State commissions can select from a toolkit of regulatory approaches to promote desired utility cybersecurity behavior. One approach is to allow the industry to self-regulate, and another approach...
Better Safe Than Compliant
Protecting the smart grid requires a broader strategy.
When Heather Adkins, Google’s incident response manager, told her fellow security managers last February 1 that “Compliance is the death of security,” she was reflecting the lessons learned by having one of the world’s largest bullseyes painted on her company’s back—and the burden of being accountable for maintaining the integrity of systems that handle several hundred million inquiries from more than 90 million different users every day.
This reality of today’s cyber-threat environment will become more apparent to utility security managers in coming months and years as the industry builds out a smart grid that will more closely resemble the larger, more complex Google network, or an advanced telecom system, than it does traditional in-house communications and control systems.
With the stakes of success measured in the reliable delivery of essential electric power rather than in serving up an email message or music video, utility managers and regulators have good reason to feel both increased pressure to perform and heightened concern about their systems’ ability to keep the power flowing and maintain cyber security.
More than 60 percent of respondents to a 2010 industry survey of utilities and energy companies by the Ponemon Institute reported being extremely or moderately concerned about the threats to their networks from hackers, employees and vendor errors; and 70 percent doubted their ability to apply NERC CIP security standards in their communications and IT networks.
Couple that industry self-analysis with the same survey’s finding that more than half of the country’s power plant and critical infrastructure computer networks have suffered sophisticated infiltrations. Then factor in that the DOE’s inspector general has concluded that FERC and its cooperating organizations might not be able to identify and mitigate cyber security vulnerabilities in the U.S. electric system. Conclusion: We have a problem.
The U.S. utility industry has a history of successfully addressing problems of this magnitude and greater, from harnessing the nation’s hydro power, to recovering from huge natural disasters such as Hurricane Katrina or the Joplin tornado, to moving past the Three Mile Island accident. This has been due in large part to the industry’s engineering skills, can-do attitude, and ability to organize and manage its resources in a hierarchical manner to define project objectives and create significant in-house capabilities for delivering solutions.
Over the decades, the consensus that reliability is the industry’s overarching objective has, in general, made sufficient resources available for the systems, staffing and infrastructure needed to surmount problems, accommodate growth and maintain standards. But the cyber security threat is entirely different, posing new potential risks to millions of individuals in a way that isn’t easy to combat centrally and resists easy risk-cost-reward valuation.
But here’s the rub.
The emphasis on cyber security for the North American bulk electric system takes the form of the NERC Critical Infrastructure Protection (CIP) standards. These standards really set only a minimum level of security performance with which utilities must comply—and only for