Experts call for a new organization to oversee grid’s cybersecurity

Published 4 March 2014


Power industry-led group should be auditing grid security // Source: pnnl.gov

In 2013, U.S. critical infrastructure companies reported about 260 cyberattacks on their facilities to the federal government. Of these attacks, 59 percent occurred in the energy sector.

A new report, co-authored by former CIA and NSA director, Gen. (Ret.) Michael Hayden, proposes that energy companies should create an industry-led organization to deflect cyber threats to the electric grid. The organization would extend membership to power companies across North America, including large generators as well as local distribution utilities. Modeled after the nuclear industry’s Institute of Nuclear Power Operations, the proposed organization, to be called the Institute for Electric Grid Cybersecurity, would oversee all the energy industry players that could compromise the electric grid if they came under a cyberattack.

“We believe such an organization could substantially advance cybersecurity risk-management practices across the industry,” the authors write. The report, released last week by the Bipartisan Policy Center, also evaluates current initiatives aimed at protecting the North American electric grid from cyberattacks.

Critical infrastructure companies are increasingly concerned about cyberattacks, but NextGov reports that the energy sector has already made important strides in protecting the electric grid because it is subject to mandatory cybersecurity standards (the NERC Critical Infrastructure Protection standards, enforced by FERC). These standards focus mainly on high-voltage transmission facilities and large generators, and generally exclude the distribution utilities that deliver power to homes and businesses. Distribution-level cyberattacks, however, could cut power to critical services that depend on it, such as telecommunications, water systems, and oil pipelines.

“In some cases, cyberattacks on distribution system facilities could have consequences that extend beyond that system,” the report’s authors write. “Simultaneous attacks on multiple distribution utilities, or an attack on a single utility’s distribution operations in multiple locations, could have broader ramifications for the bulk power system.”

The 2003 Northeast blackout caused an estimated $6 billion in economic losses. That incident began with transmission lines in Ohio sagging into trees and was compounded by a failed alarm system in the utility’s control room; a deliberate cyberattack, especially one coordinated with a physical attack, could lead to greater losses.

The proposed organization would not interfere with the industry standard-setting organization, the North American Electric Reliability Corporation (NERC), or the government agency that enforces industry standards, the Federal Energy Regulatory Commission (FERC). The authors of the report also assure that “at present, we do not believe that there is a sufficient case for expanding FERC’s jurisdiction to encompass cybersecurity at the level of the distribution system.”

As with the cybersecurity framework issued by the National Institute of Standards and Technology (NIST), participation in the proposed organization would be voluntary. The federal government could nonetheless encourage companies to join by treating “participation in the institute — and satisfactory performance evaluations — as equivalent to adopting the cybersecurity framework to the extent adoption of the framework is required to be eligible for particular government programs or incentives going forward,” the authors write.

Other incentives for joining the organization include better insurance options against economic losses caused by cyberattacks, with the federal government initially acting as a backstop for insurers. “A federal backstop would increase carriers’ willingness to offer cyber insurance and lower the cost of doing so,” the authors write. “In addition, a federal backstop would give carriers time to gather and review data about cyber incidents as they seek to develop policies that appropriately share risk.”