I think all who are in the utility industry are aware of the critical nature of the energy sector. The Department of Homeland Security shares this understanding and sees "the energy sector as uniquely critical because it provides an 'enabling function' across all critical infrastructure sectors."
Yet, as T&D World contributing editor Paul Mauldin so adeptly pointed out in his recent article "4 Reasons Why a National Grid Won't Happen," cyber security is such a big concern it may limit deployment of a national grid. He also noted that "National Security Agency (NSA) Director Michael Rogers testified that several countries have the ability to shut down the entire U.S. power grid and other critical infrastructure with a cyber attack."
In its “2014 Strategic Directions: U.S. Electric Industry” report, Black & Veatch stated that total utility spend on cyber assets is still estimated to be in the $15 billion to $18 billion range. The report also stated that “many utilities do not have the financial wherewithal to make this expenditure, plus there are challenges associated with PUCs for rate recovery.”
I ask you this: Is utility cyber security in as dire straits as NSA Director Roger’s thinks it is, and how should utility cyber security be addressed in this age of increasing digitalization, growing reliance on intelligent energy devices and the rapid deployment distributed energy resources?
Director Mike Rogers and the NSA are all paid to be paranoid. That is not to say that there are not issues, but not all devices in all locations are created equal when it comes to issues with security. And in fact, to some extent, the decisions by the FCC not to grant spectrum to the utility industry — because it is NOT IMPORTANT in a first-response situation — may actually help make the grid more secure.
NERC with its release of NERC CIPv5 and its physical security release acknowledge the idea of different levels of priority for security and securing locations. This puts focus on the areas that are the most critical. At the same time, the FCC with the decision that eventually the “Plain Old Telephone System” (POTS) and the frame relay system (e.g., T-1 lines) are both going to be allowed to be abandoned in the near future — along with the decision not to grant any more bandwidth — leaves utilities in a pickle. They have real-time communications needs, and the system they have relied on is going away. That means they have to find a fixed-line solution. In most cases, utilities are adopting privately owned fiber-optic lines and paying to put them in. Where are they going first? In the most critical locations, as identified by the NERC CIP tests. Sure, other utility traffic is going on these lines, but they are much harder to intercept or hack from a distance than RF systems. And since they are utility owned, the traffic is all segregated on the systems in a way that supports NERC CIP and other compliance requirements.
Are these compliance requirements enough? For this year, probably. For the long-run, no, but with a strong physical layer (the fiber), the other layers of security can be put in place for a much more reasonable cost than if the utility had to work to secure new wireless bandwidth or work with commercial carriers to secure their systems. It will be a never-ending battle, and the DOE has given the industry a wonderful set of tools in the Cyber-Security Maturity Model (CSMM) to do semi-annual or annual reviews of the adequacy of the cyber systems. Will this model catch everything? No, not at all, but it will inform decision makers (and possibly regulators) of issues that need to be addressed.
With NISTIR 7628, NIST has offered great guidance on how to work through the issues that may exist on any distributed infrastructure (like the grid) and how to prioritize threats. Any utility industry vice president of T&D or CIO who has not spent the time to read the NISTIR and taken the time to do the CSMM is not as well informed as they should be. Any CEO or president of a utility who has not reviewed the outcomes of the CSMM is also not as informed as they should be.
No security system is perfect; someone will always find a way in if they work hard enough at it. The key is to make it very hard and then continue to evolve the solutions. I can find dozens of examples in history of defense in-depth decisions that were completely defeated by other attack strategies (e.g., France in World War II). NERC and the DOE provide a lot of guidance to the industry, offer exercises to test what exists and train people on what can happen. If people take the lessons from the exercises and the CSMM and use them to evolve what they have, then we will probably remain reasonably secure – not totally secure, just reasonably so. We need to think about grid separation at the transmission level, making regional grids when under attack. We may need to think about physical separation of the communications systems (but that was defeated with Stuxnet-type attacks) and other isolation technics — in addition to pure physical security and cyber security.
The grid is out in the open, and with the right understanding and planning, it can be defeated by a small number of people with commonly available equipment — no restricted items required.
Is Director Rogers correct that the grid is vulnerable? Yes, but not at the level he claims.
Will it cost a lot of money and continue to cost more each year? Yes.
Will some utilities be too small to do all that needs to be done? Absolutely.
The operation of the grid and the investment continues to grow. Supporting distributed generation, storage, demand response, emissions reduction and all the other priorities that are being demanded and security will stretch anyone’s budget. Security just adds another multiplier to the growing costs of the infrastructure.
State commissions don’t like to see the power prices rise, they also don’t like to see their ratepayers without power. Balancing increasing costs with high reliability is a decision that the states will make one utility at a time. It is up to the commission to decide if the costs are prudent. Some commissions may even decide, as Ontario did that the smaller utilities need to sell themselves to larger utilities or sell critical assets to others as Michigan did in encouraging the sale of transmission assets to pure transmission companies.
The future is not clear, the path has many branches, and each state will probably make their own path. That alone may make it a lot harder for a foreign actor to bring down the whole grid. We learned something in the summer of 2003, and a lot of those lessons have been deployed. We learned more with Sandy. Those lessons are starting to be applied now.
It is right to focus on cyber security (and physical security) of the U.S. grid as well as other critical systems that drive the U.S. economy. I am not sure the entire grid will be taken down in one event scenario given the nature, diversity and complexity of the grid structure. However, there can be some risk of cyber and physical vulnerabilities on a metropolitan or regional basis. On a U.S. grid basis, we benefit today from a very wide variety and vintage of millions and millions of digital and (old) analog elements to keep us less vulnerable to a common-mode attack scenario.
What is very clear to me is that there is no silver bullet to solve this problem. The evolution of technology and the creativity of attackers will require continual attention (and spending) to keep cyber security efforts current and at least one step ahead of the attackers. I am not one to estimate the billions needed, because that implies a finite project with an end date. This effort has no end date and will require ongoing projects and spending to stay one step ahead.
While preventive measures have been and will continue to be developed, steps to detect attack signatures to mitigate or at least limit the spread need attention, as well. We are data rich in this sector but analysis poor on this front. "Big data" efforts can help advance on this front. We also need to make sure the grid has regional "black start" ability to quickly restore should an attack be successful.
No Lone Ranger with a silver bullet can help, either. Cooperation between the industry and the government is needed. If an event is occurring, and either the industry or the government detects the issue, the information must be shared in real time to mitigate the impact, or else we watch the event unfold on the news when it is too late.
Having been responsible for the operation of several major utility systems, I was always fearful of how vulnerable they were to physical attack at critical locations. All it takes to disable a significant portion of a utility-sized region is some rudimentary knowledge of the lay out of the supply and delivery system, and the intent to inflict malicious damage for whatever reason. Short of an all-encompassing surveillance system and extensive guard deployment, the only practical way to defend against this, then and now, is to build redundancy into the system so that the loss of a critical component can be compensated for to maintain service.
Of course, now the threat to utility systems from outside agents is even more pronounced because of the digital age we function in and the threat of cyber attacks. I, too, do not agree with NSA's Rogers that the entire country's electric system could be brought down by such action, not only because of the complexity of the systems involved, but also because segments of the nation's grid are loosely connected.
Nevertheless, the problems created by cyber security issues are still a serious challenge to the integrity of the U.S. electric network, as well as any in the developed world, and must be addressed. In approaching this, there needs to be a combined effort including government, the utility industry and the scientific community to put us ahead in developing protocols, systems and methods for protection against cyber attacks. In the end, it comes down to our nerds against theirs, and who gets there first.
To join the cyber security discussion, please comment in the box below.