Cybersecurity Special Feature
Brien J. Sheahan is a commissioner for the Illinois Commerce Commission. He also serves on the NARUC Board of Directors.
Dramatic changes occurring in the realm of cybersecurity and new focus on resiliency coupled with the need for regulators to develop greater understanding of utility preparedness, potential consequences, and costs necessitates an expanded dialogue regarding the protection of critical infrastructure and how we pay for it.
At the turn of the twenty-first century, concern over the millennium bug was fading and the internet entering adolescence, stories involving cybercrime began to creep into the public conscious. By the second half of the first decade of the new millennium serious attacks of government digital information networks were a known and growing threat along with concern for the destructive potential for this nascent technology.
According to the Center for Strategic and International Studies, the Central Intelligence Agency was aware of four incidents overseas where hackers were able to disrupt, or threaten to disrupt, the power supply of four foreign cities, and where Chinese supply chains were already being compromised. In a first, the Wall Street Journal reported in 2009 that "cyberspies [had] penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system," but this vulnerability remained largely theoretical.
In the subsequent ten years the cadence of significant reported cyberattacks quickened at a pace of more than one a week, including some of the largest in U.S. history, and the first reported attacks on industrial control systems presaged the emergence of cyber-physical attacks. Two decades of evolution of cyber threats culminated in the unprecedented 2015 Russian attack on the Ukrainian power grid which, while having relatively minor impact, was likely intended to cause permanent damage and blackouts lasting weeks or months.
No longer theoretical, the reality of cyber-physical attack has reached U.S. shores. In March of this year according to the U.S. Department of Energy unknown hackers successfully executed a "denial of service" attack against Cisco equipment resulting in the loss of visibility into supervisory control and data acquisition (SCADA) systems at a Western U.S. utility.
Brien Sheahan: Confronting and dealing with the asymmetry and sensitivity of cybersecurity information available to regulators, the costs, and consequences of this new landscape will be an abiding aspect of the regulation of utilities for years to come.
While there were no outages, the loss of visibility into the relatively limited power infrastructure of today raises troubling prospects for a future where millions of distributed energy resources and grid connected appliances, from electric vehicles, batteries, rooftop solar, and networked heating and air-conditioning units will exponentially expand the number of attack vectors.
The seriousness of the problem resulted in the July passage of legislation by the U.S. Senate requiring the U.S. Department of Energy to study grid vulnerabilities and the feasibility of operating the grid manually with analog and nondigital control systems. Earlier in the year the Department of Energy created a new Office of Cybersecurity, Energy Security, and Emergency Response.
What recent history has shown is that the cyber threat has evolved from one that was theoretical to one where state-actors, and perhaps others, have demonstrated the ability to effectuate real world cyber-physical consequences with potentially catastrophic effects for hundreds of millions of people. The reality that the grid is vulnerable and brittle, and the enormity of the consequences we face from the potential of medium and long-term disruptions is the world we live in today.
What does this mean for state utility regulators? The intent of this special cyber edition of Public Utilities Fortnightly is to begin a conversation among state regulators, distribution utilities, and other stakeholders around the unique challenges posed by cybersecurity threats, the need for resilience, and their confluence with the profound transformation occurring in the generation, delivery, and consumption of electricity by what will be millions of new grid connected devices and electrification of transportation.
To begin to address these challenges, this magazine explores issues faced by a variety of participants including utility executives, regulators, and outside experts examining their perspectives on cyber-defense, preparedness, and digital resilience.
Confronting and dealing with the asymmetry and sensitivity of cybersecurity information available to regulators, the costs, and consequences of this new landscape will be an abiding aspect of the regulation of utilities for years to come.
Cybersecurity Special Feature conversations:
- Brian Harrell, Assistant Director at Cybersecurity and Infrastructure Security Agency, U.S. Department of Homeland Security
- Bruce Walker, Assistant Secretary, Office of Electricity, U.S. Department of Energy
- Tom Fanning, CEO, Southern Company
- Bill Spence, CEO, PPL Corporation
- Connie Lau, CEO, Hawaiian Electric Industries
- Chair Gladys Dutrieuille, Pennsylvania PUC
- Paul Stockton, Managing Director, Sonecon
- Ray Rothrock, CEO, RedSeal
Lead image: © Can Stock Photo / maxkabakov
