Grid threats increase daily - from foreign foes, terrorists, criminals and hackers. Utilities are tasked with guarding against a rising tide of potentially disruptive intrusions into their power grid and electronic networks. What will it take to keep the power system secure - who will orchestrate the effort, what will it cost and who pays?
Join us at noon EDT on Thursday for a pathbreaking webcast on the future of grid security featuring:
- Patricia A. Hoffman, Assistant Secretary of Energy, Office of Electricity Delivery and Energy Reliability
- Alan T. Crane, senior scientist, National Research Council
- Seán McGurk, Global Managing Principal, Critical Infrastructure Protection and Industrial Control Systems Cybersecurity, Verizon
To key up our conversation, I asked the panelists to briefly respond in writing to an opening round of questions. Their answers follow.
Patricia Hoffman
1. Are utilities as prepared as they can be when it comes to securing America’s power grid from cyber and physical assaults?
Utilities are facing cyber threats that continue to change and increase in sophistication. It is a challenge that doesn't have a simple answer, but one that we are working very hard to address. Public-private partnerships have had a large impact on the approach to this problem and have resulted in a lot of successes such as the Department of Energy's Electricity Sector Cybersecurity Capability Maturity Model. We are looking forward to continued public-private collaboration.
2. How likely is it that a city or region will suffer an outage in the next few years as a result of a deliberate attack by a foreign nation, terrorists or criminals?
This is a topic that has received a great deal of attention in news media recently. We are working with utilities to increase their cyber capabilities. This is the area where the Department of Energy can have an impact by sharing actionable threat information with critical infrastructure/energy sector stakeholders.
3. Are the costs of providing the utmost security to our power grid fully understood?
As risk managers, infrastructure owners and operators wrestle with this question every day. The sector is highly regulated and does a good job complying with these regulations. In a dynamic threat environment, however, it is difficult for regulations to stay ahead of these threats. This is why having sound risk management programs in place can go a long way in addressing these threats and anticipating costs.
4. Will those costs be manageable or are they likely to have a significant impact on consumers, commercial power users and industry?
Our goal is to help utilities build the capabilities needed to protect their systems. DOE believes this can be done with manageable cost and will continue to work with utilities to provide tools that can be leveraged by utilities to build appropriate capabilities for reasonable costs.
Sean McGurk
1. Are utilities as prepared as they can be when it comes to securing America’s power grid from cyber and physical assaults?
The challenge we face is in the fact that the issues are evolving. The threats are not static as they constantly change their tools, techniques and procedures. Subsequently, companies must evolve and enhance their security while keeping operations at the forefront. The 2013 Data Breach Investigations Report has specific examples.
2. How likely is it that a city or region will suffer an outage in the next few years as a result of a deliberate attack by a foreign nation, terrorists or criminals?
The 'likelihood' is difficult to quantify. Given the rise of advanced cyber capability such as STUXNET, DuQu, Mahdi and Shamoon, adversaries have increased their capability to deny, disrupt, disable and destroy systems. The cybersecurity focus is shifting from a traditional perimeter defense to a more defense-in-depth strategy.
3. Are the costs of providing the utmost security to our power grid fully understood?
The costs of implementing change are never fully understood. As we develop technology to combat the challenges in security we see the cost growing more and more. Recent Congressional Budget Office (CBO) estimates highlight the challenges with understanding the total cost associated with grid security.
4. Will those costs be manageable or are they likely to have a significant impact on consumers, commercial power users and industry?
As with all developing programs, there will be a role for the government (Federal, State, Local, Tribal and Territorial) as well as the private industry to play a part in managing the cost to implement technology. The consumer will have a role to play as well in driving the market based on the requirements for service. Working in concert, each of the partners can effect the change necessary to secure the grid and control cost.
Alan Crane
1. Are utilities as prepared as they can be when it comes to securing America’s power grid from cyber and physical assaults?
No, but they are improving. Organizations such as the North American Electric Reliability Council, and the Department of Energy and Homeland Security are working with them to reduce vulnerability.
2. How likely is it that a city or region will suffer an outage in the next few years as a result of a deliberate attack by a foreign nation, terrorists or criminals?
There is no way to accurately quantify the probability of an attack as that depends in part on the motivations of the potential attackers. The ability of terrorists to mount an attack that could result in a widespread blackout has been reduced, but it still could happen should they choose the electric system as their target. State-sponsored sabotage is probably a greater threat now. A long-term blackout of a large part of the country would cause enormous disruption and economic damage and could, therefore, be an attractive option for a nation engaged in a war with the U.S. but otherwise unable to hit back at our homeland.
3. Are the costs of providing the utmost security to our power grid fully understood?
Depends on what you mean by “utmost”. The costs of modernization of the grid are fairly well understood, and modernization is key to enhanced security. Likewise, the cost of designing and possibly stockpiling large power transformers can be estimated. But the increase in security depends on how far you push these options. What is not well understood is the optimum balance of security vs. cost.
4. Will those costs be manageable or are they likely to have a significant impact on consumers, commercial power users and industry?
The costs of modernization and enhanced security will be manageable, but they will also be significant. Modernization will also have significant benefits such as improved reliability and reduced need for additional transmission lines. The problem with investments solely for enhanced security (e.g. physical security for substations) is that most utilities are at low risk of attack, and therefore cannot be expected to invest heavily. However, an attack anywhere will affect many other utilities.







