Legislation on Infrastructure Resilience is Key to Grid Security
By Steven T. Naumann, former Vice President, Transmission and NERC Policy, Exelon
The Biden Administration’s proposed infrastructure plan, known as The American Jobs Plan, contemplates hundreds of billions of dollars of investments in infrastructure resilience, including the construction of large, new high-voltage electric transmission lines that can handle 20 gigawatts of power.[1]
As we saw recently with the large-scale power outages in Texas, and the total destruction of the electric system in Puerto Rico in 2017, extreme events can result in widespread, long-term electrical outages that can have severe adverse impact on life, the economy and national security.
While the blackouts in Texas and Puerto Rico were weather-related, a successful cyberattack on the nation’s electric power system also has the ability to cause major blackouts, with the same negative impacts on society. While the devil is in the details of the proposed infrastructure legislation, there are some investments and other provisions that must be considered to better ensure a resilient and secure electric grid.
A key part of determining where to make grid investment is defining the word “resilience.” No single or common definition of resilience is used by all critical infrastructure sectors. In 2009, the National Infrastructure Advisory Council (NIAC), which advises the White House on how to reduce physical and cyber risks and improve the security and resilience of the nation’s critical infrastructure sectors, developed a definition that provides a starting point:
Infrastructure resilience is the ability to reduce the magnitude and/or duration of disruptive events. The effectiveness of a resilient infrastructure or enterprise depends upon its ability to anticipate, absorb, adapt to, and/or rapidly recover from a potentially disruptive event.[2]
Following the NIAC definition, the Federal Energy Regulatory Commission (FERC) proposed a definition of resilience specific to the grid and FERC’s grid oversight role:
The ability to withstand and reduce the magnitude and/or duration of disruptive events, which includes the capability to anticipate, absorb, adapt to, and/or rapidly recover from such an event.[3]
These definitions are useful in guiding policymakers as they target specific areas for investments in grid cyber resilience. Such investments are critical to ensuring our ability to continue supplying power in the face of cyberattacks. Toward that end, Protect Our Power suggests that the following specific investments and policy directives should be included in final infrastructure legislation.
Testing and Evaluation of Critical Equipment and Software
As others have pointed out, testing and evaluation of critical equipment is needed to mitigate risks that, in spite of standards and processes to minimize the cyber supply chain risk, adversaries will find ways to exploit weaknesses within the supply chain.[4] The Department of Energy has established the Cybersecurity Testing for Resilient Industrial Control Systems (CyTRICS™) program for testing the cyber resilience of operational technology in the energy sector.[5] Infrastructure legislation should include funds for expanding DOE’s equipment and software testing ability. Furthermore, because of the need to test many pieces of equipment and software, legislation also should include funding for testing by private organizations that have been certified by DOE to perform such testing for the energy sector.
Technology Transfer
The U.S. government develops advanced technology to enhance cyber security that can be, and is, used by the electric power industry. One such example is the Cyber Risk Information Sharing Program (CRISP).[6] This program, which has participation by utilities that serve at least 75% of the load in the U.S., is enormously successful in providing threat information – it enhances the ability of the electricity subsector to “identify, prioritize, and rapidly mitigate threats.” However, the up-front costs of the necessary equipment remain an obstacle for smaller utilities.
In addition, DOE is looking to expand its technologies to identify threats to the industrial control systems of utilities.[7] Including funding in infrastructure legislation to expand CRISP, and other DOE-developed technologies, especially to smaller utilities, represents a small investment with big returns for enhancing grid cybersecurity.
Secure Communications
Having secure communications mechanisms in place to monitor and control grid operations — – in real-time — is critical to maintaining a stable and resilient grid. The President’s American Jobs Plan should provide funding to build a separate and more secure communications systems that control actual power system operations.[8]
Rapid Recovery
Even with all the investments to anticipate, absorb and adapt to a cyberattack, the possibility exists that a successful attack can occur with devastating consequences. Investments in equipment for rapid recovery will help mitigate against those consequences. According to the CEO of the Electric Reliability Council of Texas (ERCOT), if a full blackout had occurred, “power could have been out for 90% of Texans for weeks.”[9] Fortunately, ERCOT avoided a full blackout, but from any objective point of view a recovery taking weeks is not acceptable.[10]
While the North American Electric Reliability Corporation (NERC) and FERC have reviewed restoration and recovery plans and made a number of recommendations,[11] it would appear more work is needed to analyze possible blackout scenarios and identify investments that are needed to assure rapid recovery.
The American Jobs Plan should 1) provide for funds for DOE to analyze whether existing “black start” plans to restore power rapidly following an incident are adequate, and 2) provide funding for investments for additional black start infrastructure, including but not limited to more black start generation, as well as local fuel storage, if the studies find a need.[12]
Regulatory Provisions and Cost Recovery
The American Jobs Plan states that it will “require goods and materials are made in America.” Many components for the electric grid are imported either due to unavailability of domestic sources or price. To the extent there are higher-cost domestic alternatives, it is imperative that any regulatory disincentives to Buy American be eliminated.
To that end, The American Jobs Plan should include provisions requiring FERC to adopt a rebuttable presumption that the additional cost of American-made components for the electric grid are prudent, just, and reasonable. Without this assurance, utilities purchasing American-made components, not only for increased resilience but for normal system expansion and replacement, would be faced with uncertainty about cost recovery and that can act as a disincentive to buy materials made in America.
The cost of making the grid cyber resilient continues to grow as new threats emerge. This is especially true for smaller entities where the costs of investments in hardware, software and personnel are spread over fewer customers. Infrastructure legislation should provide funding, perhaps to be matched by the receiving municipal power companies and rural electric utilities, to offset the cost impact on consumers of these investments in cyber grid resilience.
Conclusion
The clear need, and apparent Congressional desire, to pass comprehensive infrastructure legislation in this session of Congress presents a once-in-a-generation, if not once in a lifetime, opportunity to address some of the nation’s most pressing, literally foundational, needs. Chief among those needs is making our electric grid more secure and resilient — harder to penetrate and quicker to recover — so that the rest of our critical infrastructure, our economy, and our society, can function reliably in good times and bad.
The time is now for Congress to seize the opportunity and act boldly and deliberately before we fall further behind, or worse, victim to a devastating cyberattack that could have been avoided.
Sources
[1] FACT SHEET, The American Jobs Plan, located at https://www.whitehouse.gov/briefing-room/statements-releases/2021/03/31/fact-sheet-the-american-jobs-plan/.
[2] National Infrastructure Advisory Council, “Critical Infrastructure Resilience, Final Report and Recommendations,” at p. 8 (Sept. 8, 2009), located at https://www.cisa.gov/sites/default/files/publications/niac-critical-infrastructure-resilience-final-report-09-08-09-508.pdf.
[3] Grid Reliability and Resilience Pricing, 162 FERC ¶ 61,012 at P 23 (2018).
[4] Paul N. Stockton, “Securing the Grid from Supply-Chain Based Attacks,” at pp. 15-16 (Sept. 2, 2020), located at https://inl.gov/wp-content/uploads/2020/09/StocktonEOReport.pdf.
[5] See Idaho National Laboratory, “About the CyTRICS Program,” located at https://inl.gov/cytrics/.
[6] U.S. Department of Energy, Cyber Risk Information Sharing Program (CRISP), located at https://www.energy.gov/sites/prod/files/2018/09/f55/CRISP%20Fact%20Sheet.pdf.
[7] Office of Cybersecurity, Energy Security, and Emergency Response, “Department of Energy Announces Partnership to Expand Cybersecurity Information Sharing Program” (Dec. 3, 2020), located at https://www.energy.gov/ceser/articles/department-energy-announces-partnership-expand-cybersecurity-information-sharing-0.
[8] For a more detailed discussion of the benefit of secure communications to grid cybersecurity see Hank Kenchington and James Fama, “Private Telecommunication Networks Can Provide Grid Cybersecurity Advantage for U.S. Electric Utilities,” located at https://protectourpower.org/blog/private-telecommunication-networks-can-provide-grid-cybersecurity-advantage/.
[9] Statement by Bill Magness, President and Chief Executive Officer, ERCOT to Oversight and Investigations Subcommittee of the House Energy and Commerce Committee, at p.2 (March 24, 2021), located at https://energycommerce.house.gov/sites/democrats.energycommerce.house.gov/files/documents/Witness%20Testimony_Magness_OI_2021.03.24.pdf.
[10] While it took four days to restore full power to some areas in the US and more than a week in Ontario following the August 14, 2003 Northeast Blackout, see, U.S.-Canada Power System Outage Task Force, “Final Report on the August 14, 2003 Blackout in the United States and Canada: Causes and Recommendations,” at p.1 (Apr. 2004), located at https://www.energy.gov/sites/default/files/oeprod/DocumentsandMedia/BlackoutFinal-Web.pdf, almost 80% of the load was restored 19 hours. See NERC August 14-15, 2003 , Power Outages – Media Briefing 11:00 AM, located at https://www.nerc.com/pa/rrm/ea/August%2014%202003%20Blackout%20Investigation%20DL/talking-points-08-15-03.pdf.
[11] See Report on the FERC-NERC-Regional Entity Joint Review of Restoration and Recovery Plans, Recommended Study: Blackstart Resources Availability (BRAv) (May 2018), located at https://www.ferc.gov/sites/default/files/2020-05/bsr-report.pdf; Report on the FERC-NERC-Regional Entity Joint Review of Restoration and Recovery Plans, (Jan. 2018), located at https://www.ferc.gov/sites/default/files/2020-04/01-29-16-FERC-NERC-Report.pdf.
[12] As the local blackouts in Texas showed, a large-scale loss of electric power can result in loss of electricity to natural gas production and transportation facilities. Black start generation that utilizes natural gas but has no on-site storage would not be able to start, hampering timely restoration.
Steve Naumann
Author Bio