WASHINGTON, December 22, 2021 – Protect Our Power, the nation’s leading independent organization dedicated to making the electric grid more secure and resilient, is calling upon the electric industry, policymakers, regulators and cybersecurity vendors to make meaningful progress on four priorities in 2022 to better safeguard the grid and the people and entities that rely upon it. The priorities are:

  1. Continue encouraging investments in cybersecurity and grid resilience by endorsing, on an ongoing basis, the incentives and cost-recovery mechanisms needed by investor-owned utilities, and by providing federal funds to under-resourced entities such as municipal public power authorities and electric cooperatives.
  2. Establish a consensus-driven protocol to govern practices and reduce vulnerabilities in the electric sector’s supply chain and accelerate efforts to establish a national testing structure for grid hardware and software.
  3. Establish a Best Practices data bank to improve timely information sharing among buyers and sellers of cybersecurity products and services that are known to be effective in repelling or mitigating threats to grid reliability.
  4. Accelerate the expansion of separate, more secure communications systems exclusively dedicated to mission-critical power system operations that will better address all threats, including cyberattacks and EMP events, and thereby improve grid resilience.

“Because virtually every segment of our nation’s critical infrastructure is dependent upon reliable power supplies, it is imperative that we accelerate progress in the coming year with those activities that are central to the electric grid’s security and resilience,” Protect Our Power President Jim Cunningham said.

“Positive steps – most notably enactment of the 2021 bipartisan infrastructure legislation – are being taken. The funding it provides for energy sector cybersecurity is laudable. Nonetheless, there are massive needs that remain unmet and that demand immediate action to protect against a crippling cyberattack that could wreak havoc on our nation,” Cunningham said. “In the hope that resources will be effectively focused in the coming year, Protect Our Power has identified the four priorities that we believe most urgently need attention to safeguard our nation.”

Cost recovery for cybersecurity and resilience investments is paramount. Smaller electric utilities, public power entities and rural electric cooperatives, in particular, need help above and beyond the funding provided in the infrastructure legislation, Cunningham said.

He pointed to the findings of a study conducted for Protect Our Power by the Vermont Law School’s Institute for Energy and the Environment. It calls for reducing regulatory obstacles to utility investment.

“Even for those utilities that have the resources to invest in cybersecurity tools and talent, it can take months if not years for rate cases to run the regulatory gauntlet,” Cunningham said. “It’s very difficult for utilities to make needed investments up front to protect their systems not knowing whether the expenditure is going to be approved or disapproved. Clarity and timeliness with regard to cost recovery is urgently needed.”

Recent grid intrusions already have shown that the integrity of the electric sector’s supply chain is a glaring vulnerability. Coupled with the modernization of the electric grid and the increased reliance on distributed energy resources, the need for a coordinated, comprehensive effort to establish consensus protocols for the supply chain is immediate.

“We absolutely must have leadership and cooperation from the public and private sectors to drive the formation of standards that will reduce vulnerabilities in the electric sector supply chain and other interfaces at the edge of the grid,” Cunningham said. “This is not a criticism of the efforts made to date. It is our attempt to highlight this as an area that urgently requires resolution.”

Testing and evaluation of critical equipment and software goes hand in hand with this risk mitigation priority, he said.

Intensified efforts to identify and implement best practices in cybersecurity will yield significant long-term benefits, Cunningham said. More than 1,000 companies sell cybersecurity products to electric utilities in the United States and Canada. It is vitally important that a mechanism exists to make it easier for utility companies to make informed decisions on products and services that meet their specific cybersecurity needs, he said.

Secure communications mechanisms capable of monitoring and controlling control grid operations in real-time also are critical to maintaining a stable and resilient grid.

“Regardless of what the nature of the threat turns out to be, having a dedicated communications system in place to control actual power system operations will prove immensely beneficial to the grid’s stability,” Cunningham said.

He noted that, over the past year alone, extreme weather events in Texas, Louisiana, Kentucky and other states have shown how devastating widespread power outages for sustained periods of time can be. A little-known fact is that the grid is subjected to millions of unsuccessful attacks per day. Continuous cyberattacks on the electric sector have the potential to cause disruptions that last longer and are more widespread, Cunningham warned.