Protecting America’s electric grid from cyberattacks is a formidable and evolving challenge that requires continuous improvement. In recent weeks there have been seven notable developments. While there is no single solution or “silver bullet” to ensure the electric grid is safeguarded from cyberattacks, each of the following is an important and positive building block.
Senate Legislation. On September 25, the Senate Committee on Energy and Natural Resources passed two measures. The Energy Cybersecurity Act, introduced by Senator Maria Cantwell (D-WA), directs the U.S. Department of Energy (DOE) to develop advanced cybersecurity applications and technologies for the energy sector. A bill introduced by Senator Cory Gardner (R-CO), the Enhancing Grid Security through Public-Private Partnerships Act, calls for the U.S. Secretary of Energy to work with state regulators, industry stakeholders, and others to develop programs for assessing grid security and to share related best practices.
GAO Report. Also on September 25, the U.S. Government Accountability Office (GAO) publicly released a report, “Critical Infrastructure Protection: Actions Needed to Address Significant Cybersecurity Risks Facing the Electric Grid.” GAO found the grid faces significant cybersecurity risks from hostile nations, terrorists, criminals and others. It said, “The grid is becoming more vulnerable to cyberattacks – particularly those involving industrial control systems that support grid operations.”
National Institute of Standards Program. This U.S. Department of Commerce agency issued a Federal Register notice on October 8 that “invites organizations to provide products and technical expertise to support and demonstrate security platforms for Securing the Industrial Internet of Things (IIoT) for the energy sector use case. This notice is the initial step for the National Cybersecurity Center of Excellence in collaborating with technology companies to address cybersecurity challenges identified under the energy sector program.”
FERC and NERC Proposal to Name Utilities for Grid Security Violations. An August 27 white paper from the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) calls for naming utilities that violate Critical Infrastructure Protection Reliability Standards, and specifying the standards violated and the penalty amounts. Any information helpful to those planning an attack would not be disclosed. The threat of increased public scrutiny, and related embarrassment for violations, will lead many utilities to be more diligent in their cybersecurity practices.
TVA Devotes Vast Resources to Grid Security. The Tennessee Valley Authority’s (TVA’s) commitment to grid cybersecurity was the subject of a profile story in the October 18 Chattanooga Times. “The 60-employee cybersecurity division monitors more than 1 billion activities a day across different digital platforms in TVA’s 7-state region while also keeping in contact with government and private watchdog agencies for signs of possible cyberthreats from around the globe to the electric grid,” says the article.
FERC Chairman Op-Ed. In an October 6 Fortune Op-Ed, “The Power Grid Is Evolving; Cybersecurity Must Too,” FERC Chairman Neil Chatterjee made a strong case for robust, evolving and nimble standards. “I believe that technological advancements will play a critical role in building the stronger and more secure grid of tomorrow. To allow for that innovation to flourish, we as regulators must continually evaluate our rules, ensuring that utilities can both harness the benefits of new technologies and mitigate associated risks,” said Chatterjee.
Siemens/Ponemon Institute Study. An October study by Siemens and the Ponemon Institute, “Caught in the Crosshairs: Are Utilities Keeping Up with the Industrial Cyber Threat?” assessed the global energy sector’s ability to meet cyberattacks. The survey of 1,726 utility professionals responsible for cyber risks found that 25 percent are impacted by a mega attack each year. Fifty-six percent have a shutdown or an operational data loss each year.
About the Author: Paul Steidler is a Senior Fellow with the Lexington Institute, a public policy think tank based in Arlington, Virginia.