Utilities were trying to harden their infrastructure against the multitude of threats they face even before the EMP Commission report. EMP attacks, cyber threats, and even physical attacks like the one in Metcalf, California, in 2014 are situations that power stations must prepare for. But at The National Interest, Constance Douris writes that power utilities have left a gaping hole in their defenses against cyber threats.
Utilities operate the distribution part of the grid — the final stage where electricity is delivered to customers. Currently, mandatory cybersecurity standards only exist for the bulk power portion of the electric grid, but not the distribution system. The distribution system delivers electricity to pipelines, medical facilities, telecommunications, military bases and other critical infrastructure. If a successful cyber attack on the distribution system disrupts electricity, devastating economic and security consequences can result. Clearly, the distribution system also needs to be protected to prevent damage to the bulk power system.
A successful cyber attack on the U.S. electric grid is possible. Russia has a well-resourced central cyber command. It is widely believed that Moscow has already penetrated U.S. government organizations such as the State Department, Department of Defense and the White House. China is very active in cyber as well. Beijing utilizes viruses and botnets to access targets, but these efforts are likely aimed more at intellectual property theft and gathering intelligence to improve their own infrastructure. Iran also uses its cyber program against political enemies to collect intelligence, but is less sophisticated in comparison to Russia and China.
PUCs could play a significant role in motivating utilities to boost cybersecurity efforts. This is because they decide what percentage of profits utilities can keep and authorize which investment costs can be passed on to the consumer. Yet, PUCs have been slow to motivate utilities to enhance security from cyber threats. Funding cybersecurity efforts is costly and some PUCs are reluctant to gather information about utilities’ cybersecurity weaknesses. This is because they fear that they could then be held responsible if sensitive information is publicly disclosed. This attitude needs to change.
Boosting utilities’ cybersecurity efforts is expensive. Though the Department of Energy and the Department of Homeland Security offer grants to fund cybersecurity efforts, government funds are limited. Utilities should seek private investors to create revenue streams for funding such projects. Updating energy infrastructure could also result in savings that may then be applied to enhanced cybersecurity measures. Rates can also be reasonably increased to ensure delivery of electricity is secure. More utilities need to pursue such funding opportunities to protect electricity access for consumers.
PUCs should require utilities to conduct a risk analysis so they better understand cybersecurity weaknesses. This profile will allow for informed decision-making, identify steps to reduce threats and create clear cybersecurity goals. PUC commissioners then need to determine whether utilities are making sufficient investments in cybersecurity and whether those assets are properly prioritized.