Electric industry says protecting electric grid from cyberattacks top priority
The electric industry is tackling cyber security threats to the nation’s electric grid by facilitating risk information sharing, deploying government technology that improves awareness and planning how best to coordinate responses to incidents.
The House Subcommittee on Energy held a hearing on Wednesday to examine the electricity sector’s efforts to respond to cyber threats and ensure the reliability of the nation’s transmission systems in light of the evolution of smart grid technology.
“Integration into the system of new technologies, especially digital technologies, that are essential to keeping up with the nation’s energy needs constantly adds new vulnerabilities,” Energy Subcommittee Chair Fred Upton (R-MI) said in opening remarks at the hearing. “Combine this with the rapid development of cyberattacks and safeguarding transmission systems becomes particularly challenging.”
The bulk power system in the United States and Canada is valued at $1 trillion. It is vast, encompassing more than 200,000 miles of transmission lines, and delivering electricity to more than 334 million people.
A major cyberattack in recent years highlights the urgency in securing the nation’s electric system. The December 2015 cyberattack on the Ukrainian power grid resulted in power outages that lasted for hours and impacted more than 225,000 customers. More recently in the United States, a million electronic devices were impacted by a sudden denial-of-service attack against internet service providers.
“There is not enough money in the world to protect against every threat in every location, but we are working to prevent incidents from having long-term or devastating impacts,” said Scott Aaronson, executive director of Security and Business Continuity at Edison Electric Institute (EEI), which represents all U.S. investor-owned electric companies.
Aaronson also testified to the subcommittee on behalf of the Electricity Subsector Coordinating Council (ESCC). Formed to serve as a liaison between the electric power sector and the federal government, the ESCC is one example of how public-private partnerships are working to improve the resiliency of the electric sector and cyber security.
Congress, government agencies and the private sector are working together to combat cyberattacks. Mandatory nationwide reliability and security standards were created and are enforced by the North American Electric Reliability Corp. (NERC).
Additionally, the Fixing America’s Surface Transportation (FAST) Act of 2015 expanded the Department of Energy’s authority to combat cyber threats and grid security emergencies. The act also encourages the sharing of critical infrastructure information between the private sector and the federal government.
“As flexible and risk based as our standards are, I firmly believe that we cannot win a cyber war with regulations and standards alone. Industry must be agile and continue to adapt to threats and to do that we need robust sharing of information regarding threats and vulnerabilities,” Gerry Cauley, president and CEO of NERC, told the subcommittee.
NERC operates the Electricity Information Sharing and Analysis Center, which serves as the main security communications path for the electricity industry. It takes threat and security data from the Department of Homeland Security, analyzes it and then shares that information.
Power companies know they must continuously monitor and detect suspicious activity, isolate malware and destroy it, Cauley said. Companies often use advanced third-party services to identify vulnerabilities and threats and to maintain security of the systems. The cyber assets used to operate the grid are separate and isolated from business systems, corporate systems and also from the public internet.
“To date there has not been a single cyber attack in North America that has resulted in a power outage to a customer,” Cauley said. “This is an exceptional record, however, we will never be complacent. We understand the risk is real.”
