Electric grid security
Electric grid security refers to the activities that utilities, regulators, and other stakeholders undertake to secure the national electricity grid. The American electrical grid is going through one of the largest changes in its history: the move to smart grid technology. The smart grid allows energy customers and energy providers to manage and generate electricity more efficiently. Like other new technologies, the smart grid also introduces new security concerns.
Utility owners and operators are typically responsible for implementing system improvements with regard to cybersecurity. Executives in the utilities industry are beginning to recognize the business impact of cybersecurity.
The electric utility industry in the U.S. leads a number of initiatives to help protect the national electric grid from threats. The industry partners with the federal government, particularly the National Institute of Standards and Technology, the North American Electric Reliability Corporation, and federal intelligence and law enforcement agencies.
Electric grids can be targets of military or terrorist activity. When American military leaders created their first air war plan against the Axis in 1941, Germany's electric grid was at the top of the target list.
Issue overview
The North American electrical power grid is a highly connected system. The ongoing modernization of the grid is generally referred to as the "smart grid". Reliability and efficiency are two key drivers of the development of the smart grid. Another is the ability of the electrical system to incorporate renewable energy sources such as wind power and geothermal power. One of the key issues for electric grid security is that these ongoing improvements and modernizations have created more risk to the system. As an example, one risk comes specifically from the integration of digital communications and computer infrastructure with the existing physical infrastructure of the power grid.
According to the academic journal IEEE Security & Privacy Magazine, "The smart grid... uses intelligent transmission and distribution networks to deliver electricity. This approach aims to improve the electric system's reliability, security, and efficiency through two-way communication of consumption data and dynamic optimization of electric-system operations, maintenance, and planning."
Government oversight
In the U.S., the Federal Energy Regulatory Commission is in charge of the cybersecurity standards for the bulk power system. The system includes systems necessary for operating the interconnected grid.
Investor-owned utilities operate under a different authority, state public utility commissions. This falls outside of FERC's jurisdiction.
Cybersecurity
In 2016, members of the Russian hacker organization "Grizzly Steppe" infiltrated the computer system of a Vermont utility company, Burlington Electric, exposing the vulnerability of the nation's electric grid to attacks. The hackers did not disrupt the state's electric grid, however. Burlington Electric discovered malware code in a computer system that was not connected to the grid.
As of 2018, two shifts are taking place in the electric power sector that could make it harder for utilities to defend against cyber threats. First, hackers have become more sophisticated in their attempts to disrupt electric grids. "Attacks are more targeted, including spear phishing efforts aimed at individuals, and are shifting from corporate networks to include industrial control systems." Second, the grid is becoming more and more distributed and connected. The growing "Internet of Things" could make every device a potential vulnerability.
Terrorist attack risk
As of 2006, over 200,000 miles of transmission lines that are 230 kV or higher existed in the United States. The main problem is that it is impossible to secure the whole system from terrorist attacks. The impact of such a terrorist attack, however, would be minimal because it would only disrupt a small portion of the overall grid. For example, an attack that destroys a regional transmission tower would only have a temporary impact. The modern-day electric grid system is capable of restoring equipment that is damaged by natural disasters such as tornadoes, hurricanes, ice storms, and earthquakes in a generally short period of time. This is due to the resiliency of the national grid to such events. "It would be difficult for even a well-organized large group of terrorists to cause the physical damage of a small- to moderate-scale tornado."
Potential solutions
Today the utility industry is advancing cybersecurity with a series of initiatives. It is partnering with federal agencies. The goal is to improve sector-wide resilience to both physical and cyber threats. The industry is also working with the National Institute of Standards and Technology, the North American Electric Reliability Corporation, and federal intelligence and law enforcement agencies.
In 2017, electric companies spent $57.2 billion on grid security.
In September 2018, Brien Sheahan, chairman and CEO of the Illinois Commerce Commission and a member of the U.S. Department of Energy Nuclear Energy Advisory Committee, and Robert Powelson, a former Federal Energy Regulatory Commission commissioner, wrote in a piece published in Utility Dive that cyberthreats to the national power system require stronger national standards and more collaboration between levels of government. Around the time of their article, the U.S. Department of Homeland Security confirmed that Russian hackers targeted the control rooms of American public utilities. The electric distribution system has become more and more networked and interconnected. Critical public services depend on the system: water delivery, financial institutions, hospitals, and public safety. To prevent disruption to the network, Sheahan and Powelson recommended national standards and collaboration between federal and state energy regulators.
Some utility companies have cybersecurity-specific practices or teams. Baltimore Gas and Electric conducts regular drills with its employees. It also shares cyber-threat related information with industry and government partners. Duke Energy put together a corporate incident response team that is devoted to cybersecurity 24 hours a day. The unit works closely with government emergency management and law enforcement.
Some states have cybersecurity procedures and practices:
- New Jersey: Utilities are required to put together comprehensive cybersecurity plans.
- Pennsylvania: Utilities must keep physical and cybersecurity, emergency response and business continuity plans. They also have to report severe cyberattacks.
- Texas: The state's public utility commission conducts annual security audits.
In March 2019, Donald Trump issued an executive order that directed federal agencies to prepare for attacks involving an electromagnetic pulse. In May 2020, he issued an executive order that bans the use of grid equipment manufactured by a foreign adversary.