Stuxnet

State commissions can select from a toolkit of regulatory approaches to promote desired utility cybersecurity behavior. One approach is to allow the industry to selfregulate, and another approach is to leave the job to the federal government. But sofar, neither the industry nor the federal government have developed and implemented adequate standards for securing the smart grid. States can play a constructive role—albeit perhaps not in the form of traditional regulation.

Amid focused attention on cybersecurity for T&D networks and power plants, one critical system is often overlooked: land-based radios. During an emergency, field crews rely on their ability to communicate with radios, making these systems highly vulnerable targets for malicious attackers. Securing them requires robust technologies and tools, as well as training and practices to ensure their availability when the grid goes down.

NERC’s critical infrastructure protection (CIP) standards set a minimum level of security performance—and only for high-voltage transmission systems, not the distribution grid. A compliance-checklist approach to security might lack the adaptability needed to combat evolving threats like the Stuxnet worm. A multi-layered, risk-based approach will provide better protection for the emerging smart grid.

In the wake of recent global-scale cyber intrusions, security concerns have expanded from being compliance and operational issues to fundamental risk management considerations. An integrated, enterprise-wide approach holds the greatest promise for securing critical utility infrastructure against increasing dangers in cyberspace.