In the increasingly digital world in which we operate, cybersecurity has become a core focus for leaders across the economy. In the utility industry in particular, securing systems against potential cyber attacks is a top priority, and cybersecurity protections must keep evolving as new technologies are introduced to the ecosystem. For any utility, big or small, a cyber vulnerability can put customer data at risk, cause financial damage, and even bring down the operation of the grid.
No matter the size or makeup of the utility, these truths remain consistent, though for smaller municipal utilities the challenge can be greater as they have fewer resources than large investor-owned utilities. That said, municipal utilities are stepping up to the challenge, and the guest on this week's episode is one of those great leaders in utility cybersecurity at the city level. Hong Sae is the CIO at the City of Roseville, and he joins host Jason Price and producer Matt Chester to weigh in on the unique municipal challenges and offer tips and tricks from his more than a decade in this role.
Thanks to the sponsor of this episode of the Energy Central Power Perspectives Podcast: West Monroe.
Did you know? The Energy Central Power Perspectives Podcast has been identified as one of the industry's 'Top 25 Energy Podcasts': blog.feedspot.com/energy_podcasts
TRANSCRIPT
Jason Price:
Hello, and welcome to another episode of the Energy Central Power Perspectives podcast. This is the show that brings together leading minds in energy to discuss the latest challenges and trends, transforming and modernizing the utility industry of the future. And a quick thank you to West Monroe, our sponsor of today's show. Now, let's talk energy.
Jason Price:
My name is Jason Price, Energy Central podcast host and director with West Monroe coming to you from New York City. Once again, I'm joined with Matt Chester, Energy Central podcast Producer and Community Manager, dialed in from Orlando, Florida.
Jason Price:
Matt, we're stepping into the world of cybersecurity this week, a topic of paramount importance to the utility sector. Can you set the stage for why cybersecurity tends to be top of mind for all decision makers at utility companies?
Matt Chester:
Yeah, I can do that, Jason. While every business out there these days has an eye on cybersecurity, staying secure is particularly important for the power industry. Outages caused by cyber attacks, they're not just inconvenient in the utility space, they can be dangerous. Places like hospitals, elderly care, they can't afford to be without power, and extended outages cause measurable disturbance to a region's entire economy, while unexpected downtime can cause health and safety concerns, such as during extreme heat when air conditioning is so necessary. So the utility industry needs, more than anyone else, really, to stay several steps ahead of any potential threats or bad actors and doing so is indeed a full-time job.
Jason Price:
That's right, Matt. And we actually have a guest today, one of those people whose job is to stay on top of these critical issues. We have the privilege of welcoming to the podcast booth, Hong Sae, the Chief Information Officer at the city of Roseville in California. Hong has served as CIO for Roseville for over 12 years, meaning he's been at the helm during some particularly exciting advances in the digital world for utilities, but also some high risk developments on the side of bad actors seeking out cyber attacks.
Jason Price:
As utilities are always looking for the edge to keep customers secure, assets protected, and the grid humming, we're excited to hear some tips, experiences, and best practices based on his extensive experience. So with that, let's bring him on. Hong Sae, welcome to today's episode of Energy Central's Power Perspectives podcast.
Hong Sae:
Hello, Jason and Matt, and thank you everyone else for listening to this podcast. And thank you for the invites and the quick intro today.
Jason Price:
Hong, being an East Coast guy, I have to admit I wasn't too familiar with Roseville. So to level set, can you give us an overview of how big Roseville is, how many customers you're serving, and the role you play as CIO at Roseville?
Hong Sae:
Absolutely. I have short stories out here for you. The city of Roseville was incorporated in 1909, we have a population of about 150,000. Roseville is about 16 miles northeast of Sacramento, which is the state capital of California, and the greater Sacramento area is home to about 2.6 million people in this region, and we're right in the middle of San Francisco and Lake Tahoe.
Hong Sae:
Roseville is actually not a stranger to anyone. We have been ranked the best city to live in California by Money magazine in 2020. We're also ranked the fifth best place to live in the US if you work from home in 2021. We were also ranked recently as the eighth fastest growth city in the nation by U-Haul. And we also ranked as the 15 best places to work in technologies and especially from SmartAsset magazine. Most importantly, the last 10 years total, we have been ranked the top 10 digital cities by Government Technology magazine.
Hong Sae:
The list goes on, including the safest and wealthier cities for Roseville. Roseville is a full service city, just in case if anyone wasn't aware. Our program consists of public works, which is transportation and transit buses, we also serve the public with emergency, police, fire, and paramedic. Parks and recs library is known to all out there as the nation's number one parks department. And our planning and development services, and most importantly, government affair, and 24/7 utility services, which is electric, water, wastewater, solid waste, and all of our internal service department.
Hong Sae:
I have been serving as the Chief Information Officer for the city of Roseville for the last 12+ years. In my past 33 years of working experience, I was CIO in several Texas state agencies and also at private entities. In my free time, this is one of the things I love to tell people, is I serve on the Sacramento CIO and CTO forum. And I also enjoy my time serving as the MISAC president, which stands for Municipal Information System Association of California.
Hong Sae:
MISAC has a passion of about 330 California agencies, which consist of about 1,500 CIOs, IT directors, managers, management specialists responsible for local government, utilities and special district technology services. That's a long story. Cut it short in two minutes out there for you, Jason and Matt.
Jason Price:
Appreciate that, but that's an impressive introduction, no doubt. It's interesting that you're a somewhat smaller city, which perhaps would reduce the amount of cyber threats you'd potentially face compared to, I don't know, an IOU. In your region, you have PG&E, but as you noted, you're also a full-service utility. So not just power, but also water transit and other services. So, when you speak to your peers and your counterparts at other utilities, do you find the challenges you face are unique or in many respects, same regardless of the make-up of the utility?
Hong Sae:
In fact, that's an interesting question that you ask, Jason. All cybersecurity challenges are the same across all 16 critical infrastructure sectors today identified by the US government. Whether you're in communications, healthcare, transportation, water, food, agricultural, financial, manufacturing, chemicals, we're all facing the same risks and compliance standards. Maybe perhaps different reporting agency for electric would be known it can differ, and for water agency will be the Homeland Security.
Jason Price:
How about, as a follow-up, do you approach cyber security the same for all the municipal functions that you operate or must the strategy and the skill set for protecting the electric grid call for different skill sets for water, for the transit, or other services that Roseville operates?
Hong Sae:
As a full service city, we do treat all our departments the same. Our agency has the same multi-pronged approach, not one silver bullet that we'll be able to tackle all, but our primary focus is on three P, right? People and process and performance.
Hong Sae:
So we have defensive technologies, layers of defense and general governments in our public safety, and also more importantly in public utilities area. We also continuously monitor ransomware denial services attack. We also, on a regular basis, we collaborate with Homeland Security, State of California Office of Emergency Services. We're all part of the multi-state power and also WaterISAC group.
Hong Sae:
Most of the things that we do every day as today is to make sure that we're continuously scanning our network, making sure there's no vulnerability in place. On a year to year basis, all of our groups, general governments, utilities, we perform penetration testing, and most importantly, we're very, very actively involved in legislative influences, both at the state level and also at the federal level. And last and final, the most important thing, all three groups in our city Roseville have cyber insurance coverage. So at the end of the day, even though we have multi-pronged approaches, we treat all of our entire organization the same way.
Jason Price:
When we were planning for this podcast, you had mentioned your philosophy and strategy around cybersecurity and the principles of the three P's. Why don't you take a moment and share with our audience what you mean by that?
Hong Sae:
Absolutely. So the three P stand for people, process and performance, like I mentioned just a little bit ago. On the people side is to make sure that we are all involved in security practices, continue to raise the level of awareness and training, making sure that your executives respond the right way and embrace the simple mindset called "security is everyone's business." That's the approach that understanding that all technologies, even though they're connected, but it needs human beings to advance the technologies out there. So that's the people side.
Hong Sae:
The second P is about the process. So we align all of our security practices to match standards such as the National Institute of Standards and Technology, which is NIST, but we also have European customers and businesses that are in Roseville. So to some extent, we also have to live with the ISO, which is International Organization for Standardization out there. And the goal of the process is to address the security gap by continuously looking at our assessments on a year to year basis, and also compare against our peers, right? So that's the process levels out there.
Hong Sae:
On the last P, which is performance, most people always think that it's about technologies. At the end of the day your organization has to deliver, but many organizations struggle with trying to secure too much data or containing too much data, and don't realize that if you don't need those data, you don't really need to have those in your organization. At the end of the day, we focus on our technologies on security analytics, and next generation firewalls and artificial intelligence to help us to protect and control our cybersecurity incidents more efficiently. So again, it's about people, process and performance, and the all three line up get us.
Jason Price:
That's great. Dig a bit further about cybersecurity. So you certainly have a heightened awareness around the importance of cybersecurity at utilities, and you're practicing that at Roseville, but we still see a lot of organizations fall short, in terms of preparation. Why do you think that is? And what advice would you give to those who are falling behind the curve?
Hong Sae:
So this is actually an interesting question. The way that I look at it is, there are two types of companies in the world, right? One is those that have been breached and know about it, and are actively trying to protect against it and put out some remediation process into it. The second type of companies in the world is those that have been breached and don't know anything about it out there. So the advice that I would give to people is that cybersecurity is everyone's business. It is a team sport out here. If you see something, say something out there, it takes a whole nation, a whole country to act together as a whole to defend our organizations and the community.
Jason Price:
You certainly have an impressive record at Roseville and you have not succumbed to any cyber incidents, and a lot of it has to do with your diligence, but you know, not every utility has been as fortunate as you. So from a wider standpoint, Colonial Pipeline with the ransomware attack, the Log4jam vuln, Log4J vulnerability and others. When you see incidents at other organizations, what are you able to learn from that?
Hong Sae:
This is a good question. At the end of the day, we all have to keep in mind that there is no such thing as perfect protections, right? The business model that we embrace here in Roseville, and also a lot of organizations as well too, is to make sure that utility, public safety and any services that we deliver, continue its delivery services.
Hong Sae:
And to accept the spectrum that, what is appropriate risk. If you have too much of a security, your businesses may not be able to perform well. If you have too little of a security, you may get infiltrated and brings down your network and therefore no business can be running out there. The goal is to build a sustainable cybersecurity program that balances the need for all of us in our organization to protect against, to continue running our business.
Jason Price:
Yeah. And no doubt that the goalpost in your case is constantly moving, so it's always a challenge to stay ahead. So there's always new technologies, new threats, new mitigation processes to build in and a lot more. As a leader of your organization, how do you make sure that your people stay on top of it and not get complacent and treat the new threats as seriously as they need to be?
Hong Sae:
As cybersecurity leaders, we have to create our message of influence, because security is a new culture, right? Since pandemics, remote, working from home. And we need to make sure that the business continue to take place, because of that part of the security culture. Continue building resiliency, diversity, and preparing our organization to continue to be smarter and future-ready.
Jason Price:
Thank you for that, Hong. We're going to give you the last word, but before we get to that, we want to shift gears for a moment to what we call the lightning round, which gives us an opportunity to meet you, Hong Sae, the individual, not Hong Sae, the leader of Roseville and its cybersecurity. So we're going to give you five questions, and you respond with either one word or phrase. Are you ready?
Hong Sae:
I am ready.
Jason Price:
Fantastic. Do you prefer a dinner out or a home-cooked meal?
Hong Sae:
It depends.
Jason Price:
What superpower would you choose to have?
Hong Sae:
In this case, the power to remove and block cyber attack instantaneously.
Jason Price:
What's your favorite way to unwind after a long day?
Hong Sae:
Relax, enjoying, sitting next to my better half, listening to her, how she played her tennis and how the kids are doing for the day.
Jason Price:
What career path did you envision for yourself when you were growing up?
Hong Sae:
You would never imagine this one, chemical engineering.
Jason Price:
And what are you most passionate about?
Hong Sae:
In this world, it is all about people today. Connecting the dots for our team and helping them to understand what we do, that impact our community and our organizations.
Jason Price:
Nicely done. You've made it through the lightning round. Now, you are speaking to your peers in the industry, we want to give you the last word. So what piece of advice would you hope that they take away from today's conversation?
Hong Sae:
I would sum it up in three little statements out here. One, cyber security is more than a matter of information technology or operational technologies or business technology.
Hong Sae:
As the cybersecurity leaders, two, we are passionate about creating a message of influence, because security is a culture that we need the business to take place and become part of the security culture itself.
Hong Sae:
And third, none of the technologies out there in the world, especially one connected to the Internet, is unhackable. Security is a moving target itself, making sure that we're able to deal with it and work through with frequent changes, and leader has to be flexible and adaptable to our team, understanding that things are going to happen.
Jason Price:
Thanks for sharing those words of wisdom. I know that there's a lot more we can learn from you, so perhaps we'll just need to get you back on for a future podcast. But in the meantime, hopefully we'll see you in the comments section on energycentral.com to follow up with our listeners, who will want to learn more. But for now, thanks so much for your time joining us today and all the fascinating insights.
Hong Sae:
Thank you, Jason, and thank you, Matt, for having me today. I just want to take this opportunity to give a huge shout out to the entire Roseville team for making the city one of the best cyber-safe cities to work, live, and play within.
Jason Price:
You can always reach Hong through the Energy Central platform, where he welcomes your questions and comments. We also want to give a shout out of thanks to the podcast sponsor that made today's episode possible, thanks to West Monroe.
Jason Price:
West Monroe works for the nation's largest electric, gas, and water utilities in the telecommunication, grid modernization, and digital and workforce transformations. West Monroe brings a multidisciplinary team that blends utility, operations and technology expertise to address modernizing aging infrastructure, advisory on transportation electrification, ADMS deployments, data and analytics, and cybersecurity.
Jason Price:
Once again, I'm your host Jason Price. Plug in and stay fully charged in the discussion by hopping into the community at energycentral.com. And we'll see you next time at the Energy Central Power Perspectives Podcast.
About Energy Central Podcasts
The ‘Energy Central Power Perspectives™ Podcast’ features conversations with thought leaders in the utility sector. At least twice monthly, we connect with an Energy Central Power Industry Network community member to discuss compelling topics that impact professionals who work in the power industry. Some podcasts may be a continuation of thought-provoking posts or discussions started in the community or with an industry leader that is interested in sharing their expertise and doing a deeper dive into hot topics or issues relevant to the industry.
The ‘Energy Central Power Perspectives™ Podcast’ is the premiere podcast series from Energy Central, a Power Industry Network of Communities built specifically for professionals in the electric power industry and a place where professionals can share, learn, and connect in a collaborative environment. Supported by leading industry organizations, our mission is to help global power industry professionals work better. Since 1995, we’ve been a trusted news and information source for professionals working in the power industry, and today our managed communities are a place for lively discussions, debates, and analysis to take place. If you’re not yet a member, visit www.EnergyCentral.com to register for free and join over 200,000 of your peers working in the power industry.
The Energy Central Power Perspectives™ Podcast is hosted by Jason Price, Community Ambassador of Energy Central. Jason is a Business Development Executive at West Monroe, working in the East Coast Energy and Utilities Group. Jason is joined in the podcast booth by the producer of the podcast, Matt Chester, who is also the Community Manager of Energy Central and energy analyst/independent consultant in energy policy, markets, and technology.