Regulators, others vow to stay diligent on cybersecurity threats, grid vulnerabilities

State and federal regulators, the utility sector and government agencies are doing a good job on sharing information on cybersecurity protections, but that work is a continuous process requiring constant attention, and more needs to be done to protect power grid reliability, panelists said at a Washington, D.C., conference Feb. 14 and Feb. 15.

The panels were part of the winter committee meetings of the National Association of Regulatory Utility Commissioners (NARUC), where cybersecurity measures were discussed by FERC Chairman Norman Bay, FERC Commissioner Cheryl LaFleur, officials from the U.S. Department of Energy (DOE), the Edison Electric Institute (EEI), NERC and others.

The critical infrastructure protection (CIP) reliability standards developed by NERC and approved by FERC are updated frequently, but they are a minimum and FERC cannot update them quickly enough to address the cybersecurity threats posed by anyone looking to do harm to the power grid, LaFleur said during a Feb. 14 panel on cybersecurity.

“These threats continue to evolve rapidly,” so state and federal regulators “have to be nimble,” in how they help the power industry address cybersecurity threats when regulations and NERC standards take a comparatively long time to approve, LaFleur said.

“We get attempts at intrusions in our systems every day,” and as a utility in today’s environment, “it’s part of doing business,” Nick Akins, chairman, president and CEO of American Electric Power (NYSE:AEP) (AEP), said during a Feb. 15 panel on grid security.

“We need to be on constant alert” protecting the grid from physical and cyber threats, because while the utility grid is resilient to begin with, “we’ll never be through” addressing the threats and scenarios that pose challenges to reliability, Akins said.

FERC is helping share information on bulk power grid reliability threats with state regulators, including a classified briefing to be held Feb. 17, and “we really need to partner together” to protect the grid, Bay said during a Feb. 15 “Q&A” session. That partnership is needed because although distribution network reliability is the responsibility of state regulators and FERC’s authority is limited to the bulk power grid at the wholesale level, the networks are connected and cooperation is important for success, Bay said.

The Electricity Information Sharing and Analysis Center is helpful for keeping the industry and government agencies informed of the evolving cyber threats, but the risks seem to be increasing and more needs to be done, according to Bob Kolasky, deputy assistant secretary for infrastructure protection at the U.S. Department of Homeland Security (DHS).   

“We’re not satisfied with where the current risk is,” following a December 2015 power grid intrusion in the Ukraine that prompted an alert from NERC to ensure the U.S. grid is not vulnerable to something similar, Kolaksy said.

The NERC alert following that Ukraine incident was designed to ensure that utilities and others look for efforts similar to what happened in the Ukraine, Marcus Sachs, senior vice president and chief security officer at NERC, said during the Feb. 15 grid security panel. Months ahead of that incident, an outside entity obtained credentials through phishing to masquerade as a utility employee, and thus the grid intrusion from a remote location was not detected right away in December because it looked like an employee to grid monitors, Sachs said.

The U.S. grid is more secure and resilient than Ukraine’s, and it does no good to “jump to conclusions” that what happened in the Ukraine could happen in North America, but there are lessons to be learned from such incidents, Sachs said. While some of the information about the Ukraine incident is classified, plenty is not and the unclassified information should be shared among industry and regulators, Sachs said.

Utilities routinely share information on cyber threats and they are doing “a heck of a lot more” than complying with the CIP standards from NERC, Jim Fama, vice president of the energy delivery group at EEI, said during the Feb. 14 cybersecurity panel .

Because the power grid is so vital to the U.S. economy and so many different government agencies have a hand in cybersecurity protection, such as FERC, DHS, DOE, the Federal Bureau of Investigation, the Department of Defense and the National Security Agency, “there are a lot of cooks in this kitchen,” Fama said.

“We all have a role to play,” but the different agencies all have the same goal to protect the power grid from intrusions, Patricia Hoffman, assistant secretary at DOE, said during the Feb. 14 cybersecurity panel.  DOE is performing research and demonstration of grid monitoring tools and software to improve grid security, Hoffman said.

Cybersecurity can seem daunting for an individual agency or a single state to tackle on their own, but “we need to stop admiring the problem and start thinking about solutions,” Hoffman said.

Fama agreed, noting that utilities have a long history of with providing mutual assistance to fellow utilities in different parts of the country in response to weather events and power outages. EEI and others are looking to take that experience one step further to provide “cyber mutual assistance,” but “we need some big improvement” to reach the level of success following Hurricane Sandy, Fama said.

Utility solutions should include grid recovery efforts in case physical assets are harmed, and AEP is one of several companies that is part of Grid Assurance LLC, Akins said during the Feb. 15 grid security session. “We need access to spare equipment” beyond what is available through the EEI Spare Equipment Transformer Program, and Grid Assurance can help, he said.

Grid security is about both physical and cyber security and Grid Assurance would address the physical need to have critical infrastructure available at strategic locations, he said.

As TransmissionHub has reported, the Grid Assurance business plan involves having utilities voluntarily sign up and pay for grid resiliency services that include procurement and storage of spare transformers and other critical grid equipment at strategically located warehouses to cut down on the time power outages would last, aiding power restoration in case of catastrophic events such as physical or cyber attacks, geomagnetic disturbances, solar storms, wildfires or severe weather. The group has a petition pending at FERC.

NERC’s Grid Exercise III showed how government and the utility sector can work together to stay diligent about the evolving cyber threats, Akins and others noted at the NARUC meetings.