Who's in Charge? Cybersecurity: State vs. Federal Roles



Posted on November 13, 2013
Posted By: Terry M. Jarrett

 

Every day it seems the newspapers are filled with stories of breached security at a bank, government agency, media outlet, or a utility. According to a recent US Department of Homeland Security report, in fiscal year 2012, ICS-CERT received and responded to 198 cyber incidents as reported by asset owners and industry partners. Attacks against the energy sector represented 41% of the total number of incidents. While none of these attempted cyber-attacks on utilities were successful, many experts have said it is not a question of if, but when. As these threats evolve, we must make sure we are all doing everything we can to keep systems protected and consumers safe.

Just How Big of a Deal Is Cyber security?

Cyber-attacks continue to be reported in the media on an almost daily basis. A few examples:

  • “Hackers Crack Major Data Firms, Sell Info To ID Thieves, Says Report,” news.cnet.com, September 25, 2013;

  • “Hackers Hit Energy Department – Again,” Wall Street Journal, August 15, 2013;

  • “Washington Post, CNN Hit by Cyber-attacks,” Wall Street Journal, August 15, 2013;

  • “Exclusive: Cyber-attack Leaves Natural Gas Pipelines Vulnerable to Sabotage,” csmonitor.com, February 27, 2013;

  • “Hackers Take Aim at Key U.S. Infrastructure,” money.cnn.com, February 20, 2013;

  • “Power-Grid Cyber Attack Seen Leaving Millions in Dark for Months,” Bloomberg, January 31, 2012.

Although reports about the most advanced cyber threats suggest that this risk is vastly different from other threats utilities have experienced in the past, the basic responsibilities of regulation are unchanged:  the regulatory compact assures the provision of safe, adequate and reliable utility services, no matter the hazard, at just and reasonable rates.

As the power grid is updated and modernized to include more computer networks, control systems and smart grid technology, the opportunity increases for computer hackers to cause mischief.  While many of these hackers may not have a malicious intent, others may want to steal money or confidential information (like credit card numbers) or shut down the grid entirely. Under a worst case scenario, a successful cyber-attack could disrupt our economy and national security.

Cyber security is really a three-pronged approach.  First, utilities need a set of tools to prevent a cyber-attack in the first place.  Such preventative strategies involve not only traditional security controls, like performing background checks on employees, but also use new technologies, much like antivirus software that you would install on your personal computer. Second, utilities must collaborate with other utilities to learn about the different kinds of threats out there as well as share best practices to combat them.  Third, should a cyber-attack succeed, utilities must be resilient in quickly responding to and effectively recovering from such an attack.

We know our grid is vulnerable to natural disasters, age, reckless drivers, and excavation damage, to name just a few hazards.  Utilities and their regulators deal with these risks every day, and although we will never eliminate them, electricity is extremely reliable in this country.  Also, utilities are generally good at rebuilding the system, at least on the distribution level, after a major disaster.

What makes cyber threats different is their national security implications, which underscore the importance of multi-level communication between and among federal agencies, utility operators, and state regulators, all of whom have a unique role to play.

Threats vs. Vulnerabilities

A key component of cyber security is understanding the difference between “threats” and “vulnerabilities.” A threat is a danger to the safety and security of the grid. Discovering threats is something that the federal government is uniquely qualified to handle. It has the intelligence agencies and apparatus to continuously monitor what is going on in the cyber world. If the federal government has uncovered information about an imminent threat to the electric grid, those agencies should have the authority to take whatever actions are necessary to resolve the problem as quickly as possible. With cyber threats, time is of the essence, and the government must do what it has to do to keep us safe.

Vulnerabilities are different and, while important, generally require less immediate attention. A vulnerability is a weakness that is susceptible to a threat.  Utility infrastructures have many vulnerabilities—just take a look at the overhead power lines the next time you are outdoors.  Any one of them could come down for a wide variety of reasons—hurricane, tornado, ice storm, flood, or an out-of-control vehicle. And for some reason, squirrels like to get into transformers. The utilities know, or should know, where the most significant vulnerabilities are located on their systems, and should already have a plan for addressing them in a risk-based way.  Their state regulators, meanwhile, should also have a pretty good handle on these vulnerabilities and what actions, if any, are necessary to address them.

This is why communication between federal agencies, state regulators, and utilities is absolutely essential.  Federal intelligence agencies must communicate with each other and with utilities when they pick up intelligence on possible threats.  Once the threats have been communicated, the utilities can assess whether they are vulnerable to those threats, and if so, they can take appropriate action to address those vulnerabilities.  State regulators must be ready to work with utilities and other stakeholders to provide timely cost recovery for reasonable and prudent expenditures to shore up and secure the grid.

Are We There Yet?

A national cyber security policy has been illusory. In Congress, the House and Senate have taken different approaches. The House has stressed voluntary sharing of information and best practices. Conversely, the Senate seems to prefer a top-down regulatory scheme of enforceable standards. Since Congress has been unable to agree, in mid-February 2013 the White House released its highly anticipated Executive Order, which aims to streamline information sharing between federal agencies. It called on private companies to voluntarily participate in a program encouraging best practices as identified by the U.S. National Institute of Standards and Technology.

Essentially, the executive order is an information-sharing document, which is absolutely critical to successfully addressing cyber-attacks.  As a former state regulator, I believe that the voluntary approach leads to the best results.  State regulators know the utilities that they regulate, and are in the best position to determine what is necessary and prudent to protect the utilities’ critical infrastructure, whether it be for natural disasters or cyber security.  State regulators must continue to get up to speed on and stay on top of cyber security issues.  State Commissioners and their staffs must have some cyber security expertise so that they can ask the right questions of their utilities.

We still have a long way to go to effectively secure the electric grid, but the good news is that progress is being made.  The focus on sharing information and best practices is helping utilities improve their cyber security processes and programs. State regulators are taking cyber security seriously and are becoming more active in working with their regulated utilities to shore up cyber security. Three words sum up what is necessary for federal agencies, state regulators, and utilities when it comes to effective cyber security approaches:  partnership, partnership, and partnership.

Energy Central

Copyright © 1996-2013 by CyberTech, Inc. All rights reserved.

 

http://www.energycentral.com/utilitybusiness/policyregulatoryandlegal/articles/2769