
The smart grid is starting to grow up. People are talking less about what it is and more about how to put it in place. The president has made the smart grid a priority, and suddenly the industry is moving in a gear it never knew it had.
However, sometimes growth is accompanied by growing pains. With the smart grid comes the need for cyber security; yet it remains to be seen how the industry will adapt and move forward. A singular authoritative voice might be essential in a domain where the weakest link breaks the chain.
Nevertheless, utilities, manufacturers, system integrators and others continue to find a way to get the job done through leadership, perseverance, and creativity.
While the government and industry choose a single voice, the chorus will carry the day. The successor might even find all the parts written, leaving only the need to lead the show.
Setting the Stage
The need for cyber security has become increasingly apparent over the course of the past year. Mounting political pressures, threatening adversaries, and escalating public anxieties have placed further demands on already accelerated efforts and primed the theater for a smart-grid security authority. The contenders are a disparate lot—from experienced players to savvy newcomers to industry naturals. Regardless, the stakes are high as the coming years will determine who is responsible for ensuring the appropriate level of security is built into the smart grid.
Whoever acquires this responsibility will have no shortage of issues to answer. A recent spate of eyebrow-raising publicity has managed to amplify an already elevated commotion around the importance of security for the smart grid. So who will ascend to this position as an industry prepares to spend untold fortunes on its next generation?
Both houses of the U.S. Congress are considering legislation to address critical cyber vulnerabilities in the electric power grid.
• The Critical Electric Infrastructure Protection Act of 2009 (H.R. 2195/S. 946), sponsored by House Homeland Security Committee Chairman Bennie Thompson (D-Mo.), ranking member Peter King (R-N.Y.) and Senator Joseph Lieberman (I-Conn.), would give the Federal Energy Regulatory Commission (FERC) and the Department of Homeland Security (DHS) additional authorities to deal with cyber intrusions and attacks that could have a crippling impact on the operation of the grid. The legislation allows FERC to immediately address an existing problem affecting control systems, known as the Aurora vulnerability. The Aurora test, a demonstration by DOE’s Idaho National Laboratory, showed that bad actors could remotely destroy costly equipment, including large generators that aren’t easily replaced and without which the electric grid cannot function (see “Aurora Attack: Lessons Learned,” Fortnightly, January 2008). The bill would give FERC the authority to require utility companies to take protective action against cyber threats identified by national security agencies. The legislation also would give FERC the authority to issue rules or orders to protect critical elements of the electricity infrastructure. The commission would be able to issue emergency rules or orders without prior notice if a threat is imminent.
• The Bulk Power System Protection Act of 2009 (H.R. 2165), sponsored by Congressmen John Barrow (D-Ga.), Ed Markey (D-Mass.) and Energy and Commerce Chairman Henry Waxman (D-Calif.), also deals with known cyber-security threats to the bulk power system and provides FERC with emergency authority to deal with future threats to that system. This legislation is spurred on by media reports revealing hackers breaking into the grid and the disclosure of cyber-security vulnerabilities. In addition, U.S. intelligence agencies have sounded alarms about what a determined adversary could do to information systems operating critical infrastructure in the United States.
• The Cyber Security Act of 2009 (S. 773), introduced by Senators Rockefeller (D-W.Va.) and Snowe (R-Maine), proposes substantial changes in the federal government’s cyber-security policy. In 2008, the Commission on Cyber Security for the 44th president conducted the most comprehensive review of cyber-security issues since the release of the national strategy to secure cyberspace in February 2003. The proposed legislation is based on the commission’s recommendations for a comprehensive strategy for organizing and prioritizing efforts to secure America’s computer networks and critical infrastructure. The bill gives the president the ability to declare a cyber-security emergency and shut down or limit Internet traffic in any critical information network in the interest of national security. It also grants the secretary of commerce access to all relevant data concerning networks without regard to privacy laws.
• The United States Information and Communications Enhancement Act of 2009 (S. 921), sponsored by Senator Tom Carper (D-Del.), focuses primarily on strengthening the security of governmental information systems by amending the Federal Information Security Management Act (FISMA). Pressure to upgrade FISMA has been mounting for several years, especially in light of media reports highlighting the vulnerabilities of government information systems. The Wall Street Journal reported that computer hackers had penetrated systems containing designs for a new Air Force fighter jet and had stolen massive amounts of information. The bill would introduce necessary steps to adjust security to compliance as a security exercise. Commercial-off-the-shelf products and services would be required to be standardized according to the federal desktop core configuration, including using products and services with secure baseline configurations consistent with standards and guidelines developed by NIST.
—DRH & VS
Several federal organizations are active in this space. Legislative bodies have discussed the concept of overarching authority (see sidebar, “Congress Seizes Cyber-Sec”). The White House just announced a cyber czar position on May 29, 2009. Yet as of this writing, much of the responsibility lies in the hands of the states—specifically with the individual utility commissions. Will the industry find a way to self-regulate? Will a choice be made by a federal agency? Congress? The White House? It remains to be seen who, how, and even whether, the decision will be made with significant, long-term consequences on the line.
Meanwhile, utilities are leading the process. An uncertain outcome provides no excuse for stasis. The work still must be done, and the utility community is driving work forward to secure the smart grid.
Vulnerabilities
In the middle of March