Mara takes a holistic approach to risk management, considering both physical and cyber threats. In the latest episode of WE’RE IN!, she cautions against focusing too much on the "flashy object of the day" and describes why she imbues diversity in risk management for the best outcomes.
A first-of-its-kind 2016 cyberattack on Ukraine’s power grid was a wake-up call for countries around the world to shore up protection of vulnerable energy resources. Mara Winn, Deputy Director for Preparedness, Policy, and Risk Analysis at the Department of Energy's Office of Cybersecurity, Energy Security, and Emergency Response (CESER), is in charge of acting on just that. From securing electric vehicles to safeguarding electric substations, Mara and her team help to ensure the resilience of the energy sector against cyber, physical and climate-based disruptions.
Mara takes a holistic approach to risk management, considering both physical and cyber threats. In the latest episode of WE’RE IN!, she cautions against focusing too much on the "flashy object of the day" and describes why she imbues diversity in risk management for the best outcomes.
Listen to hear more about:
Blake: Thanks so much for joining me on the podcast, Mara. It's great to have you.
[00:00:03] Mara: Thanks for having me. It's, uh, exciting topics to talk about.
[00:00:06] Blake: Lots to talk about. And so you're Deputy Director for Preparedness, Policy, and Risk Analysis at the Energy Department's Office of Cybersecurity, Energy Security, and Emergency Response, otherwise known as CSER. So I'd like to hear more about what your work entails. But first off, for listeners who may not be familiar with CSER and what it does, what can you tell me about the office and its mission?
[00:00:29] Mara: Sure. Um, besides that title, I swear, being the longest on record. Um, it's a very long name when you say it, everything. And as you said, we do call ourselves CSER. It's much easier, in that way. But really, CSER's mission is to, focus on the energy sector and make sure that it is secure and resilient from cyber, physical, climate based disruptions.
[00:00:52] You name it, we're an all hazard shop, and we look, from cradle to grave, so CSER is looking at what are the actual risks. is threat, vulnerability, consequence, right? So we need to work with the intelligence community and understand what threats are out there. We work with all of our federal partners and private sector partners to understand the vulnerabilities.
[00:01:11] And we work with our private sector partners who actually own and operate that infrastructure to understand the consequences. And this allows us to really think through How do we work and prepare as a nation for that secure energy infrastructure? We then, if we are finding that we don't have the right tools and mitigations, CSER also does research and development and deployment activities.
[00:01:35] So we can partner with private sector, universities, national labs to try and get the right solutions out there. We know that it's not easy, um, fixing the problems in this space, and so you need as many great minds as possible. But at the end of the day, you also need training and workforce development.
[00:01:52] These are hard problems. We want to make sure those who are hands on keyboard, physically on site at our, uh, utilities, are the ones, are prepared, um, and know the latest, uh, to be able to react. And then finally, when the bad day happens, we're the response organization too. When the hurricane comes through, we do the federal government coordination.
[00:02:11] When the cyber attack happens, we're doing reach back and support to make sure that we're able to repair and restore the infrastructure and, and get recovery back in place.
[00:02:22] Blake: It's interesting that you joined CSER as I understand that you spent part of your career with another kind of security focused agency and dealing with a lot of these issues at the Cyber Security and Infrastructure Security Agency or CISA. What can you tell me about the different cultures at CSER and at CISA? I guess both agencies are relative newcomers to the federal space. So how would you compare your experiences there?
[00:02:46] Mara: Sure. Well, I, I do think here while CSER itself as an organization is relatively new, the mission space has been around for a while in the department. Under various other office and organizational structures, but, but really, I think DOE elevated it to its own office recognizing the importance of the work.
[00:03:04] And where CSER really looks across all 16 critical infrastructure sectors, and tries to, to think of that more cross functional, holistic approach, as well as their, sectors that they're the sector risk management agency for. You know, we in CSER are diving in deep into the energy sector. And I have to say it's a lot of fun, right, because in this energy sector, and I know you, you've spent time, working and, and looking into the sector, you're the underpinning of the nation.
[00:03:29] We like to think that the rest of the nation can't function without us, and which gives, um, a sense of gravitas, a reason to be connected and for the importance of making sure that, that we're safe and secure. And it also brings together all of our private sector partners as well because they also appreciate it.
[00:03:44] So you get a lot of fantastic commitment and focus in on the work here in CSER and it allows you to, to get a little more targeted direction as well, which is, which is pretty great for me.
[00:03:55] Blake: As you were alluding to there, Mara, I, um, used to cover the energy space quite closely , in my role as a reporter and later editor at a publication called E& E News. And I always used to joke, even covering it from an objective standpoint or whatever, I always had a pro energy bias in the sense that when I turn on the lights, I kind of want them to work.
[00:04:13] And, being a digital only outfit back then, it was a little bit important. And I guess that kind of maybe flicks at my next question of cyber workforce challenges. These can kind of persist in the, in the, in the private and public sectors of attracting talent. And it can be sometimes especially challenging for government agencies to recruit the really top tier cyber talent.
[00:04:32] How do you navigate that at Caesar? And how have some of the recent moves, I guess, by the White House or other groups impacted that ability to attract and retain talent?
[00:04:41] It
[00:04:42] Mara: is hard because everyone is in need of these skills. But I do believe that we have a special, a special sauce here in the energy sector in that, we are transitioning, at a record pace. And we're able to, to hook into a lot of that entrepreneurial spirit in the distributed energy resources to get people in and focused in on the energy sector.
[00:05:08] But it's still hard, right? I mean, most of our sector utilities, especially our small ones, 3, 000 different utilities across the country. And a lot of those are really small. Rural co ops and municipal governments, and it's hard to attract the right talent there. But one thing that we do know is that, we can try and entice people who have the skill set already, but we can also upskill those who are there.
[00:05:37] And that's one of the things that, that we focus in on in the department. I have a couple of programs that we look at, we have Cyber Force, which is where we get the excitement in the, collegiate space, to be able to, engage with, with those who are in process of their education and, and I use that term pretty widely because, the last Cyber Force, I think we had people there from Universities, colleges, community colleges represented, and people from all walks of life.
[00:06:03] And so those are our next generation and getting them engaged in the energy sector work, is to show them how fun and exciting it really is. You're solving real world problems. These are real on the ground issues. It's not some fictitious, uh, place somewhere else. And also defending is hard. Right, so you talk about some of the offensive side of cyber, and that's exciting, but there you get to plan it out here, you don't know when that attack is going to come, so you have to always be on the ready, and for a lot of people that's an exciting space to be because they have to make sure they're always on their game, they're always thinking ahead of the adversary, but for those that are already in a utility, we have programs such as CyberStrike, um, and OT Defenders, and they are the ones who are, training those who are already in and embedded in the organization.
[00:06:51] CyberStrike, has educated more than 1, 500 individuals, both domestically and internationally. I, I say Caesar's superpower. is that when we build something for our domestic market, it is so good that all of a sudden we get asked to use it internationally to all of our allies and partners and CyberStrike is a great example of that.
[00:07:11] So it really started in 2016 with the people who are actually on the ground in Ukraine when Ukraine was first having its attacks. And the team of people who were on the ground from the U. S., bringing that knowledge back to the U. S. and saying, okay, this is how Ukraine was attacked. How do we teach people how to defend ourselves?
[00:07:29] And it's grown, right? Because a lot has changed since 2015, 2016. And so now we have new components like StormCloud that looks at DERs, making sure that we're staying relevant to, to the real utilities today. And then also looking at OT defenders. We do a lot in the IT space. That's pretty well known and, and has lots of training and skills.
[00:07:49] Um, The OT side is a lot harder, right? It's not as nuanced, it's not, or it's more nuanced, it's not as regular. And so, looking at those who are mid level in OT space to train them on cyber, help them understand the federal government side, connect them in with our national lab experts, and most importantly, create a community for them.
[00:08:09] Right? These are the people when you're having those hard days, when you have something that's suspicious, you want to call up a peer who understands where life is. Where you're trying to defend against what that particular thing that doesn't really feel right is going on and can talk you through it.
[00:08:23] And so, while we do the education and training, really that benefit is that Lifelong networking commitment, um, because that's really also creating that whole of government, whole of nation benefit. We are always learning. We, we can't stop learning. The adversary doesn't sit down and say, okay, I'm done learning for the day.
[00:08:40] So we have to always be in that space as well.
[00:08:43] Blake: Yeah, that operational technology focus is so important. And I'm glad you mentioned the on the ground trip, all the way back now in 2016. For listeners who may not be familiar with that episode, Ukraine suffered really the first of its kind grid 2015 that actually, it was later traced to Russia, but actually had the effect of cutting off power in the dead of winter to several, I believe, several hundred thousand residents in, Western Ukraine, which was, truly kind of a shot across the bow for others.
[00:09:09] And so, as I recall, the U. S. sent quite a big contingent to learn from that and make sure that, you know, as much as we can repair as possible over here. That, that doesn't happen. And it sounds like with the names you've got going, cyber strike, cyber force, I feel ready. I feel good Like that,
[00:09:24] You can come join
[00:09:26] Right, right. Well, um, on the flip side, the, you know, Bloomberg did report that power, that attacks on the U. S. power grid did recently hit an all time high, I guess, in, in 2022. What did we see in 2023? And I guess, what do you think that this year will have in store for us on the, on the risk front?
[00:09:42] It is a
[00:09:43] Mara: concern, right? Those that want to affect our way of life understand the importance of the energy right? It is in your face. As you said, you like flipping the switch and having the lights go on. You like showing up and being able to put gas in your vehicle. If you have a gas powered vehicle, you like making sure there's natural gas coming to your house.
[00:10:02] If you heat your home with natural gas, those are important things. And so it does provide a big target. But I also think we are, one of the most cognizant sectors to protect ourselves as well. There's a great community amongst all of the sectors whether, you know, and across all of the energy sector, whether you're talking electricity, oil, natural gas, DERs, and all the other components that make it up.
[00:10:27] With an understanding of the importance of their work on our nation, right? And so yes, there's an increase, especially in the, the physical attacks, and we're always doing our due diligence to make sure we're resilient. One of the things that we do have is that a lot of resilience, is built into the system already.
[00:10:44] So making sure that, that that is in place, that we're following our standards, but also, Leveraging what are those learnings to get ahead of the game. How do we partner better with local law enforcement so that they understand how a utility works, so if they're an investigator or taking action, that they're knowledgeable.
[00:11:00] We actually, uh, worked with the interagency to create a placemat, a how to as a first responder. What are those things that are sticking up there? What's important, what's not? To make sure that we do take that whole of government approach to, to help. And then really, I mean, you have the cyber side, which continues to increase.
[00:11:16] We have seen all of the messaging on Volt Typhoon with China embedding itself in our infrastructure, across all of critical infrastructure, and it's, it's really concerning, but companies also have ransomware on a day to day basis that they're concerned with, and we can't discount Russia. In the latest annual threat assessment by the intelligence community that was, uh, published last month, it once again, uh, Reminds us to focus in on, on those nation state adversaries.
[00:11:45] And that's a concern that we need to be prepared for as well.
[00:11:48] Blake: You just listed an eye opening bevy of various threats. Which one do you think is the single greatest threat to US critical infrastructure? And I guess we can open that up widely. It doesn't have to be cyber. Uh, you know, what do you think is really the biggest risk?
[00:12:03] Mara: I think the biggest risk is getting stagnant in our resilient measures. , so I think when you, when you really look at risk comprehensively and, and I would, be amiss to not mention things like wildfires and the climate change issues that are happening across the board. You can no longer just plan that, oh, I don't live in a wildfire territory nowadays.
[00:12:23] We see them in Texas. We see them in Quebec. We saw them in Hawaii and it was devastating. And so really it's thinking about that resilience and, and what are the, we call them the crown jewels. What are those things, um, within the system that keep the main structure up and running and how do you protect them?
[00:12:40] Both from a climate change perspective as well as a physical perspective and then a cyber perspective. One of the reasons why Ukraine came back up online is that they actually hadn't gone to a more logic based computer system. They had people physically on site and just went and flipped a switch, right?
[00:12:55] That's not the way our infrastructure works. And that's great for so many reasons. It gives us a lot of flexibility, it allows us to be, very agile, but that means we also have to plan our resilience, uh, into the same light, and honestly, it's also that understanding a cyber attack also be mitigated through physical means, right?
[00:13:14] If someone doesn't have access, if you're doing your proper insider threat, you're watching your maintenance. So those are all ways that cyber comes in to play. So really thinking holistically, I think is most important.
[00:13:27] I'm
[00:13:27] Blake: reminded of Andy Bachman, long time contributor through the National Lab Network there of the cyber, what was it, his philosophy of consequence driven cyber informed engineering, right, of keeping that cCE
[00:13:41] we have a whole CCE program definitely.
[00:13:43] yeah, keeping that kind of physical backstop, right, in case, if all goes haywire on the cyber side, you're still not going to get to the crown jewels because there's the, the final valve to pull or whatever, the final, flip to switch, switch to flip.
[00:13:56] Whichever. I, I guess on the flip side of that previous question, what's a risk or a threat that you feel like receives kind of a disproportionate amount of attention? Obviously with the caveat that this is your, your personal view here, and not necessarily that of Caesar.
[00:14:10] Mara: without a doubt a personal view. Um, you know I, I have been contemplating this and think that it is the flashy object of the day, right? So people are going to direct their attention like, oh my gosh, company X from China is our concern, right? Particular component over here is the problem child.
[00:14:32] And that gets a lot of attention because people feel like it's tangible, I can do something about because I can point the arrow at this, right? And then the reality of the space that we live in. None of that is accurate, right? An adversary will just move on to the next one, right? Our adversaries are not paying as much attention to an individual component or entity.
[00:14:54] They want to know what's most popular, right? What are, and you know what? If you all switch to a different one, that's now the most popular one that they'll do their research on. And so making sure that bright, shiny object interest is, is not detracting from the true systematic, that CCE. Um, also we have Cyber informed engineering, where I know when I went to school as an engineer, we did not talk about cyber.
[00:15:17] I'm sure many of our power systems engineers out there and electrical engineers and computer engineers did not, maybe the computer, but did not talk about cyber in the same space
[00:15:28] the engineers did talk about cyber either. For the
[00:15:30] Right! But like, they, you know, We need to be talking about cyber because if an engineer understands how a cyber attack can happen, then they can plan that they're designed to have the proctor protocols in place. If the physics doesn't allow it to happen, then it can't be a vulnerability to allow an attack. And so I think that that's a really important, core attribute to be taking instead of the bright shiny object and pointing at this particular component or this particular company.
[00:16:01] You
[00:16:01] Blake: say bright, shiny object, and all I can think about is AI and AI chatbots and generative AI and how, you know, that's the next big threat on the, looming on the horizon or whatnot. And I'm like, is it, is it, I don't know. We'll find out,
[00:16:12] It's already here.
[00:16:13] It's that's true. And, and I know, you know, DOE and, uh, you know, various federal agencies have been using AI for quite some time. Now speaking of that though, I, you know, I have heard that there's somewhat of a, can be somewhat of like a startup mentality. I know you mentioned the mission's been around for a little while, but you know, Caesars, maybe not the, the, the largest agency on the block so what, what can you tell me about the, the culture at, at Caesar and what it's like working there?
[00:16:37] I, I
[00:16:37] Mara: do think we are, we are small but mighty. Um, without a doubt, CSER is not the largest office in, in the department. And we are really focused on making sure we get stuff done right, right? That's what, that's what I really do appreciate about this team, is we're focused on The mission, we're focused on building things as a team.
[00:16:56] I think risk management as a whole, and that's really what CSER does, is risk management, teaches you that the more diverse perspectives you have, the more diverse experiences you bring to the table, um, the better your solutions are going to be. Right? And I think when you keep that mindset in place, it, it holds together a team that appreciates and respects each other and has a single focused objective of what we need to do to take care of the nation and the energy infrastructure.
[00:17:24] And that's probably the best thing about CSER, right? And that's one of the things that, that works really well for being a particular sector is we can really hone in on that. That we're driving towards it. I always say at the end of the day, when CSER is done doing its work, when I'm done doing my work, I actually have not achieved what I need to yet.
[00:17:42] It's when the sector actually goes and puts those, uh, mitigations into practice, when they're making better, more fulsome decisions, at the end of the day, that's when our job, um, is done.
[00:17:53] And
[00:17:53] Blake: speaking of diverse backgrounds, you've had, you mentioned your own engineering background, you've had experience in nuclear areas you know, CISA, how did you come to join Caesar and be focused on these risk issues?
[00:18:05] Mara: Yeah, uh, you didn't even throw in medical device product development into that. Um,
[00:18:10] development. There go.
[00:18:12] Um, so it's one of those things where I think you just see what interests you and where the path leads. But to your point about culture, it's also being around people I want to work with. Right? I can work on lots of different problems.
[00:18:26] I've done immigration, I set up family reunification task force, you know, done stuff at TSA and innovative transportation security, and every time I'm reminded of the people I'm with. Right? And in CSER, I have this team with me, the team of CSER who I get to work with on a day to day basis, but also that industry partnership.
[00:18:45] There's just a strong collaboration and, and feeling like you can achieve a goal in that, and that's really what I've always looked for in the positions that I've taken is, is am I doing something bigger than just me? Um, and I contributing to something much bigger than me and doing so in a way that is providing a greater value to, um, to the world.
[00:19:05] And so when that opportunity presents itself, you kind of just go through the door. Yeah.
[00:19:11] you
[00:19:12] Blake: flicked at this a little bit earlier, but talking about DERs, or distributed energy resources, and, and CSER's goals and what's coming around the bend, you know, the Department of Energy, writ large, has announced a whole bunch of funding opportunities for boosting the resilience of energy infrastructure, whether it's, cyber, physical, climate related threats.
[00:19:29] So, What are some of the security challenges associated with those, with those DERs, that wind, that solar, that, you know, not, not like one power plant in one location, kind of, kind of source of energy.
[00:19:41] Mara: Yeah, I think that that distributed, that word distributed is is key there, right? In our traditional mindset, you have one person that controls the entire natural gas plant that can ensure security is in place. With DERs, with virtual power plants, It's a lot of different people, right? And they have varying backgrounds, varying understanding of risk.
[00:20:02] And so with the community that is building in DERs, we're working with them to understand the opportunity that they have, right? We understand they have a lot of drivers, they're driving down cost, they're trying to have more and new products that perform better, but in order to have the longevity In those products, they need to build the security and resilience in early.
[00:20:23] That is the most cost effective way and the most, efficient way to achieve the goals we're, we're trying to have in our nation. The key challenge is helping those that are on the ground understand that importance, understand that, uh, honestly, financial calculation.
[00:20:38] Right? It does come down to business and we understand that, but if you are making business decisions without looking at the full risk picture, then you're not really making good business decisions. Right? And so it gets into the education of the investors, the entrepreneurs, the designers to make sure that they're talking about things like cybersecurity and their design reviews.
[00:20:58] Understanding they may only see themselves as a small entity. Oh, I only have a couple of these, but you're one entry point into the grid. And you might be small now, but what are you going to be later? If you achieve that vision that you have of whatever you're trying to do with your particular company or technology, then you're going to grow and, and let's design those security practices now for where you're going to be in the future, not where you are at the moment or where you were even a couple of years ago.
[00:21:23] Those are key, important attributes to, to take into account and, and this really fascinating, exciting opportunity we have to get in at the ground floor.
[00:21:32] It
[00:21:32] Blake: sounds like, are you sure you're not a sleeper agent for CISA and CSER there? you're, you're, you're sounding a lot like a secure by design approach is what you're recommending here
[00:21:40] Yeah, I will, I will tell you CIE came out first,
[00:21:43] Okay.
[00:21:43] Secure by Design.
[00:21:45] Got got it, got it. All right. You were there first. Noted. the record, let the record show.
[00:21:50] So, on that note, you know, talking about some of these DERs, I'm not sure if electric vehicles technically qualify as a distributed energy resource. It's not really a resource so much as it is like a load on the grid, I guess. But, I understand that Caesars recently published, uh, a blog series on some of the research you all have been up to in the electric vehicle space, which I might have a slightly vested interest in this subject as an EV owner myself, uh, in DC here, but, what can you tell me about the findings there and some of the need for EV, uh, protections?
[00:22:19] Mara: Yeah, I mean, it's an exciting space. I am about to be an EV owner myself. So I also have a vested interest in, in this. With the, the charging stations. There is a lot of, um, computer engineering that goes into that and how it manipulates and leverages that battery charging is really important.
[00:22:37] And ensuring that there is a convenient, affordable, and reliable charge for the EV is there, but also that it's not susceptible. To hacking, that it's not susceptible to, all of the threats that, that we see. And, and it is for that individual charger, right? But it's also if you could envision a future state where you have batteries being charged at truck stops, right?
[00:23:01] EV trucks. they're not a thing of, of science fiction, they're, they're a reality, but that's a lot of draw. And we want to make sure that that draw is consistent, that it is planned, and that no one is manipulating that draw. But also, EVs provide a lot of potential resilience into the, into the grid.
[00:23:20] Yes, it's, it's a draw, but also, especially those truck batteries, that can be, uh, a mechanism to, You know, take care of your house in the future to, uh, kickstart a black start capability. And those are important things to also take into account. The benefits and the reliability and the resilience that come with it.
[00:23:40] So, within the three years, 2022 to 2025, CSER will have invested over 8 million in several projects. Several research projects with the public and private partners to make sure that there's cyber security standards for the EV and EV supply equipment, right? If you don't tell people what they need to know, you're not setting them up for success.
[00:23:58] And that's really Caesar's role in all of this is, is making it easy for people to do the right thing.
[00:24:04] You
[00:24:04] Blake: mentioned blackstart capabilities. Don't, don't even get me started. I'm so interested in those rabbit holes of like what to do if the grid, if the whole grid goes down, how you kickstart it back up and things. Hydropower. Okay. That's the secret, the ace the
[00:24:16] need electricity to start.
[00:24:18] Oh, that's a good point. Right. Falling water, I guess.
[00:24:20] Huh? Okay. Well, there you go. See, Mara's got
[00:24:22] I mean, there's not hydropower everywhere, rely on it everywhere, but it's a great capability to keep in your back pocket.
[00:24:30] Well, there you go. And so speaking of some of these risks and thinking about them and addressing them with, uh, as I understand it, you know, Caesar has done quite a bit of work with the National Association of Regulatory Utility Commissioners or NARUC, and I know we've, we've covered a lot of acronyms here so far.
[00:24:45] So for, for listeners who might not know about NARUC or the first thing about the utility structure in the U. S., can you help unpack the significance of that collaboration?
[00:24:55] Yeah, so, the
[00:24:56] Mara: way, and I'll get a little wonky on you for a second, but the Federal Power Act, defines what are the federal responsibilities and what are the state responsibilities in our, in our energy system. And, at the bulk power, that's what sits at the federal level with, uh, like FERC, right, where you're worrying about bulk power.
[00:25:13] The distribution system is with the states, and each state has their own regulatory authority, and, and how they implement that. Most of the time for what are investor owned utilities or larger utilities, they are regulated by the Public Utility Commission in that state, and their trade organization is NARUC.
[00:25:32] And so one of the things that we're mindful of is across all of the states, many of them are, are trying to figure out how to put in cyber security, regulations into place at the distribution level. And we wanted to make sure in CSER that if that is under consideration, that we didn't have a patchwork of different requirements, right?
[00:25:54] That wouldn't actually be beneficial to us all. And so what CSER did is it brought together all of these different utilities and, representatives from different state level organizations and also federal government experts and said, okay, like, how do we partner together to create cyber baselines?
[00:26:13] So back to CISA. CISA had created some cyber baselines. This is the specific energy sector one. So we knew that the most important ones to hit right off the bat were distribution systems and distributed energy resources. Because there's not a lot there right now. Not that we won't hit the other sectors, but we're like, this is our biggest gap, we should address this first.
[00:26:34] And that's where we came together to try and say, okay, what are our cyber baselines? Whether you use them for regulatory or not, we just want to make sure everyone has a consistent set of messages of what good looks like. And that's why we came up with these. So you can download them, uh, you can take a load of them, you can be regulated, you can be unregulated, you can be an inquisitive developer, and you can look and say What are those cyber practices that I really need to be putting into place?
[00:27:00] We want a guidebook for you. We want, people to understand, you know, what to do so they can put it into their planning. And that's really what the Cyber Baselines work was created to do. More work to be done. There's implementation. We've got implementation plans to create. We've got bulk power. We've got ONG to tackle.
[00:27:18] but it was, uh, it was really important to get these out the door quickly. And also get the feedback from industry, from, from states, to make sure that, that they're reflective and delivering what's needed.
[00:27:29] So
[00:27:29] Blake: what's coming around the bend for Caesar? What's on your radar, whether from a research perspective, AI, next projects or exercises that you're hosting? What's, what's coming up?
[00:27:38] I, I think
[00:27:39] Mara: we are really digging into a lot of the, the Volt Typhoon work. Right? I think that is, is hard pressed to make sure that we are partnering with industry, to have that, that complete package, the prioritization of mitigations that they need to do. I mentioned that we have a lot of really small utilities across the U. S. that don't have a lot of resources. So we have our Rural Municipal Utility Cybersecurity Program that was part of the, the IIJA funding. We call it RMUC. It's got 250 million there to, um, uplift some of our smallest of the smalls, to make sure that they're capable and have the support and resources.
[00:28:18] And so making sure that they're poised to be responsive. We are looking at it through a five factor perspective. We are looking at risk, right? Like you have to understand what is actually your risk. You have to have visibility. What is actually happening on your system? We have several programs and we partner also with CISA and we partner with industry.
[00:28:42] To use all of their sensors for information sharing. So we know actually what's happening today and what do we need to see in tomorrow? It's much harder to understand the OT side and consolidate it. So what do we need to build and do and grow those? We also have hardening, right? This is where we're getting in and we're, we're putting mitigations into place in partnership with our utility partners, making sure that when vulnerabilities are known, we help educate industry about how to close them as quickly as possible. We do our training and workforce development. We've got a lot in the exercise space. CSAR has some of my favorite exercises with Liberty Eclipse, which was over on Plum Island right now.
[00:29:23] I'm DOD RADIX program. The DARPA RADIX program. And this allows companies to come in and actually physically experience a cyber attack, What does it physically do to shut down the power? And we set up our National Lab Red teams, right? The professional hackers to try and hack our utilities who are teamed up to fictitious utilities to try and defend it.
[00:29:50] And so really that live fire experience make sure that when they return back to their entities, and really it's not just those that participate, but we disseminate the information across the entire sector. We're all better to defend and, and harden ourselves. And then at the end of the day, um, we also have our, uh, response. The bad day will come. Do we have the resilience in place to, make sure that we can recover quickly? Do we have the procedures, the playbooks so we know who to call and how to be in place so any situation is minimized? And so we exercise those also regularly, but making sure that we have good response protocols in place.
[00:30:29] So that's really, I think, how Caesar is attacking, the, this problem across the board, because you can't just have a one stop solution. We've got a lot of cool RD& D activities going on, and then really partnering in to put it into implementation.
[00:30:44] Blake: You mentioned of the Liberty Eclipse exercise and some of the red teaming and pen testing activities. I'm sure you've just set gears turning in any SYNAC red team member listeners of this podcast because they certainly are always interested in finding the next cool project. And have you been out to Plum Island?
[00:30:59] This is like a remote, this is a remote, uh, isolated grid, super atmospheric little island off the coast of Long Island. It's just, it's, it's a bizarre place.
[00:31:10] It
[00:31:10] Mara: is, it is, but you can totally geek out when you're there. It is a lot of fun and, uh, and I also, for me, I'm not a hands on keyboard cyber expert, but I love watching all of those experts that we bring in, like truly the best of the best of industry. To see them learn and grow together. Like it is just absolutely fascinating.
[00:31:31] And also they get very downtrodden when the Red Team gets them. And all of a sudden you have the little, uh, you know, used car flyer man, with the wind blows up and he deflates. And it's very sad and then they like go back in, but it's a learning experience, right? Like, that's one of the things we have to know is that I would rather for us to find our faults so we can fix them.
[00:31:52] We can address them then for an adversary. you have to have that, that sense of vulnerability and authenticity in all of your work, um, to be able to, to always say, how is someone else doing? Going to attack me. How have I not thought creatively enough and what do I need to do to protect it?
[00:32:09] 'cause you just can't sit still.
[00:32:11] And you
[00:32:11] Blake: can always fall back on the old mantra as a defender that attackers only have to get it right once and defenders have to get it right time. Might be a slight oversimplification, but hey, if I just got, uh, if I just got popped there by the best red teamers out there, maybe I'd use that excuse as well.
[00:32:25] Mara, really appreciate all your insights into these really fascinating and, national security relevant issues. We do have one, uh, Last question we ask all of our guests on the We're In podcast, which is, you know, looking at your extensive and impressive LinkedIn profile, what's something we wouldn't know about you just by looking at that profile?
[00:32:43] So
[00:32:44] Mara: I think part of my passion for training that you hear in my voice, I, I love training. I love that engagement is because I'm a mom of two teenagers. And so it's in your face every day about, the importance of the efforts that we're doing, kids are watching you on your day to day basis.
[00:33:01] They're forming their world views. And being mindful of that, that impact we have on the world and even not just the greater world, but on an individual. And so that comes through training that comes through engagement. It comes through how I work with my team, my partners on a day to day basis. And so I think that passion has shaped my efforts. To promote workforce development internally, and throughout the energy sector.
[00:33:25] Blake: That's why we're doing it, right? I'm, I'm a new father myself. And so, yeah, I've got to keep that, keep that world secure and ready to go for the next generation. So, yeah. Thank you. Thank you.