Electric Grid Cyber Protection: Key Recent Developments
Below is a synopsis of six particularly notable developments since March 2020 pertaining to threats against the U.S. electric grid from cyberattacks and related preventative actions.
Presidential Executive Order on Securing the Bulk Power System. This May 1 directive determined, “The bulk-power system is a target for those seeking to commit malicious acts against the United States and its people, including malicious cyber activities, because a successful attack on our bulk-power system would present significant risks to our economy, human health and safety.” It calls for a rigorous review of suppliers and the development of a pre-qualified vendor list. In addition, now prohibited equipment already in use is to be identified, isolated, monitored and, if necessary, replaced.
The United States electric system has become increasingly dependent on foreign suppliers for essential items, including software components, that can be cyberattacked. Regulations are expected to be issued in September. For additional analysis, see here.
Cyberspace Solarium Commission Report. The March 11 report was blunt in its assessment of the poor state of U.S. cybersecurity programs and the need for major reforms. “The U.S. government is currently not designed to act with the speed and agility necessary to defend the country in cyberspace.” It continues, “The current state of affairs invites aggression and establishes a dangerous pattern of actors attacking the United States without fear of reprisal. Adversaries are increasing their cyber capabilities while U.S. vulnerabilities continue to grow.”
The report’s more than 75 recommendations include calls for a Senate-confirmed National Cyber Director to be based at The White House, within the Executive Office of the President.
The Commission was formed as part of the 2019 National Defense Authorization Act. Co-chaired by Senator Angus King (I-ME) and Congressman Mike Gallagher (R-WI), commissioners include FBI Director Christopher Wray and Deputy Secretary of Defense David Norquist.
Utility Commissioners Briefed on the Solarium Commission. In April, state utility commissioners were briefed via a webinar on the steps they can take to strengthen the electric grid. The presentation was made by two members of the Solarium Commission, Tom Fanning, the Chief Executive Officer of Southern Company and Chris Inglis, the former Deputy Director at the National Security Agency.
Important Cyber and Reliability Standards Delayed. On April 17, the Federal Energy Regulatory Commission (FERC) approved a request from the North American Electric Reliability Corporation (NERC) to delay implementation of seven reliability standards, include three pertaining to cybersecurity. NERC made this request on April 6 contending that utilities, amid the COVID-19 pandemic, should have greater flexibility to allocate resources.
The cybersecurity standards have been delayed three months, to October 1, 2020. They pertain to electronic security perimeters, supply chain risk management, and configuration change management and vulnerability assessments. The new standards were approved by FERC in 2018.
Pandemic Preparedness Takes Center Stage. The pandemic has exacerbated several threats pertaining to cybersecurity, requiring increased vigilance from utilities and regulators. In an April 2020 special report, NERC said, “The global health crisis has elevated the electric reliability risk profile due to potential workforce disruptions, supply chain interruptions, and increased cybersecurity threats. The electricity industry in North America is rising to the challenge, coordinating effectively with government partners, and taking aggressive steps to confront the threat to the reliability and security of the bulk power system.”
Cyberattack on the United Kingdom’s Electric System. Elexon, an organization that facilitates transactions between power generators and National Grid, which delivers electricity and gas, announced on May 14 that their internal IT systems and laptops were impacted by a cyberattack. Electricity supplies were not affected, and an investigation was ongoing.
About the Author: Paul Steidler is Senior Fellow with the Lexington Institute, a public policy think tank in Arlington, Virginia.
Find Archived Articles: