As we saw recently with the large-scale power outages in Texas, and the total destruction of the electric system in Puerto Rico in 2017, extreme events can result in widespread, long-term electrical outages that can have severe adverse impact on life, the economy and national security.

While the blackouts in Texas and Puerto Rico were weather-related, a successful cyberattack on the nation’s electric power system also has the ability to cause major blackouts, with the same negative impacts on society. While the devil is in the details of the proposed infrastructure legislation, there are some investments and other provisions that must be considered to better ensure a resilient and secure electric grid.

A key part of determining where to make grid investment is defining the word “resilience.” No single or common definition of resilience is used by all critical infrastructure sectors. In 2009, the National Infrastructure Advisory Council (NIAC), which advises the White House on how to reduce physical and cyber risks and improve the security and resilience of the nation’s critical infrastructure sectors, developed a definition that provides a starting point:

Infrastructure resilience is the ability to reduce the magnitude and/or duration of disruptive events. The effectiveness of a resilient infrastructure or enterprise depends upon its ability to anticipate, absorb, adapt to, and/or rapidly recover from a potentially disruptive event.[2]

Following the NIAC definition, the Federal Energy Regulatory Commission (FERC) proposed a definition of resilience specific to the grid and FERC’s grid oversight role:

The ability to withstand and reduce the magnitude and/or duration of disruptive events, which includes the capability to anticipate, absorb, adapt to, and/or rapidly recover from such an event.[3]

These definitions are useful in guiding policymakers as they target specific areas for investments in grid cyber resilience. Such investments are critical to ensuring our ability to continue supplying power in the face of cyberattacks. Toward that end, Protect Our Power suggests that the following specific investments and policy directives should be included in final infrastructure legislation.

Testing and Evaluation of Critical Equipment and Software

As others have pointed out, testing and evaluation of critical equipment is needed to mitigate risks that, in spite of standards and processes to minimize the cyber supply chain risk, adversaries will find ways to exploit weaknesses within the supply chain.[4] The Department of Energy has established the Cybersecurity Testing for Resilient Industrial Control Systems (CyTRICS™) program for testing the cyber resilience of operational technology in the energy sector.[5] Infrastructure legislation should include funds for expanding DOE’s equipment and software testing ability. Furthermore, because of the need to test many pieces of equipment and software, legislation also should include funding for testing by private organizations that have been certified by DOE to perform such testing for the energy sector.

Technology Transfer

The U.S. government develops advanced technology to enhance cyber security that can be, and is, used by the electric power industry. One such example is the Cyber Risk Information Sharing Program (CRISP).[6] This program, which has participation by utilities that serve at least 75% of the load in the U.S., is enormously successful in providing threat information – it enhances the ability of the electricity subsector to “identify, prioritize, and rapidly mitigate threats.” However, the up-front costs of the necessary equipment remain an obstacle for smaller utilities.

In addition, DOE is looking to expand its technologies to identify threats to the industrial control systems of utilities.[7] Including funding in infrastructure legislation to expand CRISP, and other DOE-developed technologies, especially to smaller utilities, represents a small investment with big returns for enhancing grid cybersecurity.

Secure Communications

Having secure communications mechanisms in place to monitor and control grid operations — – in real-time — is critical to maintaining a stable and resilient grid. The President’s American Jobs Plan should provide funding to build a separate and more secure communications systems that control actual power system operations.[8]

Rapid Recovery

Even with all the investments to anticipate, absorb and adapt to a cyberattack, the possibility exists that a successful attack can occur with devastating consequences. Investments in equipment for rapid recovery will help mitigate against those consequences. According to the CEO of the Electric Reliability Council of Texas (ERCOT), if a full blackout had occurred, “power could have been out for 90% of Texans for weeks.”[9]  Fortunately, ERCOT avoided a full blackout, but from any objective point of view a recovery taking weeks is not acceptable.[10]

While the North American Electric Reliability Corporation (NERC) and FERC have reviewed restoration and recovery plans and made a number of recommendations,[11] it would appear more work is needed to analyze possible blackout scenarios and identify investments that are needed to assure rapid recovery.

The American Jobs Plan should 1) provide for funds for DOE to analyze whether existing “black start” plans to restore power rapidly following an incident are adequate, and 2) provide funding for investments for additional black start infrastructure, including but not limited to more black start generation, as well as local fuel storage, if the studies find a need.[12]

Regulatory Provisions and Cost Recovery

The American Jobs Plan states that it will “require goods and materials are made in America.” Many components for the electric grid are imported either due to unavailability of domestic sources or price. To the extent there are higher-cost domestic alternatives, it is imperative that any regulatory disincentives to Buy American be eliminated.

To that end, The American Jobs Plan should include provisions requiring FERC to adopt a rebuttable presumption that the additional cost of American-made components for the electric grid are prudent, just, and reasonable. Without this assurance, utilities purchasing American-made components, not only for increased resilience but for normal system expansion and replacement, would be faced with uncertainty about cost recovery and that can act as a disincentive to buy materials made in America.

The cost of making the grid cyber resilient continues to grow as new threats emerge. This is especially true for smaller entities where the costs of investments in hardware, software and personnel are spread over fewer customers. Infrastructure legislation should provide funding, perhaps to be matched by the receiving municipal power companies and rural electric utilities, to offset the cost impact on consumers of these investments in cyber grid resilience.

Conclusion

The clear need, and apparent Congressional desire, to pass comprehensive infrastructure legislation in this session of Congress presents a once-in-a-generation, if not once in a lifetime, opportunity to address some of the nation’s most pressing, literally foundational, needs. Chief among those needs is making our electric grid more secure and resilient — harder to penetrate and quicker to recover — so that the rest of our critical infrastructure, our economy, and our society, can function reliably in good times and bad.

The time is now for Congress to seize the opportunity and act boldly and deliberately before we fall further behind, or worse, victim to a devastating cyberattack that could have been avoided.