The Value of Defense in Depth: Cybersecurity of the Electric Grid

For more than a decade, electric utilities, the U.S. government and other organizations have been building a robust and multi-faceted defense against cyberattacks that would disrupt the operations of the U.S. electric grid. At the same time, the cyber threat has evolved, the number of attacks has increased and the nature of attacks has advanced. The security that we’ve gained isn’t fail-safe against new and emerging threats. The challenges posed by this type of dynamic risk require a defense in depth that includes a focus on prevention, resiliency and recovery.

The capabilities of the electric utility industry in each of these areas have grown significantly over the past decade, increasing our knowledge of the threat environment, known threat vectors, and best practices aimed at building a mature and flexible security posture. As Congress and the Trump administration explore technology advancements to minimize cybersecurity threats, it’s important to consider how we got here.

As far back as 1999, the realities of an increasingly digital world, and the related risks, became a national focus. There was a comprehensive national effort to prepare for “Y2K” and potential disruptions to digital systems as we entered a new millennium. In 2005, through the Energy Policy Act, Congress approved the process for mandatory, enforceable reliability standards for the bulk power system. In 2007, Idaho National Laboratory’s “Aurora” experiment suggested that control systems for generating stations might be hacked and manipulated. In December 2015, a cyber attack on the Ukrainian grid underscored concerns over the grid’s vulnerability.

Fortunately, in each case, we increased our knowledge and evolved our defenses through collaboration, standards, exercises, information sharing and best practices designed to harden the defenses of the electric grid. We had the benefit of developing these capabilities without the consequences of an actual event disrupting our national grid.

The electric industry has always held reliability of service as its highest priority, and we are approaching the deterrence of the threats of tomorrow with the same focus and rigor as we have in defending against past and current threats.

We have implemented the nation’s only mandatory suite of cyber security standards, the Critical Infrastructure Protection standards, promulgated by the Federal Energy Regulatory Commission and the North American Electric Reliability Corporation (NERC). We have increased our situational awareness through expanded coordination with the Electricity Information and Analysis Center and the Industrial Control Systems Cyber Emergency Response Team. We have also expanded our partnership with government through participation in the Electric Sub-Sector Coordinating Council (ESCC) and the Department of Energy’s Office of Energy Delivery and Reliability.

The ESCC has recently established a Cyber Mutual Assistance program to allow for timely support in the face of a cyber attack to any member utility or group of utilities. This model has long been in place to address extreme weather outages, so we have a long history of practicing mutual aid. We also share best practices through our national associations to raise the individual and collective cyber-readiness of the industry.

After more than a decade of public and private sector collaboration and engagement, the foundation and framework are in place for a multi-faceted defense in depth. But we know we cannot stand still.

There is much yet to be done to anticipate new cyber threats and to continue to build our security capacity and capability. We welcome the opportunity to work with policymakers and regulators as they grapple with this national security risk, but we continue to believe that the flexible, risk-based framework we’ve built together gives us the chance to evolve our mitigation as the risks evolve.

An earlier version of this op-ed incorrectly stated NERC’s full name.


John Di Stasio is president of the Large Public Power Council and formerly served as the CEO of the Sacramento Municipal Utility District.
