The Stuff You Don’t Think About

Guest: Brannan Villee, Division Director Infrastructure and Security Solutions

Host: John Verrico, Chief of Media & Community Relations

[00:00:00] Brannan Villee: A lot of times the mantra is, “If it ain't broke, don't fix it.” And they don't often invest in bringing their systems up to new technologies because, hey, the power system has worked fine as far as we know it for a while. And until something happens, it'll keep working fine. And so over time, these systems have become out of date and they've become more vulnerable.

[00:00:25] John: Hello and welcome to Technologically Speaking, I'm John Verrico and I'm your host. I have with me today, Brannan Villee. Brannan, you are the Division Director and Strategic Program Manager for Infrastructure Resilience and Security Solutions. Hi there.

[00:00:55] Brannan Villee: Hi, John. Thanks so much for having me today.

[00:00:58] John: Hey, you know, I'm really looking forward to our conversation. When did you actually start here with S&T? I'm trying to remember when that was.

[00:01:06] Brannan Villee: I started with S& T back in 2012. So, it's been 11 years now.

[00:01:10] John: Wow, congratulations. Yeah, I'm over 15, going on 16 myself. I can't believe it, rocks don't even live that long, but I remember when you first started, you had a different role.

[00:01:22] Brannan Villee: Yes, sir. When I came into the organization I was a program manager, I was on the support side of S&T. So, I focused on a lot of process automation. I managed some support contracts for the directorate. However, in 2019, S& T went through a revitalization and I realized at that time that I really wanted to get closer to the mission. So, I turned down a promotion and made a move across the organization to our office of mission and capability support. And it was over in the office of mission and capability support that I got greater exposure to our research and development portfolio, and I had the opportunity to work directly with some of our customers and DHS components, including CISA, which is the Cyber Security and Infrastructure Security Agency.

And I worked on some cyber efforts, as well as some critical infrastructure efforts. And since then it's been really neat to work directly with our components and also with critical infrastructure owners and operators to make a difference in improving the resilience of critical infrastructure for the U. S.

[00:02:34] John: You know, we use the term critical infrastructure a lot, how is critical infrastructure defined? What makes infrastructure critical or not?

[00:02:42] Brannan Villee: Well, I will tell you the textbook definition is that critical infrastructure protection is vital to national economic security and national public health and safety. And so, when most people think about critical infrastructure, they think about roads and bridges. They think very tangible forms of critical infrastructure. However, critical infrastructure is a lot of the stuff you don't think about, those services that we depend on every day. So, for example, you can think about the power of the electricity that we receive, the water system, the water we drink. Is it clean water? Is it available? Our communications network - we depend on the fact that our cell phones are going to work or that our landlines are potentially going to work. And connected to communications is also emergency communications. When we call 911 are they going to pick up? Are they going to be able to come out and support us? And also, are our first responders going to be able to connect with each other? Are the firefighters going to be able to speak with the paramedics and the police department when responding to an emergency? Also, gas and oil - I think a lot of people didn't think much about gas and oil until the Colonial Pipeline hack a few years ago, when all of a sudden you couldn't get gas at the gas station on the East Coast.

So I think it's some of these services that you don't realize you need until something goes wrong. And one of the things that's challenging is critical infrastructure owners and operators, like power companies, and internet providers, and telecommunications companies, they have a lot that they need to spend their money on. So a lot of times the mantra is, “If it ain't broke, don't fix it.” And they often don't invest in bringing their systems up to new technologies because, hey, the power system has worked fine, as far as we know it, for a while. And until something happens, it'll keep working fine. And so over time, these systems have become out of date, and they've become more vulnerable. That's why critical infrastructure, the emphasis on resilience and protection of critical infrastructure is so important.

[00:05:00] John: So in protecting this critical infrastructure, there's a lot of different things we need to protect it from. Automatically, you first think, well, you have to protect it physically, right? From damage, whether that is damage from storms or from intentional types of attacks. But then there's also, you know, in our modern age, and you brought up the cyber-attack on the pipeline. So, lots to consider here. How do you address all of this?

[00:05:34] Brannan Villee: One thing that's really interesting that you brought up, John, about the power grid, is I did not realize that most of our electric grid in the United States is dependent on GPS for precision timing. There are relays in the system that rely on the signals from the global positioning system or GPS to provide precise timing. And GPS is free, it's great. You know, we use it to navigate and go places in our cars and on our phones, and it is very low power. And so, because of that, it can be easily jammed, which is when you don't get service. It also can be easily spoofed, which means you might get a bad signal. So when something like that happens…the Bonneville power administration, out in the Western part of the United States, they had something happen a few years ago where they accidentally got some bad GPS and the timing was messed up and it took down the grid. It took down, it took out power to, you know, hundreds of thousands of people because of a blip in a GPS signal. And of course, we don't see GPS. We don't think about that, like we might think about a pothole in the road.

[00:06:58] John: Is it, is the acronym PNT? Position, Navigation, and Timing?

[00:07:03] Brannan Villee: Correct. In the U.S. the Global Navigation Satellite System is called GPS, and we use that kind of synonymously with the service that we get to navigate around. Since the 90s, there has been an unencrypted civil sector that we all can use, and you may not realize, but it provides time to your phone as well. There's a lot of synchronization between the apps and your phone and the services it provides, and of course, it provides that navigation as well. We depend on things like GPS for location, but it's not 100 percent accurate. There's some latency, which means it's a little slow. There's also, GPS is only guaranteed to be, I think, within about 3 meters accurate, that's almost nine feet. So again, that could be the difference between turning onto a road or into a pond.

[00:07:56] John: I was going to a doctor's office just the other day that I'd never been to before, and the GPS told me I’d arrived, and I'm looking, and I'm in the woods. And I'm saying, this is impossible. So, I literally had to go about another, almost a quarter mile further to find an access road that came up into a parking lot, up a hill and behind the tree line was where this doctor's office was located. But it was just, it was insane. I was sitting there going, “I am not at his office. It is not here.”

[00:08:30] Brannan Villee: John, that's funny because GPS will tell you that you've arrived at my house when you're in the woods on the back of my property.

John: We laugh about GPS all the time, but there's so much more to this. I remember a project we did years ago with Wall Street and understanding how critical timing is for financial transactions.

[00:08:54] Brannan Villee: And John, it's funny you mentioned that because that is actually another big part of critical infrastructure that the Department of Homeland Security supports is the financial services sector. When you think about precise time, think about high-speed trading, it can be microseconds, nanoseconds between trades. And if someone was to mess up that timing, it could have huge financial implications and also a loss of trust in the financial services community. While we think about the more physical attacks that could happen from a bad actor, these invisible attacks that could affect our way of life and our ability to get gas for our cars or clean water or trade safely in the open market or safely use telecommunications equipment. Those things can really erode public trust and really impact our country at the heart of what keeps us safe as a homeland.

[00:09:51] John: How does that make you feel to be part of protecting all of this?

[00:09:55] Brannan Villee: Well, I'll admit the first time I started working on the critical infrastructure work, I was scared because I felt safe. I felt that my power was safe. my water was safe and my communications were safe. I think that's one of the challenges is that you don't realize how much you depend on things until they're gone. So when I first learned about all the risks, I was frightened. And now that I've gotten more invested in the program, it's really exciting to be on the forefront of this research, and to make a difference in this space because America depends on us, and one of our jobs, obviously, at Department of Homeland Security is to keep the homeland safe. The other thing that I've really learned a lot about is the United States government does not actually own the majority of critical infrastructure, Dominion Power, Baltimore Gas and Electric, Duke Energy, the government doesn't own those. Those are private organizations. And so because of that, we can't tell them what to do sometimes. So a lot of our work is engaging with critical infrastructure owners and operators and educating them on the risks. So how do we educate those critical infrastructure owners and operators on the risks that they're facing by depending on GPS, or depending on outdated technology, and then in turn convince them to make a business decision to invest in more resilient technology. To invest in the technologies that the Department of Homeland Security is transitioning and commercializing. and to adopt and use some of the knowledge products we've developed, and best practices to help make their company more resilient, which will ultimately help end users, and the American public.

[00:11:47] John: Brannan I'm going to ask you to talk more about some of these really cool programs that you and your team are working on for protecting the nation's critical infrastructure.

[00:11:59] Brannan Villee: So what's keeping me the most busy these days is our Critical Infrastructure Security and Resilience Research Program, or CISRR for short. You know, we love our acronyms in the government, and so the CISRR.

[00:12:13] John: We love acronyms.

[00:12:14] Brannan Villee: The CISRR program was actually established when the Infrastructure Investment and Jobs Act was signed by the president in November of 2021. This trillion dollar bill, also known as the infrastructure bill. Provided S&T with $157.5 million dollars to conduct research and development for critical infrastructure protection. This is the largest single appropriation that S& T has ever received for one program. So, while it was very exciting, there also were some focus areas that Congress wanted us to look into and research, specifically, special event risk assessment, rating, and planning tools for large events. I know one of my teammates has talked about the work being done to protect large events, like concerts and parades and large places where people gather.

[00:13:12] John: Would that be like, uh, Superbowl and things like that?

[00:13:15] Brannan Villee: Yes, Super Bowl, Indy 500, or even just street festivals. You know, any place where people gather could potentially be a target for someone that wanted to do harm. It can be challenging to protect those kinds of spaces. And so we are, we're doing some, some good work in those spaces to protect against the risks that keep me up at night.

[00:13:39] John: Talk a little bit more about how that works? What kinds of things you're doing in that space for protecting special events?z

[00:13:46] Brannan Villee: So for protecting special events, or we often call them soft targets and crowded places, they're a little bit more challenging to protect. If you think about a football stadium and people in concourses, people in seats, people on the fields. You also have many people coming and going. You have people in the parking lots, you have public transportation, so when you think about some things that could potentially happen in those areas, one thing, unfortunately, that we've seen recently is vehicle ramming. You know, people driving their cars into crowded areas to try to inflict damage. There is a very cool technology that one of my program managers is working on, it’s called DETER. DETER is the Deployable Expedient Traffic Entry Regulator, and it deploys quickly from the size of a speed bump to a four-foot-high barrier that will stop a car, even stop a truck in its tracks, and protect human life. Another neat technology that's being worked on is called RAPID.

[00:14:55] John: What does RAPID stand for?

[00:14:58] Brannan Villee: The RAPID Barrier. RAPID stands for Ready Armor Protection for Instant Deployment, or RAPID. The RAPID Barrier is a collapsible protective security product that can be used for protection of critical assets and also intrusion prevention. And it can be stood up in 30 minutes, which is much easier and much faster than some of the more permanent and heavier structures that you would need to prevent damage from a potential explosion. And that is a deployable blast protection wall. Unfortunately, you know, there are bad actors who may leave behind explosives, improvised explosive devices, you know, bombs in backpacks or pressure cookers.

[00:15:46] John: Like we saw with The Boston Marathon.

[00:15:47] Brannan Villee: The Boston Marathon, exactly, and so, when you think about the types of structures that it would take to protect against a large explosion, you're thinking about Jersey walls and huge concrete structures, which are not easy to move and deploy and put in locations. So, if you think about going to a game, a football game, at FedEx Field or M&T Bank Stadium, you know, they have a structure that's set up week after week for the NFL season, and they're able to keep their jersey walls in place. They're moved with forklifts, they're able to have more permanent structures. But when you think about a parade, or we went to the NFL draft recently, that was held in a train station, and there were events out in parks. And so how do we set up structures quickly that could protect against a potentially left-behind explosive device? So the rapid barriers are modified from a model that was previously used by the Department of Defense, and they come in a Conex box, and it can be expanded very easily to put it in place.

[00:17:07] John: We talk about, you know, the large events and pop up events and things like that, but then there's also soft targets that include things as simple as a subway station.

[00:17:19] Brannan Villee: And that is one where we're actually investing in video forensic systems to track if items are left behind, to monitor suspicious activities without violating the privacy of the people in a subway station. Again, the nuances of soft targets and crowded places are broad because obviously a subway station is set up very differently than a football stadium, or the Indy 500. Developing technologies that can work across a variety of spaces is quite a challenge, and we are fortunate to have gotten this injection of funding in some areas that were historically underfunded so that we can solve these tough problems for the Homeland Security Enterprise.

[00:18:15] John: We've talked a lot about physically protecting our critical infrastructure, but there are so many other ways that can be threats to our infrastructure, such as electromagnetic pulses or geomagnetic disturbances. Can we do something in those spaces?

[00:18:33] Brannan Villee: So, it's interesting that you mentioned that, John, because electromagnetic pulses, people may think of the movie Ocean's Eleven, where they use an electromagnetic pulse to shut down computer systems and telephones or cell phones not work.

[00:18:50] John: Yeah, that's exactly what came to mind. Exactly what came to mind.

[00:18:54] Brannan Villee: However, the risk of geomagnetic disturbances, or GMD, are, they're actually solar flares. When we think about protecting the homeland, you don't always think about space. But when we talk about GPS, we're dealing with satellites that are in space. And when we're dealing with geomagnetic disturbance, we're dealing with solar flares, things that are happening in space that can impact how our electrical systems work. There is work that the department is actively doing, which is receiving an injection of funding and new life for EMP, electromagnetic pulse, and GMD, geomagnetic disturbance resilience. And a project that we actually did before this effort was invested in testing our emergency notification system. It's actually a system managed by FEMA called IPAWS.

[00:19:59] John: That's the thing that sends signals to our phone when there's a weather alert or, that kind of thing.

[00:20:06] Brannan Villee: Yes. We tested actual shelters. It's almost like a Faraday cage, if you remember that from science in high school.

[00:20:16] John: We hear about them in movies and things like that, but really what is a Faraday cage?

[00:20:21] Brannan Villee: So, a Faraday cage is a special container that prevents electrical signals from passing through it. However, what it does is, it allows electrical pulses to go around the container. So usually they're made of a layer of conductive material, which a material that does conduct electricity. The outer layer creates a protective skin and then that redirects electrical signals around the box. So when you put something like a Faraday cage around the IPAWS transmitters, it helps protect them from a potential electromagnetic pulse. Because if someone came in and took out our emergency warning system, it could really cripple the country. And I think what that's one thing that we saw recently, unfortunately, with the wildfires in Maui, is that the fire and the wind took down their notification systems, so they were sending out notifications to people, but cell phone towers were down, televisions and cable service were out. There are so many things that can affect the telecommunications and the public warning system. It's really something that we look at from a variety of angles. Specifically, we look at EMP through the CISRR program, as well as some resilience for our 5G network, and the 5G support for telecommunications.

[00:21:49] John: So many interesting projects that you're working on. One of the things that you mentioned earlier, too, was protecting against cyber-attacks.

[00:21:56] Brannan Villee: Yes, yet again, something we don't see, but that pervades our everyday life. Hopefully, we all have virus protection software on our computers at home and our work computers, and we're updating our operating systems on our phone on a regular basis and doing patches to protect against, cyber-glitches, cyber-attacks, ransomware attacks, and in the old days, these systems were not connected to computers. You know, they were all manual and they also were not connected to the Internet. So as systems in factories have started getting connected to each other and connected to the Internet that creates a lot of vulnerabilities. And that's one of the things that happened in the Colonial Pipeline ransomware attack. There also was a cyber-attack on a meat packing factory that affected food safety.

[00:22:49] John: I didn't realize that was from a cyber-attack. I remember reading about it. Wow.

[00:22:54] Brannan Villee: So, one emphasis of our CISRR program is to invest in industrial control systems resilience, and we've done that through developing scale, which means the size of the actual industrial control system, at scale platforms to test and to understand how cyber vulnerabilities can affect these systems and affect the downstream critical infrastructure that they support. We actually are working with TSA, the Transportation Security Administration, the Department of Transportation and CISA, we have a partnership with a lot of those federal agencies, as well as the Pacific Northwest National Laboratory to focus on a new project we're calling CHARIOT. CHARIOT stands for Critical Infrastructure Hardening Achieved Through Risk Reduction in Informational and Operational Technology. But we'll just keep it to CHARIOT for now because that is much faster.

[00:23:57] John: That is, that is quite an acronym. Lord knows government loves our acronyms, but it's a cool one. Go for it.

[00:24:03] Brannan Villee: CHARIOT is cool.

[00:24:05] John: So, Brannan, tell me a little bit more about Project CHARIOT, kind of how it came about and what we're actually doing now.

[00:24:11] Brannan Villee: So, the project is really important, John, because the transportation system sector is critical to the United States economy and national security. And it's experiencing more automation and digital control being integrated into operations. So the problem is that newer technologies are being overlapped on top of the vulnerable legacy systems that have been around forever. So the goal of our program is really to have industry and the U. S. government working side by side for the first time ever on this program, and to complete an at-scale platform that is capable of testing cyber scenarios that could impact operations in oil and natural gas, freight rail operations, and also provide a structure for testing vulnerabilities in both hardware and software, which are both challenges in the industrial control system space. Also, as I mentioned, we're dependent on industry to adopt the technologies and knowledge products that are developed under the CISRR program. The CHARIOT program will serve as a resource for government/industry collaboration and to evaluate the technology being integrated into transportation infrastructure and support the development of mitigation strategies.

[00:25:25] John: We use this expression a lot at S& T. We call them Knowledge Products. How would you describe that to, you know, your great aunt Tessie at home?

[00:25:35] Brannan Villee: A knowledge product is the learning that we find through our research and development. And that can be a paper, it can be a white paper, a best-practices document. A knowledge product is anything that we learn, through our research and development, and write down for the public to use. And sometimes these knowledge products or written findings of research and development go directly to the DHS operational components, but many times, particularly in critical infrastructure, Resilience research, they go directly to the public. So we put them on our technology clearinghouse, we put them on the S& T website. We do press releases and social media releases to let people know that they're out there. We speak at conferences because the most important part is that when we learn something, we want others to know about it so they can implement our findings, and hopefully make their critical infrastructure system more resilient and secure.

[00:26:39] John: And that's something that I think most people don't really understand is the work that we do and how we share the information. Because all of the research is completely useless unless it's shared. You're doing some really, really interesting studies. What barriers are you running across in trying just to get the baseline information to work with?

[00:27:04] Brannan Villee: CISA has recently implemented mandatory reporting of cyber-attacks, and that's happened just in the last year. I think that's so critical because the more we can learn about what's happening in the critical infrastructure community, the more the government can help, and the more our tools can help, whether it's software or hardware advancements, or a knowledge product and the learning that we share. CISA has regional protective security advisors and they are out in the regions across the country. And when something happens at a power company on the West Coast they call their CISA protective security advisor to get insight and figure out what tools are available to help them respond to such an event. And we are working to leverage those relationships with our customers, to build greater relationships with critical infrastructure owners and operators so that they will trust us. It is a challenge, and I think one thing I've heard from critical infrastructure is that there are so many messages coming out of government and they don't know which ones to listen to. Whether it's a regulatory message or a financial regulatory message, they don't know. It's so much noise that we don't always have a unified message coming from the government.

[00:29:06] John: Who is Brannan Vallee, like where are you come from? Talk a little bit about who you were before you got here.

[00:29:14] Brannan Villee: Well, John, when I was little, when I grew up, I wanted to be an actress, an astronaut, and an architect. Somehow everything started with A, but I was extremely ambitious. And so, I haven't become any of those. I went to college and interestingly enough, ended up majoring in sociology. What I loved so much about sociology is, it's really the science of how people react to things and what makes people behave the way that they do. And I minored in business and marketing. I took that knowledge of what makes people behave the way they do, and used that in marketing to better understand how we target advertising to people. So out of college, I worked in marketing and financial services, as well as consumer packaged goods. I worked for a company that made hardware and home improvement products. Then I ended up working for Xerox. I never thought I would jokingly, you know, be in sales when I grew up, but what was really awesome about working for Xerox is I had the opportunity-I directly supported federal/civilian customers. So, I was working directly with large federal agencies like the Department of Energy. I worked with the Federal Reserve Board, I worked with the International Trade Commission, and I got opportunities to work closely with federal government partners and I helped them manage their internal copier programs. I also helped them run their internal print shops. A lot of big Federal agencies actually have in-house print shops where they do printing for the agency. And that's where I had the opportunity to work with FEMA. FEMA does a lot of printing for disaster response, and so my customer at FEMA said, “You know what? I need someone to come in and build and manage a nationwide copier program for the agency.”

I was with FEMA for two years before coming over to the Science and Technology Directorate, and I certainly have not looked back. It's been really great. As someone once told me, it's not a career ladder, it's a career spiderweb, so you never know how your decisions, and how things may change, and your experiences may take you in different directions, but they all really come together to make you who you are and bring your wealth of knowledge to the program you support today. And that's what brought me to the CISRR program within our Office of Mission and Capability Support.

[00:31:54] John: Brannan, you're such an interesting person to talk to because you've got so much knowledge in this area and you are so excited about the work you do. You talk about industrial control systems, which is something I never even considered to think about at all. Just thinking about systems that would need protection. But we heard this term also about open-source software. There's so much of that being used in a variety of systems. Can you talk about a little bit more about the work there?

[00:32:22] Brannan Villee: Well, John, open-source software is really interesting. Actually, the Linux Foundation has reported that open-source software comprises 70 to 90% of the software of any given piece of modern software. It's crazy to think that you could be working with an established program and there could be elements of open-source software that were developed by Joe-down-the-street. So, obviously, that introduces a lot of vulnerabilities.

[00:32:54] John: When you think about all the different ways that life can be disrupted, the way we know it, that really puts a perspective on the importance of the work that you're doing here. And I just want to let you know from my personal perspective, I can sleep at night knowing that you're on the job on this.

[00:33:11] Brannan Villee: Well, thank you, John. I'm very thankful to have an amazing team of program managers and technical managers and, of course, our outstanding performers across business and industry, and also government performers through the national labs, that are doing the great work to help us achieve this resiliency.

[00:33:32] John: Brannan, I'd like to thank you for everything that you do every single day, you and your team, and also thank you for taking time to be on our show.

[00:33:40] Brannan Villee: Wonderful. Thank you so much for having me, John. It's really awesome that through the advancement of science and technology, the Critical Infrastructure Security and Resilience Research Program will ultimately strengthen and maintain secure functioning and resilient critical infrastructure.

[00:33:59] Dave: Thank you for listening to Technologically Speaking. To learn more about what you've heard in this episode, check out the show notes on our website, and follow us on Apple and Google Podcasts, and on social media at DHS SciTech. DHS SCITECH. Bye!