The best defense against any potential disaster is preparation. Taking the time to protect key assets before disaster strikes can help to minimize the damage and expedite the recovery process. The same holds true for protecting the nation’s electrical grid against cyber and other intentional attacks.
The electric power industry takes cybersecurity threats very seriously. As part of the industry’s overall reliability effort, electric companies work to maintain the security of the computers, control systems, and other cyber assets that help them operate the electric grid. This focus on reliability, resiliency, and recovery takes an all-hazards approach, recognizing risks ranging from natural phenomena such as hurricanes or solar flares to intentional cyberattacks.
As the industry relies increasingly on digital electronic devices and communications to optimize its systems and enhance reliability, cybersecurity will remain a constant challenge. Edison Electric Institute (EEI) member companies are addressing the risks they know about through a “defense-in-depth” strategy, while prioritizing their efforts according to the potential consequences of an attack.
This defense-in-depth strategy layers preventive, monitoring, and detective measures so that no single control is relied upon to secure a system. For example, member companies perform penetration tests in which a contractor attempts to find and exploit vulnerabilities the way an attacker would. The results of these regular tests tell a company whether its preventive controls are actually working, so that protection can be adjusted as technologies and attacker capabilities evolve. Penetration tests also exercise the company’s monitoring and detection capabilities: an intrusion attempt that the security operations staff did not notice is itself a finding. Because active exploitation can disrupt operating equipment, such testing of control systems must be carefully scoped and scheduled with operations staff, or run against representative test systems rather than production equipment.
Effective cybersecurity will continue to require a strong partnership among utilities, the federal government, and the suppliers of critical electric grid systems and components. Our companies believe they are up to their part of this task, building on the industry’s historical and deep-rooted commitment to maintaining system reliability.
EEI members are also working with government partners—national laboratories, the Federal Bureau of Investigation (FBI), the Department of Homeland Security (DHS), the Department of Energy (DOE), the Federal Energy Regulatory Commission (FERC), and the Office of the Director of National Intelligence (ODNI)—in many proactive programs to enhance the cybersecurity of the electric grid. For example, industry participants worked with the DOE to develop a strategic road map to identify and prioritize projects to enhance the security of electric industry control systems.
Working with Congress and other stakeholders, the electric power industry also helped to make the country’s bulk power system more secure against cyberattacks by establishing mandatory reliability standards through the enactment of the Energy Policy Act of 2005 (EPAct). Under EPAct, FERC certified the North American Electric Reliability Corporation (NERC) as the Electric Reliability Organization with authority to develop mandatory and enforceable electric reliability standards, specifically including standards to address cybersecurity (the NERC Critical Infrastructure Protection, or CIP, standards), subject to FERC oversight.
These cybersecurity standards are developed through a well-defined stakeholder process that leverages the vast technical expertise of the owners, users, and operators of the North American electric grid. Any stakeholder, including FERC, may request that a standard be developed to address some aspect of reliability, expressly including cybersecurity.
Once developed and approved through NERC’s process, a standard is submitted to FERC for review and approval. Once FERC approves it, the standard becomes legally binding and enforceable, and noncompliance can result in penalties.
Although these mandatory reliability standards provide an important foundation for strengthening the overall cybersecurity of the grid, they are produced through a deliberate, multi-step stakeholder process and therefore cannot respond quickly to emergency situations that threaten national security or public welfare. To complement the standards and address these specific threats, the industry supports a special federal emergency authority.
EEI has worked with its member companies to develop two overarching principles for moving industry and government forward in making the nation’s electric grid even more resilient against cyberattacks:
- Public and private sector expertise must be leveraged, with a robust sharing of information between both sectors, as well as among other stakeholders.
- A clear regulatory structure needs to be created that focuses resources and attention on protecting truly critical assets from imminent threats. This structure also will ensure that emergency orders come from a single government entity.
Public-Private Coordination and Information Sharing
Both the federal government and electric utilities have distinct responsibilities and expertise in protecting the nation’s bulk power system. The federal government is entrusted with national security responsibilities, and it has access to intelligence of possible or perceived cyberthreats to which electric utilities are not privy.
On the other hand, electric utilities are experienced and knowledgeable about how to provide reliable electric service, and we understand how our complex systems are designed and operated. As the owners, users, and operators of the electric grid, we are in a unique position to understand the consequences of a potential malicious act.
The best approach for securing the grid against deliberate cyberattacks is to clearly define our two distinct roles and responsibilities and establish a more robust and explicit structure for the government and the industry to share information. Importantly, both groups can build from the already-existing strong partnerships between them.
Creating mechanisms for public-private coordination and information sharing, however, is only part of the solution. Those lines of communication must be developed at the highest levels of both government and industry and then drilled on a regular basis to ensure that, in times of crisis, those with relevant information and operational expertise can communicate seamlessly, quickly, and, when needed, securely.
Special Federal Emergency Authority
A successful cybersecurity framework also must focus on protecting truly critical assets from real, imminent threats. This is based on the security axiom that states: if you try to protect everything, you protect nothing.
Put another way, by prioritizing risks, both government and private sector resources will be allocated wisely. Prioritization begins with making a distinction between general vulnerabilities and imminent threats.
General vulnerabilities are weaknesses that might be exploited at some date in the future. The process for developing and enforcing mandatory reliability and cybersecurity standards for the bulk power system under NERC and FERC already provides the means for addressing the many non-emergency cybersecurity issues or vulnerabilities in the electric industry. Congress should seek to preserve this basic framework. It produces mandatory cybersecurity standards for the bulk power system that are clear, technically sound, and enforceable.
Imminent threats, by definition, constitute an emergency that must be addressed now. Any new federal authority should address national security emergencies requiring immediate mandatory action that cannot be addressed under the guidelines established by EPAct.
Legislation granting such authority should be narrowly crafted and limited to address circumstances where the U.S. president or senior intelligence or national security advisors determine there is an imminent threat to national security or public welfare. In extreme cases, cyberattacks against the grid could be construed as an act of war, which would trigger an entirely different set of issues, outside the purview of the electric power industry.
Also, a single federal agency, such as FERC, should be given the authority to take expedited actions to address cybersecurity threats and vulnerabilities based on advice or information from the U.S. president or intelligence agencies. Vesting the authority in one agency avoids confusion and the possibility of overlapping or conflicting orders.
To further focus efforts on those threats that have the potential to do the greatest harm, any new authority also should be limited to protecting truly critical assets that, if not protected, could cause substantial disruption to the nation’s electric grid. Over-inclusion of electric utility infrastructure that is understood not to represent a national security threat would be counterproductive.
Finally, this special federal emergency authority should have an appropriate “sunset” once a particular threat is addressed through permanent industry standards or the emergency situation ceases to exist.
Build Security into the Grid
Separate but equally important components of grid security are the manufacturers of critical grid equipment and systems. As grid technologies continue to evolve, they inevitably will include greater use of digital controls. Consequently, manufacturers need to ensure that they are adequately fulfilling their security responsibilities by adopting good security practices in their organizations, building security into their products, and establishing effective vulnerability-handling programs so that, as new vulnerabilities in their products are discovered, they can notify customers and provide technical assistance with mitigation.
We are encouraging the development of a security certification program and expansion of national lab involvement to provide independent testing for new grid components. This type of program would help utilities differentiate among different vendor solutions to select those that provide appropriate cybersecurity.
EEI and its member companies remain fully committed to working with the government and industry partners to increase cybersecurity. Through ongoing consultation and sharing of information between government and the private sector, as well as promoting clearly defined roles and responsibilities, we believe the nation’s power grid will be better prepared for cybersecurity emergencies.