Cyber security initiatives ongoing, but ‘attackers will always be one step ahead’

After 15 years of hearing about risks that the electric grid faces, from solar storms to hackers, the reason the issue is still debated, from a policy perspective, is to figure out how to manage risk, according to Kelly Ziegler, senior specialist, Environment, Health & Safety, with Consolidated Edison’s (NYSE:ED) Consolidated Edison Company of New York.

Speaking at TransmissionHub’s TransForum East in Washington, D.C., on Oct. 30, Ziegler noted that the views she was presenting were based on her prior experience as a project manager for the joint effort of NERC and the U.S. Department of Energy (DOE) to look at high impact, low frequency event risk to the North American bulk power system.

She highlighted various matters, including the 1989 solar storm that caused the collapse of Hydro-Québec’s grid, the 2007 Aurora experiment by the Idaho National Lab that “proved that a remote cyber attacker could permanently damage equipment on the electric grid,” and the 2010 Stuxnet virus, which “was built by a sophisticated team widely believed to be U.S. government and Israeli government actors.”

Questions now involve how does the industry, and society, manage risk?

Furthermore, how does one decide how probable it is for a major cyber attack to occur on any given afternoon, and how does one ascertain the probability that a geomagnetic storm could occur? she asked.

“We have some ideas about how the sun’s weather works,” she said. “Do we know for sure what that’s going to cause here on our … planet? Not always.”

Last year, for instance, there was a lot of hype over a huge solar cycle that would cause significant amounts of damage, but in the end, nothing happened, she said.

The industry must determine how to protect assets against risks, which may or may not happen, and whose frequency and severity is unknown, Ziegler said.

Since the grid is interconnected, “it’s only as strong as its weakest link,” she noted.

There has been some improvement since the 2003 Northeast blackout, for instance, “the risk still is there, though, that we are very much interdependent on each other in this industry, so we talk about this enhancing protection beyond those levels that are prudently determined through a risk assessment by the asset owner,” she said.

That requires additional investment, and asset owners must determine how far they want to go with that, including deciding whether or not to “build a fence around” everything.

Regulators and society in general place a high priority on having reliable electric service available, but how much one is willing to pay for that is a matter of discussion, particularly from a national security perspective.

She added, “How do we weigh as a society where we want those responsibilities to fall and who benefits from them and who pays for them and to what level of protection are we willing to subject ratepayers to an adder on their bill for whatever that may cost?”

On cyber attacks, Ziegler noted that the attackers will always be one step ahead.

“There will always be vulnerabilities that we haven’t been able to mitigate because we didn’t know they were there,” she said.

There are various initiatives across the country working on such issues, however.

For instance, the National Institute of Standards and Technology (NIST) recently published its new framework under an executive order that basically centers on five things, including the need to identify the assets that have to be protected.

“Figure out how you’re going to detect when an asset has been compromised, figure out how you’re going to protect those assets, figure out how you’re going to respond to an event and how you’re going to repair and rebuild,” she added.

If there are standards that must be complied with as a registered entity under the NERC and FERC requirements, one must make sure to read those standards and comply with them, she said.

However, Ziegler said, it is key to make the smart decisions on a day-to-day basis as one is developing projects and working on facilities.

“As we’re acting in the role of asset owners [it is important] to think about this stuff, how can we do this better?” she said. “How can I educate myself about cyber risk?”

It is also important to figure out how to hire and retain individuals who will help keep systems safe, as well as to train all employees on safety practices, such as not opening potentially spam e-mail messages or sharing e-mail passwords.

“If you have a staff meeting, talk about these issues with your staff, get your IT department to come talk about these issues, develop that education, develop that awareness [and] develop the training,” she added.

Ziegler said her general advice for keeping systems as safe as possible is to be smart.

“[A]t the end of the day, it’s up to us,” she said.

About Corina Rivera-Linares 3203 Articles
Corina Rivera-Linares, chief editor for TransmissionHub, has covered the U.S. power industry for the past 15 years. Before joining TransmissionHub, Corina covered renewable energy and environmental issues, as well as transmission, generation, regulation, legislation and ISO/RTO matters at SNL Financial. She has also covered such topics as health, politics, and education for weekly newspapers and national magazines. She can be reached at