As October’s first-ever U.S. National Cyber Security Awareness month fades into history, many of the nation’s electric utilities shifted their focus in November to an event known as GridEx, a training exercise that tackles potential cyber-security threats and vulnerabilities in the nation’s electric grid.
Conducted biennially, GridEx aims to ensure that electric utilities are prepared to thwart potential cyber or physical attacks on the grid, and to communicate and recover should such an attack occur. More than 6,000 individuals from more than 400 electric utility and government organizations in the United States, Canada and Mexico participated in GridEx IV.
This year’s GridEx event took place against an increasingly complex and threatening backdrop. And while it is vitally important that the industry is focusing on looming cyber threats, the scope and nature of those threats demands that greater federal leadership, particularly from the Federal Energy Regulatory Commission, is needed.
The FBI and Department of Homeland Security issued a “joint technical alert” in October confirming that our nation’s nuclear, energy, water, aviation and critical manufacturing sectors, as well as some government entities, have been the targets of repeated cyber-attacks. Some of those attacks succeeded.
And according to recent survey data from Accenture, 52 percent of North American utility executives reported there is a moderate risk that a cyber-attack could affect the electric grid within the next five years, while 24 percent said there is a significant likelihood of a cyber-attack. The survey also noted the significant increase in politically motivated threats from nation-state actors, and from profit-driven cyber-criminals or organized hackers.
Make no mistake, a successful cyber or physical attack on the U.S. electrical grid would ripple across every sector of our society. No one would be spared and the costs would be enormous—the three-day blackout that affected the upper Midwest and Northeast in 2003 cost an estimated $50 billion. And that blackout was relatively easy to fix—the core problem was a software error, but the damage caused was isolated and largely repaired within days.
Today, the technology landscape has changed radically since 2003, and a blackout induced by a cyber-attack has the potential to take out large sections of the national grid, and do so in a sophisticated, digital manner that could be very difficult to unravel and fix.
Recent reports from the National Academy of Science have highlighted the issue, and the Massachusetts Institute of Technology found that in relation to the heightened risks now faced, “it is doubtful that the defense has improved at all.
Attacks are still easy and cheap to launch and difficult and expensive to defend against.” The issue is so widely acknowledged that the Spy Museum in Washington, D.C., in the shadow of the U.S. Capitol, now has an exhibit titled “Weapons of Mass Disruption” that features “some of today’s top experts on the new intelligence battlefield of cyberspace. Explore what would happen if a cyberattack hit the electrical grid.”
Many entities are working to make grid improvements. But therein also lies part of the challenge—the myriad of entities, interests and policies involved requires coordination at the national level.
Such oversight is vital to ensuring that critical grid improvements are made in a timely manner, that the end result is a more sophisticated, resilient grid that can integrate a diverse array of electric generation sources without increasing vulnerabilities, and that consumers alone do not bear the full financial burden in their electric rates.
Strengthening and protecting the grid is a national security matter, so federal funding must be part of the financial equation. Improving the grid of the future also supports and ensures resilience in the other key infrastructure areas that we now know are being targeted by cyber-attacks.
On the positive side, federal regulators have taken notice of the critical need to strengthen the grid against attacks, and FERC recently proposed new cyber-security management controls aimed at enhancing grid resiliency. Importantly, FERC has the legal mandate and authority to take the lead on these critical issues.
As such, FERC is the logical agency to drive the establishment of a large-scale public/private partnership that brings together the necessary expertise—utilities, system operators and technology companies—and financing from Congress, regulators and the private markets to focus on making the electric grid more robust and resilient in the near-term.
Developing that partnership, and creating a national grid enhancement program will require four components:
- An independent and candid assessment of exactly where improvements and upgrades are needed, in order of priority, to be completed as soon as possible;
- Development of a collective national plan, codified by Congress, with oversight from the relevant federal regulatory agencies, to drive short- and long-term improvements;
- Regulatory reform, including development of improved, uniform practices for the North American bulk power system that rise to the level of detail and rigor required to meet the threats we face; and,
- Identification of public and private funding mechanisms, including the potential use of tax-exempt government bonds, to raise the necessary financing in an equitable manner.
As a nation, we can no longer afford to put off until tomorrow that which our own selfinterest says must begin today. The threats are increasing every day and the consequences of inaction are both devastating and unnecessary.
With regard to enhancing the grid, as the saying goes, failure is not an option. (1/2)
Paul Feldman is a former chairman of the Midcontinent Independent System Operator and a former independent board member of the Western Electricity Coordinating Council. He serves on several energy-related advisory boards, including Protect Our Power, a not-forprofit organization whose mission is to strengthen the reliability and resilience of the U.S. electric grid.