This means war, but are we prepared for cyber warriors?Published In: Intelligent Utility Magazine Summer 2015
Co-Author:
Marvin T. Griff
Cyber thieves take personal and financial data.
Cyber pirates steal industrial and commercial
intellectual property. But the cyber attacks
that threaten to destroy or disarm critical
infrastructure systems like the electric grid
are true declarations of war. Pernicious cyber
warriors seek to undermine society's sense of
security and its standard of living. A survey
conducted by McAfee and the Center for Strategic
and International Studies reveals that 80
percent of critical infrastructure providers
have faced threats ranging from
denial-of-service attacks (flooding servers with
hits that overwhelm servers or locking out
users), to extortion and advanced persistent
attacks. While physical attacks on the grid are
likely to be geographically limited, the
potential harm and economic dislocation from
just a few cyber warriors can rapidly cascade
across a broad geographic area that could be
catastrophic. The nation's highly interconnected
bulk power system makes it a prime target for
those hoping to inflict significant physical
damage and economic destruction. In 2003, when
the Northeast U.S. and part of Canada was
blacked-out, it cost the economies of both
countries between $7 and $14 billion-despite the
industry's quick action to restore power. The
threat that cyber warriors pose to the nation
make this a critical public policy priority.
The grid as a potential casualty
Grid modernization generally means greater
digital control and greater integration. With
the advantages of improved dispatch of power
over greater distances and smarter, self-healing
power networks, come more sophisticated and
multidimensional cyber risks.
Even before cyber attacks featured so
prominently as a public policy challenge, the
electric industry and federal government began
addressing the security of the grid outside the
legislative process. Collaboration between the
White House and agencies of the executive branch
first became institutionalized after 9/11
through the National Infrastructure Advisory
Council. Electric utilities brought together
public policy experts and private sector
technical expertise to assess cyber readiness in
the electric industry.
Today, only critical electric infrastructure is
subject to mandatory and enforceable
cybersecurity standards because Congress
recognized the gravity of the threat. Following
the enactment of the Energy Policy Act of 2005,
the North American Electric Reliability
Corporation developed Critical Infrastructure
Protection, or CIP, cybersecurity reliability
standards that the Federal Energy Regulatory
Commission subsequently approved in 2008. The
Energy Independence and Security Act of 2007
gave FERC and the National Institute of
Standards and Technology responsibilities
related to coordinating the development and
adoption of smart grid guidelines and standards
so that this new information technology can be
incorporated safely into grid operations.
Timely access to information is key to the
grid's defense. Without this, defeating the
cyber warriors will be impossible. Few electric
industry employees presently have the national
security clearances needed to access information
that could strengthen grid protections. Analysts
often find tips from the FBI or the Department
of Homeland Security too late and vague to help
counter cyber attacks. This is often
attributable to the "classification" of
government information. Legal roadblocks can
also prevent electric utilities from sharing
information with each other and with the
government.
Close coordination is also required to meet
cyber warriors at the threshold. Utilities are
not in the law enforcement or intelligence
gathering business, and most government agencies
(with some exceptions) cannot master grid
operation. And, it can be expected that
emergencies may quickly scramble all but the
most hardened lines of communication.
Congress to the rescue?
With recent high-profile cyber breaches at Sony
and health insurer Anthem Inc., the time may be
ripe for new national cyber legislation and
fresh initiatives to combat cyber threats that
can benefit the electric industry.
The president last month called on Congress to
pass legislation promoting greater information
sharing between the government and the private
sector, and announced the creation of the Cyber
Threat Intelligence Integration Center, or
CTIIC, to coordinate real-time analyses of cyber
threats between governmental agencies and the
private sector. The president wants companies
and industries to set up information sharing and
analysis center hubs to exchange information
rapidly with each other. A common set of
standards is supposed to be developed, including
protections for privacy and civil liberties, so
that the government can share threat
information. One obvious question is whether
this sharing of information itself could become
vulnerable.
Members of the 114th Congress, not to be
outdone, introduced nine cybersecurity bills in
their first six weeks in legislative session.
Many focus on protecting consumer privacy,
requiring data breach notifications and
promoting information sharing among agencies and
the private sector. Other bills have been
introduced that include some
cybersecurity-related language that is not the
primary focus of the broader bill.
The proposed Cyber Threat Sharing Act of 2015,
S. 456, is largely based on President Obama's
cybersecurity information-sharing proposal and
is aimed at increasing the communication and
coordination of cyber threat data between
private industry and the federal government. The
legislation would grant liability protections to
companies for sharing cyber-threat data with the
Department of Homeland Security's National
Cybersecurity and Communications Integration
Center and with information-sharing and analysis
organizations that have self-certified that they
follow best practices for the operation of such
organizations.
The Cybersecurity Information Sharing and
Protection Act, H.R. 234, better known as CISPA,
is also designed to help the public and private
sectors share information following a cyber
attack. But the bill is controversial and it is
given little chance of passage. Critics of the
bill argue that the ability of the government to
gain and transfer personal user information
collected from private companies is virtually
unlimited. In addition, the bill grants broad
liability protections to the very entities
placed in a position to abuse this information
collection authority. The president threatened
to veto a similar bill in 2013.
Thankfully, cyber legislation is starting to
move. In 2015, committees started holding
hearings on cybersecurity issues in an attempt
to address public concerns about protecting
privacy and to take up components of measures
the president put forward in January. In
February, the Senate Select committee on
Intelligence circulated a draft version of the
Cybersecurity Information Sharing Act that it
plans to introduce soon. It may garner
bipartisan support because, while the committee
is now led by a Republican, the previous CISA
bill was introduced under Democratic leadership.
It is expected that the Senate will move
sometime in March to mark up the 2015 CISA bill
and move it to the floor.
Cyber warriors beware.
Hoecker, a senior counsel member of Husch
Blackwell's Energy & Natural Resources team, is
a former chairman of the Federal Energy
Regulatory Commission. Griff is an Energy &
Natural Resources partner with Husch Blackwell.
Cyber thieves take personal and financial data. Cyber pirates steal industrial and commercial intellectual property. But the cyber attacks that threaten to destroy or disarm critical infrastructure systems like the electric grid are true declarations of war. Pernicious cyber warriors seek to undermine society's sense of security and its standard of living. A survey conducted by McAfee and the Center for Strategic and International Studies reveals that 80 percent of critical infrastructure providers have faced threats ranging from denial-of-service attacks (flooding servers with hits that overwhelm servers or locking out users), to extortion and advanced persistent attacks. While physical attacks on the grid are likely to be geographically limited, the potential harm and economic dislocation from just a few cyber warriors can rapidly cascade across a broad geographic area that could be catastrophic. The nation's highly interconnected bulk power system makes it a prime target for those hoping to inflict significant physical damage and economic destruction. In 2003, when the Northeast U.S. and part of Canada was blacked-out, it cost the economies of both countries between $7 and $14 billion---despite the industry's quick action to restore power. The threat that cyber warriors pose to the nation make this a critical public policy priority. The grid as a potential casualty Grid modernization generally means greater digital control and greater integration. With the advantages of improved dispatch of power over greater distances and smarter, self-healing power networks, come more sophisticated and multidimensional cyber risks. Even before cyber attacks featured so prominently as a public policy challenge, the electric industry and federal government began addressing the security of the grid outside the legislative process. Collaboration between the White House and agencies of the executive branch first became institutionalized after 9/11 through the National Infrastructure Advisory Council. Electric utilities brought together public policy experts and private sector technical expertise to assess cyber readiness in the electric industry. Today, only critical electric infrastructure is subject to mandatory and enforceable cybersecurity standards because Congress recognized the gravity of the threat. Following the enactment of the Energy Policy Act of 2005, the North American Electric Reliability Corporation developed Critical Infrastructure Protection, or CIP, cybersecurity reliability standards that the Federal Energy Regulatory Commission subsequently approved in 2008. The Energy Independence and Security Act of 2007 gave FERC and the National Institute of Standards and Technology responsibilities related to coordinating the development and adoption of smart grid guidelines and standards so that this new information technology can be incorporated safely into grid operations. Timely access to information is key to the grid's defense. Without this, defeating the cyber warriors will be impossible. Few electric industry employees presently have the national security clearances needed to access information that could strengthen grid protections. Analysts often find tips from the FBI or the Department of Homeland Security too late and vague to help counter cyber attacks. This is often attributable to the "classification" of government information. Legal roadblocks can also prevent electric utilities from sharing information with each other and with the government. Close coordination is also required to meet cyber warriors at the threshold. Utilities are not in the law enforcement or intelligence gathering business, and most government agencies (with some exceptions) cannot master grid operation. And, it can be expected that emergencies may quickly scramble all but the most hardened lines of communication. Congress to the rescue? With recent high-profile cyber breaches at Sony and health insurer Anthem Inc., the time may be ripe for new national cyber legislation and fresh initiatives to combat cyber threats that can benefit the electric industry. The president last month called on Congress to pass legislation promoting greater information sharing between the government and the private sector, and announced the creation of the Cyber Threat Intelligence Integration Center, or CTIIC, to coordinate real-time analyses of cyber threats between governmental agencies and the private sector. The president wants companies and industries to set up information sharing and analysis center hubs to exchange information rapidly with each other. A common set of standards is supposed to be developed, including protections for privacy and civil liberties, so that the government can share threat information. One obvious question is whether this sharing of information itself could become vulnerable. Members of the 114th Congress, not to be outdone, introduced nine cybersecurity bills in their first six weeks in legislative session. Many focus on protecting consumer privacy, requiring data breach notifications and promoting information sharing among agencies and the private sector. Other bills have been introduced that include some cybersecurity-related language that is not the primary focus of the broader bill. The proposed Cyber Threat Sharing Act of 2015, S. 456, is largely based on President Obama's cybersecurity information-sharing proposal and is aimed at increasing the communication and coordination of cyber threat data between private industry and the federal government. The legislation would grant liability protections to companies for sharing cyber-threat data with the Department of Homeland Security's National Cybersecurity and Communications Integration Center and with information-sharing and analysis organizations that have self-certified that they follow best practices for the operation of such organizations. The Cybersecurity Information Sharing and Protection Act, H.R. 234, better known as CISPA, is also designed to help the public and private sectors share information following a cyber attack. But the bill is controversial and it is given little chance of passage. Critics of the bill argue that the ability of the government to gain and transfer personal user information collected from private companies is virtually unlimited. In addition, the bill grants broad liability protections to the very entities placed in a position to abuse this information collection authority. The president threatened to veto a similar bill in 2013. Thankfully, cyber legislation is starting to move. In 2015, committees started holding hearings on cybersecurity issues in an attempt to address public concerns about protecting privacy and to take up components of measures the president put forward in January. In February, the Senate Select committee on Intelligence circulated a draft version of the Cybersecurity Information Sharing Act that it plans to introduce soon. It may garner bipartisan support because, while the committee is now led by a Republican, the previous CISA bill was introduced under Democratic leadership. It is expected that the Senate will move sometime in March to mark up the 2015 CISA bill and move it to the floor. Cyber warriors beware. Hoecker, a senior counsel member of Husch Blackwell's Energy & Natural Resources team, is a former chairman of the Federal Energy Regulatory Commission. Griff is an Energy & Natural Resources partner with Husch Blackwell. Copyright © 1996-2015 by CyberTech, Inc. All rights reserved. To subscribe or visit go to: http://www.energycentral.com To subscribe or visit go to: http://www.energybiz.com
http://www.intelligentutility.com/magazine/article/410043/means-war-are-we-prepared-cyber-warriors |