U.S. Electric Grid Needs Improved Cybersecurity
The ability to generate and move electric power is the centerpiece of any civilization. Without power there would be virtually no communications, water supplies, food harvesting, processing or storage, or industrial production. This is why the security of the power grid against both physical and non-physical attacks is so important.
Today’s power grids are vulnerable to a variety of threats, the least understood but potentially most dangerous of which is cyber attack. In 2008, the outgoing Bush Administration published National Security Presidential Directive 54 on Cybersecurity which warned that “hackers and insiders have penetrated or shut down utilities in countries on at least three continents.” The U.S. electricity grid is under near constant attack from malware, cyber-criminals and even foreign states. Intelligence agencies are concerned that some foreign countries, including China, have been conducting cyber reconnaissance of the power grid in order to identify weakness and possibly even leave behind malware that can be activated in the event of conflict with the United States. By some estimates, the national power grid is subjected to 10,000 attempted cyber attacks or intrusions every month. In recent testimony before the Senate Energy and Natural Resources Committee, Gerry Cauley, president of the North American Electric Reliability Corporation (NERC), stated that, “I am most concerned about coordinated physical and cyber attacks intended to disable elements of the power grid or deny electricity to specific targets, such as government or business centers, military installations, or other infrastructures.”
The threat is likely to grow substantially worse even as our dependence on power increases. The proliferation of power generation sources, energy storage media and sensor systems in homes and businesses could make tomorrow’s power grid even more vulnerable to cyber attack. Our experience with cyber intrusions and hacking has taught us one fundamental lesson: every IT system and network is only as strong as its weakest link. In a world in which micro-grids, smart meters in individual homes and businesses and even cars are linked into the national power grid, the risk of cyber attack to that system will grow exponentially.
At present, most utility companies implement only the barest minimum of security measures. There is no centralized data base of attacks on which utilities or local and state governments can rely for estimates of the character and severity of the cyber threat. There is no nationally-accepted set of standards for cybersecurity of the power grid. Looking ahead, who will set standards for the cybersecurity of smart meters, micro-grids and electric cars?
The Department of Homeland Security (DHS) has responsibility for cybersecurity of U.S. critical infrastructure, including the electric power grid. However, DHS relies largely on industry to protect itself. As a result, the utilities and transmission companies tend to take only such measures as are required under the minimal standards established by NERC. According to a report released last year by Congressmen Ed Markey (D-MA) and Henry Waxman (D-CA), only 21 percent of investor-owned utilities, 44 percent of municipal or cooperatively-owned utilities, and 62.5 percent of federally-owned utilities said they had taken any additional, voluntary measures.
What else should be done? The Department of Energy has published an Energy Delivery Systems Cybersecurity Roadmap which calls for, inter alia, facilitating public-private partnerships to accelerate cybersecurity efforts for the grid of the 21st century; funding research and development of advanced technology to create a secure and resilient electricity infrastructure; supporting the development of cybersecurity standards to provide a baseline to protect against known vulnerabilities and; facilitating timely sharing of actionable and relevant threat information. However, the federal government has not put much actual effort or resources behind any of these recommendations.
Thus, it is up to the private sector as well as state and local governments to take the initiative and make their portions of the power grid more secure. Fortunately, private U.S. defense companies such as Lockheed Martin, BAE Systems, General Dynamics and ManTech have been developing sophisticated cybersecurity capabilities. These can be applied to the needs of energy utilities for enhanced security of the power grid.
A report by the Bipartisan Policy Institute recommends that energy companies should create a new industry-led body to deflect cyber threats to the electric grid — from large generators to local distribution utilities. State and local regulators should work with this body to develop common cybersecurity standards, create metrics by which to evaluate utility investments in cybersecurity and even establish cost-recovery modalities for such investments.
Find Archived Articles: