CYBERSECURITY IN THE POWER UTILITY SECTOR
WHAT MAKES THE UTILITIES SECTOR UNIQUE
Over the past decade, the bulk power system has seen improvements and increased investment in resiliency and cybersecurity. However, local power-distribution assets are not only more vulnerable to cyberattack but also more critical to national electricity delivery than previously contemplated.
MARKETPLACE INNOVATION IS LAGGING
While products to protect information technology infrastructure are readily available and mature, there are far fewer products in the marketplace that provide security for the highly connected operational technologies that control physical assets on the power grid.
To add complexity, many power utility executives struggle with the uncertainty of whether security-related costs and overhead can be recovered under traditional state ratemaking procedures. Even if utilities were adequately funded to address their normal (i.e., "commercial") cybersecurity risk, there will inevitably be a gap between the vulnerabilities that can be cost-effectively mitigated and the residual risk posed by sophisticated nation-state actors seeking to disrupt the grid. Utilities, even though duty-bound by public-good considerations, are still private-sector businesses that are unlikely to invest far beyond the thresholds of normal commercial risk.
LIMITED INFORMATION TO INFORM CYBERSECURITY DECISIONS
Exacerbating the situation is the fact that utility asset vendors sell closed-source devices and software solutions, which typically come bundled with significant contractual prohibitions against tampering or reverse engineering. This creates a difficult situation: utilities are prevented from adopting processes that would let them verify the integrity of the hardware and software they purchase.
CHALLENGES FACING THE NEW ADMINISTRATION
A GRID THAT IS BECOMING INCREASINGLY DIFFICULT AND COSTLY TO DEFEND
For the past fifteen years, the electric power industry, with significant support from government, has invested heavily in making the distribution system smarter, more efficient, and more connected. Smart grid technologies have been incentivized and implemented with little regard for the increased cyber risk. Equally concerning is that utilities are sourcing advanced technologies and products from multiple vendors with little or no ability to properly assess supply-chain risks.
CREEPING POSSIBILITY OF A TERRORIST ATTACK
The possibility of terrorist attacks will grow. The level of sophistication required to effect widespread damage to the grid has typically suggested that only nation-states would be effective. However, a growing community of postnational actors is being contracted by states as an extension of their offensive capabilities, which is creating an international marketplace for sophisticated disruption capabilities.
ENHANCE INFORMATION SHARING BETWEEN UTILITIES AND THE FEDERAL GOVERNMENT
Greater transparency from the federal government about how shared data is handled will foster the trust and confidence on which relationship building and communication depend. The next president should instruct the existing utility industry sector coordinating council and the corresponding government coordinating council established under the National Infrastructure Protection Plan to engage on these information sharing issues and report back to the administration within three months on their plan to create greater clarity and transparency regarding information sharing within the sector, including any legislative adjustments that may be needed.
REFORM THE CLEARANCE ATTAINMENT PROCESS FOR PRIVATE SECTOR EXECUTIVES
Long processing times and an insufficient number of security clearances being made available are significantly hindering the utility industry's ability to support the US cybersecurity mission. The next president should instruct DHS to coordinate among security clearance granting agencies and develop an expedited "TSA PreCheck" style system to enable already cleared individuals to maintain their clearances more easily, and generally modernize the clearance process to include the use of clearances that transfer from department to department.
ENSURE DOE REMAINS THE PRIMARY LIAISON BETWEEN UTILITIES AND THE FEDERAL GOVERNMENT
While DHS plays a critical role as utilities face cybersecurity challenges, the Department of Energy remains best suited as the main point of contact due to decades of working to provide meaningful, contextual, and actionable analysis. The next president and Congress should consider amending the Cybersecurity Act of 2015 to expand the benefits currently granted for sharing information with DHS to other appropriate agencies such as Energy.
CATALYZE AND ACCELERATE THE DEVELOPMENT OF THE PRIVATE CYBERSECURITY INSURANCE MARKET
Cybersecurity insurance is an undervalued tool and critical to the future safeguarding of utilities, but to date the market has focused on data-breach fallout. To expand coverage, the administration and Congress should replicate the success of the Terrorism Risk Insurance Act to create a similar reinsurance backstop for cyberattack-caused real-world damage to utilities and their customers.
PROMOTE INNOVATION THROUGH GOVERNMENT GRANTS
Initiatives such as Rapid Attack Detection, Isolation and Characterization Systems at DARPA and Cybersecurity for Energy Delivery Systems at Energy encourage investment in commercial products by appropriately reducing risk for potential vendors and helping bring together all relevant stakeholders. These programs should be continued and expanded.
INCREASE CYBERSECURITY FOCUS OF STATE-LEVEL REGULATORS AND LEGISLATURES
The federal government should pass a cybersecurity “states-must-consider” law so that states must demonstrate they have considered appropriate cost-effective cybersecurity standards for their electric utility ratemaking proceedings. Doing so will effectively increase the focus on distribution cybersecurity at the state level without imposing new regulations on distribution utilities.
ENCOURAGE PUBLIC-PRIVATE COLLABORATION TO MANAGE VENDOR RISKS
Vendors must play their part in the security of the grid. A new balance needs to be struck between the commercial needs of vendors, who would prefer not to reveal the workings of their products, and the needs of electric utilities both to ensure assets are not prepackaged with malware and to understand better how assets would behave if they were controlled maliciously. Solving this requires a dialogue between utilities, vendors, and the government to evaluate possible solutions that cost-effectively increase confidence in US grid assets and help utilities prepare for cyberattacks. The Obama administration's proposal for a National Center for Cybersecurity Resilience, where companies could test the security of systems under controlled conditions, is a good start in this direction. So is the Federal Energy Regulatory Commission's proposed rule regarding supply-chain risk management. The government and utilities themselves could play a valuable role in incentivizing vendors to adopt the Underwriters Laboratories model, under which all vendor products would be rigorously and transparently inspected to ensure they meet baseline cybersecurity standards.