Experts: U.S. more prepared for cyber attack on paper than in reality

A discussion panel of cyber security and electrical industry stakeholders on Sunday examined what can be done to protect public utilities in the U.S. and other countries from cyber attacks, as well as what steps can be taken to mitigate the effects on the grid during a high-risk event.

The panel was part of the annual summer meeting of the National Association of Utility Commissioners (NARUC).

“Simply put, it really is critical to our collective national interests that hometown security preparedness equals national preparedness and security,” Matt Duncan, program manager for the U.S. Department of Energy (DoE), said. “One thing that has shown promise in helping these issues are our DoE regional coordinators in each of the 10 Federal Emergency Management Agency (FEMA) regions that work with first responders during the event of a natural disaster or a terrorist attack.”

Duncan pointed to the Energy Emergency Assurance Coordinators Agreement signed by Secretary of Energy Ernest Moniz in February, which would use one or more state-designated individuals as points of contact to share information with the DoE and states in the event of an energy supply disruption, as an important step. The program would serve to improve information sharing and communication during lower response times.

Duncan added that preparedness exercises held by federal agencies and the private sector are critical to ensuring the safety of both the electrical grid and first responders. The exercises also include annual studies on the risks and hazards that might affect the energy sector.

Despite such preparedness efforts, however, U.S. cyber security is not nearly as prepared as it appears, Arthur House, commissioner for the state of Connecticut Public Utilities Regulatory Authority, warned.

“The thing to remember about cyber security, we are far better on paper to take care of things than we are operationally,” House said. “It’s not as if the president could turn to the secretary of energy in the event of a grid cyber attack and say ‘turn it back on.’”

The ongoing conflict in Ukraine can be used to learn how an attack would take place, according to Paul Stockton, managing director of Sonecon, LLC, and previously the assistant secretary of defense for homeland security affairs, told the panel.

”I think we’re getting good and understanding ways on cyber penetration to the networks, specifically to the power grid and water sectors,” Stockton said. “What I think we need to focus on is if the adversary breaks into (our cyber infrastructure) during restoration efforts after a disaster, those restoration efforts themselves will be targeted as well.”

Stockton expressed concern about the possibility of cross-sector attacks during a disaster, such as a financial cyber attack coupled with an attack on the electric grid, telling the panel that a similar attack in Ukraine in 2014 hindered any sort of impactful coordinated response.

The panelists agreed that best practices for cyber security protection include layered defenses, regulatory oversight, external third party assessments and internal governance.