Thought Piece

This is an excellent piece about the importance of cyber-security on the American grid. With the geo-political implications of a vulnerable grid, it is a good time to have a non-partisan discussion about how to evolve a forward-looking strategy, being called a “segmentation” network. Lexington Institute’s Constance Douris gives us a thoughtful review of the issues, with an eye toward a national plan. Thank you, Constance.

Russia Attacked the US Power Grid for Two Years. Now What?

The Trump administration has accused Russia of a two-year cyberattack campaign against the U.S. electric grid. This is the first time the U.S. has openly accused Moscow of threatening America’s energy infrastructure. And it demonstrates why the grid must be able to resist cyberattacks on networks and ensure customers have stable electricity access.

Department of Energy Secretary Rick Perry announced a new Office of Cybersecurity, Energy Security and Emergency Response last month, indicating that the administration is taking grid cyber threats seriously. This effort aims to enable coordinated preparedness and response to man-made threats. President Donald Trump’s Fiscal Year 2019 budget allocates $96 million for this center.

While the federal government is boosting its grid cybersecurity efforts, electric utilities must do the same. Each utility has unique cyber strengths and weaknesses, meaning there can be no one-size-fits-all solution. However, there are some steps that all power companies can take to protect information and operational technology systems from cyber threats.

It is estimated that U.S. utilities will spend over $7 billion on grid cybersecurity by 2020. To protect their systems, utilities must first understand how they are interconnected. Utilities will then be equipped to make better decisions as to which products are best to protect their systems from cyber threats.

Every utility should create a register with details about identified risks, an analysis of exposure severity and evaluations of possible solutions. The register must be updated regularly as cyber threats and vulnerabilities change quickly.

This will serve as a common document to motivate internal thinking and discussions about organizational cyber risks. It would also provide a tool to inform the board, management, and key stakeholders about cyber vulnerabilities, helping prioritize financial resources for protection.

In a recent interview I conducted, Michael Daly, Chief Technology Officer of Cybersecurity and Special Missions at Raytheon, noted that more utilities need to implement “segmentation” networks. Segmentation enables more monitoring on systems because rules are defined so that only specific traffic is allowed to enter each designated network, enhancing the detection of known and unknown zero-day cyber threats.
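To illustrate why allow-only rules at segment boundaries help detection, here is an added example in Python; it is not part of the original article and is not any vendor's product. The zone names, subnets, rules and flow records are all assumptions constructed for illustration. Any boundary crossing that no rule permits is reported, with no threat signature needed.

```python
import ipaddress

# Hypothetical zones and subnets, constructed for this example.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "control_center": ipaddress.ip_network("10.20.0.0/24"),
    "substation": ipaddress.ip_network("10.30.0.0/24"),
}

# Default deny: only these (src zone, dst zone, protocol, dst port) tuples may
# cross a zone boundary. The specific rules are assumptions for illustration.
ALLOWED = {
    ("control_center", "substation", "tcp", 20000),  # DNP3 polling of field devices
    ("corporate", "control_center", "tcp", 443),     # HTTPS to a reporting server
}

def zone_of(ip):
    """Map an address to its zone; anything unknown is treated as external."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def check_flow(src, dst, proto, dport):
    """Return (verdict, src_zone, dst_zone) for one flow record."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return ("intra-zone", sz, dz)  # never crosses a boundary, not judged here
    verdict = "allow" if (sz, dz, proto, dport) in ALLOWED else "alert"
    return (verdict, sz, dz)

def violations(flows):
    """Every boundary crossing that no rule permits is reported, signature or not."""
    return [(f, check_flow(*f)[1:]) for f in flows if check_flow(*f)[0] == "alert"]

# Constructed sample flow records: (source, destination, protocol, destination port).
SAMPLE_FLOWS = [
    ("10.20.0.5", "10.30.0.11", "tcp", 20000),   # expected polling
    ("10.10.4.7", "10.20.0.9", "tcp", 443),      # expected reporting access
    ("10.10.4.7", "10.30.0.11", "tcp", 20000),   # right port, wrong source zone
    ("10.20.0.5", "10.30.0.11", "tcp", 23),      # right zones, unlisted service
    ("10.30.0.11", "203.0.113.8", "tcp", 443),   # field device reaching outside
]

if __name__ == "__main__":
    for flow, (sz, dz) in violations(SAMPLE_FLOWS):
        print(f"ALERT {sz} -> {dz} {flow[2]}/{flow[3]}  {flow[0]} -> {flow[1]}")
```

The third sample flow uses a permitted port but comes from a zone with no rule for that path, so it is still reported.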

An industrial standard has also been developed by Full Spectrum, the Electric Power Research Institute, the Utilities Technology Council, and several U.S. utility companies. This allows grid operators to manage a secure and cost-effective private network over large territories. Systems that meet this standard operate independently from the public internet and protect the grid’s data communications, helping block hackers from critical parts of the network.

In the event an adversary is able to gain access through the administrative network, this standard enables the remote control and isolation of servers within the grid without having to leave the control center, according to a phone discussion I had with Stewart Kantor, Chief Executive Officer at Full Spectrum.

Supervisory control and data acquisition systems provide utilities with valuable knowledge to distribute and transmit electricity effectively and to operate generation assets. Sierra Nevada Corporation offers Binary Armor to protect these systems from cyber threats with bidirectional security for communication layers. More utilities should consider adopting this product to ensure electricity delivery is not compromised.

While many cybersecurity solutions are available on the market, some utilities have a tough time evaluating their performance. Reps. Bob Latta (R-OH) and Jerry McNerney (D-CA) introduced the Cyber Sense Act to create a program that will identify, test, and report on cybersecurity product effectiveness for the bulk-power system.

Assessing readily available cyber products will help utilities become aware of solutions for the bulk-power system. Perhaps state leaders and public utility commissions can create a similar program to help utilities evaluate cybersecurity products for the distribution system that are on the market.

A second piece of legislation, the Enhancing Grid Security Through Public-Private Partnerships Act, was also introduced to encourage public-private partnerships and improve cybersecurity of electric utilities. It aims to advance best practices for sharing and collecting data and to provide training and technical assistance to electric utilities and mitigate cyber risks.

Utility commissions could play a major role in utilities’ ability to invest in cyber protection, since they determine what percentage of profits investor-owned utilities can retain and authorize which investment costs can be recovered from customers’ rates.

The federal departments of Energy and Homeland Security offer grants to fund grid cybersecurity initiatives. But resources are limited. Utilities must find creative ways to fund cost-effective cybersecurity efforts. Since some utilities, states, and public utility commissions are reluctant to invest in cyber protection, outcome-based actionable mandates could be implemented to focus on cyber threats.

Congress could also help by requiring a minimum level of cybersecurity. It is crucial that any such requirements be outcome-based, though, so that companies can flexibly achieve objectives. Utilities, meanwhile, should be equipped with the freedom to tailor cyber solutions to their specific needs.

Such flexibility is necessary to account for differences in company structure, size, and resources. (A helpful resource to support policymakers making decisions about such standards is the National Institute of Standards and Technology’s Cybersecurity Framework, which was recently updated.)

Cyber threats to the electric grid are increasing in severity and frequency. No one company can counter cyber threats to the grid alone; grid operators, policymakers, and the private sector will have to work together.

As Vice President of the Lexington Institute, Constance Douris manages the energy portfolio. She has published research and given speeches about smart grid data, cybersecurity of the electric grid and the impact of electric vehicles on the grid. You can follow her on Twitter @CVDouris.