November 24, 2020

This post is one in the “Rethink Cybersecurity” series. Additional posts in this series are available here.

Technological advancements in the energy sector have dramatically changed energy production, transmission, and consumption to be more efficient and cost-effective.

However, these exciting innovations, products of the digital age, are inconsistent with the long-standing economics of the energy industry. Energy companies need to adapt to this changing landscape to remain viable, resulting in increased adoption of high-tech “smart grid” solutions. However, these same innovations are bringing significant cybersecurity challenges for the sector.

Once again, the economics of the digital age are running into the nearly irresistible drivers of digital services.

An increasing number of homes and businesses are now equipped with Internet of Things devices which are linked to the electric grid, and more devices are being employed every year to manage the grid. Monitoring such a massive network requires extensive resources and advanced technology which are often not economically viable for many companies. Thus, the interconnected nature of the smart grid will continue to offer significant advantages to producers and consumers but will also pose a significant challenge for utilities and other companies for the foreseeable future.

Another newer challenge which has been introduced with the advent of the smart grid is the challenge of securing customer data. Traditionally, data protection has been focused on protecting a few closed systems with minimal touchpoints. However, with the increasing use of devices, like smart power meters, collecting and transmitting massive amounts of data, the issue of data protection has been brought to the forefront of the cybersecurity discussion in the energy sector.

While this data is valuable to producers and consumers alike, securing this data presents formidable obstacles both technologically and financially. The energy sector must now not only be concerned about attacks aimed at crippling the smart grid, but they must also prioritize the security of large amounts of customer data.

Unfortunately, the economics of cybersecurity in the energy sector are less favorable for utilities than for other companies. The evolution of the energy market in the United States has started to strain many utilities financially as increased competition and changing consumer preferences reduce revenues. At the same time, new technologies, like virtual cloud utilization, have required extensive investment by many in the energy sector. This increased investment in technology, coupled with aged physical assets and legacy systems, has left many utilities in a difficult financial position.

Although the implications of successful cyberattacks on the grid are dire, to date the United States grid has been relatively unscathed in the eyes of many. Utilities responding to the economic pressures of a changing commercial landscape are more likely to focus their limited resources on maximizing revenues instead of investing more heavily in expensive cybersecurity technology or personnel. 

For many utilities, it’s difficult to justify the costs of heavy investment in cybersecurity on a commercial basis. On the other hand, the systemic risks inherent in a significant systemic attack on the grid are, from a national security perspective, massive.

Private companies invest in security at an economic level that makes commercial sense. Thus, expecting all of the more than 3,000 interconnected utilities to expend the resources necessary to completely secure their systems against sophisticated cyberattacks from nation states is unsustainable and unrealistic: the cost to do so cannot be managed on a long-term basis on the rate-payers’ backs, and, lacking economic justification, shareholder investment is liable to dry up.

Economics are at the heart of the challenges the smart grid faces. The potential “payoff” for a cybercriminal or nation-state targeting the United States grid is quite high, while the chances of prosecution and costs of launching an attack can be relatively low. Unlike many other types of cyberattacks, an attack against the grid would likely be politically motivated as opposed to financially motivated. 

The National Infrastructure Protection Plan, crafted in the Bush Administration and then embraced by the Obama and Trump Administrations, states clearly that private companies are reasonably expected to invest in security on a commercial basis. However, the national security implications of a possible systemic attack on the evolving smart electric grid are unlikely to be covered by commercial spending levels, and demanding that private companies spend at a national security level is liable to seriously diminish the private investment required to provide normal and needed public service.

Coming to grips with the economics of securing our critical infrastructure in the face of increasingly likely serious cyber-attacks is a major public policy imperative.

However, the political and strategic payoff of crippling part of America’s power grid for a rival nation would be massive. Attacks on the power grid are prime examples of the sort of growing systemic cyber risk we can expect to see in the future. Yet again, the economics provide a demonstrable advantage to the attacker and a disadvantage to the defender.