At the beginning of this year, the Trump administration accused Russia of a two-year cyberattack campaign against the U.S. electric grid.
This was the first time the US openly accused Moscow of threatening America’s energy security. Although Trump has claimed that all cyber-attacks on the US by Russia have stopped, FBI Director Chris Wray completely disagrees, and regardless of the current state of play, the mere fact that an attack like this can take place has highlighted the critical need for improved grid security on a global level.
In March this year, US Department of Energy Secretary Rick Perry announced a new Office of Cybersecurity, Energy Security and Emergency Response, indicating that the administration is taking grid cyber threats seriously, and President Donald Trump’s Fiscal Year 2019 budget allocated $96 million for this center.
Whilst this is a step in the right direction and hopefully a sign of more support to come, utilities themselves must look to do something similar. There is no “one-size-fits-all” solution for all utilities, as each will have its own cyber-security strengths and weaknesses; however, there are some steps power companies can take to protect information and critical operations from cyber-attacks.
US utilities are predicted to spend over $7 billion on grid cybersecurity by 2020, but in order to implement solutions effectively, utilities first need to understand the interconnectedness of their systems, the relative strengths and vulnerabilities of the systems in use, and then evaluate the solutions on offer.
Constance Douris, Vice President of the Lexington Institute, has suggested that utilities create a detailed register of identified risks, the severity of exposure and possible solutions, with these registers being updated regularly.
This will serve as a common document to motivate internal thinking and discussions about organizational cyber risks. It would also provide a tool to inform the board, management, and key stakeholders about cyber vulnerabilities, helping prioritize financial resources for protection.
The market’s getting crowded, and confused
There is an increasing number of “more or less similar” cybersecurity solutions available on the market, and besides creating a certain level of market noise, they arguably do little to truly help utilities evaluate their options.
US Congressional representatives Bob Latta and Jerry McNerney introduced the Cyber Sense Act to create a program that will identify, test, and report on cybersecurity product effectiveness for the bulk-power market.
By being able to assess available solutions, utilities will be best able to ensure their continued operational success. Regulatory authorities could also assist by requiring a minimum level of cybersecurity, although, says Douris, it is crucial that any such requirements be outcome-based, so that objectives can be achieved within a more flexible framework.
Utilities, meanwhile, should be equipped with the freedom to tailor cyber solutions to their specific needs, thereby helping utilities factor in differences in size, structure and resources. Cyber threats to the electric grid are increasing in scale and severity. No single organisation can counter cyber threats alone; grid operators, policymakers, and the private sector will have to work together.