Safeguard: protecting the electricity grid

Hollywood movies may envision an attack that shuts down the U.S. electricity grid for an extended period, but in real life the possibility of such a disaster is very slim.

For many years, the U.S. electric utility industry has collaborated with the federal government to build a system of high reliability and quick recovery. The industry since 2005 has operated within mandatory federal reliability standards. Electricity is the only "critical infrastructure" sector in America working within such mandatory standards — including the industries of water supply, transportation, telecommunications and financial and security services, among others.

The Politico journalism service last fall interviewed six security experts who agreed that "electrical grid hacking scenarios mostly overlook the engineering expertise necessary to intentionally cause harm to the grid." While power suppliers take extremely seriously any conceivable threat and weakness, the system of generating and delivering bulk electricity is so complex, with many built-in security redundancies, that an attack which might affect a part of the system would not likely bring down the entire grid.

Protecting the grid involves coordination among a variety of federal agencies — including Homeland Security, Energy, and the Federal Energy Regulatory Commission (FERC) — as well as national laboratory and testing facilities, universities and, of course, the utilities involved in producing and delivering electricity. While private industry owns and operates nearly 90 percent of the nation's "critical infrastructure," the federal government is responsible for the rest and would consider an attack aimed at crippling any sector an act of war.

For the industry, grid security involves two main responsibilities: protecting the physical and operational integrity of the system and recovering from any form of assault, ranging from weather disasters and local vandalism to hacking into and disabling controls. In short, the first responsibility of electric utilities is to keep the lights on safely.

After a substation in California was damaged by gunfire in 2013, beefing up physical security standards kicked into high gear. Last November, FERC approved six requirements developed by the North American Electric Reliability Corporation (NERC), a non-profit organization certified by the federal government since 1968 for ensuring grid reliability. FERC then issued an order that requires utilities who own high-voltage power transmission systems to

• Conduct periodic assessments of aspects of the system that may be at risk
• Allow independent verification of those assessments
• Notify system operators of identified risks
• Evaluate possible threats and vulnerabilities
• Implement physical security plans for transmission stations and control centers
• Invite unaffiliated third-party review of the security plans and protect sensitive or confidential information from public disclosure

Meanwhile, electric utilities for years have strengthened and implemented best practices to prepare for and prevent attacks, as well as to respond and recover. They routinely work with law enforcement and security agencies to protect substations and other assets.

This spring, electric cooperatives supported federal legislation aimed at sharing information across government and business sectors as a means of remaining vigilant and responsive. North Carolina's senior Sen. Richard Burr was among the leaders who championed the legislation. "Cooperatives take seriously the responsibility to protect the security of the bulk power system," said Jo Ann Emerson, CEO of the National Rural Electric Cooperative Association. "Robust, voluntary information sharing between and among members of the electric sector and government agencies will be vital to electric utilities in the event of a cyber-attack. We are in full support of advancing the effort to enhance cyber security while protecting individual privacy."

With funding from the U.S. Department of Energy, NRECA is producing a prototype security appliance and system designed to identify threats very rapidly and decrease the amount of work and expertise needed to keep networks safe. The research team includes Pacific Northwest National Lab, Honeywell, and Carnegie Mellon University.

No critical infrastructure — even one as highly protected and monitored as the electricity grid — can be 100 percent safe from physical and cyber attacks. But as awareness of vulnerability to terrorism and sabotage rises, the electric utility industry has sharpened its own tested defense and response systems.