Report summary: securing the electric grid
- August 24, 2014
- 339 views
By Max Angerholzer, Frank Cilluffo, and Dan Mahaffee
The electrical grid is often described as the “most critical of critical infrastructure.” Given its importance to modern society and our way of life, it is an obvious target for a wide range of actors who would seek to do harm to the United States. Over the past year, the Center for the Study of the Presidency & Congress—with the support of the Smith Richardson Foundation—convened eight roundtables—in Washington, D.C., New York City, Los Angeles, and San Francisco—of experts from government, the policy community, and the private sector to discuss the threats to the grid, it’s impact as an economic, physical, and national security issue, and developed recommendations for grid security.
Given the breadth of the grid and the number of operators, regulators, and government agencies responsible for ensuring secure and reliable generation, transmission, and distribution of electric power, securing the grid requires continuing communication and trust between government and the private sector. With the wide variety of threat actors who would seek to disrupt the grid, the government and private sector must work closely to counter groups ranging from individuals to foreign criminal syndicates, from terrorist groups to nations like Russia and China. Unlike sectors where cyber intruders would seek to steal financial information or intellectual property, intrusions into the grid are of particular concern, as they are likely intelligence preparations seeking weaknesses in critical infrastructure for computer network attacks.
One of the key recommendations in this area is the need for legislation supporting two-way cybersecurity information sharing between the government and the private sector. While the Obama Administration has taken laudable steps on cybersecurity and critical infrastructure protection through Executive Order 13636, it must also work with Congress to advance the legislative proposals for cybersecurity information sharing. Legislation such as Cyber Intelligence Sharing and Protection Act (CISPA), Cyber Information Sharing Act (CISA), and the Critical Infrastructure Protection Act which passed the House of Representatives this week, provide those necessary tools—including needed liability protections—but it faces significant opposition from privacy groups.
The utility sector—along with other key verticals in the private sector—can play a vital role in this debate by encouraging Congress to pass these legislative proposals by explaining the importance of information sharing for securing grid systems from cyber threats.
The improvements made by the Department of Homeland Security—especially through the creation of the National Cybersecurity and Communications Integration Center (NCCIC)—are key to grid and critical infrastructure. The various tools and avenues for communication provided by the Department of Energy—as the Sector-Specific Agency for grid security—are also essential to encouraging continued communication and trust between utilities and the federal government.
Improved communication between the federal government, state and local governments, and the utility industry can also help to ensure that the distribution grid is secured from physical and cyber threats. Another primary recommendation of the project was to examine how new technologies can improve and automate the so-called “tear line” process that allows information to be shared with utilities and local authorities, while also protecting intelligence sources and methods and/or personally identifiable information. Such a process would simultaneously address the concerns of the intelligence community, law enforcement, and civil liberties advocates. An improved process would also provide utilities with timely and actionable information concerning potential cyber or physical attacks.
Additionally, there is a once-in-a-generation opportunity to further advance the conversation about grid security due to the rapid development and implementation of new technologies. Most significant of these trends are the implementation of Smart Grid technology, the increased use of renewable and/or distributed generation, and the increased linkage of various appliances and physical equipment to networked grid systems.
Beyond legislative action, another key recommendation is to better leverage the insurance underwriting process to evaluate both physical and cyber threats, as well as to leverage the information gathered by insurance companies as they evaluate and model risk. As Smart Grid technology allows for increased amounts of data from grid operations, utilities and the insurance industry can work together to analyze this information and build more detailed models that can detect threatening activity. Insurance premiums can also incentivize the adoption of new security tools, especially as business models change due to distributed generation or microgrid technology.
As the grid “moves from the Edison Era to the Google Era” there are both major opportunities and challenges for grid security. While Smart Grid technologies will allow for not only increased efficiency but also improved responses to outages or other security threats, the proliferation of devices connected to the grid will require a broader discussion about grid security.
As evidenced by the spam botnet that infected smart refrigerators, the so-called “Internet of things” is an attractive target for cyber threat actors. As appliance manufacturers, car companies, and a wide range of other sectors develop devices that connect to the grid, it will be important to include them in standards and policies for ensuring grid security. As a result, it will be important to look at structures and incentives that can rapidly adjust to changing technological standards, rather than slower regulatory processes that will find it difficult to match the pace of innovation—by both technology companies and the various actors who would seek to attack the grid.
While the grid is changing and political processes seem deadlocked, there are opportunities for addressing these challenges. Continued dialogue between the utility industry, security experts, and Washington will be needed.
Max Angerholzer, Frank Cilluffo and Dan Mahaffee are the authors of “Securing the U.S. Electrical Grid,” a paper by the Center for the Study of the Presidency and Congress written with the support of the Smith Richardson Foundation. Learn more here.