Electricity Delivery Is An Open Target For Cyber Threats
The electric grid often utilizes industrial control systems to automate generation, transmission and distribution. As utilities adopt digital technologies to keep up with electricity demand and consumption, cyber attack vulnerabilities increase and new entry points emerge. Many public utilities commissions (PUCs) have not required utilities to boost their cybersecurity, placing customer electricity access in jeopardy. Regulators need to incentivize and mandate cybersecurity standards for utilities.
Utilities operate the distribution part of the grid — the final stage where electricity is delivered to customers. Currently, mandatory cybersecurity standards only exist for the bulk power portion of the electric grid, but not the distribution system. The distribution system delivers electricity to pipelines, medical facilities, telecommunications, military bases and other critical infrastructure. If a successful cyber attack on the distribution system disrupts electricity, devastating economic and security consequences can result. Clearly, the distribution system also needs to be protected to prevent damage to the bulk power system.
A successful cyber attack on the U.S. electric grid is possible. Russia has a well-resourced central cyber command. It is widely believed that Moscow has already penetrated U.S. government organizations such as the State Department, Department of Defense and the White House. China is very active in cyber as well. Beijing utilizes viruses and botnets to access targets, but these efforts are likely aimed more at intellectual property theft and gathering intelligence to improve their own infrastructure. Iran also uses its cyber program against political enemies to collect intelligence, but is less sophisticated in comparison to Russia and China.
PUCs could play a significant role in motivating utilities to boost cybersecurity efforts. This is because they decide what percentage of profits utilities can keep and authorize which investment costs can be passed on to the consumer. Yet, PUCs have been slow to motivate utilities to enhance security from cyber threats. Funding cybersecurity efforts is costly and some PUCs are reluctant to gather information about utilities’ cybersecurity weaknesses. This is because they fear that they could then be held responsible if sensitive information is publicly disclosed. This attitude needs to change.
Boosting utilities’ cybersecurity efforts is expensive. Though the Department of Energy and the Department of Homeland Security offer grants to fund cybersecurity efforts, government funds are limited. Utilities should seek private investors to create revenue streams for funding such projects. Updating energy infrastructure could also result in savings that may then be applied to enhanced cybersecurity measures. Rates can also be reasonably increased to ensure delivery of electricity is secure. More utilities need to pursue such funding opportunities to protect electricity access for consumers.
PUCs should require utilities to conduct a risk analysis so they better understand cybersecurity weaknesses. This profile will allow for informed decision-making, identify steps to reduce threats and create clear cybersecurity goals. PUC commissioners then need to determine whether utilities are making sufficient investments in cybersecurity and whether those assets are properly prioritized.
Since utilities are decentralized, conducting a risk assessment for each will be challenging. For example, a utility may own multiple power plants and control centers in different states. In addition, utilities perform multiple functions such as distribution, power trading and customer service. While each site or department operates more or less independently, they also have different cyber access points and they tend to not share threat data.