Critical infrastructure policymakers are advocating the foundation of a new entity, the Institute for Electric Grid Cybersecurity, along with a new set of guidelines, to better protect the North American electric grid from cyber-attacks and determine how to respond if the grid is ever compromised.
The initiative was described in a new report (.PDF) issued by the Bipartisan Policy Center. The report was authored by a handful of officials from across the industry, including former National Security Agency and C.I.A. Director Gen. Michael Hayden.
Hayden appeared on a panel last Friday to discuss the paper at the Bipartisan Policy Center in Washington, D.C. where the rest of the report’s authors discussed their recommendations. The group is largely encouraging government agencies and private entities to strengthen the system that’s in place before it’s inevitably attacked.
Calling it a domain that favors the attacker, Hayden called the threats “almost self-evident,” before going on to reference the adversaries who want to “degrade, disrupt, deny, destroy” networks and the hackers out there responsible for “recreational espionage.”
Hayden was joined by Curt Hébert, a partner at Mississippi law firm Brunini, Grantham, Grower & Hewes, Paul Stockton, a Managing Director at economic advisory firm Sonecon, and Scott Aaronson, the Senior Director of National Security Policy for the Edison Electric Institute.
Throughout Friday’s panel, the men made several references to the staggering $6 billion costs that were attributed to the 2003 Northeast blackout of August 2003. While that blackout was ultimately blamed on an errant tree branch, that idea, the concept of a multiday outage, is a spectre that still looms over the electrical grid.
Hébert, who formerly chaired the Federal Energy Regulatory Commission, at one point called electricity “the most critical of the infrastructures,” mentioning the blackout and the difficulties associated with restoring sectors like telecom and healthcare. Hébert insisted that the industry has to do a better job understanding the need for mandatory standards, adding that while the NERC has done a good job working with the federal regulatory commission, there are still risks that need to be mitigated.
Hébert described the new organization, claiming it would need to be independent and tackle security from a holistic angle to ensure that everything “from the burner tip all the way down to the point that the kilowatt is actually given to the consumer” is protected.
The industry organization, tentatively titled the Institute for Electric Grid Cybersecurity is only mentioned twice in the 76-page report but the group claims that it could be loosely modeled on the Institute of Nuclear Power Operations, a group started in the wake of the accident at Three Mile Island in 1979 and involve “power sector participants” from across North America.
Those participants would ideally include local distribution utilities – there are 3,200 nationwide that delivery electricity – large generators and state utility regulators.
Still though Hayden acknowledged that to get a change to come, everyone would have to assume responsibility, most importantly the government.
“This cannot be done with just good will and executive action; it’s going to require Congress to actually face these issues and make some decisions that provide some legislative structure in terms of protection and responsibility that makes this more possible than it is today,” Hayden said.
The case for congressional action is clearly laid out in the report with one part recommending the Department of Energy allocate funds “to fully evaluate and understand systemic cyber risks” and “help regulators better evaluate the potential impacts of cyber attacks and provide needed context for weighing the benefits of utility investments in cybersecurity.”
“What permeates the report is that you can’t win this just defending the perimeter, you can’t win this with just prevention and defense ,” Hayden said.
“It’s the concept of resilience, what happens after things start to go wrong?”
As Matthew Wald, an energy reporter with the New York Times who moderated Friday’s panel reminded the audience, that’s exactly whats happening.
Things are going wrong.
Wald noted in the panel’s introduction that of the 250+ incidents reported to the Department of Homeland Security last year, two-thirds of them targeted the energy sector and grid.
One of the bigger problems with the grid came last year when two engineers Adam Crain and Chris Sistrunk discovered a vulnerability in an electrical communication protocol that’s widely used across the country. That vulnerability opened the floodgates and later led to a 20-page report “replete with vulnerabilities in 16 different system vendors.” According to a New York Times article from an October briefing the vulnerabilities, they affect a number of supervisory control and data acquisition systems (SCADA) and if used at a single, unmanned power substation, the vulnerabilities could result in “a widespread power outage.”