As the backbone to modern life, the cyber and physical security of the electric grid is critical to ensuring reliable energy is available 24/7. While the nation’s electricity generating industry is only 7 percent of the nation’s GDP, it is the so-called “first 7 percent” because without it, the rest of the economy could not exist. Keeping that vital sector resistant against rising threats was a key point discussed by leaders at the Electric Power Supply Association’s second Competitive Power Summit.
On March 21, 2023, security experts convened at the summit to discuss Cyber and Physical Security for a Reliable Power System. The panel included:
- Manny Cancel, Senior Vice President and CEO of the E-ISAC, North American Electric Reliability Corporation
- Mara Winn, Deputy Director, Preparedness, Policy and Risk Analysis, Office of Cybersecurity, Energy Security, and Emergency Response, U.S. Department of Energy
- Richard S. Mroz, Senior Director, Archer Public Affairs & Advisor, Protect Our Power
- John J. Rovinski, Jr., Supervisory Special Agent, FBI Cyber Division,
- Moderator: Rich Heidorn, Jr., Editor-in-Chief and Co-Publisher, RTO Insider LLC
Rising Risks and Vulnerabilities
Energy generators and providers across the supply chain are under increasing threats in an interconnected world.
Panelists identified rising threats from malicious state and non-state actors as the largest threat to our grid. Panelists spoke of a rise in ransomware attacks, witnessing how cyber warfare is being used in the Russia-Ukraine war, seeing the growth in cyber capabilities in both state and non-state actors, and addressed recent attacks on substations in the U.S. by political and ideological extremists as rising threats to the grid.
Rovinski pointed out that “The grid itself is a natural target because it’s visible, it’s got a huge surface, it’s locally available – they [attackers] don’t have to travel far.”
Cancel added, “The capabilities that our adversaries possess are really quite remarkable. They’re persistent. They’re stealthy. They know what they want to go after. They’ve been conducting surveillance for years. That keeps me up at night.”
And Mroz put it simply, saying, “We are at war. They are using your infrastructure to conduct this war.”
Addressing Increasing Security Needs
The risks are not new, but the variety of disrupters, the means, and intensity are constantly changing even as grid operators’ responsibility to preserve energy reliability stays the same. The industry must retain its firewalls and physical walls to ensure security. But experts on the panel were adamant that these walls need to be smarter, rather than higher—addressing the most pressing and credible threats in the most efficient way.
Power generators are increasingly aware of the role that secure supply chains play in this equation. Competitive suppliers recognize the challenge of balancing enhanced security with costs, and have been working with state and industry actors to ensure security without incurring unjustifiable costs to ratepayers. The energy industry has collaborated for decades on cyber issues with federal and state regulators to try and find the right balance in a world of significant cyber threats and rising energy prices. Cancel concluded optimistically that “the grid is highly resilient across North America… [we’re] not declaring victory, but it’s important to note that we’re not ‘figuring it out’ – we’ve actually figured it out, we just need to improve on it.”
To protect industry investments, Winn stressed the need to plan in advance and make informed, calculated efforts to at the very least reduce the severity of a security breach. “Are you going to have a little ‘bad day’ because you’re able to fix it quickly, it doesn’t cause catastrophic failure, because you’ve thought about the design in advance, you’ve thought about what that impact is, and you’re able to recover quickly? … How much can you assume that something is going to go wrong and make sure it doesn’t go wrong very badly?” This approach is cost effective, and even the small tasks, like cutting back vegetation to have clear sightlines for camera systems, go a long way to ensure physical security and increased monitoring. Bolting on security measures, both physical and cyber, is costly and leaves systems exposed in the meantime.
And while ensuring security was paramount among the panelists, they all understood that “gold plating” the electrical system doesn’t work, and a degree of variation and baseline of standards were likely necessary to protect the system without adding costs arbitrarily. Rather, targeting cost-effective means to safeguard known, priority vulnerabilities can be a manageable way to shore up infrastructure. “You have to pick and choose where you’re going to put your money… where are the crown jewels? If you can’t protect them, you can hide them,” said Rovinski, pointing to maintaining fences and trimming vegetation around substations as an example of a relatively inexpensive means to increase security. By the end of the conversation, a consensus emerged that a discussion on standards was necessary and should bring everyone to the table to make sure individual operators’ situations, needs, and threat assessments are taken into consideration when designing new standards.
Collaboration Is Essential
All panelists pointed to the importance of continued dialogue, communication, information sharing, and collaboration among government and private sector partners to identify and understand emerging threats and how to best protect critical infrastructure.
“Collaboration works. It’s important to have a friend before you need a friend… that’s the only way that you’re going to provide the security that you actually need,” said Rovinski, pointing to an increased intra-government and private sector connection following Russian attacks on Ukraine’s power system.
EPSA is a member of the Electricity Information Sharing and Analysis Center, or E-ISAC, run by NERC with Cancel at the helm, which allows industry to rapidly share information and guidance on a 24/7 basis, as well as to participate in grid security exercises. In addition to the E-ISAC, EPSA member companies also participate in bi-directional information sharing with the U.S. intelligence community via the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and its National Cybersecurity & Communications Integration Center (NCCIC) and are actively involved in the FBI InfraGard program.
A Comprehensive, but Flexible Approach Is Needed
Panelists gave the industry high marks for being ahead of other sectors in their preparedness, but as the grid develops, and new and evolving physical and cyber threats increase, speakers emphasized that grid operators and energy suppliers needed a comprehensive but flexible approach to security.
EPSA’ Cybersecurity in the Electric Power Sector highlights this required balance between engagement and investment across the diversity of power providers, business models, and asset portfolios. It also details the many ways competitive power suppliers are working with all relevant parties to tackle cybersecurity risks. And through the continued collaboration between government partners and industry, it is possible to meet these challenges in the most cost-effective way, addressing the risks where they are, and anticipating where they might appear.