Ep 30: Securing the Energy Grid from Cyber Threats with Duke Energy SVP and CSO Martin Strasburger

Evan Reiser: Hi there, and welcome to Enterprise AI Defenders, a show that highlights how enterprise security leaders are using innovative technologies to stop the most sophisticated cyberattacks. In each episode, Fortune 500 CISOs share how AI has changed the threat landscape, real-world examples of modern attacks, and the role AI will play in the future of cybersecurity. 

I’m Evan Reiser, the founder and CEO of Abnormal AI.

Mike Britton: And I’m Mike Britton, the CIO of Abnormal AI.

Today on the show, we’re bringing you a conversation with Martin Strasburger, Senior Vice President and Chief Security Officer at Duke Energy. Duke is one of the largest electric and gas utilities in the U.S., serving 11 million customers across the Southeast.

There were three interesting things that stood out to me in our conversation:

First, after attackers physically damaged two Duke substations in 2022, Martin’s team built an AI-driven defense system to spot weapons, track patterns, and stop threats before they escalate.

Second, Duke is using AI and drones for rapid post-hurricane assessments, with edge computing analyzing storm damage in real time to speed up recovery.

And finally, Martin sees AI-powered phishing and deepfakes as top threats, especially since many attacks target employees’ personal devices, making training his first line of defense.

‍Evan: Martin, first of all, thank you so much for joining us. Mike and I were really looking forward to this conversation. Maybe just start, do you mind giving our audience a background about kind of your career and maybe your current role at Duke Energy?

‍Martin Strasburger: So my name is Martin Strasburger. I am the chief security officer at Duke Energy. We're arguably the largest electric and gas utility in the United States. We serve about 11 million customers in several states in the Southeast. It's a great industry to be in. You know, really, a lot of satisfaction in delivering gas and electric service to our customers and helping power their lives. That's the motto of our company. 

So, I have cyber security, physical security, and aviation. Aviation might feel like one that's a little bit of, you know, why aviation? It's not uncommon for chief security officers to have aviation these days, I think because so much, so much safety and security goes into operating our aircraft. We have corporate jets, we've got utility helicopters, we've got drones, and so, you know, protecting our drones and the data on the drones, it just sort of it fits well together. So I very much enjoy having those teams. 

I've been here at Duke Energy for three and half years. And prior to that, I was the chief information security officer at Pacific Gas and Electric, PG&E, that's arguably probably the third or fourth biggest utility in the country out in Northern California. Similar job except just focused on the cyberspace. And I was Chief Information Security Officer for my last couple of years there at PG&E. I came up though through the Security Operations Center. So I led the Security Operations Center, really had a intelligence driven defense mentality. Really focused on the cyber kill chain. For those of us old enough to remember, Lockheed Martin maybe was the baddest of all cyber security teams. had something they called the kill chain that really helped you understand how attackers attack and where you gotta be watching for them. So, came up through the SOC. 

And then my previous stop to that was with Deloitte. So came out of school in 1998, joined Deloitte into the security and privacy services practice and spent a good 11, 12 years consulting with clients on security. I focused in on identity management, vulnerability management. So yeah, that's my, now, man, 27 years in cybersecurity.

Mike: It's interesting hearing about the size and scale of Duke Energy and especially interesting to hear the aspects around aviation and drones. But given what you guys are doing in the year 2025, maybe what are some unique cybersecurity use cases that the average listener may not truly appreciate that your team is responsible for with the changing landscape?

Martin: There's just a never ending set of use cases for what we got to protect. For example, we had an incident in December 2022 where two of our important substations got shot up a ballistic attack. Moore County, North Carolina, caused forty five thousand people to be without power. Took us four days to restore. So, out of that we put together this large effort to really use technology to defend our system. So we deployed all kinds of advanced cameras and analytics and ground-based radar, intrusion detection, et cetera, all this sensors, if you will, and backhauled all that data to our data centers and really were able to do a lot to identify threats and take action. And now with the advent of least generative AI and really the focus on utilizing AI capabilities, we're piloting some AI capabilities that can not only detect, for example, there is an individual with a weapon who seems to be approaching our, our facilities. We also are trying to look across multiple facilities, across multiple days, weeks, even months and try to identify, for example, is this a group that is surveilling our facilities, doing pre-operational surveillance for a future attack and intervene, interdict and prevent an attack. 

So that's one example of really using technology in the physical space, which guns, gates, and guards in the older days. But these days, it's all about technology and leveraging those capabilities to protect your company, protect your assets, protect your people.

Mike: You know, it'd be good for our audience to understand when, if a cyber attack were to happen at Duke Energy, what's the impact for your customers? What is the real world implications of a cyber attack?

Martin: So, if I think of our risk register, I've got a good 15 risks. And for this answer, I'm going to go to the most severe, which would be a cyber attack that causes blackouts to the power grid. Not to be alarmist, but this is also not a far-fetched type of a situation either. 

We hear people like the former director of the FBI talking about how China is a very sophisticated adversary who is trying to build capabilities and do surveillance so that they could potentially take out the power grid. So you could imagine then a bad actor somehow is able to gain a foothold into our environment. Able to pivot over to our energy control systems. Is able to then take control of our energy control systems and start manipulating the grid, shutting the grid off, potentially even manipulating it so that the equipment is damaged, which would take us longer to respond. 

You saw real world examples of this in Ukraine in 2015 and 2016 and definitely here more lately, but the most notable previous attacks, literally parts of the Ukrainian power grid being shut off by Russia through a cyber attack. So very, very, very real and top of our risk register. Nation state cyber attack gets in and starts shutting off part of the eastern interconnect. We're connected with the east and then the west has the west and Texas is there in the middle. So you could see major blackouts. 

You all might remember the 2003 northeast blackout. If that, imagine that being caused by a cyber attack. And then if it was caused by a cyber attack, instead of being able to recover relatively quickly, would enough damage have been caused or bad actor still in your system, so you get it back up they shut it off. So, you know, we're talking massive power outages and if power outages last, you know Any more than a short amount of time, you have major impacts societal chaos in individual injuries or deaths due to things like power due to things like traffic lights being out, hospitals without power, you name it. So, it is a, it's one of those, yeah, what could happen? A very, very, very bad impact to society if you're able to take down the power grid with a cyber attack.

Mike: I think that's interesting. And you guys probably run the gambit on technology from old to new kind of what is Duke's, you know, what, are you guys seeing for just from a business demand perspective from, from your company on leveraging things like cloud and AI and generative AI? Is it something that your company is actively seeking to move into those areas?

Martin: Absolutely. You hit it. You hit it well when you said that the gambit of, you know, out in the field operational equipment that's built to last 20 years. And it's got to, because you make multi-million dollar investments. You want this thing to run. So yes, we do have to protect older vintage operational technology out in the field, but all the way up to yes, our business is absolutely asking us to build and implement for them technologies using the latest. 

So, for example, can we utilize generative AI to do very proactive evaluations of our grid to look for points where we lack resilience. Model out different operational states to see where we might see a failure and really get in front of, you know, the next outage. Can we, when we have, for example, a hurricane come through, can, and here's two where my aviation team comes in, can we quickly after that hurricane passes through, fly the damage area, use high resolution cameras feeding right into AI models that are running on the edge on board those aircraft to evaluate the damage and get really, really accurate data to our operations centers so they can deploy crews and get things fixed as quickly as possible. So we have a high level of demand from the business to leverage these modern technologies. 

Of course, my team is there to, to design the security controls into those systems, make sure they're secure. We have a great IT team as well. I don't actually report to the CIO, we're peers. CIO and I reporting to a leader and I think our teams have a very good partnership where they are pushing the business to adopt modern technologies and we're there right with them, ensuring that whatever we're going to design and build is built securely and operated securely.

Evan: If we went back 10 years and someone told us, you know, we're to be flying around drones to automatically inspect equipment and like, you know, read sensors from like a mile away with the telescopic lens or, you know, our employees will be asking these virtual AIs, you know, advice about how to do their job. or, know, whatever, whatever these other kinds of, you know, we have to worry about criminals creating AI deep fakes of like our employees and kind of spoofing, you know, tricking people. Those would have sounded like, again, science fiction in the past. 

Still today, I think there's a lot of people listening that are unsure, you know, where should I be? Like, is that like just, you know, hype right in marketing or is a real stuff there? When you think about kind of how the bad guys use some of these new technologies against us in the future, you know, what's kind of like, what's real and what's hype, you know, where do you, you know, where, what kind of draws your attention or what are maybe some of the specific use cases you feel, you know, you feel kind of motivation to be extra prepared for and which ones you think are a little more kind of more fantasy?

Martin: Here's a space where you do especially rely on your partners, both in industry like you all, in the government, you know, National Labs is an example. They're the ones who can really focus on what are the innovative ways that bad actors are using new technology. But we see with our own eyes, we see bad actors utilizing AI, for example, to create really outstanding phishing campaigns, to spin up really creative typo-squatting domains to try to lure you to their site. 

We, to your point, the deepfakes are just terrifying, right? I mean, for society overall, we've got a sophisticated security team. But if I've got bad actor sending a deep fake phone call to one of my employees or contractors phone, I don't even have any visibility into that because I do not monitor your personal cell phone. So how am I even going to intervene in that? So training and awareness to our personnel. 

So I really think that the use of AI in social engineering is my biggest concern. And again, so much of that is outside of my control as the security leader. I can harden my network by the best tools, et cetera. But when, again, you got a bad actor doing a call to somebody's mobile device, my only line of defense in that case is that person. Have we trained them? Are they aware enough that they should not fall for that voice phishing call, for example? So that is very concerning. 

Now, I don't want to quite say quantum and what's going to happen when quantum is available is hype. It's far enough out there that I'm convinced that eventually and that time frames differ, right? I don't know any better than anybody else is it three years, is it five years, where quantum computing capabilities will be commercially available and, you know, the price point will be such that bad actors will use it. Can they defeat current encryption algorithms? And do we all of a sudden have this big, you know, data breach type of a problem, previously exfiltrated encrypted data is getting decrypted. I believe that's likely the case, but then what else? You know, oh man, the world's going to come to end when quantum is available. It feels a little bit like Y2K. However, I do believe it's very feasible that the encryption threat, the decryption, the failure of our modern encryption algorithms and need to move to quantum resistant algorithms, that feels like it's gonna happen. But what else? Probably not the end of the world. I think that one might be a little hyped up.

Mike: Yeah, and I feel like quantum is still the TBD to really understand the impact, both from good and bad. But we're definitely seeing it with AI and social engineering, like you mentioned earlier. 

When we think about these things, where do you feel like AI could play a role in stopping these social engineering attacks and some of these advanced attacks that the bad guys are using with AI today? Where's AI for the role of the defender?

Martin: Well, I had used vishing as an example. I would love to think there's a future, a near term future where, for example, I'm not an Apple fan boy, but I've always had iPhones and I do enjoy iPhones and MacBooks. But could Apple build into the iOS. I mean, we already have Apple AI, build into the iOS capabilities that would really, really help anybody including myself avoid fallen victim to that phone scam to that that FaceTime scam to that whatsapp scam be able to detect that it is a deep fake or that, you know, that it's doesn't doesn't match a pattern of previously exhibited communication that you've done.

Now, I know that's somewhat does that feel like it maybe does that cross the line into, so you're saying my iPhone would basically be surveilling all of my conversations and FaceTime video chats so that it could tell me if it thought one of them was, you know, suspicious. Yeah, maybe, maybe. So there's this privacy balance. Notice I didn't say that Duke energy would purchase and install that kind of a security capability. I'm talking more, could it be a feature in your own device that you buy we can enjoy? 

And then on the side of, what can I control? I absolutely do think that the ability to build AI-based capabilities into things like our next generation firewalls. Our modern network defense capabilities are, hey, like you guys are, our modern email and chat-based defenses are, you know, we are a Splunk shop, and so I'm really looking for Splunk Cisco to build really advanced, you know, capabilities that help detect threats that we wouldn't otherwise detect, help my SOC analysts more rapidly take action on things they need to take action on and take the right steps, things like that. So the sky's the limit with the possibilities out there. 

I don't want to say they're slow to come because this has all been moving real fast, but when are we going to start seeing the just very, very concrete, very accessible AI-based security capabilities that we can start to leverage. I think it's still probably a little bit more of the more advanced technical shops have been able to build something here or there. But I'm thinking over the next 12 to 24 months, we're just going to see massive innovation by companies that build security products and more sophisticated corporations that have security teams building sort of custom security capabilities leveraging AI.

I feel like we're in a similar boat with many of our peers and speaking with a lot of my peers, I do feel like, yeah, we're, all in somewhat similar, situations where we all have some initiatives focused on AI. How could you not? It's such promising technology. But we all struggle with where are the right places to invest because there's a lack of a track record of good, concrete, proven examples with an ROI out there. So you're all sort of innovating and experimenting, and, while, you know. 

So I run a security team at a utility company. We're not a Facebook or a Google or some super hardcore tech development shop. So I'm looking either to my internal IT department, which is a very impressive internal corporate IT department, and they have some AI-based development capabilities. So I do have a couple of projects where we're doing some use case development and some innovation there. But I'm also heavily looking at, again, at my vendors and saying, hey, you know that we've got network defense capabilities. You guys know better than I do how you could possibly leverage AI to improve these capabilities I already buy from you. So it's a little bit of, I want you all to develop that and I'll be happy to purchase it if it works. So I'm in the same boat as everybody trying to figure out what precisely to invest in. 

I'm investing in a small amount of internal development done by my IT team and then working with some of my big cyber security technology vendors to try to push them to build capabilities into their products.

Evan: You talk about the importance of your general partnerships and specifically kind of with some of your, vendors and partners. You know, the, the other thing I get earfuls from, from our, our customers, some of the people I work with is how many of vendors feel very transactional, right? And they don't feel like the real kind of partners. And it feels like we're in an era where things are moving so quickly, right? The importance of partnerships are probably more important than ever. 

So what would be your advice to like the average security vendor out there, right? How can they really be showing up, to kind of help their customers, help the community, help us all kind of navigate this. Like what would be, if you kind of give a message to like each of the CEOs or whoever the right people are in these companies, like what's more important than ever for how kind of, you know, the technology suppliers kind of show up in this era?

Martin: You know, I really think, I you all have a difficult job and you all are out there trying your best. You have this, okay, we've got an awesome team who really understands what we do and how to develop products, but you got all of these customers that are in all of these different industries, a variety of systems and data, a variety of requirements. So how do you all know what to focus on? It's a tough one. So I do appreciate the effort that the cybersecurity technology community is putting forth. 

You talked about partnership versus transactional. And I'll admit that there's some instances where I've got the time and time, resources, appetite to do partner type of stuff. But there are absolutely are other times when I don't really have time for that. And I just want to buy your really good tech and get it implemented and see it working. And you all need to continue to innovate and not stagnate, but you all can't do that without your customers giving you feedback, partnering with you. 

So it's incumbent upon us, the customers of cybersecurity technologies and capabilities to spend an appropriate amount of time working with our vendors, be willing to take on some of those beta programs, be willing to provide feedback. Because if we don't, you guys are not going to be as successful as if we participate. So I would call the action to

customers out there. You gotta be willing to reinvest by way of partnering feedback, etc. If you want what you're buying to be good and even improve.

Mike: Switching gears just a little bit. So, when it comes to, know, we talked a lot about software providers and vendors and, just use cases for AI, but how do you feel like AI is going to change the cybersecurity workforce? What, what impacts do you think it will have on your team? And, even, even more specifically, what's it going to do to the CISO? Are we going to see AI savvy CISOs? Like, kind of what is, what is the implications of AI, from a workforce perspective in your opinion?

Martin: Very much to be determined. I mean, you hear all of this hype about AI is going to replace jobs. I'm not seeing much or any of that yet. I've seen none of that here at my company. I'm not being pressured to do that. I think you will see that concept of more of a, I know everybody uses the term co-pilot, right? Everybody's product is called something co-pilot, but, a co-pilot to my human analysts and professionals, making them more efficient, helping them to be better analysts. I think it's going to be a while before we truly see, does AI have an ability to replace skilled professionals in the security arena, or is it more of a supplement that can help them?

I also am realistic in, I've read and heard about the ability of AI to generate code and the impact on the developer world, the coder world. So it's not that security is immune to it, but I'm just not yet seeing concrete examples where you can truly have AI replace what a human does.

Evan: Okay, I think we only got a couple minutes left in my, producer kicking me under the table. So we got to, would you like to end this episode with like a quick lightning round where we ask you some questions and we're for like the one tweet response for questions that are impossible to answer in one tweet, so please forgive us, but Mike, do you want to kick it off?

Mike: Sure. What advice would you give someone stepping into their very first CISO job? Maybe something that they would overestimate or underestimate about the role.

Martin: Stay calm, surround yourself with good people, everything's gonna be okay. Just take care of your health, just try to stay calm.

Evan: What's advice you'd share to the next generation, to share and motivate the next generation of security leaders?

Martin: It's a great and rewarding job. I think the future is bright for cybersecurity professionals. Definitely, if you're in college or early career, learn everything you can about AI.

Mike: On the more personal side, what's a book that you've read that's had a big impact on you and why? and it doesn't necessarily need to be work related.

Martin: My all-time favorite work-related book, which I'll call out, The Phoenix Project, a good old-fashioned, all of us tech folks know that book. It's just one of those, just such a funny read because it's like, that's exactly how things work here. Maybe we've cleaned up a lot of that, but it's just everybody can see so much of where they work and what they do in that and it has just such good common-sense advice for running things more effectively. So I love that book

Evan: Alright Martin, final question. I know we're almost out of time. What do think will be true about the future of AI and cybersecurity that most of your peers would consider science fiction? What's your kind of contrarian take? What do you believe that most people don't?

Martin: That it's, it's partially hyped up and you are not going to have your AI fighting my AI with no humans involved. That we're going to be AI enabled with AI helpers but still going to be a highly skilled army of cybersecurity professional humans.

Evan: I have no idea what's gonna happen, but I think we're gonna find out a lot more in next couple of years, more will be revealed. 

Well, Martin, thank you so much for making time. Thank you and your team for the great work you do to keep our society powered and up and running. And looking forward to chatting again with you soon.

Martin: Absolutely. Thanks for having me. Happy to do it.

Mike: That was Martin Strasburger, Senior Vice President and Chief Security Officer at Duke Energy.

I'm Mike Britton, the CIO of Abnormal AI.

Evan: And I'm Evan Reiser, the founder and CEO of Abnormal AI. 

Thanks for listening to Enterprise AI Defenders. Please be sure to subscribe, so you never miss an episode. Learn more about how AI is transforming cybersecurity at enterprisesoftware.blog.

This show is produced by Josh Meer. See you next time.