Whether it is an after-effect of new tensions with Iran, the discovery that hackers have penetrated power plant control rooms, or the spate of warnings from utility industry professionals, security analysts and government agencies, one thing is clear: The likelihood of a serious cyberattack on our electric infrastructure is greater than ever in 2020, and perhaps imminent.
The “threat landscape focusing on electric utilities in North America is expansive and increasing” and includes a “unique and specific risk” to power grid control systems, according to global security firm Dragos.
Our cybersecurity “risk is worsening, with potential for severe financial, environmental and infrastructure damage,” says utility equipment manufacturer and supplier Siemens.
The president’s National Infrastructure Advisory Council issued an even more dire warning in December: “We believe the clock is ticking down to a cyber 9/11.”
And just last month, the Departments of Energy, Homeland Security and Defense formed the new “Pathfinder” initiative to bolster the government’s ability to proactively address cyberthreats to critical energy infrastructure and to respond effectively should those threats materialize, according to DOE.
This latest move comes as the “threat surface” of cyberattacks is expanding to target industrial control systems and operations technology — the machines, systems and networks used to actually generate, transmit and distribute power — which may pose more serious consequences than attacks on information technology systems.
We are also seeing more frequent warnings that the global utility industry supply chain is vulnerable to groups targeting original equipment manufacturers, third-party vendors and telecommunications providers.
Against this reality, the need for immediate, high-level collaboration between the government and the private sector has never been more urgent: Electricity is the lifeblood of our economy. The economic, societal, human health and safety impacts of a major power outage are potentially devastating.
In a world of increasingly sophisticated, aggressive cyber actors, the federal government and the utility industry must forge a new kind of public-private partnership — one in which both lead, but on parallel paths that eventually unite in the common goal of significantly enhancing the cybersecurity of the grid.
This dual-path strategy is necessary because of the fundamental differences between the public and private sectors and what each one does well.
The federal government moves slowly but can pass legislation, promulgate and enact regulations, and otherwise provide financial, policy and legal structure to do the following:
- Secure state energy infrastructure against physical and cybersecurity threats, and enhance recovery from grid disasters or disruptions;
- Provide physical and cybersecurity assistance to smaller electric utilities, cooperatives and municipals with limited resources;
- Increase the sharing of best practices, grid intelligence and data collection;
- Identify, enhance and test supply chain vulnerabilities and response capabilities between government departments and agencies, national labs and private industry;
- And provide incentives and enhanced cost recovery options to federally regulated utilities to spur investment in advanced cybersecurity technology.
At least four pieces of legislation that would address many of these needs are at various stages of activity in the House or Senate. Collectively, these bills could form the core of the comprehensive energy legislation package that Sen. Lisa Murkowski (R-Alaska) recently announced.
In the private sector, which can move more quickly than government, the utility industry needs to move beyond current regulatory standards and toward the identification and implementation of best practices, which will provide better protection in a much timelier manner.
Formalizing a best-practice approach allows the rapid adoption of existing and emerging technologies that meet current and future threats, rather than settling for standards that may be outdated by the time they are published and only establish minimum levels of cybersecurity protection.
Utilities must also move quickly to secure the industry supply chain, much of which is global in nature, and ensure the integrity of every key component of grid hardware and software. The grid is only as strong as its weakest link, and those links come to the United States through a global supply chain. Work has begun on this issue, but much more remains.
Lastly, individual states have a critical role to play in promoting and supporting grid improvements through regulatory policy, procedures and approvals. As new threats emerge and new vulnerabilities are identified, utilities must be able to move quickly to respond and invest in new technologies and upgrades, something that current regulatory oversight of their investments does not readily allow.
Some type of uniform, flexible ratemaking or cost-recovery mechanism must be developed to incentivize large and small utilities to make necessary investments in cybersecurity and implement best practices on a sustained basis. And while the impact on electric utility ratepayers will need to be carefully overseen by the appropriate state regulatory agencies, utilities must also have some reasonable measure of guarantee that effective, prudent expenditures for cyber upgrades will be recouped.
Just one year ago, then-National Intelligence Director Dan Coats warned Congress that serious threats to U.S. infrastructure, and especially to the electrical grid, had grown significantly and that “the warning lights are blinking red.”
Today, those warning lights would appear to be constantly red, and the possibility that those lights could be shut off, along with lights and power supplies across the country, is escalating every day.
Richard Mroz is immediate past president of the New Jersey Board of Public Utilities and former chairman of the National Association of Regulatory Utility Commissioners’ Committee on Critical Infrastructure, and Suedeen Kelly is a former member of the Federal Energy Regulatory Commission; both serve on the leadership team of Protect Our Power, a nonprofit organization whose mission is to strengthen the reliability and resilience of the U.S. electric grid.