Preventing cyber sabotage
By Jo Ann Emerson
Security of the nation's electric grid has received a lot of attention lately. Reports of high-profile hacking attempts on electrical facilities by parties foreign and domestic, mischievous and nefarious, keep making front-page news. In fact, according to the U.S. Department of Homeland Security, the energy sector was the target of more than 40 percent of all reported cyber attacks last year.
In today's heightened political climate, some have suggested that government mandates — as opposed to our existing system that provides flexibility to meet ever-evolving threats — are necessary to protect the electric grid from cyber assaults. But it's not certain more regulations will make us safer. Consider these points:
- Government mandates can't keep pace with innovation. Utilities, including electric co-ops, are always deploying new technology — and so are cyber criminals and terrorists. Top-down mandates, by their very nature, will only address known dangers; such a command-and-control approach means we'll always be fighting yesterday's battle.
- "Gold-plated" cyber security measures are not the answer. It's possible to build a car that will survive any crash. But the cost of such a vehicle would be astronomical. Utilities need the latitude to balance risk and cost for the good of the consumer.
- Compliance is not a deterrent. For some, federal rules create a false sense of well-being. The reasoning goes like this: "If I'm following all of the cyber security regulations that apply to me, then my system must be secure." However, bureaucracy can't promulgate processes that address every contingency. And any complacency opens the door to a possible cyber strike.
Fortunately, America's electric cooperatives have taken a lead role on this issue. Electric cooperatives have spent thousands of hours helping to write Critical Infrastructure Protection standards for the North American Electric Reliability Corporation (NERC), the nation's grid watchdog. Also, the Cooperative Research Network (CRN) — the research and development arm of the National Rural Electric Cooperative Association — has developed the "Guide to Developing a Cyber Security and Risk Mitigation Plan." This document, touted by the U.S. Department of Energy as a prime example for other utilities to follow (and endorsed by the head of grid security at IBM), provides a set of scalable, online tools that can help electric co-ops strengthen their cyber security posture.
As perhaps the first approach to advancing cyber security at the distribution level, the "Guide to Developing a Cyber Security and Risk Mitigation Plan" ties into the innate co-op sense of member responsibility and commitment to continuous improvement. While no one suggests it will prevent every possible act of cyber sabotage, any step at mitigation means a significant leap toward bolstered cyber security.
The bottom line is that over the past few years, the North American electric grid has become more secure because of industry efforts. On the executive-branch level, NRECA has discussed co-op leadership and concerns surrounding this subject in meetings with President Obama and U.S. Energy Secretary Ernest Moniz.
The perils posed by cyber attacks are real. But thanks to CRN and standards fashioned by electric utilities under the current voluntary, collaborative NERC framework, electric cooperatives will be better armed to defend against any cyber menace.