If Ben Franklin lived today, he might say that nothing is certain but death, taxes and cyber-attacks. Cyber-attacks occur when individuals or groups hack into another group’s computer information systems to steal, alter or damage key infrastructure. Our nation’s electric grid is under constant attack according to a survey of electric utilities by U.S. House Representatives Henry Waxman and (now) Senator Edward Markey. The grid was the greatest engineering achievement of the 20th Century, but cybersecurity was equally unknown to those grid engineers as it was to Ben Franklin. We need to do more to protect our energy infrastructure.
The U.S. has finally called out China for repeated and pervasive cyber-attacks. Mandiant, a cybersecurity firm, released an alarming report in February 2013 regarding the ongoing cyber-attacks by the Chinese army. James Clapper, the Director of National Intelligence, described cyber-attacks as a soft war already underway and a dire global threat in his April 2013 World Threat Assessment to the U.S. House Permanent Select Committee on Intelligence. In May of this year, for the first time, the Pentagon’s annual report to Congress on the Chinese military openly accused China’s military of repeated cyber-attacks on the U.S. government and defense contractors.
Cyber-attacks are underway not only by China, but also by Iran, Russia, Al-Queda, organized crime, industrial spies, ex-utility employees and rogue hackers. The U.S. Department of Homeland Security investigated over 200 serious cyber-attacks against critical infrastructure during the first half of 2013. The electric grid was targeted in over half of these attacks. At the recent Black Hat security conference in Las Vegas, Cyrill Brunschwiler of Compass Security explained how the smart grid’s wireless network can be easily exploited to steal electricity and to cause massive blackouts. Though innovation and new clean energy technologies are key to modernizing our antiquated energy system, the electric grid is more vulnerable to cyber-attacks with increased use of smartphones, tablets, mobile apps and electric vehicles to connect with our home electronic devices. A July 2012 report by the Government Accountability Office (GAO) outlines the various threats to the electric grid.
Have any of these grid cyber-attacks succeeded? Some experts blame cyber-attacks for the Northeast blackout of 2003 and a massive 2008 Florida blackout. The Central Intelligence Agency (CIA) has reported that cyber-attacks against the electric grid have caused blackouts in several cities around the world.
Here are the key highlights of our country’s efforts to protect the U.S. electric grid:
- In 2002, the nuclear industry adopted cybersecurity standards; the Nuclear Regulatory Commission expanded these standards in 2009 with cybersecurity regulations for nuclear facilities.
- The Energy Policy Act of 2005 authorized the Federal Energy Regulatory Commission (FERC) to approve mandatory cybersecurity reliability standards for the grid. FERC selected the North American Electric Reliability Corporation (NERC) to develop these standards.
- In 2006, NERC developed mandatory reliability standards for the grid.
- In 2007, FERC approved NERC’s Critical Infrastructure Protection (CIP) cybersecurity reliability standards.
- The Energy Independence and Security Act of 2007 authorized the National Institute of Standards (NIST) to develop technical standards for interoperability of smart grid equipment and software, including cybersecurity standards. In 2009, NIST formed the Smart Grid Interoperability Panel (SGIP), a public-private partnership, to develop these standards. In turn, SGIP formed the Cyber Security Working Group (CSWG).
- In 2010, NIST issued its initial cybersecurity standards for smart grid equipment and software, developed by the CSWG.
- In 2010, FERC issued Order 743, directing NERC to revise its reliability standards to cover all electric facilities necessary to operate an interconnected grid.
- In 2011, FERC clarified the reliability standards regarding actions utilities can take to keep the grid running during electric emergency conditions.
- In 2012, FERC approved NERC’s revised reliability standards for the electric grid. In January 2013, NERC asked FERC to approve further revisions and FERC is reviewing these new revisions.
- In February 2013, President Obama issued Executive Order 13636, which directs NIST to develop a Cybersecurity Framework with standards for the protection of critical infrastructure facilities, including the electric grid.
- In April 2013, the SGIP was formally established as an independent organization, known as SGIP 2.0, Inc. The organization will continue to function as a public-private partnership, and will be funded by industry and NIST. Cybersecurity standards will be developed by the Smart Grid Cybersecurity Committee of SGIP 2.0. This committee is developing a user’s guide for the NIST cybersecurity standards.
- In July 2013, NIST released a preliminary version of its Cybersecurity Framework.
Here’s what our country still needs to do to protect the U.S. electric grid:
- Our leaders must ensure that federal budget cuts do not impair the Department of Homeland Security’s capability to protect our nation’s critical infrastructure.
- Our leaders must develop a clear, overarching cybersecurity strategy, governance methods and cybersecurity response procedures, as the GAO recently recommended.
- FERC and electric utilities must implement the GAO’s recommendations, detailed in its July 2012 report Cybersecurity: Challenges in Securing the Electric Grid.
- NIST must finish developing its Cybersecurity Framework and utilities must implement the standards. NIST is scheduled to release the Cybersecurity Framework for public comment in October 2013, and to finalize the standards by February 2014.
- Electric utilities should comply with NERC’s voluntary cybersecurity recommendations. Currently only 20% of electric utilities follow these recommendations.
- The public and private parties responsible for protecting our critical infrastructure facilities must adopt GAO’s recent recommendations for implementing better communication protocols.
- The Department of Homeland Security and the Federal Communications Commission must develop performance standards for cybersecurity measures for the communications network and the internet in a timely manner, as recommended by a recent GAO report.
- The Department of Homeland Security must implement the GAO’s recent recommendations regarding the Regional Resiliency Assessment Program.
- The Senate should pass the Cyber Intelligence Sharing and Protection Act of 2013, which better enables the government and companies to quickly share vital information needed to respond to a cyber-attack. The electric utility industry provided input for this bill and is a strong supporter. The bill passed the House on April 18, 2013 by a 288-127 vote.
As the U.S. improves its preparedness, we must strike the appropriate balance between security and privacy. Preparation and privacy rights can co-exist and are not mutually exclusive. This has been brought into critical focus by Edward Snowden’s release of top-secret National Security Administration surveillance practices.
We can and must improve the cybersecurity of our critical electric infrastructure. As Ben Franklin also said: “By failing to prepare, you are preparing to fail.” Let’s prepare to succeed in protecting the electric grid with effective cybersecurity measures.