Brian Harrell, Vice President and Chief Security Officer of AVANGRID, speaks to SJA about how to fortify security in the sustainable energy sector.

Can you tell us about yourself and your current role at AVANGRID?

Currently, I’m the Vice President and Chief Security Officer at AVANGRID, a sustainable energy company.

I lead our cybersecurity, physical security, privacy, intelligence and resilience programs – most risks to the company are considered by my department.

Prior to my current role, I was the Assistant Secretary for Infrastructure Protection at the US Department of Homeland Security, but before that I spent my career mostly in the utility sector, including the generation, transmission and distribution of electric power.

What attracted you to working in the sustainable energy industry?

Before the sustainable energy industry, one of my previous roles was in the US Marine Corps and I was highly focused on anti-terrorism.

When I came out of that, I landed myself as the Facility Security Officer at an oil refinery.

I quickly realized the criticality and significance of the energy sector and I’ve been here ever since.

I’ve worked for an oil company, power grid regulator and multiple utility companies and I have not seen the threat environment as sophisticated, hostile and as aggressive as it is today.

China, Russia, Iran and North Korea continue to focus their attention on the energy sector.

We’ve also seen domestic groups that continue to fantasize about shooting substations or sabotaging wind farms or solar plants.

When you add drones, insider threat and securing our third-party supply chain, it means that there are no boring days here in the sustainable energy sector.

What we do, day in and day out, has a real impact on the business, our employees and our customers.

Critical infrastructure and sustainable energy is my passion.

I still get inspired and motivated by the mission of keeping critical systems secure, keeping our employees safe and ensuring the power grid is reliable.

What experiences from your previous roles are critical to your current one?

I’ve worked in law enforcement, in the military, as a regulator, and in the public and private sector – and here is what I know to be true.

The cavalry is not coming; we must have expertise in house.

Relationships must be built ahead of time and we must have the proper tools to recover, as well as a robust intelligence program to provide early warning of adversary tactics and intentions.

I’ve learned not to assume that the government is going to fly in and rid you of your malicious code or your ransomware.

The government plays an important information sharing role, but it will be your job to respond, recover and restore essential services.

I also know we must identify and protect the gaps. It’s the margins, where you’re not looking, that the enemy will try to exploit.

Therefore, exercising under blue sky conditions is essential to ensure that you know where those gaps are.

Those are really the two lessons I’ve learned over the last 25 years in my career what I’ve brought to this role.

How do you define your leadership philosophy?

I think it’s twofold: transparency and diversity of thought. I aim to keep the security and resilience office fully informed.

They should understand the ‘why’ behind decision making.

We also abide by a five-year strategic roadmap that we’ve all agreed to. As a general rule, nearly all of our investments are driven by active intelligence.

That’s important with respect to diversity of thought, as before we initiate a project, I want to hear from the ‘naysayers’ and those who might disagree, so that we can improve and refine our approach.

This helps with buy-in and frankly, makes our position that much stronger. These are the two big leadership philosophies that I try to administer every day.

How do you form your five-year roadmap?

A strategic roadmap is something that we hold ourselves accountable to.

In the sustainable energy and security industry, it’s very easy to chase shiny objects and distractions.

However, the strategic roadmap, in my estimation, keeps us grounded.

It showcases where we think the threats and the vulnerabilities are and it drives our mitigation strategy and investments.

As we built this, I brought all of my directors together and we collectively talked about adversary tactics and the future threat landscape.

We’ve tried to “anticipate” what we think the future of cybersecurity, physical security and resilience looks like for the sustainable energy sector.

We use the “A” word a lot: anticipate.

Where do we think the enemy is going next? In the roadmap document, we try to forecast where we think bad actors and nation state adversaries are going to try and exploit in the future.

How do you account for something you haven’t anticipated?

Active intelligence drives all of our investments and so it drives our strategic roadmap.

However, every security program needs to be flexible.

New tactics, techniques and procedures that adversaries use are arising every single day.

We need to make sure that the program we build is flexible and fluid enough to adapt and we also need to put subject matter expertise on any problem that materializes.

At the end of the day, it’s about not being so rigid that you become stuck and can’t pivot when you need to.

You’re on a number of Advisory Boards – why is this important to you?

These boards offer visibility and exposure to others in the national security space.

We don’t have a monopoly on good ideas and we want to see what other industries and companies are doing that might add real value to the day job.

I don’t want to reinvent the wheel, but if I can use what others have been using to add value and bring success to my organization, then it’s something we should try to replicate.

It’s best to learn about other great programs and understand what others are doing as we embrace collective defense, which is something we’re really trying to advance and contribute to.

Collective defense is the idea that what impacts you might also impact me. And what impacts me might also impact the federal government.

We need to reshape our thinking to be able to embrace collective defense and a “we’re all in this together” mindset.

We have to work with each other to keep our adversaries at bay and mitigate threats.

Whether it’s the government, private sector, academia or other critical infrastructure sectors, we can all get better at the same time.

What are some of the main challenges and considerations you face in the sustainable energy industry?

It’s an exciting time to be in renewable and sustainable energy. We’re seeing dramatic growth and investments in wind and solar.

The energy transition includes a digital transformation as well.

As we embrace the internet of things (IoT), AI, smart sensors and metering, we are also potentially introducing new “avenues of approach” for our enemies.

This is why the resilience of systems is so important. I operate with the understanding that it’s not if we are attacked, it’s when we are attacked.

As such, adding redundancy and removing single points of failure is just as important as threat reduction.

Another key consideration and challenge for the sustainable energy sector is understanding and better securing the supply chain.

In many of the technology components that industry has, regardless of sector, when you go three and four layers down and supply chain, it quickly becomes very fragile, very fast.

Having robust assessment procedures during the procurement process is becoming increasingly important in sustainable energy.

This has been a major investment area for us over the last couple of years and that helps us to understand and minimize risks in a vulnerable supply chain.

How will your role evolve in the future?

The role of the CSO has changed dramatically over the years.

The threat landscape is becoming more violent and very sophisticated digitally.

It requires robust intelligence, coordination with federal partners and complete buy-in from the Board of Directors.

Sometimes, CSO also stands for “chief storytelling officer” as well.

We must have the ability to take very technical topics and break them down for non-security executives to consume and understand.

Additionally, we cannot be the “department of NO”. We serve the business, the business does not serve us, so being a business enabler is critically important.

What are your parting thoughts?

IT, operational technology (OT) and physical security convergence is here to stay.

If you’re still operating in old silos where cyber reports to the CIO and physical security reports to operations, then you are not seeing the entire threat picture and you’re likely introducing risk.

The threat landscape is too blended and bad actors are moving too quickly to operate under the old model from 2010.

We need to truly embrace IT, OT and physical security convergence for a more secure future.

This article was originally published in the June edition of Security Journal Americas. To read your FREE digital edition, click here.