John Jorgensen – Black Hills Energy
He doesn’t intend to be a prophet of doom, but John Jorgensen has his concerns about critical infrastructure. He and his colleagues at Black Hills Energy take any threats seriously and encourage industry peers to do likewise.
“It’s one of the hottest areas to defend,” he tells Toggle in September from headquarters in Rapid City, South Dakota. “Nothing works without electricity; it underpins everything government does. Well, in the next five years we’ll see a lot more attacks as capabilities are developed, built and deployed.”
Industry experts, including Jorgensen, closely monitor potential threats or meddling in sensitive infrastructure. A growing number of threats from nation-states have made news and he says more can be expected if hostilities increase. Domestic threats, including homegrown terrorists and extremist groups, also have the potential to disrupt access to the reliable power that communities depend on.
Jorgensen speaks from experience, having garnered nearly three decades of infotech expertise with Citigroup before becoming chief security officer at Black Hills Energy in June 2019. It’s an even more critical role here, he says, explaining that vital as finance is, a public utility is more so. Black Hills Energy provides natural gas and electricity in eight states and includes among its dependents U.S. military bases, trauma centers and airports.
Expertise to bank on
Like other complex enterprises, Black Hills Energy functions through informational and operational technologies—the former managing digital flow and the latter enabling physical processes and machinery. Typically, Jorgensen says, IT is targeted first by hackers. Once the IT side is breached, the OT side can be too, and an OT disruption can be particularly disastrous.
“IT environments have controls that can get core systems running in a day or two or a little longer,” Jorgensen says. “The impact is temporary and easier to get back. OT environments don’t have the capability to recover as quickly.”
In layman’s terms, Jorgensen explains how the Open Systems Interconnection model that supports diverse computer networks has seven layers—physical, data link, network, transport, session, presentation and application—but most IT security falls a few layers short. In May 2021, Colonial Pipeline had to pay a $4.4 million bitcoin ransom to hackers who, by compromising the company’s IT, prevented it from operating its OT pipeline systems for six days.
“Recent scenarios have illuminated new concerns that all utilities need to monitor and prepare for the nation-state actor,” Jorgensen says. “You’re going to see more of it: the direct targeting of industrial control that controls a product: natural gas in our company’s case, but it could be food production or the airlines.”
From virtual to physical
He’s cultivated vendor partnerships to help defend critical infrastructure, citing among his go-to’s Gartner Inc., a technological research and consulting firm based in Stamford, Connecticut.
“Having a set of vendors that are committed to your success is key to building an effective cyber defense,” he says. “Black Hills Energy partners significantly with Gartner to navigate the sea of vendor solutions and to evaluate their effectiveness. They can provide a significant advantage for us by leveraging their subject matter expertise and best practices.”
Another vendor, Maclear, has been instrumental in implementing a robust integrated risk-management program, starting with third-party risk management. Using Maclear’s KaizenEVO vendor risk solution coupled with Maclear’s Sherpa services, the third-party risk program has matured extensively.
This efficiency means that on average 120 new vendors are being assessed each year in addition to performing annual reviews for existing vendors. The combination of technology and services enables management to make informed and auditable risk-based decisions on the vendor assessments. Following the success of the third-party risk program, Maclear is now focused on other aspects of operational risk for Black Hills Energy including laying the foundation for qualitative risk-control self-assessment for key business processes.
Vigilant as Jorgensen is about IT and OT protection, he’s just as watchful when it comes to the physical security of Black Hills Energy facilities. He trains employees to spot suspicious behavior, such as people taking photos from outside facilities or asking questions about subjects that wouldn’t seem to be of common interest.
“We also use traditional means such as security cameras, fences and guards,” he says. “We need to keep pace with the threats we are seeing.”
He’d appreciate more help from other sources, including academia. Popular as classes in computer science and software engineering may be, Jorgensen says not enough attention goes to cybersecurity. While some schools offer IT cyber degrees, he’d like to see curriculums enhanced with OT cyber degrees.
“From a national security perspective, we’d better start quickly,” he says.
Yet Jorgensen seems an anomaly in his profession as a high school graduate who’s learned on the job or through his own initiative. As he explains, during the late 1980s and early 1990s most colleges offered just a basic computer-science degree and with technology changing so quickly, any campus learning would soon be outdated.
An industry switch
Jorgensen logged 29 years at Citigroup’s Sioux Falls office, ascending to director of information security and earning CISSP certification in 2010. When the investment bank and financial services institution moved some of its functions out of Jorgensen’s native South Dakota, he connected with a Black Hills Energy recruiter in Spring 2019.
“From banking to utility IT, there’s a parallel,” Jorgensen says with a chuckle. “But there’s much problem-solving at both, and I learned so much at Citigroup and could scale to solution.”
Black Hills Energy also offered him the chance to expand his experience. The utility’s acquisitions allowed him to tap into his knowledge of banking IT and he was counted upon to learn—fast—the nuances of a new industry. He’s also enjoyed the information sharing in the utility industry, compared to the competitive landscape of the banking world.
A self-described adrenaline junkie, Jorgensen also found that a role in the transmission of natural gas and electricity was more to his liking than anything financial. And the higher stakes the utilities face, the more excitement—so too with his hobbies.
He has a pilot’s license and flies acrobatics. A PADI-certified divemaster, he describes how, by putting your hands out and turning the snout of a curious tiger shark, the big fish merely swims away. A great hammerhead is more of a challenge, its eye-to-eye snout being a yard wide or more. The long South Dakota winters have him snowmobiling, and the rest of the year he enjoys ATVs, motocross and derby cars—and upping the horsepower.
“If there’s something with a motor, I’ve probably built, raced and wrecked it,” he says.
IT systems, of course, excluded.
View this feature in the Fall I 2022 Edition here.