Cyber attacks are an increasing risk for the US electric sector and have eclipsed terrorism as the primary threat, according to the Federal Bureau of Investigation. The Industrial Control Systems Cyber Emergency Response Team responded to 256 incidents that targeted critical infrastructure sectors in fiscal year 2013, and 59 percent of those incidents involved the energy sector. A large-scale cyber attack or combined cyber and physical attack could lead to enormous costs, potentially triggering sustained power outages over large portions of the electric grid and prolonged disruptions in communications, food and water supplies, and health care delivery. Moreover, cyber threats are more difficult to anticipate and address than traditional threats to electric grid reliability, such as extreme weather. A cyber attack could come from many sources and—given the size and complexity of the North American electric grid—could target multiple vulnerabilities. Advanced grid technologies provide new efficiencies and other benefits but also increase cybersecurity challenges, because the transition from analog to digital controls creates new potential pathways into utility systems.
It is probably impossible to protect the electric grid from all cyber attacks, particularly given the rapid pace at which cyber threats evolve. Therefore, industry and policymakers must consider how to most effectively manage the risks, taking steps to reduce the likelihood of cyber attacks and to limit the impacts of a successful attack. With this goal in mind, the Bipartisan Policy Center launched the Electric Grid Cybersecurity Initiative in May 2013 as a collaborative effort between the center’s Energy and Homeland Security Projects. The initiative was co-chaired by General Michael Hayden, former director of the CIA and NSA; Curt Hébert, former FERC chairman; and Susan Tierney, former assistant secretary for policy at the Energy Department. On February 28, 2014, the co-chairs released a report that provides recommendations in four key policy areas: standards and best practices, information sharing, responding to a cyber attack, and paying for investments in cybersecurity.
Beyond mandatory standards. In many ways, the electric power sector is in a stronger position than other critical infrastructure sectors to address cyber threats, because it already has mandatory, federally enforceable standards: The North American Electric Reliability Corporation, with oversight from the Federal Energy Regulatory Commission, develops and enforces standards that apply to the bulk power system (generally, generation and transmission), and the Nuclear Regulatory Commission develops and enforces standards for nuclear power plants. However, while these standards provide a useful baseline level of cybersecurity, they do not create incentives for the continual improvement and adaptation needed to respond effectively to rapidly evolving cyber threats. Furthermore, focus on compliance with standards may draw attention and resources away from comprehensive security. Finally, mandatory standards do not reach electric distribution systems, which operate outside of federal jurisdiction. For these reasons, there is a clear need for a vehicle to advance cybersecurity excellence across the entire sector.
To meet this need, the report’s three co-authors recommended the creation of a new, industry-supported body modeled on the Institute for Nuclear Power Operations (INPO). INPO was formed in response to the 1979 accident at Three Mile Island. A commission appointed to investigate the accident found that “merely meeting the requirements of a government regulation does not guarantee safety. Therefore, the industry must also set and police its own standards of excellence to ensure the effective management and safe operation of nuclear power plants.” INPO’s mission is “to promote the highest levels of safety and reliability—to promote excellence—in the operation of commercial nuclear power plants.” INPO’s president has testified that “the distinction of promoting excellence, rather than regulatory compliance, is fundamental to INPO’s role in raising nuclear power safety performance.”
INPO performs four primary activities: facility and corporate evaluations, professional training and accreditation, event analysis, and technical and management assistance. Approximately every two years, INPO teams conduct comprehensive evaluations of nuclear plants and produce detailed reports that assess the knowledge and performance of personnel, the condition of systems and equipment, the quality of programs and procedures, and the effectiveness of plant management—identifying both strengths and weaknesses in the process. INPO also assigns each facility a numerical rating and briefs company leadership on results. In addition, INPO holds an annual CEO meeting at which individual facility ratings are discussed, creating performance pressure at the highest levels of member companies. INPO’s evaluation process is a critical part of the group’s effectiveness; evaluation results carry significant weight within the industry.
Benefits and challenges. An INPO-like organization focused on electric grid cybersecurity could do much to advance risk-management practices across the industry, serving as a valuable complement to existing standards. In particular, the introduction of comprehensive peer-to-peer and expert evaluations, similar to those conducted by INPO, combined with actionable reports to utility leadership, could lead to meaningful improvements in utility practices. Like INPO, this new organization could engage in event analysis, disseminate lessons learned, provide technical assistance, and offer training and accreditation for industry professionals.
Effective engagement from chief executives is a key reason for INPO’s success, along with the group’s focus on safety and accountability, and its operational independence from industry and regulators. A cybersecurity-focused organization should aspire to achieve a similar level of industry engagement, support, accountability, and independence in order to ensure effectiveness.
Finally, to have maximum impact, this new organization should include the full range of generation, transmission, and distribution providers and market operators in the North American power sector, including municipal utilities and electric cooperatives. Effectively engaging more than 3,200 diverse entities will be a challenge. While achieving industry buy-in was similarly challenging in the early days of INPO, its potential membership was much smaller. The large number of power-sector entities could impede efforts to establish common best practices, limit the organization’s ability to encourage meaningful changes to performance, and potentially create difficulties for information security. Careful consideration must therefore be given to the structure and governance of this new organization, so that conflicts and resource inequities that might arise within such a large and diverse group can be managed effectively. Given both the extent and the rapid evolution of cyber threats, the Electric Grid Cybersecurity Initiative report urges the industry to address these organizational challenges now, before a costly and damaging cyber attack on the grid occurs.