April 27, 2011

How to Be Smart About Our Energy and Cyber Security Goals

America’s critical civilian infrastructure – including its
power, oil, and gas systems – is vulnerable. Today’s threat environment is
vastly different from nearly a century ago when some of the existing infrastructure
was being put in place, and yet the necessary improvements to meet the changing
times have by and large been lacking. As a consequence, according to one
industry expert who spoke with CNAS during an off-the-record meeting, the
electric sector today is where the IT sector was in the 1980s. So perhaps it is
not surprising that our brittle power grid and related systems are exploitable
and ill-prepared for cyberattacks. But many power companies are doubling down
on that vulnerability with smart grid technology, according to a recent report
from CSIS and McAfee. Power utilities “are implementing ‘smart grid’ technologies
that give their IT systems more control over the delivery of power to individual
consumers – or even to individual appliances in customers’ homes.”

Investment in smart grid technology has been, in part, an
investment in our energy security future. The promise is that smart grid
technology can help us manage electrical loads so that production and
consumption are matched more efficiently (e.g., if a community’s demand at a
given moment is 20 gigawatts (GW), the local power utility produces only 20 GW,
so that excess electricity is not wasted), and that it can allow power generated
from alternative energy sources such as biomass, wind and solar to be fed into
the grid alongside power from conventional sources (i.e., fossil fuels). These
are just some of the many areas ripe for better managing the nation’s energy
resources.

But experts are cautioning that smart grid technology may be
deployed with inadequate safeguards and security functions that would
otherwise help protect against cyberattacks that could bring down entire utilities,
or even just network intrusions that compromise sensitive data. But how does
the government get smart grid developers and utility companies to integrate
cutting-edge security functions into their technology when, according to former
Director of Central Intelligence Jim Woolsey, “Ninety to ninety-five percent of
the people working on the smart grid are not concerned about security and only
see it as a last box they have to check”?

Part of the solution comes from implementing and enforcing
standards that have to date been ill-defined. For example, according to one
industry expert who spoke with CNAS researchers at an off-the-record
discussion, the Department of Energy’s initial smart grid grants did not ask
upfront about the cyber security architecture. But meeting smart grid cyber
security guidelines needs to be mandated for smart grid developers and utility
companies, not left to their discretion. (The National Institute of Standards
and Technology [NIST] recently completed an initial set of smart grid cyber
security guidelines.)

The challenge on the utility side, however, is that there is
no effective way to enforce cyber security compliance. The Federal Energy Regulatory
Commission is charged with overseeing interstate electricity sales, but when it
comes to cyber security for the electric sector its authority is limited. In
response to a recent GAO report that chided FERC for not having a stronger
process for monitoring industry cyber security compliance, FERC Chairman Jon
Wellinghoff “pointedly noted that when Congress set up the process for creating
cybersecurity standards for the electric power industry in the 2005 Energy
Policy Act, it put the agency into a reactive stance: FERC
can approve or reject cyber standards developed through NERC's [North American
Electric Reliability Corp.] industry consensus process, but it cannot do more,”
according to a recent report in ClimateWire.
As a consequence, FERC can recommend changes that would enhance utilities’
cyber security goals, but it can’t mandate them.

There has been some forward progress toward moving past the
jurisdictional roadblocks. Pending congressional legislation on cyber
protection policy would “give FERC the authority over critical distribution
networks that it has been seeking,” ClimateWire reported. “The proposed
language says the bill would cover the ‘generation, transmission, or
distribution of electric energy affecting interstate commerce’ that federal
authorities consider to be vital to U.S. security or national public health and
safety.” The Senate is scheduled to hold a hearing on the legislation in May.

To some, the nation’s energy and cyber security goals may seem
to be in conflict, but they are not; they just need to be better aligned. Cyber
security experts have a reasonable concern about deploying smart grid technology
too soon if the systems could be rife with vulnerabilities. But our energy and
cyber security goals do not have to work against each other.

The U.S. government needs to develop a coordinated path
forward that leverages cyber security expertise in the service of the nation’s
energy security goals. The United States has existing cyber security standards
for the IT and financial sectors, and as mentioned earlier, NIST already has
initial guidelines that would enable better cyber security for smart grid
technology. We do not need to reinvent the wheel. The challenge perhaps is
getting cyber security experts and power industry and other energy experts to
work together to develop a way forward that maximizes both the cyber and energy
security benefits. Those benefits would be tremendous: a smart, secure electrical
grid that can better manage the nation’s energy production and demand in an era
when how we handle our energy resources will have repercussions for U.S.
economic and national security.