Security and the States
The regulator’s role in promoting cybersecurity for the smart grid.
No state regulator wants to wake up one day and learn that hackers have brought down the power grid in his or her state. At the same time, many state regulators want to encourage modernization of the electric grid. They realize that making the grid smarter could make it more vulnerable to cyber attacks. But state regulators struggle to define their role in promoting cybersecurity.
State commissions face several dilemmas. Even the largest states must work with tight budgets and limited expertise. Nor are individual electric utilities well prepared to handle the novel and complex challenges of cybersecurity. Cybersecurity standards at the federal and industry level are slow to be adopted. And it isn’t clear how regulation, state or federal, can be effective in producing desired results.
State regulators have confronted IT and security issues for many years, of course. In the months leading up to Y2K, it was hard to find a consultant available to help a state make sure its utilities were prepared. The sudden emergence of that computer code problem was a wake-up call. And we all remember where we were in September 2001 when we learned that the United States had been attacked by terrorists. The 9/11 attacks gave state regulators a crash course in the need to protect critical infrastructure, including the computer networks that support it. At first, we tended to think in terms of protecting buildings and equipment, rather than countering cyber threats. But questions about cybersecurity have emerged in recent years. And the advent of the smart grid has forced regulators to focus on the security of our utilities’ interconnected cyber assets. (See Fortnightly’s recent coverage of this issue.)
Smart grid technology bumps up the threat potential significantly, by interconnecting previously stand-alone components of the grid, collecting unprecedented amounts of information, and linking parts of the grid to the Internet. The risks aren’t only that valuable information will be stolen, but that hackers can corrupt the operations of the grid. The success of the Stuxnet worm in setting back the Iranian nuclear program woke us all up to the risk of adversaries hacking into system controls—e.g., SCADA systems. Recent reports that the United States and Israel used such malware to slow down nuclear bomb development in Iran have raised concerns about possible cyber retaliation. The need for utility cybersecurity has reached the urgent stage.
State commissions can select from a toolkit of regulatory approaches to promote desired utility cybersecurity behavior. One approach is to allow the industry to self-regulate. Another approach is to leave this job to the federal government. The industry and the federal government, however, so far haven’t developed and implemented adequate standards for securing the