State commissions can select from a toolkit of regulatory approaches to promote desired utility cybersecurity behavior. One approach is to allow the industry to selfregulate, and another approach...
What Price, Security?
Grid reliability depends on ‘reasonable business judgment’
The word “security” no longer means what it used to mean. “Security” once referred to comfort, stability and a sense of well being. It was a chicken in the pot, a crackling log in the fireplace and a well-funded pension plan. It was Linus Van Pelt’s blue-flannel blanket.
Now, “security” means gates, guards and guns. It means protecting critical assets with a multi-layered cyber and physical perimeter. It means exercising vigilance and caution, and accepting inconvenience as a matter of routine.
The price of security has gone up since September 11, 2001, and it continues rising as America faces growing threats from a range of ideological and economic opponents. As National Security Adviser Stephen Hadley said in a recent press conference, “Welcome to the real world.”
In this context, industry leaders are putting forth an unprecedented effort to implement new security standards for the electric power grid. These standards inevitably will bring costs and compromises, but the industry’s leaders understand the importance of their mission—to secure what arguably has become the most critical piece of America’s infrastructure.
Utilities and their customers will pay a significant price for security in the real world of the 21st century. Whether that price proves to be too high (or not high enough) depends on how the industry responds to the challenge.
Know Thine Enemy
In The Art of War , ancient Chinese philosopher Sun Tzu counsels military commanders, “Know thine enemy.” This phrase has become something of a cliché, but for the U.S. utility industry, Sun Tzu’s advice appears more pertinent than ever. The nature of the cyber security threat is changing quickly—and the stakes are rising.
In the beginning, amateur hackers would claim nerdy bragging rights by planting evidence of their intrusion—the electronic equivalent of a “Kilgore was here” graffito. Sometimes they played tricks on companies, destroying data and corrupting systems. Then hackers became more devious and dangerous, seeking to extract personal data to use in bank fraud or identity theft. And now, they pose a serious threat to reliability and business operations.
The most obvious and disturbing examples are terrorists, intent on disrupting service and spreading chaos. Other dangerous opponents include criminal extortionists and nation states, hacking utility systems in pursuit of economic or political goals. Some cyber attackers have subtler aims—to manipulate power prices, impede a competitor’s market access, or even to influence political trends. An incumbent candidate might suffer at the polls, for example, if utility service in his or her voting district becomes unreliable.
All these threats represent a clear and present danger to the security of America’s critical infrastructure. An effective defense will require utilities to apply world-class strategic thinking, as well as state-of-the-art technology and organizational excellence. To defend the grid against such threats, utilities must first understand the enemies they face, as well as their goals and their tactics.
But perhaps the greatest threats of all don’t come from outside the industry, but from within it—in the