High-profile data breaches like the most recent one at Equifax offer a stark reminder of the serious cyber threats posed by antagonists to our personal privacy as well as to our national and economic security. While data breaches represent one type of cyber threat, a cyber attack on critical infrastructure, such as the energy grid, represents an entirely different and more serious matter.
With October being National Cyber Security Awareness Month, I want to highlight ways that America’s electric companies, as owners and operators of this critical infrastructure, are working to keep our energy grid secure. The electric power industry understands that a safe and reliable flow of electricity is paramount not only to our nation’s security but also to the well-being of all Americans.
Protecting the energy grid and its most critical assets is the electric power industry’s top priority. In fact, U.S. electric companies invested more than $52 billion last year in transmission and distribution systems. This level of spending is more than twice what it was a decade ago and helps to make the energy grid stronger, more resilient, and more secure.
Because the energy grid is so complex and interconnected, managing it requires constant diligence, planning and coordination. Complicating matters, cyber threats to the grid are not static. They evolve — and so must the industry’s efforts to prepare.
There is no single solution that can make the energy grid completely safe and secure. That’s why electric companies continuously evaluate the different threats they face and the potential damages that can occur from them in order to manage these risks effectively. Given the range of potential incidents, the electric power industry takes a risk-based, holistic approach to grid protection. This approach is four-pronged.
First, the electric power industry is subject to mandatory reliability standards developed by the North American Electric Reliability Corp. NERC is an independent, government-certified, standards-setting body that develops and enforces critical infrastructure protection standards for the grid, all under the oversight of the Federal Energy Regulatory Commission.
As threats to the grid evolve, so do the standards. This ensures that the energy grid operates reliably across all segments of the industry, including the grid facilities of investor-owned electric companies, electric cooperatives and public power utilities. The electric power industry is the only critical infrastructure industry subject to mandatory and enforceable cyber and physical security standards. To comply with these standards, users, owners and operators of the nation’s energy grid implement risk and security training, background checks, and site-specific security and incident-response plans to protect against an attack.
Second, the electric power industry takes a comprehensive “defense-in-depth” approach to protecting its most critical assets and networks. This involves enhancing resiliency, redundancy and the ability to recover should an extraordinary event occur.
As part of this effort, electric companies across the industry work to maintain both the cyber and physical security of the substations, transformers and other assets that help companies make, move and deliver a reliable supply of energy. The industry also routinely exercises its incident-response plans against a variety of threat scenarios. Not only does this approach enhance grid resiliency, it also strengthens the industry’s ability to return more quickly to normal operations if an attack occurs.
Third, the federal government is an essential partner in securing the energy grid from cyber attacks. The electric power industry, through the Electricity Subsector Coordinating Council (ESCC), coordinates closely with the government to prepare for and respond to national-level incidents affecting critical infrastructure. Led by electric power industry CEOs, the ESCC and its government partners at the White House, the departments of Energy and Homeland Security, FERC and the FBI are working together to identify and respond to potential threats and to improve the overall security posture of the industry.
The ESCC focuses on several key areas, including planning and exercising coordinated responses to any attacks on the energy grid; making sure that information about threats is communicated quickly among government and industry stakeholders; deploying government-developed advanced technologies on energy systems that improve situational awareness of threats to the grid; and working closely with other interdependent critical industries (communications, financial services, transportation, water and downstream natural gas) to prepare for major incidents. This helps all parties better understand threats, protect mutual dependencies, and share information.
The industry also works closely with the Electric Power Research Institute, NERC, and the government, including the National Laboratories, to enhance resiliency and to mitigate threats from geomagnetic disturbances and electromagnetic pulses.
Finally, the industry believes critical infrastructure protection is a responsibility shared by all electric companies. Working with the ESCC, the Edison Electric Institute developed the cyber mutual assistance program. Industry cybersecurity experts from more than 120 companies are part of the program and can be deployed in the event of a regional or national cyber incident.
Since November 2015, the electric power industry has conducted five national-level exercises, including NERC’s GridEx III, which brought together more than 360 organizations and 4,400 participants from industry, state and federal agencies, and partners in Canada and Mexico. GridEx IV is planned for November of this year and will exercise cyber mutual assistance.
The level of coordination among regulators, electric companies, the government, and the ESCC is unprecedented. It has been cited as a model for other critical infrastructure industries by the National Infrastructure Advisory Council, a group created after 9/11 to inform the president on critical infrastructure issues.
A robust energy grid is essential to the American way of life and to the nation’s economic and national security. At the end of the day, though, we know there is no silver bullet that will protect every single grid asset from Mother Nature’s fury or from malicious cyber and physical attacks. The challenges the electric power industry faces are diverse and dynamic.
While October might be the month dedicated to cyber security awareness, know that in the face of these threats and these challenges, our industry works year-round to continue to ensure preparedness, to make investments, and to take actions that make the energy grid stronger, more reliable, and more resilient — in the face of any threat.