State public service commissions are insisting that utilities adopt risk management programs, and are allowing less pass-through for those that don't.
Charles W. Thurston is a freelance writer in New York who covers energy issues, and is a frequent contributor to Public Utilities Fortnightly.
Many electric utilities have been on high alert since Sept. 11 to protect the assets within their systems from cyber and physical attack. Months later, signs are that the warning lights will stay on for years to come as utilities refine their capabilities for attack prevention, mitigation, and recovery, both individually, and as a nation.
The Y2K fear forced virtually every utility in the country to reassess and reinforce the capabilities of their information technology systems, and this exercise helped to prepare the industry against cyber attack today. Expanding security attention from data to physical assets, many utilities were aware of the aging nature of their protection system technology prior to the events of 9/11, and began taking steps to replace and upgrade critical components, consultants agree. The new level of threat that utilities now face means that both procedures and technology must be enhanced in a dynamic way to permit utilities to react to the latest type of threat and still mitigate the potential for disruption or disaster.
Given the geographic spread of all the electric utility sites in the country, it is not feasible to protect all physical assets in the same way, thus prioritization of security efforts is a critical prerequisite to implementing the most feasible solution. Still, generators, distributors, and transmission companies alike are pursuing heightened security capability now.