State commissions can select from a toolkit of regulatory approaches to promote desired utility cybersecurity behavior. One approach is to allow the industry to selfregulate, and another approach...
A Fine Mess
CIP audits show utilities are just getting started with securing the grid.
to compromise the latest equipment you’ve deployed, just the weakest link in the chain.”
Paying the Price
The industry has met the security challenge with much gnashing of teeth, largely because of the added expense at a time of rising cap-ex and fuel costs.
“Let’s not kid ourselves, this is one of the most capital-constrained industries in the world,” says Ahern. “I spoke to one utility that estimates it will cost $30 to $40 million over the next three years to become compliant with the NERC CIP standards. Where’s the money coming from?”
The key might be finding a financial upside in security investments. This would require utilities to view security as more than solely a compliance issue, and to put pressure on security vendors.
“One executive asked me, ‘how are you going to make this pay for itself?’” Sill recalls. “So we added a number of troubleshooting features. Since we see all the data and encrypt it, we also can do problem analysis. Then they don’t have to roll a truck to a substation to find out what’s going wrong. There’s an easily identifiable cost benefit to having this technology in place.”
There’s also a business case in being the best in class. After all, investor-owned utilities that look the sharpest on security also will look good to investors on Wall Street, because they are hedging against downside risk. In an industry moving toward greater interoperability, demonstrable security could prove a competitive advantage.
“Utilities take issues of operational stability very seriously,” Highfill says. “They’re proud of their track record, in terms of up time and level of service. If they can make some claims and guarantees on that, that’s a fantastic motivator in our industry. You want to be perceived as the rock.”