The Buzz

How California Is Protecting Its Critical Infrastructure from Cyber Threats

To protect power grid integration from cyber threats in California, the California Public Utilities Commission has funded a cyber information sharing program, California Energy Systems for the 21st Century (CES-21). According to Jamie Van Randwyck, project lead for Lawrence Livermore National Laboratory, “The CES-21 program has been a highly productive and collaborative initiative thus far. The research and development being pursued in this program has the potential to change the way utilities protect their critical assets.”

CES-21, launched in 2012, aims to provide accurate and fast communication of cyber threats and the development of automated response capabilities to be executed prior to critical infrastructure damage. This initiative includes a team of technical experts from California's three largest public utilities -- Pacific Gas and Electric, Southern California Edison and San Diego Gas and Electric -- and the Lawrence Livermore National Laboratory that will perform research in power grid cyber security.

Organizations need a common language to be able to communicate and share cyber activity. CES-21 incorporates the three Department of Homeland Security standards for cyber threat communication and sharing to provide such a foundation. The Structured Threat Information Expression includes adversary activity and contextual threat information that provides a better understanding of a cyber adversary’s motivations, capabilities and activities, and supports effective analysis of cyber threat information.

The second DHS standard, Trusted Automated Exchange of Indicator Information (TAXII), allows automated cyber threat information to be shared across organizations to detect, prevent and mitigate cyber threats. As a result, organizations have greater awareness about emerging harm and can easily share the information they choose with selected partners. TAXII allows organizations to leverage existing relationships, and eliminates the need for tailored sharing solutions with partners.

Cyber Observable eXpression (CybOX) is a structured language for observable cyber events. CybOX provides specification, characterization and communication of occurrences that allow cybersecurity cases to be managed or logged for malware characterization, intrusion detection, incident response or management, pattern characterization and indicator sharing.

While a consistent language is important when sharing cybersecurity incidents, an automated response capability is necessary to respond to threats, especially considering the short time period a defender has before damage is done. Ideally, an automated response capability would notify critical infrastructure when it has been attacked, provide information obtained from sensors as to the type of attack, notify relevant sub networks and subsystems and execute an appropriate response while maintaining basic operational functionality and situational awareness. An automated response capability with this capacity would reduce outages, minimize power grid disruption impacts, and improve recovery times.

The Machine to Machine Automated Threat Response (MMATR) Cybersecurity Project, one component of CES-21, aims to develop advanced cyber technology and tools, not currently commercially available, so that investor-owned utilities can identify and respond to cyber threats before critical infrastructure is damaged. MMATR will identify deterrence strategies and define programs to improve warning capabilities, execute appropriate responses, and explore potential new cybersecurity defensive technology with advanced threat analytics such as machine learning, algorithms, and software analysis.

MMATR could also be applied to existing Supervisory Control and Data Acquisition (SCADA) systems in California utilities’ electrical value chain, electricity production, transmission and distribution control systems to protect them from cyber harm. SCADA is a data system, used in California and other states, that obtains power operating measurements every two to five seconds from devices in substations. This information is provided to energy management systems to estimate the operational state of the power grid every few minutes. As a result, operators have increased situational awareness to make informed decisions with real-time indications of the power grid’s instabilities.

Cyber-attacks to the power grid are increasing in frequency, speed and sophistication, and have the potential to disrupt and destroy critical infrastructure. Cyber intrusions happen quickly and partners need to be able to communicate and share information in a fast and consistent manner and respond to an attack before harm occurs. The California Energy Systems for the 21st Century has chosen to follow the Department of Homeland Security standards for cyber threat communication and sharing to alleviate communication barriers, and to develop an automated response capability to act quickly and protect critical infrastructure prior to damage. Once this program is refined, perhaps it can be duplicated in other states to boost cyber information sharing and protection capabilities for components of the power grid.

Constance Douris is Vice President of the Lexington Institute. Her current research interests include ballistic-missile defense, nuclear strategy, European security, and the Greek financial crisis. @CVDouris