Thanks, Ian. And I'm very happy to have here with me Tom Fanning. He's the CEO of Southern Company, which is one of the largest utility companies in the world. And he is also the chair of the ESCC, that's the Electricity Subsector Coordinating Council. Got it right. It's the main liaison between the federal government and the electric utility industry. So I know he has a lot of thoughts about the industry writ large. So let's get right to it. The US government just recently confirmed that a malicious cyber attack was what took out the power for some 225,000 people in Ukraine. And that appears to have been the first known successful cyber attack that took a power grid offline. So I think the question that we're all wondering here is, how much do you worry about that happening here to the US grid? And is the US prepared?

Yeah, that actually can take a lot of different angles. I'd rather not talk a lot about the specifics of the Ukraine, but rather talk about the implications to us. In order to do that, let me go through a little bit of background context, and then I'll dive right into what did that mean. In general, in fact, I was with General Michael Hayden last weekend, I would argue he would say the National Infrastructure Advisory Council has made a report to President Obama would say that arguably the electric sector, among the 16 sectors as identified as segments of commerce by the Department of Homeland Security, is arguably as well prepared as any other sector in United States commerce, finance right there also. We continually are challenged with cyber issues, and when you think about cyber, in my view, you should think about cyber and physical terrorism jointly. Generally those, the really sophisticated attacks, the ones that could be really cataclysmic to the American economy would likely be joint.
When you think about how we array ourselves, what distinguishes the electric utility sector from other sectors, is that the ESCC, Electricity Subsector Coordinating Council, very well done, is kind of hallmarked by the idea we have 20 CEOs from the sector. This includes investor-owned utilities, cooperative utilities, municipal utilities. We have 20 CEOs that are dedicated to handling different segments of the cyber issue and the terrorism issue. The kind of first thing we do, and I chair this whole thing, and one of the things I spend my time on is trying to figure out the strategic plan. Well, skate to where the puck will be. That is particularly challenging in this environment because this is a threat that consistently evolves. It always moves. This is a little bit of an aspiration, but at the same time it is something that we've always got to do. So somebody ever says, I got it, they're wrong, they're lying. This is something that always evolves.

Second, we work really hard to coordinate our sector with the federal government. Now, we're under the umbrella of Homeland Security, but we know that, for example, there's a whole lot of other three-letter agencies that we've got to tie together. Particularly for us, the Department of Energy is kind of our sponsoring agency. They do a heck of a job. I was just with Liz Sherwood-Randall all day yesterday. Ernie Moniz, arguably the best DOE secretary we've ever had. These people are tuned in. They get it.

The other thing that I want you to know is we're working on R&D. We're working on information sharing regimes. So there's this tightly knit idea of how do we align government? How do we align our own sector? How do we think about cross-sector involvement? There's nothing, if you think about Sandy and what the implications were there. There's nothing about electricity that doesn't touch finance and water and telecom and transportation. We've got to tie all that together.
Finally, there's this notion of state and local governments. I think here in Washington we get centered on federal responses to everything. You all know that the boots on the ground are the ones that see the problem and generally solve the problem. So we've got to tie together all the fusion centers and all the local responses to how these things go. One last thing, international makes this all complicated. There's this guy, Peter Zeihan has written wonderful books about geopolitics and a variety of things. The latest book you all should read is The Accidental Superpower. The notion that because we have two oceans on our side and other kind of natural riches, we're kind of insulated. We know in this environment there's no such thing as a border that kind of protects you from cyber. So the international element is something else that's really important.

I think that's a really helpful outline and understanding that all of these different organizations on the local level, the federal level, are all talking to each other. Let's just back it up for just one simple question. Would you say that the US grid is safe?

Yes. Is the US grid 100% insulated from threat? Absolutely not. But are we safe? Yeah. Let's talk about, let's go back to the Ukraine question. So it's been reported, for example, that BlackEnergy may have been involved in that. I can't say whether it was or wasn't. I'm just saying that was what was reported. We were informed, just to give you a case study of how we work, we were informed of the threat of BlackEnergy, which, you know, it's interesting. I view, and for those of you that don't know, BlackEnergy really has nothing to do with energy. It has everything to do with, I call it a cyber Swiss army knife. The big blade may be a doorway that allows bad guys to get in, but there's a whole lot of other functionality associated with BlackEnergy.
So early in 2014, we got the word that this BlackEnergy thing was out there, and we started to take steps to protect ourselves against that. And there's very clear things you can do to protect yourself against BlackEnergy. But we all know there's a host of other things, and I was interested, I was listening to the panel before here, you know, naming the particular cyber threats is really kind of an impossible task, right? What you have to do is operate with principle and execute consistently.

And so, you know, the security researchers in the U.S. have pointed to a Russian hacking group as the source of the incident in Ukraine. And of course, there are a lot of geopolitics that are at play here. So would you say that you, as the CEO of a major company, are watching, you know, the news and the trends and the geopolitics and things as they play out in the U.S.? Because it seems like you were saying earlier that cyber does not necessarily just exist in a vacuum.

Oh, absolutely. And in fact, I mean, I'll just tell you, we activate the ESCC. We have something called a playbook. And when something happens, the very first thing we do is make sure that our industry has what we call situational awareness. And I'll give you an example. Paris. When the attacks in Paris happened, we turned on the ESCC. We alerted everybody to this event. And if you recall, that was during the fall, where there was a lot of public gatherings, football games, NBA season was just starting, a marathon in Las Vegas. And so we all started taking steps to go to a heightened level of security and particularly focused on where you may see crowds. We really do try to take a consistent effort to identify not only cyber threats, but physical threats in protecting the electric grid. I think we do a darn good job of it.

So on a more personal level, when you first hear about such a major attack on another country's grid like in Ukraine, and what is your first reaction?
And what is the mood at your next office meeting?

So I chair, let's keep it at the ESCC level. So I chair the ESCC. And we have a wonderful industry group, the Edison Electric Institute. Tom Kuhn is the president of that. There's a guy that's the secretariat of the ESCC, works in the EEI, his name is Scott Aaronson. And a very typical response will be for me to call one of those two folks and just say, Hey, are you aware of XYZ? I'll give you another one that started there and went nowhere. There was a blackout under Pepco's, they lost some power somewhere. And immediately I called a guy at Pepco and just said, Hey, what's going on? And turned out to be nothing. But in the event of Paris, we all said, Yep, so let's get a note to the ESCC. We also worked with DHS, great folks there, Suzanne Spaulding, Caitlin Durkovich, like I said, at DOE, we would alert Liz Sherwood-Randall and Ernie Moniz. So the first thing you do is situational awareness. If there are specific threat environment issues that seem to be arising, we make sure everybody knows that and we all go to certain levels of security to protect ourselves. And so there's, there's a, you know, a sequence you follow.

And so speaking of sequence, if something were to happen to the grid here, what are some of the steps that the sector needs to be taking on the local level to make sure that everything is up and running? And how much variation do you think that there is industry wide in terms of how seriously organizations are taking cyber security threats?

Yeah, let me do the second question first, because that's I think most important. One of the other distinguishing characteristics of the electricity response to this threat is that we have moved to standardize as much as we can systems, technology and information sharing regimes.
We now have virtually, I don't know, vast majority of our customers in the United States covered under something called CRISP, which if anybody ever, I don't know, I like to use sports analogies, but anybody ever is a trout fisherman, or if you can imagine a trout fish, maybe watch the movie A River Runs Through It. But what do you look for when you fish for trout, right? The river is going by and imagine the river is this immense amount of data that's going through all the servers in the industry and everything else. We have a wonderful structure called the E-ISAC that's analyzing kind of the amount of data moving through the servers via this CRISP technology. And what we're really looking for are anomalies, swirls. So when you trout fish, if you see a swirl in the water, that may be where you want to throw your line to catch something.

I'm getting the sense that you're a trout fisherman.

Actually, I'm not.

Okay.

But it's just a useful thing because I love the metaphor of this immense amount of water moving through a river and then you're looking for something little. Through technology, what we look to do is identify perturbations or anomalies and then react to those and share those. I think it's an extraordinarily effective kind of technique and there's a whole lot of others. So let me tell you something. You know, I think sometimes we can criticize government. But when you look at the three-letter agencies and how they work together and how they try to share information at a federal level, they do a darn good job. And so what we try to do is leverage that capability in our own industry. The next steps will be for the ISAC to identify what it is, get information back out, and get ahead of these threats as they arise.
So speaking of information sharing, Congress passed a bill not so long ago encouraging the sharing of information from across the private sector, not just within one sector or another, with the government and vice versa from the government back to the private sector. So as that starts to get going, what do you think that the new era of corporate information sharing is going to look like?

Yeah, terrific question. See, let's look at the lifeline sectors. Okay, NIAC, National Infrastructure Advisory Council has made a report to President Obama that deals with critical infrastructure and cyber security. They call out five sectors among the 16 that's been identified by DHS. Arguably the most, I don't know, maybe I'm being parochial here, but the most important is electricity. I would go to finance right behind it. Maybe right behind that would be telecom, whatever that is, because that's a pretty broad thing, right? The next three, I mean, four and five might be water and transportation, whatever transportation is. And so we would say those five would create the lifeline sectors. Among those five in the United States, 87 percent of the critical infrastructure is owned by private companies. So it is imperative, in my view, and it's the recommendation of NIAC, to bring together these five companies, CEOs, these five sectors as CEOs to represent those industries, to make very timely, clear decisions about how to prepare for and respond to. Also to tie together at the ESCC level, the ISAC level, however we assimilate data and assess threats and then respond to, to do that at a priority basis. Third, that we use this group of people, CEOs, and I think CEOs are important here, because these people can make decisions quickly, and to act as a pitcher, not a catcher back in sports at spring, pitchers and catchers.
I want to tell the government, and I want to inform Congress about the regulatory and legislative relief we need in order to better prepare and better respond to an attack. So these are the things that I want to use these lifeline sectors for. So when you say, well, here's a bill, let me tell you something. There's a few things in Congress today that I think we can get bipartisan support. One of those clearly is cyber protection. Now, some of that's pretty controversial. Apple versus the FBI, I get it. But in general, protecting the homeland, particularly for critical infrastructure, particularly in the lifeline sector group, is something people can get behind. One of the challenges Congress always faces, the administration faces everything else, is understanding what's important, and how we can better prepare for or respond to by the private sector. I know there's a lot of smart people in Washington, but the private sector I think can inform that decision making a heck of a lot and make us better.

So I do want to ask you about Israel, where hackers were able to use ransomware to infect a branch of the Israeli government that regulates the Israeli electricity market. And this brings up a question about the human factor of security. No matter how critical the service or how aware of cyber security threats an organization might be, it seems like there's always an employee who might fall for a phishing scam. So what is a lesson that you could maybe draw from what happened there for in terms of just cyber hygiene in this critical infrastructure sector?

Yeah, great stuff again. This is a wonderful question. And boy, sometimes I feel like Genghis Khan in responding to this one. But insider threats, one of the biggest deal you have to deal with. Now I will talk Southern. Southern Company. I'm actually from New Jersey, folks. We have an insider threat program. I don't want to give every detail about it.
But it is similar to kind of two things that you're generally familiar with, I bet. One is FBI has a well-established process to evaluate insider threats. And so we use that kind of regime inside our company. The second thing is in the nuclear industry there is likewise a well-established behavioral-based approach to identifying potential issues. And so we bring those together. We have a terrific, I think, insider threat program. So that was kind of, what was the other one? Anyway, insider threat program is a big deal. And certainly there's different ways to evaluate it. But clearly there are, oh, phishing, that was the one you said. Yeah, the cyber hygiene question. We attack ourselves all the time. I'm a former CIO, right? You all know what CIO stands for, right? Most days I thought that stood for, career is over. But I think in my industry, I'm the only CIO that rose to be a CEO. Interestingly now, in our own succession planning at Southern Company, we view these kinds of experiences, IT experience, this kind of thing as being critical to leading a large complex organization. You know, it used to be legal and finance and marketing. But markets are changing because of technology, threats and opportunities are changing because of technology. I think it's really important for future CEOs to have that. We regularly attack ourselves, we regularly attack ourselves with phishing. Right. And we even attack our board with false phishes, which is a lot of fun.

Yeah, I bet they love that too. So I do want to ask you one question about your role as your previous role in a former life as the CIO. Because there have been some surveys that show that often top executives might view their CIO or their CISO, the Chief Information Security Officer, as coming just from the IT department and just even worse, a fall guy for any kind of technical or security breach. And I know there are a lot of security folks in the audience here.
So now that you are CEO and you've had this role under your belt, is there a piece of advice that you would give to senior security professionals to make sure that their words are heard and fully understood by the top leaders?

So one of my first messages upon becoming CIO at Southern Company was really to say there's very little about IT that is IT. You are inextricably intertwined with everything we do, whether it's making, moving or selling electricity, how you touch customers, how you reach out to your external public. And so I tried to define IT not by, you know, servers and bits and bytes and all that stuff, but rather what are the outcomes in the business and therefore create kind of an organization which has certain technical expertise but which also has essentially people that are dedicated to working as liaisons between the different parts of the business and how to apply the technology. We have, we're the only company in our industry that does proprietary robust research and development. We also have an R&D guy that works purely for Southern that does push, pull evaluations of IT in the business. Just made an acquisition or announced the proposal to make an acquisition a week and a half ago or something that deals somewhat with this idea of a changing business model and how IT may enable that. So really my thing is to you guys that are CISOs or CIOs, don't define yourself by geeky kind of stuff. Define yourself by outcomes in the business and people will realize how central you are to your company's success.

Great. So with that I do want to open it up to audience questions and I know there's a mic around and maybe we can take two or maybe three at a time and we can come to talk.

I think that will get me in trouble. Yeah, well, we'll get me in trouble. Thank you very much. Yes, sir.

Mr. Fanning, two questions. Yes, sir. You mentioned first the connectivity between cyber and physical. Yes.
So what are the lessons learned from the Palo Alto attack in which PG&E's facilities were attacked as well as the cables, the telecommunication cables?

That's a wonderful example. The first thing you should know is the lights didn't even blink.

All right. And if I could just throw out the second question as well. On the Ukraine, what do you know specifically about the nature of the delivery of the attack? Was it an insider job or was it an external hack?

Yeah, so I know pretty well what happened and I'm not saying I'm just not. I we do we have spread around our industry all the learnings we think and the government has been very good. I think about working with us. So one of the challenges you have at the federal government, particularly for classified information is the way you take classified information and make it actionable is very often a challenge because we have certain levels of security. And if, you know, in order for you to get complete kind of transparency, everybody would have to have security. Well, that would destroy the purpose of security. So one of the challenges we have is how do we take classified information and make it actionable that people can do? And we work really hard on that. That's about all I'll say. We do have in our industry, I think a lot of people that have the kind of clearances we need to really understand what's happening and then be able to translate it for public consumption. So that was thing one.

Thing two is you're right. The attack at Pacific Gas and Electric was a joint attack, right? It started out as physical and they tried to kill a transformer. Unfortunately, and the lights didn't even blink. Unfortunately, particularly in our industry, particularly kind of broadly right now, this is such a sexy topic. And even people have suggested that formerly had important offices that you could kill nine transmission substations and take the electricity grid out. It's just dead wrong. It's just not true.
And scaring people doesn't work. I would argue that now I'm going to get high again and talk broadly. The original kind of concern about cyber and physical really went to denial of service, pinging attacks, Aurora, that was pretty public. The second one now seems to be in vogue is talking about industrial control equipment, SCADA devices, things like that. Let me tell you, it's just kind of interesting that, you know, the more connected you are, the more digital dependent you are, the more exposed you are. And I think we all get that. And we all thought, oh, man, air gaps would save us. Well, we know air gaps can be covered. It's interesting. Now when you look at Annapolis and how they train midshipmen now, now they're going to learn how to use sextants. The electric utility industry before we came digital was operated manually. And let me assure you that if we have several stages of response and recovery, we can run the system manually. So you should understand that.

So we have, I think, time for one more question on the far right over there, if we have a microphone.

Thanks for the question. Thank you. I'm a professor at Georgia Tech's Scheller College of Business. As I think you're a proud graduate, I believe, from the Georgia Tech.

Undergrad and graduate. Yes, sir.

Thank you. I teach cybersecurity policy and management there. And we're asking our students this semester to think about what changes when there's nation-state actors as the threat, rather than all the threats maybe that we're being most focused on in earlier stages. I was wondering if you could say anything about thinking when there's concentrated efforts, nation-state resources, how that changes anything in terms of what you've been describing here.

Well, okay, people should know that nation-states are involved all the time. Attacks happen relentlessly. And in fact, so I chair the Atlanta Fed. I'm the vice chair of the Conference of Chairs at the Big Fed. One time I led the audit committee.
We're particularly concerned about the vulnerability of the Fed to a cyber attack. We're concerned about the electricity. So look, this is on you all the time. And the threat environment changes all the time. So it's happening. Your vision, I don't know what your vision of is some guy in a fifth floor office building in Beijing attacking you if it's a nation-state and using China as an example. I think all that's going to change to machine-to-machine attacks one day. And instead of talking about tens of millions of attacks, you're going to see trillions of machine-to-machine attacks. And so whether this guy is some punk, whether he's some, whether it's some kid that gets a thrill out of a hack job, whether it is theft, or whether it is a nation-state that's involved in a cyber and physical attack in order to either stop kind of a diplomatic or other intervention around the world or threaten you. We're on it. We understand it. And I would argue it's not just a cyber event. If it's some of those areas, it could be a DOD fireback event. So this idea of offense and defense has to be combined as well.

And on that note, that's all the time we have. So thank you very much for joining us.

Thank you. Great seeing you. Appreciate it.