Keeping the Lights On: Cybersecurity and the Grid

By William Arthur Conklin, Associate Professor, Information and Logistics Technology

Most Americans take for granted the national electric grid, one of the most important components of the U.S. infrastructure system, expecting it to reliably provide adequate power when and where it is needed.

Of all the critical infrastructure elements, the national electrical grid is one of the most important.  Its reliability and ability to provide adequate power when and where needed is something most Americans take for granted.  We assume the electric companies are properly prepared and that government oversight and regulation will protect us. Electric grids have been targets during conflicts since we became dependent upon them, and they are frequently first on bombing lists. Today, it doesn’t take bombs to disrupt electrical service; this can be done via computer hacks.

The national electricity grid is now a valid target, one to be concerned about and protected. This is no joke. Before Christmas, a cyberattack shut down transformers of two Ukrainian electricity utilities, temporarily leaving 80,000 customers in the dark. Cybersecurity of the grid has become an issue demanding increased attention, and in my opinion, a fresh view on policy and regulatory options. In January I testified about one subset of cyber-related issues to the commissioners of the Federal Energy Reliability Commission (FERC). What follows is a summary of my comments and further thoughts.

The FERC is a federal agency that oversees several energy-related issues, including reliability of the nation’s electrical grid. It performs an oversight role over the North American Electric Reliability Corporation (NERC). NERC is the regulatory authority for the North American bulk electric power grid. These distinctions are important, for they address the core question of who is minding our grid. In simple terms, FERC is limited to interstate bulk power, and then only by oversight of NERC. NERC passes regulations by a vote of its membership (hint – the regulated, so it is to some degree a self-regulating body) and is also limited in scope to the bulk power system.

Our grid is more than just the bulk delivery system; local distribution is where it matters most, for this is where it connects to customers. Regulation and compliance for this portion of our electric grid are handled by the Public Utility Commissions in each state.

In prepping for my testimony, it became apparent that although FERC plays a role, it is very limited, and in many ways a prisoner to the whims of the collection of utilities that it ostensibly oversees and regulates. All the while, the majority of the grid equipment and all of the customer connections are regulated by separate entities and separate schemes.

While formal testimony on the topic was safe or even staid, the unofficial discussion was lively and centered on a couple of major themes. First was an argument by each utility that they were already doing enough in the area of compliance and that further regulation was unnecessary and a waste of money. The second thrust was that the utilities felt or believed they were sufficiently secure. This was obvious as they were within regulatory compliance. The agreed-upon goal then became to stonewall any further regulations.

What does this all mean? I think everyone would agree the electric grid is important. We all depend on it every day. We also all assume that the government has it properly regulated and has contingency plans in place to protect us. Upon examination, the regulatory framework is a patchwork of different agencies with differing responsibilities and legal authorities – in the end, each can adeptly point their finger to another with a statement of, “not my responsibility,” or “outside our legal authority.” The firms involved in the grid themselves have moved from high reliability and redundancy to efficiency, as the era of deregulation made profit more important than reliability. If this sounds worrisome, it is.

But wait. Our grid hasn’t gone down – why worry? Isn’t this just a case of the boy who cried wolf?

In the last couple of years we have had cyber-attacks on grids across the globe, control centers locked out of their systems, and ransomware attacks forcing utilities to pay ransom to get back their control. This last December, malware was used as part of a cyberattack to block operators’ ability to control the grid in Ukraine. The result was a major blackout. Here in the U.S. as well as elsewhere, malware has been found, waiting for a signal to cause damage. Our electric grid is now interconnected to the Internet, and all of the problems and issues we see with cyber criminals and cyber spies apply to the reliability of our grid. The same attack used in Ukraine would not be stopped by our regulations, and it would be much harder for us to recover because of our greater dependency on interconnected automation.

I am not saying that the industry isn’t doing anything – they have come a long way in the past decade to address these challenges. But when walking or running on train tracks, one must outpace the train – and it has been coming up behind us fast.

As an academic, I see this as an example of a “commons problem” – we all share in the need, use and resourcing for electrical energy. But our method of paying the true costs is stilted by a broken and incomplete regulatory framework. We should not expect our utilities to change of their own accord, for they have to remain competitive. But we should expect the regulatory environment to move to one that protects our national interests. We need attention to align the regulatory schema to our desired security objectives – there should be effective oversight, without the blinders of “not in our legal authority” from the federal level. And this level should dovetail with NERC and the state Public Utility Commissions, so that when a problem occurs, a unified comprehensive response can be delivered.

One of the takeaways I got from visiting the commission is that everyone is doing their job to the best of their ability; it’s just that no one has engineered all the jobs to do what is necessary. For more information, I recommend Ted Koppel’s new book (yes, the Nightline Ted Koppel), “Lights Out.” Koppel asks insightful questions and isn’t satisfied with the answers provided by government and industry. We shouldn’t be either.
