Effective cybersecurity will require confidential information sharing – NARUC panel

A panel of experts speaking on the topic of cybersecurity as it applies to the nation’s electrical infrastructure sounded some shared, if unusual, themes when addressing the NARUC Summer Committee Meetings in Denver, Colo., July 22.

The experts agreed that cyberthreats are both real and ever-changing, that meeting those threats will require robust sharing of information, that companies must focus first on security rather than compliance, and that research and development will be a permanent part of future operations.

“Cyberthreats have become part of the ‘new normal’,” Michael Daniel, special assistant to President Obama, told the group. “People are taking it seriously, which is a good thing.”

The magnitude of the threat, however, came as a surprise to many in the standing-room-only hotel ballroom, who were told the electric industry is the eighth-most targeted for cyberattacks.

“Broadly defined, we have 1.9 million attacks on our system every week [including] phishing e-mails, the sort of things we all get,” Ben Fowke, chairman, president & CEO of Xcel Energy (NYSE:XEL) said. “What is really sobering to me is that every day we have 16,000 attacks that we prevent that are specifically targeted to Xcel.” 

Other experts agreed that the nature of cyberthreats has evolved.

“This is no longer e-mails where you get asked to help someone take care of $500 million that they’ve come into; that was a nuisance,” Ron Jibson, chairman, president and CEO of natural gas company Questar (NYSE:STR), said. “Today, these are directed attacks.”

Meeting such threats will require sharing information between organizations, and the panelists agreed that such sharing must originate with the affected companies and utilities.

“We have to coordinate, we have to share information,” Fowke said. “We have to be able to get information on a timely basis so we can react to it.”

The industry is working to coordinate sharing information and ensuring that other steps have been taken, including obtaining the necessary security clearances so the industry can get sensitive information it needs in a timely manner, he said.

Information-sharing will require a change in thinking on the part of regulators, according to one panelist, because information about cyberattacks and responses to them must be kept within the industry and not shared publicly.

“We need to start out on the same side before we move to the more traditional roles of regulator and utility,” Arthur House, chair of the Connecticut Public Utilities Regulatory Authority, said. “We start with our national security, and then we figure out our respective roles after that.”

While that approach runs counter to the principle of transparency, House said the industry and its regulators need to realize cybersecurity is unlike other operational areas.

“I think it’s critical that the utilities be able to work with the [public utility commissions] in confidence,” House said, adding, “We need protection from [Freedom of Information] requests. We’re dealing with intelligence here and the process needs to be secure.”

Focus on security and compliance will follow

Panelists agreed that security, not compliance, must be the industry’s top priority.

Although industry practice has been to approach compliance as a checklist of items to be followed or completed, the consensus of the panel of experts was that compliance will be an outgrowth, or result, of meeting security needs.

“If we get too caught up on the compliance check-list, then we get too caught up on who’s going to be blamed if something goes wrong, and I think we’ll spend our time and our resources on the checklist,” Fowke said. “That’s a static thing, and I think we’d all agree that’s not where we want to be.”

Further, the panel members concurred that industry, not government, will need to take the lead in finding solutions.

Daniel said an Executive Order (EO) issued in February mandates that federal agencies collaborate with the private sector to develop a framework that is based on industry best practices and standards.

“It must be industry-led and frankly, if it’s not industry-led, it won’t work,” he said. “The technology and other things change so rapidly that … we have to enable our work in this space to be dynamic and responsive enough, and that means it has to be industry-led.”

Government’s role

While the industry must lead the effort, the federal government plays an important role, panel members agreed.

One role the government can play is that of an information consolidator and disseminator. Daniel envisions a model similar to the National Weather Service, where a government agency compiles information about the cyber landscape, then pushes that information out to industry.

The former chair of the U.S. House Defense Appropriations Committee concurred.

“The federal government should continue … to prioritize and improve our cyberdefense by sharing more threat information with civilian owners of critical infrastructure to allow them to close known vulnerabilities promptly as they are discovered,” Norm Dicks, former U.S. Representative from Washington state, said.

Daniel noted that 85% to 90% of security breaches exploit known vulnerabilities.

The federal government should also continue research and development of methods to protect the nation’s critical infrastructure from widespread cyberthreats.

The federal government could also employ the nation’s foreign policy strength to bring political pressure to bear when necessary.

“China or Russia may be deterred from launching a widespread cyberattack because our offensive cyber capabilities and our military capabilities are very powerful,” Dicks said. “In addition, economically, many countries are dependent on the [United States’] economic system functioning properly,” meaning a successful cyberattack against the U.S. could be damaging to the world’s economic system.

“Hopefully, deterrence can go a long way in restraining nation-state cyber actors from launching cyber events,” Dicks said.

Additional legislation could also prove beneficial, but Dicks isn’t optimistic.

“It is clear that we must address this critical issue, but it is not clear that Congress will agree on legislation in the near future,” he said. “Congress often reacts as opposed to being proactive,” he added, noting that there has been no comprehensive cybersecurity legislation enacted since 2002.

The industry has come a long way on cybersecurity and, though it still has a long way to go and cybersecurity will be a permanent part of the utility landscape, Daniel cautioned against becoming discouraged.

“The fact that it’s actually taking a while and the fact that these issues are controversial, in my view, simply shows the depth and the importance of them and the need for us to get them right,” he said. “We shouldn’t be surprised that it’s taking a little while to do that.”

Finally, Daniel said, the industry must accept there will be times when its best efforts aren’t enough.

“You have to take [security] seriously but you will never be completely secure,” he said. “It goes with the job.”