The Bottom Line: Cybersecurity Awareness Month brings national attention to an issue that is always a top priority for competitive power suppliers, as it is directly tied to power system reliability in an increasingly electrified economy. Power suppliers combat cybersecurity challenges through partnerships with each other and government agencies, as well as collaboration with third parties focused on eliminating cyber threats at the source.
Cybersecurity is a constant priority for competitive power suppliers. Credit: iStock/piranka
Americans are using more electricity than ever. As more of our lives are conducted digitally and rely on services powered by electricity, there is also an increased push to move sectors like transportation and home heating and cooling to run on electricity. That makes the nation increasingly dependent on the security and reliability of the power system – which faces mounting threats from cyber breaches and attacks.
While October is National Cybersecurity Awareness Month, putting a spotlight on the risks cyber threats pose to the nation’s infrastructure, competitive power suppliers remain on guard against those vulnerabilities every minute of every day. Cybersecurity threats pose a risk to reliable electric service—and ultimately America’s homes and businesses—with the potential to disrupt everything from routine needs like turning the lights on and connecting to the internet to emergency and life-saving services.
Along with the rest of the electricity sector, competitive power suppliers are constantly on the watch to protect essential power generation resources against current and emerging cybersecurity breaches. But as would-be attackers continue to seek new ways to disrupt the nation’s power grid, new tools may be needed to enhance electric reliability and stay ahead of ever-evolving threats.
Here is a brief overview of the many ways competitive power suppliers – in partnership with government and the entire energy industry – work to protect their operations.
Working Together to Protect the System
The U.S. power grid is an interconnected system encompassing both the transmission and distribution networks, with utilities electrically tied together during normal system conditions to provide a synchronized transfer of power. There are seven regional transmission organizations (RTOs) and independent system operators (ISOs), each of which operates its region’s electricity grid, administers the region’s wholesale electricity markets, and provides reliability planning for the region’s bulk electricity system (BES). This integrated structure not only helps prevent the manipulation of the electric power supply but also helps ensure a high level of oversight and continuity for both cyber and physical security.
Electric power suppliers are subject to an array of cyber and physical security regulatory regimes, overseen by the White House, federal agencies, the U.S. Congress, and others. This includes participating in the development of, and complying with, North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards, which work to ensure the appropriate security measures are in place to protect the entirety of the BES.
Partnership and Information Sharing
Partnership between competitive suppliers and government agencies responsible for cybersecurity exists at every stage of operations.
EPSA member company representatives, and EPSA’s president and CEO, sit on the Electricity Subsector Coordinating Council (ESCC), the principal liaison between leadership across multiple federal agencies and the electric power sector.
Companies also communicate and share information with the U.S. intelligence community via the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and its National Cybersecurity & Communications Integration Center (NCCIC), and are actively involved in the FBI InfraGard program. This provides a two-way channel to stay on top of threats and take all possible action to address them.
These communication channels are further enhanced by participation in the Electricity Information Sharing and Analysis Center (E-ISAC), which provides a portal for updates and information on cyber-related threats. Competitive power suppliers also take part in events and training exercises including the NERC GridEx, which is the largest security exercise in North America, with industry, government, and others practicing how they would respond to potential threats.
Outside of these formal processes, competitive suppliers take voluntary steps to shore up their systems. Companies contract third-party vendors to conduct cyber compromise assessments, and security subject matter personnel and officers attend an array of security conferences and seminars for education and to share information among similarly situated energy companies and across the electricity industry broadly.
EPSA continues to participate in efforts to keep the power system safe. Both FERC and CISA recently asked for public input on ways to enhance cybersecurity. FERC has issued a Notice of Proposed Rulemaking, which proposes incentives for utilities to invest in cybersecurity measures. CISA has asked for public input on how to implement incident reporting requirements signed into law by President Biden in March 2022. We will be submitting recommendations to enhance the success of these initiatives in the coming weeks.
Ensuring that all cyber and physical security considerations are fully addressed is central to the operation of the nation’s power generating resources and the delivery of electricity to consumers. Although cybersecurity is a constant concern, competitive power suppliers are devoted to doing what it takes to keep America’s grid safe and secure from being compromised.