Is utility cybersecurity getting lost in compliance red tape?

Published on July 19, 2018 by Hil Anderson

The possibility of cyberattacks turning off the lights and knocking pipelines offline is getting a lot of attention on Capitol Hill this summer, and that has some experts in the field worried.

The threat of malevolent hackers is certainly something to take seriously. But addressing the problem in a regulatory fashion, with rulemaking, congressional hearings, and stacks of reports and recommendations, might fit nicely with the Beltway’s Byzantine method of doing things yet not necessarily with the actual day-to-day operation of the power grid.

“The utilities are really trying to address cyber pragmatically and be proactive about it,” said Jon Stanford, Global Principal for Industrial Security and IoT Solutions at Cisco.

In an interview with Daily Energy Insider, Stanford proposed that developing a detailed compliance strategy for protecting the grid could turn into an unnecessary headwind for the utilities that will have to carry it out. “We (utilities) want to do the right thing, but we also now have to invest in compliance, and that can sometimes drain your resources,” he said. “Private industry is struggling with compliance.”

A federal law passed in 2015 designated the Department of Energy as the lead agency on utility infrastructure security. But Stanford contends that the DOE’s latest plan to secure the grid, issued in March, was an example of being more focused on utilities all landing neatly on the same page than on the cutting edge.

“The core issue is that they are basically proposing an approach that is based on how the federal government addresses IT security,” he said. “It doesn’t recognize that the electric grid does not address security that way.”

“The two approaches need to go hand-in-hand, and that’s not occurring,” said Stanford.

Standard IT security is generally an effort to keep viruses, malware, or other digital weapons out of an individual computer system and prevent these bugs from causing havoc with a company’s data. An attack on a utility, however, has a physical component in the form of causing equipment such as power transformers or pumps to shut down or even suffer actual damage. “There is so much focus on the cyber part of this, but if destruction is your motive, you have to cause something to physically happen,” Stanford said.

Washington has also handed a level of influence and authority over critical infrastructure to the Department of Homeland Security (DHS), which issued the National Infrastructure Protection Plan back in 2013.

Stanford cautioned that the DHS’s involvement focuses a share of attention and resources on discussions of who the hostile nations might be and what their nefarious intentions are. “One of the core barriers regarding DHS is they are very heavily focused on anti-terrorism,” he said. “But when it comes to critical infrastructure, it becomes fragmented.”

“There is a lot of discussion taking place on threats, and it’s good to understand the threats and who the different actors are, but the conversation really needs to center on the physical risks,” Stanford said, citing the targeting of high-voltage transformers with malware that disrupts monitoring and control and eventually leads to instability in the flow of electricity.

A better course, according to Stanford, is the recognition that threats are constantly evolving, and the power system is by nature vulnerable to attack. But utilities can minimize the effects of an intrusion and quickly get back on line, if necessary, by having their staff trained and transformers and other spare equipment stockpiled for rapid deployment.

Washington can then leave more of the planning for recovery to the utilities and private sector. Stanford predicted that would eliminate any vagaries in the compliance process and take advantage of the commonalities in the designs and terminologies of power grids and other industrial systems. The result would be a clearer path for utilities in terms of cybersecurity planning and investment.

“There is a lot of information and material that can be drawn on right now,” Stanford said. “We could use that as a starting point and not have to start from Ground Zero.”