Last October was the nation’s first-ever “U.S. National Cyber Security Awareness “month, and in
November 2017 many of the nation’s electric utilities shifted their focus to an event known as GridEx, a
training exercise that tackles potential cyber-security threats and vulnerabilities in the nation’s electric
grid.
Conducted biennially, GridEx aims to ensure that electric utilities are prepared to thwart potential cyber
or physical attacks on the grid, and to communicate and recover should such an attack occur. More
than 6,000 individuals from more than 400 electric utility and government organizations in the U.S.,
Canada and Mexico participated in GridEx IV.
GridEx 2017 took place against an increasingly complex and threatening backdrop. And while it is vitally
important that the electric industry is focusing on looming cyber threats, the scope and nature of those
threats demands that greater federal leadership, particularly from the Federal Energy Regulatory
Commission (FERC), is needed.
The FBI and Department of Homeland Security issued a “joint Technical Alert” late last year, confirming
that our nation’s nuclear, energy, water, aviation, and critical manufacturing sectors, as well as some
government entities, have been the targets of repeated cyber-attacks. Some of those attacks
succeeded.
And according to recent survey data from Accenture, 52 percent of North American utility executives
reported there is a moderate risk that a cyber-attack could affect the electric grid within the next five
years, while 24 percent said there is a significant likelihood of a cyber-attack. The survey also noted the
significant increase in politically motivated threats from nation-state actors, and from profit-driven
cyber-criminals or organized hackers.
Make no mistake, a successful cyber or physical attack on the U.S. electrical grid would ripple across
every sector of our society. No one would be spared and the costs would be enormous – the three-day
blackout that affected the upper Midwest and Northeast in 2003 cost an estimated $50 billion. And that
blackout was relatively easy to fix – the core problem was a software error, but the damage caused was
isolated and largely repaired within days.
Today, the technology landscape has changed radically since 2003, and a blackout induced by a cyber-
attack has the potential to take out large sections of the national grid, and do so in a sophisticated,
digital manner that could be very difficult to unravel and fix.
That our electric grid is highly vulnerable is not news. Every U.S. President since 1990 has acknowledged
that U.S. infrastructure risks are high, that the threats are real, and each has pledged to promptly
address the looming potential risks. Recent reports from the National Academy of Science have
highlighted the issue, and the Massachusetts Institute of Technology found that in relation to the
heightened risks now faced, “it is doubtful that the defense has improved at all. Attacks are still easy
and cheap to launch and difficult and expensive to defend against.”
The issue is so widely-acknowledged that the Spy Museum in Washington, D.C., in the shadow of the
U.S. Capitol, now has an exhibit titled “Weapons of Mass Disruption” that features “some of today’s top experts on the new intelligence battlefield of cyberspace. Explore what would happen if a cyber-attack hit the electrical grid.”
Many entities are working to make grid improvements. But therein also lies a key part of the challenge
– the myriad of entities, interests and polices involved requires coordination at the national level. Such
oversight is vital to ensuring that critical grid improvements are made in a timely manner, that the end
result is a more sophisticated, resilient grid that can integrate a diverse array of electric generation
sources without increasing vulnerabilities, and that consumers alone do not bear the full financial
burden in their electric rates. Strengthening and protecting the grid is a national security matter, so
federal funding must be part of the financial equation.
Improving the grid of the future also supports and ensures resilience in the other key infrastructure
areas that we now know are being targeted by cyber-attacks.
On the positive side, Federal regulators have taken notice of the critical need to strengthen the grid
against attacks, and FERC has proposed new cyber-security management controls aimed at enhancing
grid resiliency. Importantly, FERC has the legal mandate and authority to take the lead on these critical
issues.
As such, FERC is the logical agency to drive the establishment of a large-scale public-private partnership
that brings together the necessary expertise – utilities, system operators and technology companies –
and financing – Congress, regulators and the private markets – to focus on making the electric grid more
robust and resilient in the near-term.
Developing that partnership, and creating a national grid enhancement program will require four
components:
- An independent and candid assessment of exactly where improvements and upgrades are
needed, in order of priority, to be completed as soon as possible; - Development of a collective national plan, codified by Congress, with oversight from the
relevant federal regulatory agencies, to drive short- and long-term improvements; - Regulatory reform, including development of improved, uniform practices for the North
American bulk power system that rise to the level of detail and rigor required to meet the
threats we face; and, - Identification of public and private funding mechanisms, including the potential use of tax-
exempt government bonds, to raise the necessary financing in an equitable manner.
As a nation, we can no longer afford to put off until tomorrow that which our own self-interest says
must begin today. The threats are increasing every day and the consequences of inaction are both
devastating and unnecessary.
With regard to enhancing the grid, as the saying goes, failure is not an option.
__________________________________________________________________________
Paul Feldman is a former Chairman of the Midcontinent ISO (MISO), and a former Independent Board
member of the Western Electricity Coordinating Council (WECC). He serves on several energy-related
Boards, and Advisory Boards, including Protect Our Power, a not-for- profit organization whose mission is
to strengthen the reliability and resilience of the U.S. electric grid.