The electric grid often utilizes industrial control systems to automate generation, transmission and distribution. As utilities adopt digital technologies to keep up with electricity demand and consumption, cyber attack vulnerabilities increase and new entry points emerge. Many public utilities commissions (PUCs) have not required utilities to boost their cybersecurity, placing customer electricity access in jeopardy. Regulators need to incentivize and mandate cybersecurity standards for utilities.
Utilities operate the distribution part of the grid -- the final stage where electricity is delivered to customers. Currently, mandatory cybersecurity standards only exist for the bulk power portion of the electric grid, but not the distribution system. The distribution system delivers electricity to pipelines, medical facilities, telecommunications, military bases and other critical infrastructure. If a successful cyber attack on the distribution system disrupts electricity, devastating economic and security consequences can result. Clearly, the distribution system also needs to be protected to prevent damage to the bulk power system.
A successful cyber attack on the U.S. electric grid is possible. Russia has a well-resourced central cyber command. It is widely believed that Moscow has already penetrated U.S. government organizations such as the State Department, Department of Defense and the White House. China is very active in cyber as well. Beijing utilizes viruses and botnets to access targets, but these efforts are likely aimed more at intellectual property theft and gathering intelligence to improve their own infrastructure. Iran also uses its cyber program against political enemies to collect intelligence, but is less sophisticated in comparison to Russia and China.
PUCs could play a significant role in motivating utilities to boost cybersecurity efforts. This is because they decide what percentage of profits utilities can keep and authorize which investment costs can be passed on to the consumer. Yet, PUCs have been slow to motivate utilities to enhance security from cyber threats. Funding cybersecurity efforts is costly and some PUCs are reluctant to gather information about utilities’ cybersecurity weaknesses. This is because they fear that they could then be held responsible if sensitive information is publicly disclosed. This attitude needs to change.
Boosting utilities’ cybersecurity efforts is expensive. Though the Department of Energy and the Department of Homeland Security offer grants to fund cybersecurity efforts, government funds are limited. Utilities should seek private investors to create revenue streams for funding such projects. Updating energy infrastructure could also result in savings that may then be applied to enhanced cybersecurity measures. Rates can also be reasonably increased to ensure delivery of electricity is secure. More utilities need to pursue such funding opportunities to protect electricity access for consumers.
PUCs should require utilities to conduct a risk analysis so they better understand cybersecurity weaknesses. This profile will allow for informed decision-making, identify steps to reduce threats and create clear cybersecurity goals. PUC commissioners then need to determine whether utilities are making sufficient investments in cybersecurity and whether those assets are properly prioritized.
Since utilities are decentralized, conducting a risk assessment for each will be challenging. For example, a utility may own multiple power plants and control centers in different states. In addition, utilities perform multiple functions such as distribution, power trading and customer service. While each site or department operates more or less independently, they also have different cyber access points and they tend to not share threat data.
A centralized committee in each state tasked with aggregating and sharing threat data across the enterprise needs to be created. This would streamline the risk assessment process and serve as a central hub for cyber threat information. Two exercises conducted by the financial and energy industries, Quantum Dawn 2 and GridEx II, have demonstrated the need for improved communication and sharing of cyber threat information. This is because without information sharing, it is almost impossible to detect systemic attacks early enough to contain them.
State legislators and governors also have the power to develop actionable mandates for PUCs with the guidance of Chief Information Officers (CIOs) and Chief Information Security Officers. State legislators and governors need to be more proactive and encourage PUCs to take a strong stance on cybersecurity protection.
CIOs play a critical role in preparing and responding to a cyber attack on the grid by disseminating threat information to government agencies. They also work with state emergency services to provide technical assistance. CIOs should collaborate with industry and other government organizations to anticipate and understand emerging cyber threats. This would open lines of communications with colleagues and allow better forecasting of potential next threats.
Products already exist to boost the cybersecurity of the smart grid. The Sierra Nevada Corporation has created Binary Armor that provides bidirectional security for communication layers on the grid by setting tailored rules as to what messages are allowed to enter the network. Utilidata and Raytheon have also partnered to combine their expertise with real-time data to detect and respond to cyber attacks on the grid. Utilities need to collect input from such partners to prevent data loss and power outages as a result of a cyber attack. Periodic cyber intrusion scenario drills conducted with the private sector could help stress test utilities’ response plans and communicate protocols.
If a cyber attack is successful and creates power outages, utilities need to be prepared to respond. While utilities have limited experience in responding to such an incident, they could utilize their know-how to prepare for storms and natural disasters as a foundation. When utilities expect a weather incident on the horizon, they increase the number of customer service staff to handle an influx of calls. Utilities also have preexisting arrangements with suppliers to obtain equipment in a matter of hours after a storm, and have contracts and processes in place to accept storm crews and equipment from other utilities around the country to assist with repairs. Such detailed preparation and planning also must be done in case of a cyber crisis.
Of course cyber incidents are different from weather events because they cannot be predicted. This is why utilities need to increase their situational awareness on the grid. The National Association of Regulatory Utility Commissioners has encouraged utility commissions to adopt the North American Electric Reliability Corporation Critical Infrastructure Protection principles to make cybersecurity monitoring and evaluation a priority. Companies such as Siemens, Dragos, Schneider Electric and Hewlett Packard provide products that can help utilities detect irregular activity and known malicious events on their network.
Cybersecurity of the grid is critical to avoid power outages. Utilities need to protect against cyber threats on the distribution system to prevent damage to the bulk power system. With countries such as Russia, China and Iran active in cyber, it is reckless to allow the system that provides electricity for citizens to be an open target.
Constance Douris is Vice President of the Lexington Institute. She has published articles and white papers on the smart grid, nuclear deterrence, missile defense and European security. Douris has given speeches on smart grid data privacy, cybersecurity of the electric grid and the European financial crisis. You can follow Constance at @CVDouris and the Lexington Institute @LextNextDC.
Image: United States Air Force