“Compliance and enforcement are necessary tools in our toolkit, but we have a much broader vision and mission that's really focused on a highly reliable and secure North American bulk power system. And those standards are the floor, but there's so much more we can do. And the biggest tool in our toolkit is outreach and education.” - Sara Patrick Bryson interviews Sara on her work leading the Midwest Reliability Organization to identify, prioritize and assure effective and efficient mitigation of risks to the security of the North American bulk power system.
Bryson is joined by Sara Patrick, President and CEO at the Midwest Reliability Organization (MRO) to discuss cyber threats, mitigation strategies, and the United States energy infrastructure system. A lawyer by training, Sara led MRO’s enforcement group and compliance monitoring team for 16 years before stepping into her position as CEO.
What risks does AI pose to maintaining a reliable grid? How does MRO build resilience into the Northeast bulk power grid? What do smaller organizations need to be able to mitigate threats?
“When we think about operations, we're a lot of times focused on the bigger organizations. But from a cyber perspective, it really doesn't matter the size of your organization. You're all susceptible,” Sara explained.
Join us for this and more on this episode of Hack the Plan[e]t.
Hack the Plant is brought to you by ICS Village and the Institute for Security and Technology.
Bryson: I’m Bryson Bort and this is Hack the Plant.
For today’s episode, I’m joined by Sara Patrick, President and CEO at MRO, the Midwest Reliability Organization. Sara leads MRO in carrying out its critical mission to identify, prioritize and assure effective and efficient mitigation of risks to the reliability and security of the North American bulk power system.
Sara Patrick: “... Compliance and enforcement are necessary tools in our toolkit, but we have a much broader vision and mission that's really focused on a highly reliable and secure North American bulk power system. And those standards are the floor, but there's so much more we can do. And the biggest tool in our toolkit is outreach and education.
And we're constantly looking at emerging risks, new risks, mitigation strategies, and working with our industry folks to get the word out and share those lessons learned because we have a shared mission.”
Bryson: We discuss how cyber threats affect organizations of all sizes.
Sara Patrick: “And you know what? Especially in the cyber realm, you know, the little guys–when we think about operations, we're a lot of times focused on the bigger organizations. But from a cyber perspective, it really doesn't matter the size of your organization. You're all susceptible. And in some instances, the smaller organizations are more susceptible because they don't have the same types of resources.
So having a forum to bring folks together regularly, where organizations of all different sizes, and different operational challenges can share what they're seeing is really, really valuable. It's one of the areas where I think MRO shines.”
Bryson: And break down how MRO is assessing the top risks of 2024.
Sara Patrick: … So it's interesting we have this process where you go through every year, putting together a regional risk assessment and our regional risk assessment includes operations planning, as well as cyber and physical threats. And we actually survey the industry members within MRO and look at what are the risks that others are seeing.
And in 2024, physical attacks is on the list of our top eight. Hot risks that we focus a lot of the work on both internally and with our industry partners. We also had insider threat and supply chain compromise. So it's not just the whole supply chain issue. It's the supply chain compromise that's much more specific.
Bryson: What risks do AI pose to maintaining a reliable grid? How is MRO helping smaller organizations mitigate risk? How has Sara’s legal background helped her navigate the changing regulatory landscape? And if she could wave a magic, non-internet-connected wand, what is one thing she would change? Join us for our first episode of Hack the Plant that ends in anarchy.
Bryson Bort: Let's just start with a biography, if you would like to tell us about what mistakes in life led you to this point.
Sara Patrick: Well, I've been at MRO (Midwest Reliability Organization) for 16 years, so I'm almost an original. When we began operation in June of 2008, when the NERC (North American Energy Reliability Corporation) Reliability Standards first became mandatory and enforceable. And I was hired to set up our enforcement group, and I led the enforcement group for about eight years, then transitioned to leading the compliance monitoring team.
And I was in that role for about a year and a half when the board asked me to step in as interim president and CEO in February of 2018. And I've been officially president and CEO since June of 2018. Prior to that, I worked for a data broker. So I was–I'm a lawyer by trade, so I was very much into data privacy, working for a data broker.
So that was sort of my first introduction to information security, which sort of translates to, well, has some corollaries anyways to what we do here at MRO and how we operate and think about information security, but really a broader sense of cybersecurity.
Bryson: Okay. I got to say, I feel like I should have been given some small print that you were a lawyer before we embarked on this endeavor. Now I'm the one who's on the back foot. So how did you make that jump from data broker into the Midwest Reliability Organization?
Sara: So it really was about, a who-you-know instance. And I think that that is actually been, perhaps, a theme of my career throughout the years. So our former CFO had been the controller at the data broker that I worked at. And she called me and said, we need a lawyer. And I said, I'm not looking for a job, but that's really the best time to find one.
And so finally the third time she called me, I sent in a–I sent her over my resume, but this was back in 2008. And there was very little on the internet about what Midwest Reliability Organization was. And I went into that interview having no idea what the company did, and it was a very interesting interview.
I was there for six hours, but I felt like I was only asked three questions. But I was really intrigued because it was sort of a new body of law. So we exist as a result of the, essentially, as a result of the 2003 blackout in the Northeast, and then Congress enacted legislation in 2005, mandating compliance with the NERC reliability standards, and they became effective in 2007. So we began operation in 2007, then I was hired in 2008, actually shortly after FERC, the Federal Energy Regulatory Commission, issued its first order related to violations of the reliability standards. So back to the question about ‘how did I find myself here,’ it really wasn't who you know. And that opportunity to sort of shape and impact– it is really an international perspective on reliability and security from MRO's perspective, because we are what's known as a cross border region.
So we operate in all our parts of 16 states today, and the two provinces of Manitoba and Saskatchewan. So joining the organization early on, I've had an opportunity to sort of help shape the federal policy, and a Canadian policy around reliability and security, which was perhaps the most attractive part about joining MRO.
I will say that it was a steep learning curve. The data broker–I was a subject matter expert and there were answers to things. You could find answers. And coming to MRO, it was a whole new body. There really wasn't any precedent as to how to apply standards, and how to, what the enforcement's process, what that would look like.
I would say that I–well, I always said that I was a newbie when I came to MRO, but having been here 16 years, I can't say that I'm a newbie to this industry anymore.
Bryson: That is certainly true. So let's think about that time period. We have the intersection of the Northeast blackouts. So we have concern around resilience, and then we have Congress stepping in and pushing regulation and compliance. And so it's this mix of again, emotion, fear. Is our grid on this side going to be okay? Are the asset owners understanding the problems? Are they making the investments? Because some of that is driven by environments, some of that is driven by demand and consumption. And then as you noted, compliance was kind of a new concept at that moment. And I think that's so interesting how often we forget how young a lot of these things are.
So it sounds like I think many of us, right, we get the next opportunity through who we know through those connections, because we'd like to work with those we trust. But your legal background had to have been a great boon to that moment.
Sara: Absolutely. When I joined MRO, there were less than 20 employees, and it was essentially a bunch of engineers and a couple of CPAs. And that recognition that they needed a lawyer was unique and also perhaps why the interview process was so different for me, because I didn't know what to ask because they weren't really sure what they needed. They just knew they needed something.
And, you know, at that time, we really wondered how often folks would contest violations. And so they were really looking for somebody who had some experience with administrative law and administrative hearings. And way early in my experience, I was an assistant AG, attorney general, for the state of Arizona and did hearings probably three a month. So I had some experience doing administrative law hearings. As it turns out, very, very few instances of noncompliance or violations of reliability standards have resulted in a contested case. But to your point, the standards are sort of the floor, and we do a lot more today than we did back in 2008, 2009, 2010, when, you know, this construct was new and the focus was on compliance.
But compliance and enforcement are necessary tools in our toolkit, but we have a much broader vision and mission that's really focused on a highly reliable and secure North American bulk power system. And those standards are the floor, but there's so much more we can do. And the biggest tool in our toolkit is outreach and education.
And we focus a lot and work really closely with our industry partners to provide a number of different outlets that really focus on, in the instance of security, security risks, OT, cyber, physical, you name it. We have probably done some sort of outreach related to that risk. And we're constantly looking at emerging risks, new risks, mitigation strategies, and working with our industry folks to get the word out and share those lessons learned, because we have a shared mission.
You know, it's not all about compliance and enforcement, but really about ensuring a highly reliable and secure North American bulk power system, and really getting those mitigation strategies, and thinking about there's a lot more to security than what's contained in the standards, you know. That's just basic cyber hygiene. But we have the ability to bring folks together in different forums to share their experiences, to share their expertise, to share what they're seeing as far as risks. And you know what? Especially in the cyber realm, you know, the little guys–when we think about operations, we're a lot of times focused on the bigger organizations. But from a cyber perspective, it really doesn't matter the size of your organization. You're all susceptible. And in some instances, the smaller organizations are more susceptible because they don't have the same types of resources.
So having a forum to bring folks together regularly, where organizations of all different sizes, and different operational challenges can share what they're seeing is really, really valuable. It's one of the areas where I think MRO shines.
Bryson: So let's talk about that growth. Compliance is the foundation of organizational execution. It's not a debate, right? You talked about that there's a few contested violations because most folks it's like, yeah, I didn't meet the checklist. It's kind of black and white. It's cut and dry. So how did you grow, or how did the organization grow that commitment to going beyond compliance?
I mean, you talked about part of it was the mission and that probably helped because that was an understanding that there needed to be more, but it's still not as easy as just going from point A to point B.
Sara: Well, I think very early on, we recognized that compliance for compliance’s sake was not going to help us achieve our vision and really wasn't what we wanted to stand for, as not only MRO, but the broader construct, the North American Electric Reliability Corporation and the other regional entities. MRO is one. You know, we all recognized that compliance for compliance’s sake was not going to get us the operational excellence that we were looking for.
So we have really, really focused on, on operational excellence. And when you focus on reliability, and security, and operate from a mindset that is focused on operational excellence, compliance just sort of happens. It's foundational, but it's not the focus.
And I think we've seen some maturation across the organization as we've grown, and our responsibilities have grown, and we've become a lot more familiar with sort of the day-to-day work, but also the risks are ever increasing and expanding. In this sector, well, in many sectors, but particularly in this sector of the world that we live in, we recognize there's a lot of opportunity for us to think broadly about security, and not just security for compliance purposes. Because there's always, you know, those regulations are always chasing risk, and, you know, those risks are ever evolving, increasing, expanding the stuff that nightmares are made of, the world that you live in.
Bryson: So let's talk risks. What are the risks that you see?
Sara: So it's interesting we have this process where you go through every year, putting together a Regional Risk Assessment. And our Regional Risk Assessment includes operations planning, as well as cyber and physical threats. And we actually survey the industry members within MRO, and look at what are the risks that others are seeing.
And we bring a group of experts together, not just staff here at MRO, but folks from our advisory councils. So those are our industry members who volunteer their time to help get the word out, and share their experiences and their challenges. And we put those risks together, and we come up with an annual regional risk assessment that really forms the basis for much of the work that we do.
And in 2024, Physical Attacks is on the list of our top eight hot risks that we focus a lot of the work on both internally and with our industry partners. We also had Insider Threat, and Supply Chain Compromise. So it's not just the whole supply chain issue, it's the Supply Chain Compromise that's much more specific.
So those were, you know, three of the top eight risks in our 2024 Regional Risk Assessment focus on cyber or physical security risks.
Bryson: So when we're talking physical threats, is this like the incidents that we've had where folks were shooting at transformers?
Sara: Absolutely. The Moore County, that happened in North Carolina, where folks were shooting at transformers and caused an outage. There have been a number of issues related to ballistic attacks across the region, and across North America. A lot of it, you know, domestic extremists, some for fun, if you can call it that.
Bryson: You talked earlier about small organizations, and I think Wendy Nather really nailed this on the head back in 2013 when she talked about the cyber poverty line. The haves and the have nots, and with the interconnected nature of how modern society rests on electricity. Whether you are small or you are big does not matter, the impact can be the same. It's just a question of scale. So what can we do to help the smaller organizations? What is MRO doing to help the smaller organizations in their scope?
Sara: Our membership really sort of spans the whole array of size and complexity of operations within different organizations. And through our Security Advisory Council, we have what we call a Security Advisory Threat Forum that hosts a weekly call. And these are calls that are–the folks who join them have been vetted, it is a safe space for folks to share what they're seeing. They are meetings that we facilitate, but that industry runs, and they do not have a set agenda. They have a set time, and folks join and they share what they're seeing. And one of the advantages to doing so is that we have large organizations with 24/7 SOC, and then we have these small organizations who may have seen something that looked a little weird, but they didn't really think much about it, but then they're on these calls and they hear, well, some other organizations saw something similar and they start talking and realize, oh, there is something here.
The Electricity Information Sharing and Analysis Center, the E-ISAC participates on those calls, and we have actually undertaken across the ERO enterprise. So that would be the North American Electric Reliability Corporation and the six regional entities, very focused efforts to encourage our members and registered entities within the regions to join and become members of the E-ISAC where they can share what they're seeing.
And the E-ISAC has the ability to compile that information continent-wide, and provide guidance to folks. So there are a number of things that we can do and are doing to help those smaller organizations become more aware of, and recognize and, well, and also what should they be looking for, if they're not.
So there are, there are a number of things that we do to help entities of all sizes.
Bryson: You've been president and CEO for the last six years. And what have you learned and what have you done in the last six years?
Sara: Well, it has been a wild ride.
Bryson: This is your performance review. You weren't ready for it. Let's go.
Sara: Well, so I was asked to serve as interim president and CEO ten days after the announcement that we would be doubling in size July 1, 2018. So I had four months as interim, and then was officially named president and CEO about a week before we doubled in size. And that occurred because originally there were eight regional entities. Today, there are six. So we took over about ninety percent of the former Southwest Power Pool regional entity. So that was a big undertaking. We did not have a budget for it. We restructured our board, added board members, restructured the board committees, restructured our organizational groups, building on the success that we had had with the Security Advisory Council that has been our longest standing advisory council, we reformatted all of our committees to become advisory councils, which means that membership and those advisory councils is selected based on experience and expertise, as opposed to what sector within our membership do you represent. So now, we have experts coming together though, they are not decision making bodies, anymore, because we do not have that sector balance that exists at the board committee level that provides direction to the advisory councils.
So that was 2018, and then 2019 we were working through all the governance changes and figuring out everything that we forgot about when we made all these structural changes, and really working to seamlessly integrate the entities who joined MRO from the former SPP regional entity. So that was the large focus in 2019, and then 2020 was going to be our first normal year.
So we reopened the office in 2022, and brought folks back on a hybrid basis, and we continue to operate on a hybrid basis.
We have one–so actually the number of staff has doubled since I took on this role. We have taken on a lot of different work. The Compliance Monitoring Enforcement Program work continues to grow because the number of standards continues to grow. But we've been involved with a number of cold weather events, and subsequent inquiries that have been conducted related to winter storm Jury, winter storm Elliot.
And then this past winter was more of a lessons learned, since we didn't have quite as bad a winter from a performance perspective. We also, this year, very much involved in the Interregional Transfer Capability Study. That was actually ordered as part of the debt ceiling bill–ironically, included a direction that NRC and the regions would work to conduct an Interregional Transfer Capability Study, looking at the ability to move power from one portion or one region of the country to another.
Bryson: So what's next?
Sara: With the energy transition, a big focus for us, actually related to the Interregional Transfer Capability Study, is the transition of energy planning from capacity based to really an energy assurance based model. Which is very different than how the system has been planned and operated, but also recognizes that our generation resources are changing, and the system looks very different today than it did even ten years ago.
Bryson: If you could wave a magic, air-gapped wand, what is one thing you would change?
Sara: Well, my word of the year in 2024 is coddiwomple. C O D D I W O M P L E. And it means to travel with purpose toward an uncertain or vague destination. And I feel like that is what is happening with the energy transition. There are lots of decisions being made today, and nobody knows what the ultimate solution is because there isn't one answer to this kind of gnarly problem. There are multiple answers. So if I could wave a wand, we would have this solved. And we would know what the grid of the future would look like, and what the ideal generation resource mix would look like, and we'd have the transmission to make that happen.
Bryson: All right. You waved your magic wand. Now looking into the crystal ball for a five year prediction. One good thing, and one bad thing that you think is going to happen.
Sara: One good thing, we are going to figure out the bridge resource we need to make this energy transition a success. And one bad thing, it's not going to be seamless. Something's going to have to give. We're fighting with energy policy, and economics, and we're not focused on the physics. And physics always wins.
So, those decisions that are being made that really don't take into account physics are what are going to result in bad outcomes.
Bryson: So if I could summarize that you're predicting a sizable blackout as a result of this?
Sara: I'm not saying a sizable blackout. I'm just saying that what we have come to take for granted in this country, that you flip the light switch on and you always have electricity, may or may not be seamless in the next five years. There may be–there may have to be some give and take in what we expect from our nation's grid, given the challenges that it faces today.
So I wouldn't go so far as to say a major blackout, as much as there might be some scheduled outages that people have to learn to accommodate.
Bryson: Now that's a really interesting comment. And I know we already have a challenge with, when we've had significant GDP growth, that there've been areas that–we're talking about bringing manufacturing back when manufacturing requires substantial–yes. You're making that face because we've been looking at–you're part of the world for that, and that requires a lot of energy. Which means it's years out to plan, to build, to be able to do that. And you can't just put a plant there, and be like, all right, plug it in.
Sara: Yeah, unfortunately it's a lot more complicated than that. I– yeah, we–I can't believe we didn't even talk about the large loads ,and the demands that new technologies are bringing to the system. And we're seeing load growth that's–probably for the last, I don't know, several decades, it's just been incremental, and now we're projecting one and a half to five times load growth in really short periods of time.
And, you know, that's great to think about from an economic perspective, but from, again, that physics perspective, it's a little challenging, to say the least.
Bryson: Do you want to talk about new technology and demand?
Sara: I also think in 2024, you know, you–I don't think I attended a board meeting anywhere somebody didn't mention generative AI. How that might solve the world's problems or create more problems.
There's opportunity and there's also a great deal of risk in how AI plays into the future, but it also is creating, you know, a need for more data centers, which creates a need for more electricity to operate those data centers. And that's a conundrum that we're facing today, it's not a problem of tomorrow.
It's a problem we're facing today in how we get these things built. From a national perspective, we want that industry here, right? But we have to figure out how we do that and maintain the expectations we have for a reliable grid. And the system needs some help to get there.
Bryson: I'm scared to ask. Beyond the fact that generative AI is also a new technology creating additional demand for energy, is there anything with generative AI that MRO is specifically concerned, or is looking at? And the answer can be no. I just was curious if the new tech was more than just, you know, like cryptocurrency, electrification of cars, these things, more computation, more power required. But is there anything specific to the application of the technology that MRO is looking at?
Sara: So I think that there are opportunities to leverage Gen AI, but right now, I think that, you know, this industry is–it's so foundational to our way of life that the risk may outweigh the benefit until we get there. Things have been tested. I say that and then there's also the, well, you don't want to get too far behind as new technologies are introduced and that, you know, the benefits that they could bring.
So, from MRO's perspective, we are, you know, toe in the water. I think that there are opportunities out there, but the risks really need to be weighed, and we need to move forward at a fairly slow pace as we learn more about those risks and what Gen AI, given the dependence on electricity. So Tom Fanning is a retired CEO of Southern Company, and you're shaking your head, maybe you've heard that, his quote, but he said, you know, electricity may be only seven percent of the U.S. economy, but it's the first seven percent, because without electricity, you just don't have anything else.
So that's a big weight on this industry to carry on their shoulders that, you know, we have to get things right, and have to be reliable and secure, so that everything else that we depend on is able to continue to function. And that's the big ask.
Bryson: My quote is, once we lose electricity, we're on a quick march to the Stone Age.
Sara: Yeah.
Bryson: Diesel will get you 24 to 72 hours at best. After that, we're done.
Sara: Chaos reigns. Anarchy.
Bryson: This is Hack the Plant, a podcast from the ICS Village. Catch us at an event near you. Subscribe wherever you find podcasts to get episodes as soon as they're released. Thanks for listening.