Systems that keep the grid reliable are complex, involving complicated software at the Balancing Authority level, and down through the millions of individual special purpose computers that control operations in a generating plant or substation. Due to this complexity, engineers and computer scientists are specifically trained to manage small parts of the entire system in order to maintain the absolute precision required to keep the grid in an “always-on” condition. These circumstances result in a complexity-set that demands a “Red Team” approach to penetration testing. These same circumstances, however, create a high level of reluctance to proceed with aggressive penetration testing for fear that it might cause an outage. The problem is that serious attackers will certainly use the more aggressive tools to attack, and so a utility that avoids using these tools in tests can never be quite sure if they can withstand an aggressive attack, or even what kind of attack they are prepared to defend against. In fact, most CIOs believe that they cannot keep the grid operational in the face of a concerted nation-state attack.  Many vendors and consultants offer services in this area and Protect Our Power’s Best Practices Project will analyze those options and provide utilities with a set of work products that will beneficially guide future decisions.

Protect Our Power is seeking an Educational Institution to develop information within this Topic for use by North American Electric Utilities. Contact Erick Ford at EFord@ProtectOurPower.org for more information or to recommend an Educational Institution.