Security Unlocked 8.18.21
Ep 41 | 8.18.21

Protecting the Power Grid


Nic Fillingham: Hello, and welcome to “Security Unlocked,” a new podcast from Microsoft where we unlock insights from the latest in news and research from across Microsoft Security engineering and operations teams. I'm Nic Fillingham.

Natalia Godyla: And I'm Natalia Godyla. In each episode, we'll discuss the latest stories from Microsoft Security, deep dive into the newest threat intel, research and data science... 

Nic Fillingham: ...And profile some of the fascinating people working on artificial intelligence in Microsoft Security. 

Natalia Godyla: And now let's unlock the pod. 

Nic Fillingham: Hello, the internet. Hello, listeners. Welcome to Episode 41 of “Security Unlocked.” On today's episode, we are joined by Hafid Elabdellaoui, who is a chief security adviser here at Microsoft and joins us today to discuss a three-part blog series that Hafid authored 18 months ago, back in February 2020, on defending the power grid against supply chain attacks. And quick spoiler here - it's still - 18 months - sort of unfortunately very relevant to talk about supply chain attacks and defending the power grid, which is why we've brought Hafid back on. It's a great episode. It's also a really good follow-on from Episode 36, where we spoke with Arjmand Samuel about securing IoT and sort of an introduction to IoT and OT security, or operational technology. And so today, we're really sort of double-clicking on OT, operational technology security, and specifically the power grid. Natalia, electricity - I'm told it's very popular. You're a fan. Thoughts on the sparky sparks? 

Natalia Godyla: Well, thank you for giving me a new name for electricity. Sparky sparks will definitely be how I refer to it in the future. Thoughts on electricity - I have none. There is an invisible hand that pumps electricity into my home, and I am very thankful for it, but because it's so ubiquitous, I don't think about it. And yet it's absolutely required for modern life, for my life. We have folks like Hafid to thank for this. So before Microsoft, he was the CISO at Duke Energy, so securing power grids was his full-time job. And I'm super excited that we get to pick his brain on securing power grids today. He talks about everything from the threats and risks that are inherent in securing a power grid to the solutions and best practices that he used as a CISO to insure against supply chain attacks and other attacks that might impact our electricity. 

Nic Fillingham: Another spoiler I'll give you for this episode is that we do find out that a lot of the techniques and best practices here for securing against supply chain attacks and securing the power grid are basic security hygiene that we sort of talk about week in, week out. But there are some real interesting tweaks to how to apply a zero-trust methodology and some other sort of things around network segmentation that are much more important to this particular industry and this particular problem. On with the pod? 

Natalia Godyla: On with the pod. Hello, and welcome to the podcast, Hafid Elabdellaoui. Thank you for joining us today. 

Hafid Elabdellaoui: Thank you for having me. 

Natalia Godyla: Awesome. Well, today, we'll be talking about your three-part series called "Defending the Power Grid Against Supply Chain Attacks" on the Microsoft Security blog. But before we jump in, I'd love to just know about your background. So, you know, what is your role at Microsoft today? What did you do before Microsoft? What has your career in cybersecurity looked like? 

Hafid Elabdellaoui: Absolutely. I have been working at Microsoft for almost three years. I am a chief security adviser. My group is globally about 15 mostly ex-chief information security officers who are practitioners that have had the opportunity to build cybersecurity programs, deal with incident response and attackers, et cetera. And our goal is to work with Microsoft customers and help advise them and consult with them on implementing security best practices across our entire digital footprint, whether that is on-premises, on the cloud, Microsoft Cloud, Microsoft 365 and so on. So really, the goal is to ensure that best practices are implemented across the board to safeguard digital assets and in order for companies to be able to meet their goals and objectives. Prior to joining Microsoft, I've had several kinds of different positions. I started my career as a software developer right out of college. And from a security perspective, I started my career in security some time in 2004, managed a number of groups related to directory services - Mainframe, Linux, Unix and so on - had a number of positions, leading enterprise architects and application architects in our organization. And the last four years before joining Microsoft, I served as a chief information security officer at Duke Energy, responsible for the cybersecurity organization and managing the security from end-to-end perspective, including risk management, compliance, incident response and cybersecurity operations in general. 

Natalia Godyla: I see the tie now to our blog series for today, or the conversation topic of today. So what are you discussing in the three-part blog? What's the main objective of the series? 

Hafid Elabdellaoui: Yeah, the objective is really to highlight - one is really the importance of the power grid as it relates to - when you think about our lives in general, as we're talking right now, we're using electricity without even thinking about it, right? We're using electricity to power the microphone we're talking on, to power the computer, to power our Wi-Fi that we're using and the internet connection that we're using. So we take it for granted as to how easy it can impact our lives if we lose electricity for a sustained period of time. 

Hafid Elabdellaoui: So my goal was to highlight how important the grid is to us and really highlight what the risk from a cybersecurity perspective and what we need to do collectively - not only the utility industry, but also what we need to do from a supply perspective, as well as partnering with governments to make sure that we have the right programs in place to make sure that the grid continues to be secure and resilient and that we're able to live the way we would like to live, having air conditioning and being able to get on computers whenever we feel like it. 

Nic Fillingham: Hafid, I wonder - when you started your journey into the utility electricity space those 16 odd - no, I guess it's more like 20 years ago. Tell us about the types of threats that you were thinking about and dealing with then. And did this idea of threat groups, nation-state actors, taking down or interfering with the utility and the power grid - like, was that something that you thought about 20 years ago? Or is that a new risk that's only sort of just come up in the last - in a little while? 

Hafid Elabdellaoui: Nic, that is an excellent question. 20 years ago, the threat was not really as heightened as it is today. And there are a number of reasons. Now, certainly we were concerned about security in general. We were concerned about protecting our infrastructure because really important from a power industry to continuously serve our customers, make sure that they have electricity 24 by 7. So we cannot have a period where they don't have electricity, especially when you think about serving some of the important infrastructure, like the healthcare industry, hospitals and so on. 

Hafid Elabdellaoui: So certainly we were concerned about security in general. But what really heightened the cybersecurity from the standpoint of protection capabilities as well as dealing with cyberthreat actors from nation-states is what we started doing from a technology perspective. So many, many years ago, when you think about generation plants or you think about transmission substation and so on, they were not really connected directly to networks that are connected to the internet. At the end of day, they were totally isolated from the internet. And so the threat actors really had very great difficulties, even if they tried to get into those environment to be able to impact them negatively. 

Hafid Elabdellaoui: Now we fast-forward with adoption of technology, IoT devices, our ability to be able to take large amounts of data and be able to analyze and do things like predictive analysis and predictive maintenance. Organizations saw a lot of benefit, not just for them, but for their customers. In addition to that, probably the best way to explain this is from a maintenance perspective. 

Hafid Elabdellaoui: There is regular maintenance that has to be done on the few - on transmission and distribution stations. And any companies may have thousands and thousands of transmission substations. So you would go and maintain them on a specific schedule. Well, it doesn't make sense to maintain them on a specific schedule. So if you think of your car, for example, you don't go change the oil every three months. You change the oil every 3,000 or 5,000 miles, depending on what your car is. So if you drive your car 3,000 miles in one month, you should change your oil. If you drive 3,000 miles in six months, you go change your oil in six months. So that's what really that predictive maintenance and predictive analysis helps an organization do to be able to send crews to maintain the equipment when needed and not just send them on a specific periodic time when it may not be needed, and that could be a waste of resources. 

Nic Fillingham: Wow. So much to (laughter) unpack there. I so have so many questions. Walk us through the current set of risks that exist to the power grid, the utility grid and their respective supply chains. And if you could, I wonder if you could also help listeners sort of understand where some of those risks might be applicable outside of the power generation utility industry. What other industries, what other sort of categories of organizations out there, probably can benefit from understanding this risk category? 

Hafid Elabdellaoui: Yeah, sure. From a supply chain perspective, there are two or three different areas that are important to pay attention to. One is from a software perspective. So at the end of the day, understanding having an inventory of all the software that's being used inside any organization for that matter, utility or non-utility, is really important. And making sure that that vendor that you're working with is using the best practices from a development perspective and ensuring that you're keeping that software up-to-date and patched is really important. 

Hafid Elabdellaoui: Also, from a software perspective, organizations no longer develop code from scratch. There is a lot of open source that's being used. We even, at Microsoft, are using open-source code, and we encourage our customers to use them. It's good to have a good starting point and be able to shorten the amount of development that you're spending to deploy products. But you've got to make sure you use tools, for example, to scan for vulnerabilities, doing static analysis, doing dynamic analysis, on the code is very important. 

Hafid Elabdellaoui: From a hardware perspective, hardware can also be an attack vector from a supply chain perspective, although it's very, very hard. The two ways hardware is typically infiltrated from a supply chain perspective is either in transit, where it's being delivered - now, when that's happened, you have to have an insider. You have to be really quick. Because at the end of the day, you need to make whatever change you need to make to the hardware, whether from firmware perspective or hardware perspective. Because at the end of the day, if there are delays in the supply chain in the delivery, it may raise some flags, and you may be identified as perhaps there's something going on, and it may be investigated. 

Hafid Elabdellaoui: The other area is really on the floor, on the actual factory floor, to be able to either have an insider, either bribing them or threatening them, whatever the case may be, and infiltrating that process and put in hardware that has been modified to be able to put a backdoor in or be able to use it for destruction capabilities, whatever the case may be there as well. Now, you say, well, the hardware infiltration, from a supply perspective, is very hard. Why would someone want to do it? Well, if you have time on your hand - and typically, nation-states have time on their hand, both from a resource perspective as well as from a dollars perspective, and they also have capability to be able to bribe and threaten in some areas as well. But it's really - once that hardware is infiltrated, it's really hard to identify, and it's hard to remediate. So if you just infiltrate 3%, for example, of the products that are being produced, that's still large amounts and many factories, and it's very difficult for an organization to identify and remediate. 

Hafid Elabdellaoui: Now, this is applicable, again, as I mentioned earlier, in the utility industry as well as in many other areas like manufacturing, whether it's manufacturing of automobiles - and we've seen, for example, impact on the organization from a ransomware perspective. But certainly larger organizations in general that are using industrial IoT and IoT devices to be able to make sense of their data and be able to do predictive analysis as many areas where hardware is being introduced to existing infrastructure that really needs to be scrutinized and looked into in detail. 

Nic Fillingham: So it sounds like everything that you've sort of said about the risks to the power grid supply chain, the utility sort of network, are somewhat universal across multiple industries. 

Hafid Elabdellaoui: Absolutely, Nic. 

Nic Fillingham: Maybe - is there something that is very unique to the power grid... 

Hafid Elabdellaoui: Yeah. 

Nic Fillingham: ...Or to utilities out there that maybe separates them from other industries? Or is it simply just the potential for widespread chaos and disruption to society if the power grid goes down? Is that sort of why we talk about power grid supply chain and power grid attacks? Do we just sort of treat them differently because the potential impact is so high? Or are there a few things that are sort of very unique to that category? 

Hafid Elabdellaoui: Yeah, so there are a couple of things that are unique. One is, the utility industry in general has some similarities, if you will, to manufacturing or to energy in general, like oil, for example. When you think about an energy company or a manufacturing company, they make large capital investments upfront. Those large capital investments really - they amortize over a long period of time, sometimes 25, 30 years. So these are technologies that exist for long periods of time. So many organizations in the utility industry, manufacturing industry, may have products or equipment that has been there for 15, 20, 25 years. And in order to really advance and be able to compete, that means you have to introduce something new. And that something new is devices that can collect the data that give you the ability to ensure that you understand how to run your plant at a level that gives you the most benefit for your organization. 

Hafid Elabdellaoui: The reason I focus on the electric industry and electric industry specifically is because I feel like the electric industry is at the top of the critical infrastructure that's really important to national security and economic security in any country. So if you think about critical infrastructure in general just here in the U.S., it's made up of the electric industry, it's made up of the financial industry, it's made up of telecommunication industry and so on. But you go back, and you think about the last hurricane that went through Puerto Rico, and they did not have power for an extended period of time. I remember seeing a lady on the news who had money in the bank, but she could not use her card to be able to pull money to buy a bottle of water. So you could really see the impact that not having electricity can have on society. And that's why I really wanted to focus this article on really the electric security and making sure that we shore up security for that industry. 

Nic Fillingham: Hafid, what do we know or think we know about the types of threat actors that are targeting and sometimes being successful in breaching and impacting power grids or critical infrastructure and their motivations? 

Hafid Elabdellaoui: Yeah. 

Nic Fillingham: Like, we hear about nation-states - and obviously, a nation-state's motivation is going to be very different from a cybercriminal gang who are looking to extort and make money. But what do we know? And maybe without particularly focusing on a specific scenario, could you talk sort of broadly about who are these actors and what are they motivated by? 

Hafid Elabdellaoui: Unfortunately, for this industry, they see all types of actors. We see threat actors who are cybercriminals that are motivated by financial gains to steal intellectual property, to steal Social Security numbers, account numbers, et cetera. We also see potential for threat actors who like to cause destruction, whether they are foreign or domestic. And mostly, they're typically foreign - then they're likely to cause destruction because they don't like the country where you are doing the work. 

Hafid Elabdellaoui: But for the most part, the most sophisticated actors are typically nation-state actors. And I honestly believe that cyberwarfare is something that we've been in for some time, and the critical infrastructure is top-of-mind for nation-states to be able to infiltrate. So the electric industry sees the top adversaries from nation-state perspective who are looking to infiltrate the networks and at least establish some presence. We don't see - or we have not seen yet - any nation-states who are really getting into critical infrastructure - specifically the electric industry - and trying to cause any damage immediately. But what we see is really a lot of espionage, a lot of reconnaissance. And a lot of the thinking is really, are they collecting data? Are they trying to establish presence just in case it is needed, where conventional warfare perhaps starts, and it starts including cyberwarfare. So you deal with some of the most advanced adversaries from that perspective. 

Natalia Godyla: And let's start digging into the security strategy for utility. So when you're thinking about protecting the electrical industry, what are the steps that you would take to protect an organization? 

Hafid Elabdellaoui: Yes, so and a lot of this stuff are really - in a lot of ways are very similar to what other organizations and in any industry should be doing. And I'll highlight those are - they're going to be a little bit different. Starting with identity, identity is very important. We've seen for the past many years that threat actors go after identity. As a matter of fact, there was a data breach report that was released by Verizon a couple of years ago that indicated that 80% of the compromises start with a compromised identity. So ensuring that we use a multifactor authentication across the board for all users when they're accessing data, whether the data is in the cloud or on premises, is really important and cuts back the ability of threat actors to be able to use those credentials dramatically. And while we're speaking about identity, it's important to note that privileged identity, those administrators inside those environments are extremely important to protect. At the end of the day, when a threat actor infiltrates an end user's machine, for example, like mine and I don't have any administrative privileges inside Microsoft network, the first thing they want to do is to identify a way to escalate the privilege to an account that has access to important information. That important information may be, for example, sensitive data like customer data, employee data, intellectual property. And in many cases, really, the goal is to establish domain dominance, be able to get access to the main administrator and the project administrator because at the end of the day, once you have that access, then you're able to do whatever you want inside that network. So protecting privileged identity management using just-in-time access, using just-enough access, using multifactor authentication is extremely important. 
Using things like secure access workstation, known also as privileged access workstation, which we use here at Microsoft for all our administrators, is really important. I'm not sure if many folks know that, you know, for our administrators, they have two workstations. They have one just like the one I have that they use for access and emails, SharePoint, OneDrive and so on. But they have a separate workstation that is locked down. So USB drives are not open. There is no Office products. You have no email. You have no SharePoint. And there are many restrictions on the device to make sure that at the end of the day when the end user is using it, is as baseline as it gets. And we take out any - you know, can't take out all the risk, but we take out as much risk from that device being compromised before the end user is able to execute any privileged access. Some of the common things - you know, user whitelisting. So especially for internet-connected devices, maybe internet-connected servers - you can't use whitelists on all internet-connected devices but at least whitelisting on servers that are connected to the internet, making sure that all your systems are patched, especially the security patches, on an ongoing basis and using things like network segmentation. We have to get away from having a very flat network. We use flat networks for many years for good reason, and that is to allow our systems to be able to talk to each other, servers to communicate, workstations communicate, servers and so on. But we have to get to a point where we're segmenting our network based on critical business applications or critical systems that are needed. So now focus in on the utility, really important to ensure, for example, that all the generation plants run on a separate network that is totally a different security zone than the corporate network environment. 
So what we typically see in the energy industry and the electric industry is that a generation plant will be on a different network with a totally different Active Directory domain. All the work that needs to be done on that network uses a totally different ID and so on. You typically don't have a test environment for your power grid. You just have a power grid. So if you are looking at bringing in new technology, and you're looking at bringing technology, for example, like, sensors to measure the amount of ice that is on a transmission line or how much the transmission line is sagging before something bad can happen, you typically don't have an environment in which you can test a lot of these. And there are so many different sensors that are being used. You typically want to be able to put that and test it on the production environment. So really important for a cybersecurity organization to take those sensors and really do some incredible penetration testing on them, take them apart if they have to, to make sure that they're clean, and they're doing just the job that they're supposed to do AND nothing more. 

Nic Fillingham: So it sounds like, Hafid, that the core principles of zero trust really apply here, you know, almost one to one. But I did notice that you didn't say the word zero trust. So I sort of wanted to maybe touch on that a little bit. Am I correct? Is the strategy that you're talking through here - is it zero trust, or is it something a little different or something more because of the needs of utility companies and the needs of critical power infrastructure? 

Hafid Elabdellaoui: You know, you took everything I said and you summed it up very nicely into zero trust. 

Nic Fillingham: (Laughter). 

Hafid Elabdellaoui: And that is absolutely zero-trust architecture. And I am glad you said that. When I talk to customers, it's really important to cover zero trust from an architectural perspective across the board. Zero trust is - architecture is applied to identity and device, and I talk about what we do from an identity perspective. From a device perspective, I also talk about the use of secure access workstation. There is certainly more that we do from a zero-trust perspective using conditional access with Azure Active Directory of Microsoft. That is all the telemetry that comes in with identity and device to make sure the device is healthy. It's not compromised before we allow access. But certainly, just-in-time access, just-enough access on the infrastructure perspective, ensuring that the data is identified and classified properly based on how sensitive it is and it is being protected. And from a network perspective, having that network segmentation is really important, both in the corporate data center to identify east-west traffic, to identify what the threat actor is doing inside your network, but also ensuring that your most important infrastructure is isolated from your typical corporate environment that most users are going to be. So zero-trust principles is absolutely the summation of what I had discussed, plus a couple of components here and there from that perspective. 

Natalia Godyla: As you said earlier, IT and OT are more recently connected. And prior to this, the OT industry had just a different level of security because it was isolated from the business. Is there any particular challenge to rapidly applying these modern security strategies in the utilities industry? It seems like a lot of change in a short period of time. I could imagine that there might be challenges with communication, with trying to push a lot of these changes rapidly. 

Hafid Elabdellaoui: Another excellent question. Yes, there are definitely quite a bit of challenges. And I'll talk about a couple. There is a challenge from the perspective of the goals and objectives of an OT area versus a cybersecurity organization in an IT environment. For a chief information security officer, chief risk officer, CIO or whomever they may be, their goal at the end of day is to ensure that the business meets its goals and objectives by ensuring the protection of digital assets across the board. It's really important to highlight, even from an IT and a security perspective, that safety is important. 

Hafid Elabdellaoui: But it's also important to highlight that a cybersecurity threat can be a threat to safety if not taken care of properly. We've seen, for example, several years ago, that there was a steel mill in Germany that was infiltrated by cyberthreat actors, and the heat was turned up dramatically that it ended up blowing up. That could have caused many safety issues. So really important for IT and OT to come together, from a goals and objectives perspective, and start to learn about each other's environment and start to appreciate the challenges that each environment has and begin to work on some common goals. 

Hafid Elabdellaoui: So from an OT perspective, some of these environments have existed for many, many years, so we're introducing new technologies and new devices a little bit here and a little bit there to really make them smarter in order to get the most out of them, if you will. So in IT, we've done a really good job for many years to do things like whitelisting and having AV and next generation AV and EDR and so on to be able to identify threats and be able to respond to them quickly. But you think, for example, about an industrial IoT device that exists in a plant or exists on a grid. Well, the footprint on that device is minute, there's no way you can put some of these technologies on there to be able to protect them. 

Hafid Elabdellaoui: Now, there are other different technologies that - you know, for example, Microsoft has with Azure Defender for IoT. And the name doesn't do it a lot of justice, in my opinion, because it provides threat protection for IoT and OT networks. So we really have to learn more about our environment and make sure we have common goals and objectives in order to really, at the end of day, make sure we protect those assets, protect the employees, and make sure that the company is able to meet its goals and objectives. 

Natalia Godyla: Out of curiosity, how does physical safety fit into the role of a CISO at a utilities company? Or does it? 

Hafid Elabdellaoui: Yeah. So one of the things we've had and we continue to have, at least in the U.S. - really good culture from a safety perspective. When I worked in the electric industry, we did not start a meeting, no matter what kind of meeting it was, whether it was IT, security - without talking about safety. We always spent at least five minutes talking about safety. So managers were required to talk about safety regardless of what area you were in. So safety was top-of-mind for all of us. Because at the end of the day, making sure that we protect those employees are in the field dealing with voltage that is so high, that can really, unfortunately, kill somebody immediately, is something that we need to be reminded of on a daily basis and we need to make sure to keep in mind to ensure that whatever software we develop, whatever we deploy, that we take into account the safety of our employees in the field. 

Natalia Godyla: We spent a fair bit of time talking today about what a single utilities organization can do to prepare, protect themselves. What about the industry as a whole? How are utilities companies working together? How should they work together? 

Hafid Elabdellaoui: Yeah. So the electric industry, in my opinion, does an absolutely incredible job working together. And one of the reasons they're able to work together is, the electric industry, at the end of the day, is a monopoly. And it's being regulated by both the federal and the state government. And generally, there is not a lot of restrictions from an information-sharing perspective. So the electric industry has done a really good job sharing information across the board, both from an operational perspective as well as security perspective. 

Hafid Elabdellaoui: The electric industry has some of the most robust practices, in my opinion, related to sharing cybersecurity threats across the board. There are organizations that are established through - FERC and NERC, for example, like the electric ISAC, where information is readily shared. But there is also a lot of collaboration between the Department of Homeland Security, the FBI and other agencies with the electric industry, where there are programs - and the Department of Energy as well - where there are programs that are built specifically for the electric industry to share information and share threat intelligence in near real time to be able to protect what is really critical to protect in the United States. 

Nic Fillingham: So you've talked about the elements of zero trust are very much applicable here. And we talked about network segmentation and that sort of being a very important part of security architecture for power grids. I wondered a bit more perhaps pointedly in your work meeting with folks that are in the utility industry, is there one or two things that you think should be prioritized? Are there some sort of practices that are still hanging around that you really want to see security professionals in this space prioritize? Is anything sort of coming to mind here of, like, hey, if you're listening to this podcast - you're in the utility industry - here is the one thing that I really want you to try and prioritize because it's adding sort of an unnecessary amount of risk? 

Hafid Elabdellaoui: So the first one - and I've always felt passionate about it - and that is there is a lot of great technology that has been introduced to the electric industry in the form of some of the sensors that I've talked about earlier, in form of new technology that is going to provide advantages to the electric industry and therefore to the customers to make sure we have reliable infrastructure to be able to deliver electricity 24-by-7 to everyone who needs it. I believe that the electric industry, the regulators and the suppliers really need to come together to ensure that we're doing all the right things from the standpoint of applying best practices across the board. And what I mean by that is that we see that in many instances where suppliers, for example, are really putting out products that are absolutely phenomenal from a functionality perspective, but they may not necessarily have all the security features that are needed in order to protect those systems from being infiltrated and, in return, infiltrate the networks of the electric industry. So really important as an industry to push on suppliers to provide security within the products that they're developing, whether they're software or hardware, especially the hardware ones just because you can find sensors and hardware appliances across all of the world in areas that are remote, for example - that if somebody were to walk up to them, you may not be able to see them. So you think, for example, of the solar farms and the wind farms that exist in remote areas - we need to make sure we build security into those products so that when they are put in place, we know when they are tampered with and be able to detect any threats and be able to respond to them as quickly as possible. And frankly, the second thing is, really, I'd say - and it may sound cliche, but it's really the cyber hygiene at the end of the day. 
It's really multifactor authentication, whitelists and patch and segmentation. And I said all of these multiple times, and I can't say it enough. Really important to continue to do those things and, if you're not doing them, to really begin implementing them as quickly as possible. That should be No. 1 priority for every organization. 

Nic Fillingham: It is the principles of zero trust. A lot of the time, it comes back to all of this sort of bread and butter, meat and potatoes security. But I think in some ways, that's actually a really good thing. It means that if you are a security professional, your go-do list is pretty consistent no matter sort of where you are and what company you work for or what organization you're a part of. So I actually take some comfort in hearing that. But I also think like, uh-oh, if basic security hygiene and the principles of zero trust are top of mind for everyone, like, we've got to do more to actually help folks get that implemented. 

Hafid Elabdellaoui: Yeah. 

Nic Fillingham: So when you were working at your utility before, did you ever go through tabletop exercises or wargame exercises where the - like, I think it might have been "Die Hard 4" or "Die Hard 5" where they take down the power grid, and they have this, like, awesome aerial shot of - I don't know - Chicago or New York or something. And there's the, like, overly dramatic, that (imitating electricity powering down), you know? As everything's shutting down, you see the lights go out across the entire city. I want to know. Was that ever a real scenario that actually got discussed and played through in a real power utility, or is that just Hollywood? 

Hafid Elabdellaoui: So I think that NERC does a really good job in assembling electric utilities and conducting exercises every couple of years. I can't remember what the name for that exercise is, but I'll figure it out, hopefully, before we're done and tell you what it is. 

Nic Fillingham: It's called the "Die Hard 5" exercise. 
Nic Fillingham: No, it's called the Bruce Willis (laughter). 

Hafid Elabdellaoui: No, it's not. But those are things that are really important to practice, to wargame. And they put the electric industry through a number of exercises, where you'll have both physical and cyberattacks going on at the same time, which is what you would expect, for example, during cyberwarfare - right? - if you combine it with physical warfare - and really be able to react in a fashion and start to build that muscle through the exercise on how you would respond to those threats. Those threats are taken extremely seriously. So we've seen, for example, attacks against the Metcalf station on the West Coast, where it was shot at with high-caliber guns for the purpose of shutting it down. Fortunately, the equipment had a fail-safe where the substation did not blow up and did not cause any large damage. So those are really important scenarios and scenarios that could potentially happen. Hopefully, they never happen. We have to get ready for them. So not a silly question. I think it's a fantastic question. 

Natalia Godyla: So thank you, Hafid, for joining us on the podcast. And we definitely hope to have you join us again, maybe to talk about the new blog that you produce. 

Hafid Elabdellaoui: All right. Thank you. Have a great day. 

Natalia Godyla: Well, we had a great time unlocking insights into security, from research to artificial intelligence. Keep an eye out for our next episode. 

Nic Fillingham: And don't forget to tweet us @msftsecurity or email us at with topics you'd like to hear on a future episode. Until then, stay safe. 

Natalia Godyla: Stay secure.