Americans do not simply rely on electric power — it is required for our existence as much as our modern way of life. In context, the recent news of a cyber attack at a Vermont utility understandably caused significant alarm. Although authorities later corrected the report and stated their belief that the compromised computer in question was not linked to the electric grid, the Grizzly Steppe incident highlighted a greater issue: the continued vulnerability of America’s electrical grids.
A successful cyber attack on the electric grid could cause extensive blackouts that disrupt the economy, put lives at risk and impair our national defense capabilities. A cyber attack on Ukraine’s electric grid, for example, put up to 225,000 consumers in the dark for several hours in December 2015.
A fundamental responsibility of government is to protect the country’s infrastructure, but policymakers must be measured in their approach to the issue. The hysteria of the moment ought not dictate cybersecurity policies. This real threat also must not be used, knee-jerk, as justification for new federal regulations that may ultimately do more harm than good by both reducing state sovereignty and impeding innovation in the cybersecurity sector.
Thankfully, political leadership recognizes the need for a considered approach to cyber attack risk management that starts with research. A bipartisan group of U.S. senators including Jim Risch, R-Idaho, Mike Crapo, R-Idaho, Susan Collins, R-Maine, Martin Heinrich, D-New Mexico, and Angus King, I-Maine, take this perspective in the “Securing Energy Infrastructure Act,” legislation they recently re-introduced.
In the present instance, the Vermont grid was not, in fact, breached and other states have reported no suspicious activity. The cyber attack focused on one of the utility’s business operations computers. The business operation computers are separate from the system that controls the grid. The initial, overblown reports focused on reports the computer was transmitting data to certain internet addresses.
During the investigation, utility and federal authorities determined the computer was infected with a common hacking toolkit. Initial reports were wrong because people jumped to conclusions rather than taking a measured approach.
To the extent vulnerabilities exist in critical infrastructure systems, industry and the government should promptly identify and address them. States need smart, adaptable industry solutions that leverage private-sector innovation, work at the state and local level, and support the capabilities available in cybersecurity today along with talent acquisition and training policies that will ensure cybersecurity technology remains cutting edge. If states prepare to the best of their abilities now, the public and policymakers are less likely to enter into a complete panic if, one day, hackers do breach the grid.
Policymakers must devote themselves to understanding the ever-evolving cyber attack threat to critical infrastructure, what it will cost to protect against it, and which technological innovations are required to keep America safe. This understanding should inform approaches to grid modernization efforts, which must adjust to the reality that more tools from toasters to microgrids are becoming digitally interconnected. Policies will need to be updated — or, in some cases, scrapped altogether — to allow technology to innovate enough to address the national security related vulnerabilities existing in what is known in the vernacular as “the Internet of Things.”
The U.S. power grid is not a singular system. As more internet-based devices are entered into these grids — otherwise innocuous devices that allow for remote viewing, entry and access of systems and that maintain their own inherent security gaps — the overall resilience across all systems could be compromised if America does not prepare.
Looking at a long-term horizon, improving both education and policy environments to encourage innovation entrepreneurship will incentivize entrepreneurs and young people to enter the cybersecurity field. This will provide our nation with a bench of ready, capable experts who will create new jobs and remain on the cutting edge of the latest technology. There is already a general shortage of much needed cyber security talent, further underscoring America’s need to focus on cultivating the next generation of “white hats,” the hackers who work to protect us from the hackers who seek to do us harm.
The electrical grid may be vulnerable to cyber attack, but that doesn’t mean it must remain that way. It also does not mean that dozens of new regulations are needed to protect the grid. The electricity sector is one of the only industries presently required by federal law to protect against, and prepare for, cyber attack. Avoiding new regulations inspired by hysterical over-reaction rather than measured response to the true need, engaging in thoughtful conversations about the “Internet of Things” and its potential to increase grid vulnerability, and providing educational and economic opportunity to the next generation of cybersecurity innovators are just a few of the solutions policymakers can foster to ensure critical infrastructure systems remain safe from this dangerous cyber threat.