Bill Zuretti is director of regulatory affairs and counsel at EPSA.
In the wake of the SolarWinds Supply Chain Attack, business and government leaders across the globe are charting a path forward. While EPSA and its member companies do not believe they were impacted by this breach, we are proactively working to understand the scope of the incident and gird IT and electric infrastructure against future intrusions.
As part of their mission to provide reliable power to Americans and protect customers, EPSA member companies take very seriously the cyber and physical security of their operations and the electric grid.
The Electric Industry and Government Are Working Together to Respond
Protecting America’s power grid from security threats is a team effort across the energy industry and government. Along with our utility, public power, and co-operative industry partners, competitive power suppliers are a key player in shielding against, preparing for and responding to incidents.
EPSA’s CEO sits on the Steering Committee of the CEO-led Electricity Subsector Coordinating Council (ESCC). The ESCC serves as the principal liaison between the federal government and the electric power industry on efforts to prepare for, and respond to, national-level disasters or threats to critical infrastructure. Through the ESCC, we are working closely with our counterparts from other segments of the electric industry and with government partners, which includes senior administration officials from the White House, cabinet agencies, federal law enforcement, and national security organizations.
Immediately following news of the SolarWinds breach, the ESCC sprang into action and conducted a situational awareness call with its members. In the days after this call, the ESCC stood up a “Tiger Team” to continue to address this incident. This “Tiger Team” is comprised of security experts from across the electric sector and includes EPSA staff and representatives from our member companies. The team has been sharing information, best practices, and recovery tools to aid each other in response to the breach. This team is also working to stage a series of webinars and compile best practices and response tactics. Our aim is to emulate our sectors’ preparation for and response to the COVID-19 pandemic, which helped keep the lights on and protect energy workers throughout the crisis – and has been widely praised by industry and government.
EPSA Member Companies Already Had Extensive Cyber and Physical Security Measures in Place
Beyond our collaboration with the ESCC and other government agencies, competitive suppliers also continue to share information with industry stakeholders on security data gathering and analysis, incident management coordination and communicating mitigation strategies.
Information Sharing and Coordination: EPSA is a member of the Electricity Information Sharing and Analysis Center (E-ISAC), which is the primary security communications and collaboration channel for the electricity industry and enhances its ability to prepare for and respond to cyber and physical threats, vulnerabilities, and incidents with the U.S. Department of Energy and the ESCC. The E-ISAC also gathers, analyzes, and shares security information provided by members and partners; coordinates incident management; enables member- to- member sharing; and communicates mitigation strategies with stakeholders across interdependent sectors and with government partners.
Preparedness Events: In addition to information sharing, EPSA members participate in regular trainings and simulation events. GridEx, for example, is a distributed play tabletop grid exercise that allows participants to engage remotely. The exercise simulates a cyber and physical attack on the North American electricity grid and other critical infrastructure.
Risk Assessments: Competitive suppliers also contract with third party vendors to conduct regular, proactive cyber compromise assessments. In addition, as the world and the grid continue to evolve to accommodate new energy resources, EPSA members conduct risk assessments on all new technologies that are brought into their systems.
Protective Measures: Further, both as part of NERC’s Critical Infrastructure Protection (CIP) regime and through their broader information security protocols, EPSA members have already implemented robust processes to protect cyber and company data related to limited product development or source code in compliance with NERC reliability standards in the least. In addition to these measures, EPSA members utilize protocols – which can include Sanctions Act validations – in order to ensure that they are protecting sensitive or critical data.
A New World May Require a New Market Paradigm
In order to enhance reliability and protect against cyber threats while providing least cost electricity to customers, new market design tools may be needed.
Competitive suppliers recover costs through multiple organized wholesale markets. But currently, markets come with parameters for which costs can and cannot be included in supplier bids. Accordingly, should additional unforeseen costs be imposed upon competitive suppliers in order to protect the electric system broadly or to address new risks, it may be reasonable that these costs be recovered on a regional or system-wide basis.
This will allow the competitive power markets to continue their intended purpose: to bring reliable electricity at the least cost to meet America’s needs.
The Path Forward
As the SolarWinds breach shows, while cyber and physical security issues can arise from individual decisions or errors, these issues can affect much broader swaths of the economy. For this reason, all participants in the supply chain must continue to focus on threats to the system as a whole, in addition to the individual parts under their control.
Any day with a service disruption is a day that a competitive power supplier is not able to provide reliable, least cost, cleaner electricity to customers – interrupting Americans’ ability to go about daily life, conduct business and keep critical emergency services online.
On both the cyber and physical fronts, EPSA member companies remain deeply committed to producing safe, secure and reliable energy to customers across the country and support our nation’s economic vitality.
Learn more about EPSA’s Cybersecurity Efforts.
