It’s Time for Electric Utilities to Re-Energize Their Cybersecurity Efforts
A cyber attack on the North American electric grid could have crippling effects on our nation. Fortunately, private and public agencies are working to update protective measures. Here, in the third article in our series for National Critical Infrastructure Security and Resilience Month (November), FTI Cybersecurity comments on the state of the issue.
From power plants to service stations to private homes, all aspects of the U.S. energy sector are being transformed by the rise of interconnectivity. While the benefits have already proven vast and the future holds great promise, there is reason for concern. Like other interconnected industries, with great connectivity comes increased threats of cyber attacks.
For the U.S. energy sector in particular, a cyber attack can have far-reaching consequences. A chilling precedent can be seen in the 2015 incident involving Ukrenergo, Ukraine’s national grid operator. After hackers planted malware in the network, they gained the ability to control circuit breakers. The result was a blackout that left 225,000 people without power. To add insult to injury, these hackers flooded Ukrenergo's customer service phone lines with fake calls, preventing customers affected by the blackout from reaching the grid operator.
The incident is considered the first successful cyber attack of a utility. It also serves as a serious wake-up call for U.S. energy companies.
Energy Sector Gets a Jolt of New Tech
The introduction of new technologies across the North American electric grid is completely transforming how the sector operates and altering the way in which energy is distributed and utilized in the United States.
Most of the innovation is occurring on the distribution side of the industry (i.e., delivery of electricity by utilities sourced from generators to the homes and businesses they serve), yet all depend on digital interconnectivity to the power grid, to customers and to system operators.
Here are a few of the technologies that utilities are studying and installing:
- Energy storage alternatives, similar to how batteries operate
- Smart meters, which allow for real-time monitoring of customers’ consumption
- Distributed Energy Resources (DERs), which are small-scale generation assets and often renewable
Increasing connectedness creates benefits. Customers can better manage their energy consumption. DERs can reduce emissions and create reliability. Batteries allow energy to be stored during low-demand periods. The availability of vast quantities of electricity supply and demand data gives operators new insight into their systems.
Not Quite Ready for Prime Time
While these changes are taking place industry-wide, the rate of implementation is lagging due to a lack of common oversight. Because electric utilities are regulated by the states in which they operate, new approaches are driven by state policies, not federal policies. Some states have proactively modernized their power grids by implementing operating models and smart technology, while other have remained idle.
This inconsistency is a major speed bump on the road to safe and effective operation across the grid. It also places the sector in a precarious position. Digital interconnectivity creates additional points of access for malicious actors to infiltrate, presenting more opportunities to compromise a power grid. It’s not surprising, then, that half of all utility CEOs say a cyber attack on their organization is “inevitable.”1
Although there is inconsistency, the regulatory framework is evolving in an attempt to keep pace with the growing risk of cyber attacks.
At the national level, the Federal Energy Regulatory Commission (FERC), working in conjunction with the North American Electric Reliability Corporation (NERC), has made securing the interstate energy network a major priority. Evidence can be seen with the implementation of Critical Infrastructure Protection (CIP) standards, which establish a set of minimum requirements related to security, reporting and related issues for the bulk power grid.
States are taking action by reviewing cybersecurity practices at the utilities they regulate. Remedial activities and penalties for companies that fail to meet certain standards have gone into effect. One example is the requirement that offices be staffed with employees who have sufficient cybersecurity technical expertise. To that end, the Illinois Commerce Commission created the Office of Cybersecurity and Risk Management in 2017. One year later, the Pennsylvania Public Utilities Commission followed suit with the creation of its Office of Cybersecurity Compliance and Oversight.
Energy companies are also taking proactive steps — sometimes beyond what regulators are doing — to tackle cybersecurity threats by responding through collaboratives. These include sharing best practices, cyber response plans and incident response mutual aid plans.2
Business leaders are responsible for managing every type of risk at their organizations, including mitigating cyber risk. In January, the World Economic Forum (WEF) published a report titled “Cyber Resilience in the Electricity Ecosystem: Principles and Guidance for Boards.” An excerpt from the preface explains the importance of leaders being front and center:
We, as board members and chief executives, must take it upon ourselves to build a robust and pervasive cyber resilience culture and ensure it is instilled in every person within our organizations, from top to bottom. In addition, cyber risk should be centrally managed similar to other risks; however, it is often delegated to our information technology teams. A key aim of this report is to highlight the need for this to evolve.
In today’s interconnected world, all employees should understand how they, in their specific roles, can work to prevent a cyber incident from occurring, and to recognize when essential systems may be compromised or at risk of an attack.
How can utilities achieve this level of readiness? By introducing continual cyber awareness training to supplement technological protective measures, users will be informed about threats and educated about phishing emails, suspicious links and other sources of malware, for instance.
For energy infrastructure, taking these important steps to protect interconnected grids from cyber attacks will ultimately help their customers keep their lights on and prevent significant and widespread damages.
Senior Managing Director