By Constance Douris, VP, Lexington Institute
The electric grid often utilizes industrial control systems to automate generation, transmission and distribution. As utilities adopt digital technologies to keep up with electricity demand and consumption, cyber attack vulnerabilities increase and new entry points emerge. Many public utilities commissions (PUCs) have not required utilities to boost their cybersecurity, placing customer electricity access in jeopardy. Regulators need to incentivize and mandate cybersecurity standards for utilities.
Utilities operate the distribution part of the grid, the final stage where electricity is delivered to customers. Currently, mandatory cybersecurity standards exist only for the bulk power portion of the electric grid, not for the distribution system. The distribution system delivers electricity to pipelines, medical facilities, telecommunications, military bases and other critical infrastructure. If a successful cyber attack on the distribution system disrupts electricity, devastating economic and security consequences can result. Clearly, the distribution system also needs to be protected to prevent damage to the bulk power system.
PUCs should require utilities to conduct a risk analysis so they better understand cybersecurity weaknesses. This profile will allow for informed decision-making, identify steps to reduce threats and create clear cybersecurity goals. PUC commissioners then need to determine whether utilities are making sufficient investments in cybersecurity and whether those assets are properly prioritized.
Since utilities are decentralized, conducting a risk assessment for each will be challenging. For example, a utility may own multiple power plants and control centers in different states. In addition, utilities perform multiple functions such as distribution, power trading and customer service. Each site or department operates more or less independently, has different cyber access points and tends not to share threat data.
Each state needs to create a centralized committee tasked with aggregating and sharing threat data across the enterprise. This would streamline the risk assessment process and serve as a central hub for cyber threat information. Two exercises conducted by the financial and energy industries, Quantum Dawn 2 and GridEx II, have demonstrated the need for improved communication and sharing of cyber threat information. Without information sharing, it is almost impossible to detect systemic attacks early enough to contain them.
State legislators and governors also have the power to develop actionable mandates for PUCs with the guidance of Chief Information Officers (CIOs) and Chief Information Security Officers. State legislators and governors need to be more proactive and encourage PUCs to take a strong stance on cybersecurity protection.
CIOs play a critical role in preparing for and responding to a cyber attack on the grid by disseminating threat information to government agencies. They also work with state emergency services to provide technical assistance. CIOs should collaborate with industry and other government organizations to anticipate and understand emerging cyber threats. This would open lines of communication with colleagues and allow better forecasting of potential future threats.
Products already exist to boost the cybersecurity of the smart grid. The Sierra Nevada Corporation has created Binary Armor, which provides bidirectional security for communication layers on the grid by setting tailored rules as to what messages are allowed to enter the network. Utilidata and Raytheon have also partnered to combine their expertise with real-time data to detect and respond to cyber attacks on the grid. Utilities need to collect input from such partners to prevent data loss and power outages as a result of a cyber attack. Periodic cyber intrusion scenario drills conducted with the private sector could help stress test utilities’ response plans and communication protocols.
If a cyber attack is successful and creates power outages, utilities need to be prepared to respond. While utilities have limited experience in responding to such an incident, they could use their know-how in preparing for storms and natural disasters as a foundation. When utilities expect a weather incident on the horizon, they increase the number of customer service staff to handle an influx of calls. Utilities also have preexisting arrangements with suppliers to obtain equipment in a matter of hours after a storm, and have contracts and processes in place to accept storm crews and equipment from other utilities around the country to assist with repairs. Such detailed preparation and planning also must be done in case of a cyber crisis.