In Illinois, utility regulators are playing bigger role in smart-grid cybersecurity
Photo ByDepartment of Defense
- Apr 1, 2019 4:00 pm GMT
- 401 views
Written By David Thill
Internet-connected sensors and software are helping utilities better manage loads, but they also create new vulnerabilities.
Growing exposure to smart-grid-related cybersecurity risks is forcing state regulators to play a bigger role in preparing utilities for potential threats.
The nation’s increasingly networked electric grid is helping utilities to more efficiently manage loads, including from variable renewables. As data-collecting, internet-connected meters and sensors become ubiquitous, though, they’re also creating new vulnerabilities: countless entry points to be exploited by hackers.
The Illinois Commerce Commission opened its Office of Cybersecurity and Risk Management two years ago. It remains a unique example of how utility commissions are approaching cybersecurity.
In late 2017 and 2018, the office brought electric, telecommunications, gas and water utility officials together into one room to practice responding to a fictional, but realistic, emergency. The tabletop exercises are part of the office’s larger goal of facilitating cross-sector collaboration so utilities can learn from each other.
“There are some big utilities in Illinois, and we got them together,” said Dominic Saebeler, the ICC’s director of cybersecurity and risk management. Utilities practice emergency protocols on their own, he said, but the goal of the exercises was to get them all in the same space, dealing with specific obstacles. For example, Saebeler said, “How would you respond to a weather event that also has a cyber part to it?” He was hesitant to give exact details to avoid tipping off hackers to potential risks, he said.
Planning for the first exercise, held in December 2017, began the summer before, when Saebeler and colleagues discussed the possibility of hosting the event with Illinois’ utilities. Once he knew utilities were receptive, he took the next three months to develop a Monopoly-like game board depicting a fictitious Illinois city resembling the service territory of any of the state’s utilities. To decide on the emergency scenarios, he used subject matter experts from the utilities, who told him whether specific situations were realistic.
He also approached emergency management officials — for example, the Illinois Emergency Management Agency, first responders and hospital officials — to gather feedback about what they’d ask of utilities in potential cyber-related emergencies. When Saebeler began planning for the second exercise, held this past December, he used the same game board with minor tweaks and new scenarios.