New study examines current state of grid cybersecurity efforts

Published on April 22, 2019 by Scott Sowers


A new study by the Vermont Law School’s Institute for Energy and the Environment lays out the challenges of protecting the electric grid from cyberattacks and provides some methods that may hold the keys to future success.

The “Improving the Cybersecurity of the Electric Distribution Grid” study, funded by Florida-based nonprofit Protect Our Power, includes case studies of several states that detail ongoing challenges while also examining best practices for how state electric utility commissions and their regulated utilities can increase investments to enhance grid security.

“It is clear that action is needed to reduce the likelihood and impact of a cyberattack on the nation’s distribution grid, and this report provides concrete steps towards ensuring a more resilient grid,” said Mark James, project lead and assistant professor with the Vermont Law School. “Our research identifies pathways for utilities and utilities commissions to reduce existing barriers to investment and increase system resilience.”

The study also examines the legally complex area of sharing sensitive cybersecurity data between government, regulators and the utilities. The case studies include efforts underway in California, Connecticut, Michigan, Florida, New York, Kentucky, Illinois and Delaware. Regulatory and technological obstacles are also explored.

Some of the key findings include:

Pacific Gas and Electric Co. (PG&E), San Diego Gas & Electric Co. (SDG&E), and Southern California Edison formed a partnership with Lawrence Livermore National Laboratory (LLNL) and Idaho National Laboratory for a project focused on modeling and simulating cyber threats and possible responses. The program also sought to create physical test bed sites to evaluate the impacts of cyber threats on substation equipment.

Politics and budgeting narrowed the scope of the project, which primarily focused its research on a Machine-to-Machine Automated Threat Response system. Much of the data that was generated was considered classified and was inaccessible to the commission and its staff without security clearances.

Part of the state’s Comprehensive Energy Strategy includes the major utilities meeting with the Connecticut Public Utilities Regulatory Authority every year. The utilities are expected to report on their cyber defense programs, registered attacks on their systems, and corrective measures they will undertake in the following year.

The utilities chose a Department of Homeland Security-style Cybersecurity Capability Maturity Model reporting methodology. The utilities prefer this method of enhancing communication to legislation, executive order, or regulatory mandate. To protect this information, the content of the meetings is confidential, with limited note taking, and the information included in the annual report is curated to reduce utility exposure.

Cybersecurity was of keen interest to former Michigan Gov. Rick Snyder, and his policies brought representatives from the utilities together in informal meetings. In 2014, the Michigan Public Service Commission (MPSC) instructed the two largest investor-owned utilities (IOUs) in the state, Consumers Energy and DTE Electric, to provide MPSC staff with annual reports addressing the utilities’ cybersecurity programs and attack prevention.

Following this move, the MPSC opened cases to address statewide annual reporting. From those cases, the Commission updated the Technical Standards for Electric Service to require annual written or oral reports from all IOUs and electric co-ops.

The reports must include details on cybersecurity operations and management, as well as an “overview of major investments in cybersecurity during the previous calendar year and plans and rationale for major investments in cybersecurity anticipated for the next calendar year.”