Technology can heighten grid resilience, leaders tell Icons of Infrastructure Washington conference.
EGrid Security: Identify, Detect, Respond and Recover
Cyber and physical security of the power grid is a collaborative effort
The threat of an attack on our nation’s power grid is the “new normal,” according to Caitlin Durkovich, formerly Assistant Secretary for Infrastructure Protection. “It’s not a matter of if, but when. We have to continue to get smarter and better about what we are doing.”
Regulations put in place in wake of the 2003 blackout in the northeast United States have shut the barn door for that horse, but the nation’s grid remains vulnerable.
This was the message from experts in the concluding panel discussion on securing America’s energy infrastructure for the 21st century at an Icons of Infrastructure conference in Washington, Advancing the Electrical Grid.
“The current level of activity is insufficient to prevent risks going forward,” said Paul Feldman, technical director of Protect Our Power and former director of MISO, the Midcontinent Independent System Operator.
“No CIO believes they are sufficient,” he said at the conference late last week.
Protect Our Power and the Bipartisan Policy Center sponsored the half-day conference at the National Press Club.
Feldman’s nonprofit focuses on best practices that go beyond just strict compliance. They pin their hopes on vendors to conduct the basic research and development for new security products. “Utilities only do things that have a guaranteed return,” he said. But the 700 or so vendors who sell to utilities have an incentive to develop new products.
If an outage appears inevitable, then the critical issue is how quickly power can be restored, and this is another focus of the nonprofit. “We are looking for ways to make the grid more resilient,” Feldman said. “We examine anything that could take the grid down and then how to reboot or reassemble to restore power quickly.”
This is why it is important to secure the supply chain for the infrastructure, both hardware and software, said Caitlin Durkovich, a consultant with Toffler Associates and former assistant secretary for infrastructure security in the Department of Homeland Security.
Outsourcing for many products and services has increased vulnerability on this score, as has the increase in hostile actors. There needs to be a proactive approach to securing the supply chain, she said. “It goes back to design,” Durkovich said. “You have ensure the provenance of your supply.”
Better design for security is a top priority, she said. This becomes more urgent with the massive electrification of society – from smart buildings to electric cars – along with decentralization and digitalization. “As things grow more interconnected, they become more interdependent,” she noted. The Internet of Things and 5G connectivity are ways this interconnection is increasing, and it will increase vulnerability of the grid.
The grid as it exists has developed haphazardly, but now it is time to step back and rethink things from the point of view of security, panelists said. Security needs to be “engineered from the get-go,” Durkovich said, from transmission to storage. The convergence of information technology and operations technology simplifies the goal – systems need both cybersecurity and physical security.
Redundancy, as is common in IT, must become a feature of all infrastructure. Communications networks, for instance, should have space infrastructure as well as terrestrial. “There should be no single point of failure,” Durkovich said.
Resiliency is the focus of FERC commissioner Neil Chatterjee, his technical adviser Eric Vandenberg said. Chatterjee was due to speak but was detained at the last minute. For the commissioner, the question of storage is vital to increasing this resilience, reinforcing the role of micro-grids and solving some of the transmission issues, Vandenberg said.
FERC currently is legally barred from making any rules for the distribution system, which lies in the province of the states. It would take a change of the Federal Power Act to give the agency more supervision over the grid itself, Vandenberg said.
But rules may be part of the problem, suggested Durkovich. There is so much focus on compliance with legalistic details that utilities resist any other efforts to require security measures. “We need to rethink entire grid with a risk-based approach,” she said. A change of approach might lead to more openness on the part of the industry.
Although natural catastrophe or human error remain major risks, the fastest-growing threat is a cyberattack. The 2015 cyberattack on the Ukraine power grid showed how effective and dangerous this type of attack can be. Attackers were able to “brick” several systems, Feldman explained. That is, they could overwrite the firmware to disrupt the operation of hardware in substations.
Speaking of efforts to ward off cyberassaults:
“No CIO believes they are sufficient,”
says Paul Feldman, of Protect Our Power.
Cyberattacks and electromagnetic pulses are two of the top threats preoccupying FERC, Vandenberg said. In addition, physical attacks on substations remain a threat. “We take a holistic view of the risk,” said Vandenberg, including everything from storage and transmission through micro-grids.
Durkovich cautioned that the rise of micro-grids and distributed energy means the government must expand its field of supervision to include these new entrants into the market. They increase the “attack surfaces” for bad actors.
Nor should the human factor be overlooked, she said. For one thing, there is a shortage of qualified staff and the gap is growing. Utilities are now competing with Silicon Valley for engineers. By 2020, she said, there will be shortfall of some 1.5 million security experts. The contract economy, which results in employees transferring often to another company, only exacerbates this problem.
But there is also a threat in failure to properly vet people with bad intentions. Durkovich said. The insider threat is increasing as companies scramble for staff and the gig economy leads to frequent transfers.
“We need to raise the awareness of how important the infrastructure is,” she said. Working at a utility should have as much appeal as working at Apple. It is important, she stressed, to keep the interface between human and machine.
“Don’t engineer the human out,” she warned.
Sources: Eric Vandenberg, technical advisor to Commissioner Neil Chatterjee, FERC
Caitlin Durkovich, Strategist and Infrastructure Security Expert, Toffler Associates
Paul Feldman, Technical Director, Protect Our Power