacey: Okay.

Dr. Paul Stockton: I don't think they're going to use Ukraine-style threat vectors to attack the United States. If Russia or some other advanced potential adversary is going to strike the United States, for sure they are going to use tools that we have never seen before. They're keeping the good stuff in their back pockets and are not going to reveal their most capable weapons until the attack occurs. Because otherwise of course we could begin to prepare defenses against those more sophisticated threat vectors.

Ukraine is nothing compared to what might come to attack the United States, but I think there are valuable lessons learned from the Ukrainian event that can help us prepare against these more sophisticated attacks.

Shayle Kann: Can you give an example of a lesson we can learn from the Ukraine attack?

Dr. Paul Stockton: Sure. I'd be pleased. One of the features of the Ukrainian response was the ability of grid operators to use manual controls in order to very quickly restore the power systems. Although the outages were widespread, power was quickly restored because even though the control networks and control systems for automated control had been compromised, and in some cases wiped, that is rendered incapable of functioning, grid operators were able to fall back on communication systems and manual operations mechanisms that enabled them to restore and maintain power.

There are some valuable lessons for grid resilience for the United States. I'm not saying we should go back to the way in which the grid used to operate on manual control. I am saying that having fallback communications and the ability to run the grid in some maybe less than optimal way without having SCADA systems, without having industry control systems, that is absolutely essential. Important progress is under way by the power industry in order to make that possible.

Shayle Kann: Yeah. It's interesting, you're talking about the ways in which the increasing digitization of the grid can serve as a hindrance for cyber security, or at least the need to have some redundancy because these systems that we're building are so powerful in terms of the operation of the grid. I wanted to also ask you about distributed energy, and the growth of things like rooftop solar with smart inverters, demand response.

You've written about those and used a phrase that I liked in a report that you wrote, that they present new attack surfaces for adversaries. I think I've also heard an argument on the opposite side. Which is that with increasingly a distributed grid you have less single points of failure. So how do you think about the increasingly distributed nature of the grid, in terms of its impact on our preparedness for a cyber attack?

Dr. Paul Stockton: Distributed generation properly hardened against attack can be very helpful in terms of strengthening overall grid resilience. My concern of course is that in the rush to deploy smart technologies, smart inverters and everything associated with a distributed generation that is connected to the internet and that has in some cases connectivity to wireless systems that are not well secured.

We're opening up attack vectors, we're creating new attack surfaces that adversaries can use in order to take down those sources of generation, or manipulate load in the case smart meters, greatly increasing or decreasing load at the whim of and adversary could present problems for maintaining grid stability. With the internet of things and everything connected and everything dependent on electricity, you could imagine new attack vectors that go beyond distributed Denial Of Service attacks and actually manipulate the Internet Of Things in order to create grid instabilities.

Shayle Kann: Yeah, I hadn't thought about that example but it's an interesting one, just to draw it out and make it more specific. You're talking about, imagine that there are tens of thousands of people in an area who have Nest thermostats or smart thermostats. If somebody were able to hack into all of those and basically turn up the power or turn up the heat or something like that, turn up the AC, for everybody simultaneously, that could cause a spike in load that would then take down the grid in a local area. Do you feel like-

Dr. Paul Stockton: Or flip side, eliminate load and have problems created from the other direction. This is an example of the way that we need to think, that your listeners need to think about opportunities to both modernize the grid, which is essential and has important benefits, but the imperative to build security into these devices right from the start. Because otherwise adversaries are going to exploit them.

Stephen Lacey: If you talk to different vendors they will all say, "We take security very seriously and we're focused on hardening our products to the greatest degree possible." With that said we have seen some occasional software breaches in building energy management systems. Where buildings that are connected to the internet have holes where you could access the elevator systems, the lighting systems, maybe actual energy systems themselves. We've seen hackers experiment with trying to break into Nest thermostat, so far they haven't been remote hacks, you need actual physical access to the device.

But there have been occasions where Internet Of Things appliances, like smart TVs, have been hacked into and they've been the result of a phishing attack. So these things do exist, they seem kind of scattered and limited, but I want your reaction to what vendors are saying. Many of them claim they're taking very seriously security, but I take it that maybe because you know how bad these threats are, you don't think they're taking it seriously enough, or they could be doing a lot more. What are your opinions on that?

Dr. Paul Stockton: I think vendors are by and large taking these threats seriously. The problem is the threats are accelerating in terms of sophistication so rapidly that more needs to be done in order to stay ahead of the new attack vectors that are being created. It's very, very important that you've mentioned spear phishing, because the degree of sophistication of these spear phishing attacks as describe in a recent DHS report on advanced persistent threats this October, it's incredible how carefully tailored these spear phishing attacks are and the degree to which adversaries are going after vendors as a key opportunity to embed malware on utility frameworks.

They're going after the vendors because that's a terrific opportunity for exploitation. It makes all the more important that vendors continue to strengthen the security of their products because they are being targeted as a prime means of striking the grid. These in the DHS report, they're called staging targets. That is threats and malware installed on tools that will provide the basis for subsequent attacks via vendor supplied equipment, services and software.

Shayle Kann: Okay, so now that we're sufficiently frightened, I want to transition to talking about to do in the wake of a cyber attack. You wrote a really great report a little while back that looked at the response in the northeast of the US to Sandy, the hurricane, that actually by coincidence we're hitting the five year anniversary of Sandy right now.

You talked about the response to Sandy, which you were intimately involved in, and the lessons we can take from that, and also the differences between responding to a superstorm that takes out the grid, like Sandy was, versus what might come out of a cyber attack. Can you tell just a little bit in broad strokes about how the response to Sandy worked, and what we can and can't learn from it if we're thinking about cyber threats?

Dr. Paul Stockton: One of the reasons that electric companies restored power so quickly in Sandy is that the utilities right there in the stricken region didn't have to respond only with their own resources. 70,000 linemen and other utility workers flowed to the stricken region from all across the United States, including the west coast and Canada, in order to bolster the resources available to repair and restore equipment.

That is a model of mutual assistance that served the United States very well in Sandy and other storm events. Progress is going forward very rapidly now to build on that model and create a cyber mutual assistance system, so that a utility hit by a cyber attack would be able to turn to other utilities, partner utilities, and get access to resources for repair over and above their own.

But this case of cyber mutual assistance also exemplifies the key differences between preparing for storms such as Sandy and a cyber attack. Because in Sandy utilities on the west coast knew that they could send their scarce repair assets, people and equipment, to the New York, New Jersey area, because Sandy wasn't going to hit them. You can track a storm path, you know where it's going. If you're out of the impact zone, then it's relatively easy to share resources.

Cyber attacks could occur potentially on a nationwide basis. So if a cyber attacks occurs on a utility in one state, those in other states will have to be concerned that their turn could come next in a way that looks completely different from Sandy or any other storm. Secondly, Sandy wasn't malevolent, although it sure seemed evil at the time, especially with the Nor'easter following so quickly on the heels of Sandy.

Mother nature is not malevolent. In a cyber attack we can assume that adversaries will be doing everything they can to monitor restoration operations and intervene in those operations, do whatever they can to disrupt the restoration of power, behave intelligently and adaptively in a way that Superstorm Sandy never did.

Those are a couple of crucial differences, but there's still another difference. Sandy happened to have the US financial system in its crosshairs. That is, Wall Street, everything associated with the US financial system was at risk in Superstorm Sandy. But that was just bad luck, the luck of the draw. We can assume that adversaries, if they attack the United States, will be attempting to advance political goals, to resolve a crisis, do whatever constitutes a war as the continuation of politics by other means.

They're going to attack targets because doing so gives them political leverage or accomplishes some purpose. We should prepare to defend the grid accordingly. Not everything is going to be equally important. Just as president Obama made restoration of power to lower Manhattan a priority in Superstorm Sandy because of the risk to financial markets in the US and the global economy, we need to continue working to ensure that as we invest in grid resilience and prepare to sustain power if cyber adversaries attack the United States, we can do so in ways that sustain service for especially critical defense installations, financial institutions, everything else that adversaries might want to bring down in order to accomplish their political objectives.

Stephen Lacey: As a reminder to listeners, Dr Stockton was the assistant secretary of homeland defense and America's security affairs. He was basically the chief adviser to defense secretary Panetta on civil issues at that time. I want to take what you learned in the process of responding to Sandy and apply that to cyber attacks, because when you were there interestingly right before Sandy hit you and I actually, afterward we talked for an e-book that I was writing on the response to Superstorm Sandy.

You told me a story about visiting New York shortly before Sandy hit to talk about potential extreme weather threats to the grid, and then Sandy destroyed the east coast grid. You were forced to deal with all these issues that the DOD hadn't dealt with at that scope. Here were are, dealing with a lot of theoreticals. We know what many of the threats are, we've seen them enacted in other countries, but largely you're kind of, it seems like you're in the same situation you were before Sandy. Where you're dealing with a lot of potential threats and modeling them, but we haven't dealt with one on a grand scale like we're talking about. How do you apply your thinking, and then your action from Sandy, to how you prepare for a cyber security threat, and then probably respond to it in real time, you think?

Dr. Paul Stockton: Wonderful question. I'm sure your readers are going to have thoughts about this as well. We suffered a little bit as in 9/11 from a failure of imagination prior to Superstorm Sandy. I'll tell you what my failure was, this was my screw up. I did not believe that there would be a point at which the president of the United States would turn to Secretary Panetta with me sitting behind him, and say, "The number one job of the Department of Defense is to help restore power to lower Manhattan."

That I found shocking. I believed and continue to believe that the number one job of the Department of Defense is to fight and win America's wars. But at that moment, in that cabinet meeting, the president of the United States, who's also of course the commander in chief of the United States' military, decided the top priority for the department was going to be to assist power restoration.

That produced scrambling, as you could imagine. It forced innovation. For example, under the terrific leadership of FEMA and the Department of Energy, we were able to work together with the power industry during Sandy to setup an unprecedented public-private coordinating body, the Energy Task Force, in order to help ensure that the DOD assets, aircraft, transportation, other assets, that I could use to help support the response, were going to the places that power engineers and the utilities themselves knew would be most helpful.

That industry effort was led by David Owens on behalf of the power industry as a whole, with terrific effectiveness. But innovating in the midst of an event, that's no way to run a railroad, right? Far better to anticipate before events occur what's going to be required and how we're going to need to move forward together. That's going to be the subject of a study I'm writing now. That is, let's imagine what the future is going to hold and have the contingency plans in place and the government industry collaborative mechanisms that we're going to need in order to sustain power to critical facilities and rapidly restore electric service to all other customers.

Shayle Kann: If you had a magic wand right now and within the bounds of reality could do whatever you need to do in order to convince that utilities and regulators, policy makers, energy industry participants, of the magnitude of this threat and that something needs to be done about it, what would you ask them all to do right now?

Dr. Paul Stockton: I would say, first of all sustain the progress that electric companies and regulators already have under way, and accelerate that progress. I believe that the power grid owners and operators are doing a good job of building resilience against current levels of threats. But those threats continue to intensify and mother nature is still able to inflict potentially catastrophic damage, as we've seen in Puerto Rico, and as we definitely would see in a New Madrid seismic zone earthquake, or Cascadia, or the other areas, for example in California where catastrophic earthquakes could cause liquefaction of the ground on which critical substations and other equipment stands and would produce devastating effects.

So let's continue to plan for this, let's make sure we have the equivalent of a design basis threat. That is, an understanding of what is a threat that we need to be ready to handle, and build the contingency plans and make the investments necessary to prepare for those kinds of events. That's going to require tough discussions on priorities, on cost recovery, on everything else that's going to be required for progress.

Let me give you a prime example. There are a lot of investor owned utilities out there, right now, who are going to be in the bull's eye of adversary attacks attempting to take down the power grid. But that's not why shareholders bought their stock, that's not why their board of directors are focusing on the issues for day to day profitability. Because of the nature of the modern world now, private companies are being targeted for attack in a way that's unprecedented and needs creative thinking in order to provide for prioritization, cost recovery, everything else to invest against the attacks to come.

Stephen Lacey: Dr. Paul Stockton is managing director at Sonecon, a government economic and security advisory firm. Before that he was assistant secretary of homeland defense and America's security affairs. Paul, I want to thank you for your time, although I don't know if I should thank you fully because you've sufficiently scared me. But we are really appreciative of you taking the time to be on the show. Do you have any final words to help us sleep at night?

Dr. Paul Stockton: Sure. This isn't a time to be scared, it's a time to be aware and to build partnerships between the private sector, government agencies, non-governmental organizations, everybody is a stakeholder in the realm of grid resilience, and make progress.

Stephen Lacey: Okay, that's all for the show folks. Shayle, one last question for you. Are you more or less scared after this interview?

Shayle Kann: I don't know. I was already pretty terrified. I would say I'm right where I was. I'll sleep in fits tonight.

Stephen Lacey: I'd say your rational fear is pretty damn rational.

Shayle Kann: Thank you, thank you. Yeah, I hope your AI fear is not. What about you, how do you feel now about cyber security on the grid?

Stephen Lacey: I'm definitely fearful but my fear is easy to discount because I think I suffer from that lack of imagination problem, because we haven't been hit with this large scale attack. It's hard to wrap my head around how under threat America might be, because we've never faced anything like the stuff that security experts are talking about.

Shayle Kann: As long as you're sleeping well I think that's all that matters, next to your five beautiful children.

Stephen Lacey: Give us five beautiful stars folks. Go on iTunes, that's where we get the majority of our listeners actually, and give us five stars, if you like us of course. Give us a review, we'd love to hear from you. You can always catch us on Twitter, Shayle and I are there. We love to hear from folks, [email protected] is our email address. We try our best to respond to folks through email but email is so difficult, it can be hard. Twitter might be the best place to catch us.

We're everywhere. We're on Google Play. We're on TuneIn. We're on SoundCloud, iTunes, Stitcher, anywhere you get your podcasts you can find us. So make sure to subscribe if you're not a subscriber already, and pass us along to your friends and colleagues.

Shayle, I'm glad we're reconnected. We're sorry to see you go from GTM. It's a sad day here, but our listeners are probably glad that you're still going to be coming into their ears.

Shayle Kann: Yeah. It's truly bittersweet for me. It's been an incredible run at GTM, but I'm really excited to be able to keep doing this podcast every week. I love it. Also, you could have just made up names of podcast players, and it would have worked on me. I feel like there's a new one every week that I've never heard of. SoundFace, EarBud.

Stephen Lacey: Podly, PodFriender.

Shayle Kann: Yeah, Podly. I think you should start making it up at the end of each episode.

Stephen Lacey: Next week we have another edition of "Watt It Takes," a series that we're releasing in collaboration with the clean-tech incubator, Powerhouse. Those are both real names. In this edition Emily Kirsch is going to talk with Andrew Birch, the co-founder and CEO of Sungevity, the once might residential solar installer that recently went bankrupt. Shayle, you were there, what should listeners anticipate for that one?

Shayle Kann: Man, that one's really good. Sungevity rose really high, and then crashed really fast. After situations like that you very rarely get to hear the behind the scene story of what it was like for the leaders of those types of organizations. I found it really illuminating. I appreciated that Andrew Birch was willing to do that on stage and on a podcast. It's really good. You should tune in.

Stephen Lacey: Alright, well tune in for that one next week. With Shayle Kann, I'm Stephen Lacey and this is The Interchange, conversations on the global energy transformation from Greentech Media.