As October’s first-ever U.S. National Cyber Security Awareness month fades into history, many of the
nation’s electric utilities shifted their focus in November to an event known as GridEx, a training exercise
that tackles potential cyber-security threats and vulnerabilities in the nation’s electric grid.
Conducted biennially, GridEx aims to ensure that electric utilities are prepared to thwart potential cyber
or physical attacks on the grid, and to communicate and recover should such an attack occur. More
than 6,000 individuals from more than 400 electric utility and government organizations in the U.S.,
Canada and Mexico participated in GridEx IV.
This year’s GridEx event took place against an increasingly complex and threatening backdrop. And
while it is vitally important that the industry is focusing on looming cyber threats, the scope and nature
of those threats demands that greater federal leadership, particularly from the Federal Energy
Regulatory Commission (FERC), is needed.
The FBI and Department of Homeland Security issued a “joint Technical Alert” in October confirming
that our nation’s nuclear, energy, water, aviation, and critical manufacturing sectors, as well as some
government entities, have been the targets of repeated cyber-attacks. Some of those attacks
succeeded.
And according to recent survey data from Accenture, 52 percent of North American utility executives
reported there is a moderate risk that a cyber-attack could affect the electric grid within the next five
years, while 24 percent said there is a significant likelihood of a cyber-attack. The survey also noted the
significant increase in politically motivated threats from nation-state actors, and from profit-driven
cyber-criminals or organized hackers.
Make no mistake, a successful cyber or physical attack on the U.S. electrical grid would ripple across
every sector of our society. No one would be spared and the costs would be enormous – the three-day
blackout that affected the upper Midwest and Northeast in 2003 cost an estimated $50 billion. And that
blackout was relatively easy to fix – the core problem was a software error, but the damage caused was
isolated and largely repaired within days.
Today, the technology landscape has changed radically since 2003, and a blackout induced by a cyber-
attack has the potential to take out large sections of the national grid, and do so in a sophisticated,
digital manner that could be very difficult to unravel and fix.
Recent reports from the National Academy of Science have highlighted the issue, and the Massachusetts
Institute of Technology found that in relation to the heightened risks now faced, “it is doubtful that the
defense has improved at all. Attacks are still easy and cheap to launch and difficult and expensive to
defend against.”
The issue is so widely-acknowledged that the Spy Museum in Washington, D.C., in the shadow of the
U.S. Capitol, now has an exhibit titled “Weapons of Mass Disruption” that features “some of today's top
experts on the new intelligence battlefield of cyberspace. Explore what would happen if a cyber-attack
hit the electrical grid.”
Many entities are working to make grid improvements. But therein also lies part of the challenge – the
myriad of entities, interests and polices involved requires coordination at the national level. Such
oversight is vital to ensuring that critical grid improvements are made in a timely manner, that the end
result is a more sophisticated, resilient grid that can integrate a diverse array of electric generation
sources without increasing vulnerabilities, and that consumers alone do not bear the full financial
burden in their electric rates. Strengthening and protecting the grid is a national security matter, so
federal funding must be part of the financial equation.
Improving the grid of the future also supports and ensures resilience in the other key infrastructure
areas that we now know are being targeted by cyber-attacks.
On the positive side, Federal regulators have taken notice of the critical need to strengthen the grid
against attacks, and FERC recently proposed new cyber-security management controls aimed at
enhancing grid resiliency. Importantly, FERC has the legal mandate and authority to take the lead on
these critical issues.
As such, FERC is the logical agency to drive the establishment of a large-scale public-private partnership
that brings together the necessary expertise – utilities, system operators and technology companies –
and financing – Congress, regulators and the private markets – to focus on making the electric grid more
robust and resilient in the near-term.
Developing that partnership, and creating a national grid enhancement program will require four
components:
- An independent and candid assessment of exactly where improvements and upgrades are
needed, in order of priority, to be completed as soon as possible; - Development of a collective national plan, codified by Congress, with oversight from the
relevant federal regulatory agencies, to drive short- and long-term improvements; - Regulatory reform, including development of improved, uniform practices for the North
American bulk power system that rise to the level of detail and rigor required to meet the
threats we face; and, - Identification of public and private funding mechanisms, including the potential use of tax-
exempt government bonds, to raise the necessary financing in an equitable manner.
As a nation, we can no longer afford to put off until tomorrow that which our own self-interest says
must begin today. The threats are increasing every day and the consequences of inaction are both
devastating and unnecessary.
With regard to enhancing the grid, as the saying goes, failure is not an option.
___________________________________________________________________________
Paul Feldman is a former Chairman of the Midcontinent ISO (MISO), and a former Independent Board
member of the Western Electricity Coordinating Council (WECC). He serves on several energy-related
Boards, and Advisory Boards, including Protect Our Power, a not-for- profit organization whose mission is
to strengthen the reliability and resilience of the U.S. electric grid.