Evidence collected by the US Department of Homeland Security (DHS) suggests that cyber-attacks on key energy infrastructure – and on the electricity system in particular – are increasing, both in frequency and sophistication. And worryingly, new research shows that the risk of a successful large-scale cyber-attack, or combined cyber and physical attack, on the electric power sector is “significant.”
“As previous grid failures, including the multiday Northeast blackout of 2003, have shown, any event that causes prolonged power outages over a large area would not only be extremely costly, it would wreak havoc on millions of people’s daily lives and could profoundly disrupt the delivery of essential services, including communications, food, water, health care and emergency response,” explained a report from the Bipartisan Policy Center’s (BPC) Electric Grid Cybersecurity Initiative, which was launched as a collaboration of BPC’s Energy and Homeland Security Projects in May 2013. Its goal is to develop policies – aimed at government agencies as well as private companies – for protecting the North American electric grid from cyber-attacks.
“Moreover, cyber threats, unlike traditional threats to electric grid reliability such as extreme weather, are less predictable in their timing and more difficult to anticipate and address,” it added. “A cyber-attack could come from many sources and—given the size and complexity of the North American electric grid—could target many potential vulnerabilities. For this reason, experts agree that the risk of a successful attack is significant, and that the system and its operators must be prepared to contain and minimize the consequences.”
To put the scope of the issue into perspective, the Industrial Control Systems Cyber Emergency Response Team (ICSCERT) reported responding to 198 cyber incidents in fiscal year 2012 across all critical infrastructure sectors. A full 41% of these incidents involved the energy sector, particularly electricity.
Current efforts to provide for electric grid cybersecurity are dispersed and involve numerous federal, state and local agencies, BPC noted. These include mandatory federal standards that apply to the bulk power system and nuclear power plants, and mechanisms to facilitate relevant information-sharing between the public and private sectors, and within the power sector itself.
“But given the complexity, fast-changing nature, and magnitude of potential cyber threats, it is also clear that more must be done to improve grid cybersecurity,” BPC said.
Urgent priorities include strengthening existing protections, for the distribution system as well as the bulk power system; enhancing coordination at all levels; and accelerating the development of robust protocols for response and recovery in the event of a successful attack.
One key policy challenge is that current “economic and institutional factors” are keeping power sector investments in cybersecurity – including investments in research and development – below where they should be.
“First, given the interconnected nature of the grid, the benefits of these investments are likely to extend beyond the footprint of an individual company,” BPC said. “Because the company making the investment is unlikely to be able to capture these spillover benefits, many companies may limit their investments to a level that is suboptimal from the perspective of the grid as a whole. Second, since the risks and consequences of a cyber-attack are difficult to estimate and quantify, individual companies may have a difficult time determining which investments to make beyond the minimum required for compliance with mandatory standards.”
While there’s no magic bullet given the nature of the evolving threat and barriers to sufficient investment, BPC is advocating a couple of new approaches. One is the establishment of an industry-wide organization, modeled on the Institute for Nuclear Power Operations (INPO), to advance cybersecurity practices across the industry.
“We expect that such an organization—coupled with appropriate incentives for participation such as insurance policies and liability protection—could do much to improve cybersecurity across the industry.”
Other approaches that it recommends rely on public-private partnerships that would mobilize the respective assets and expertise of industry and government agencies, and improve the flow of information between government and industry and across different companies. This echoes the federally developed Cybersecurity Framework recently released by the National Institute of Standards and Technology (NIST).
There is always work to do, and BPC laid out a roadmap for its efforts going forward. “In the coming months, BPC staff and Initiative co-chairs will reach out to policymakers and stakeholders to advance these and other recommendations,” said the group. “At the same time, BPC will work to address challenges that would remain even if all the recommendations in this report were adopted. For example, because privacy concerns continue to present a stumbling block for efforts to enhance information sharing between industry and government, additional ideas and compromises will be needed to break the current legislative logjam in this area.”