Author: Bill Zuretti, Director of Regulatory Affairs & Counsel, EPSA
National Cybersecurity Awareness Month brings renewed focus to how cyber and physical threats pose an ongoing challenge to power system reliability – and daily life. Competitive power suppliers work every day to secure operations and guard against attacks.
Credit: Electric Power Supply Association
The reliability of America’s electric grid continues to be top of mind for Congress, regulators, grid operators, and the public. Providing reliable power generation is and always has been the top priority for EPSA and our member companies – and the 20th anniversary of National Cybersecurity Awareness Month this October puts the spotlight on a core element of securing reliable operations.
Americans are using more electricity than ever, with dependence on the grid only expected to grow as the economy electrifies, requiring more watts to power electric vehicles, home appliances, and the data centers that enable our digital life. Power outages can cripple society, upending the ability to do business, heat and cool our homes, and provide lifesaving emergency services. But as the power sector takes on challenges like rising demand, extreme weather, and pressures to decarbonize, cyber threats continue to evolve and present an ever-present risk. That risk is compounded by an uptick in physical attacks and vandalism that resulted in widespread power outages across the U.S. over the past two years – increasing the probability of a coordinated attack.
What you can do:
This year’s Cybersecurity Awareness Month theme is “Securing Our World,” shining a light on how even individual actions can help secure not just our personal digital property – but also the systems we rely on, including the power sector. The Cybersecurity & Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance have provided a helpful guide for what you can do right now to protect yourself and others. Simple steps include:
- Recognize and report phishing
- Use strong passwords
- Turn on multifactor authentication
- Update software
Securing the Grid
While citizens have a key role to play, EPSA and competitive power suppliers have been and continue to work diligently to secure power generation operations from cyber and physical threats. As would-be attackers continue to seek new ways to disrupt the nation’s power grid, new tools and increased investment may be needed to enhance electric reliability and stay ahead of ever-evolving threats.
Here are some examples of the actions we take to combat our adversaries and keep the lights on.
Working Together to Protect the System
The U.S. power grid is an interconnected system encompassing both the transmission and distribution networks, with utilities electrically tied together during normal system conditions to provide a synchronized transfer of power. There are seven regional transmission organizations (RTOs) and independent system operators (ISOs), which operate the region’s electricity grid, administer the region’s wholesale electricity markets, and provide reliability planning for the region’s bulk electricity system (BES). This integrated structure not only helps prevent the manipulation of the electric power supply but helps ensure a high level of oversight and continuity for both cyber and physical security.
Electric power suppliers are subject to an array of cyber and physical security regulatory regimes, overseen by the White House, federal agencies, the U.S. Congress, and others. This includes participating in the development of, and complying with, North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards, which work to ensure the appropriate security measures are in place to protect the entirety of the BES.
Partnership and Information Sharing
Partnership between competitive suppliers and government agencies responsible for cybersecurity exists at every stage of operations.
EPSA member company representatives, and EPSA’s president and CEO, sit on the Electricity Subsector Coordinating Council (ESCC), the principal liaison between leadership across multiple federal agencies and the electric power sector.
Companies also communicate and share information with the U.S. intelligence community via the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and its National Cybersecurity & Communications Integration Center (NCCIC) and are actively involved in the FBI InfraGard program. This provides a two-way channel to stay on top of threats and take all possible action to address them.
The communications channels are further enhanced by participating in the Electricity Information Sharing and Analysis Center (E-ISAC), which provides a portal for updates and information on cyber related threats. Competitive power suppliers also take part in events and training exercises including the NERC GridEx, which is the largest security exercise in North America, with industry, government, and others practicing how they would respond to potential threats.
Going Beyond
Outside of these formal processes, competitive suppliers take voluntary steps to shore up their systems. Companies contract third party vendors to conduct cyber compromise assessments, and security subject matter personnel and officers attend an array of security conferences and seminars for education and to share information among similarly situated energy companies and across the electricity industry broadly.
Staying Vigilant
EPSA continues to participate in efforts to keep the power system safe. We recently submitted feedback to the Federal Energy Regulatory Commission (FERC) and NERC on ways to enable power generators’ ability to secure their systems, highlighting the critical importance of information sharing programs and the need to allow flexibility companies to address the particular security matters they face in light of their diverse situations and needs.
Both FERC and CISA recently asked for public input on ways to enhance cybersecurity. FERC has issued a Notice of Proposed Rulemaking, which proposes incentives for utilities to invest in cybersecurity measures. CISA has asked for public input on how to implement incident reporting requirements signed into law by President Biden in March 2022. We will be submitting recommendations to enhance the success of these initiatives in the coming weeks.
Ensuring that all cyber and physical security considerations are fully addressed is central to the operation of the nation’s power generating resources and the delivery of electricity to consumers. Although cybersecurity is a constant concern, competitive power suppliers are devoted to doing what it takes to keep America’s grid safe and secure from being compromised.
