Attempted cyber-attacks on the electric grid seem commonplace these days. Fortunately none have caused blackouts or other disruptions. But cyber threats pose a unique challenge, as they evolve rapidly and change constantly. The electric utility industry, which itself is undergoing a transition, faces a determined foe. Yet as the industry has proven time and again, we are up to the challenge.
October is “Cybersecurity Awareness Month,” an opportunity to educate the public about cyber threats and “increase the resiliency of the nation in the event of an attack.” So it’s a good time to review what the challenges are and what industry, in collaboration with federal officials, is doing to thwart cyber-attacks and keep the lights on—our number one priority.
For starters, we can’t forget that grid security is a shared responsibility between the federal government and electric utilities. As for cyber threats in particular, the federal government and industry share information and intelligence, and work together through established organizations to plan for and defend against attacks, while also ensuring the grid’s resiliency—in other words, to keep it operational should a breach occur.
But the information exchange between the federal government and utilities can certainly be improved. That’s why the utility industry supports legislation aiming to break down the barriers that prevent more robust communication, as well as provide important liability protections that incent information sharing. A bipartisan bill with those provisions has passed the House, while a similar bipartisan bill awaits consideration in the Senate.
Despite the absence of legislation, we are working aggressively to stop cyber-attacks on several fronts. We continue to follow, and update when necessary, mandatory critical infrastructure protection standards for the cybersecurity of the bulk power system issued by the North American Electric Reliability Corporation (NERC), a non-profit entity chosen by the Federal Energy Regulatory Commission (FERC) to be the grid’s reliability watchdog. FERC recently approved the latest iteration of NERC’s cyber standards, which the utility industry strongly supports, and they will replace existing standards in 2016.
We also continue to work with federal partners to stay several steps ahead of would-be attackers. In 2013, President Obama issued an executive order directing the National Institute of Standards and Technology to work with stakeholders to develop a voluntary framework for reducing cyber risks to the nation’s critical infrastructure. The framework includes, among other things, federal cybersecurity procurement guidelines, including for energy delivery systems on the grid.
For vendors and utilities, these guidelines will prioritize cybersecurity considerations at every phase of system development. They were developed by the Energy Sector Control Working Group, which includes the Departments of Energy (DOE) and Homeland Security, and utility representatives. As the group wrote in a report in April, the guidelines ensure that “cybersecurity is implemented throughout the testing, manufacturing, delivery, installation, and support phases of the product life cycle, improving overall reliability and reducing cybersecurity risks.”
This is especially important as smart grid technologies replace the traditional components of the power system. Smart grid refers to computer-based, two-way communication between utilities and end-use consumers. In short, as DOE put it, smart grid is about “computerizing” the grid. As such, it’s essential to protect the sensing and communications devices that make the smart grid possible.
DOE is also collaborating with the utility industry on another important project to implement the President’s NIST framework. DOE has developed a cybersecurity model (C2M2) that can be used by utilities and grid operators to assess their cybersecurity capabilities and prioritize their cyber investments. In effect, the model serves as a checkup on a utility’s cybersecurity defenses.
As we continue to bolster those defenses, we can’t forget the overlap that exists between physical and cybersecurity. Some physical attacks, for instance, can compromise a utility’s information technology infrastructure. Conversely, a cyber-attack on an outward facing website can damage billing or other business functions without harming industrial control systems needed to keep electrons flowing. This interrelationship requires that utilities employ a holistic approach in their risk management strategies.
We know that bad actors won’t stop making mischief with technology. But equally true is the utility industry’s steadfast commitment to protect the grid and ultimately our customers, who depend on reliable electricity for their homes, businesses, and other critical services in the economy.
Joy Ditto is the Senior Vice President, Legislative and Political Affairs, of the American Public Power Association (APPA).