A Better Way: Promoting Cybersecurity for the Electric Sector and Critical Infrastructure

From: Heritage Foundation

Over the past decade, the U.S. has witnessed unprecedented transformation of the control systems that the electric sector uses to make, manage, and move power. Over the same period, legislators and regulators have become increasingly concerned that utility executives are not doing enough to improve defenses against increasingly numerous and capable cyber adversaries.

While there are things that the government can do to promote cybersecurity in the electric grid, adding more regulations to an already highly regulated industry is not one of them. The U.S. should instead pursue reforms that incentivize additional cybersecurity investments by electric companies. Additionally, collaboration with and education of grid leaders should not be overlooked, as they form the bedrock of many other reforms and investments.

Grid Cybersecurity Improvements Needed

The U.S. electric grid is a complex combination of thousands of different power generators, including coal and natural gas, as well as nuclear, hydroelectric, wind, and solar power, among others. It is owned and operated by around 3,500 electric utility companies, which manage everything from vast spans of high-voltage transmission lines to local substations, transformers, and distribution lines. Since at least 2005, emphasis on the Smart Grid—new technologies that make the grid more efficient—has made the grid increasingly interconnected. The Smart Grid certainly has its business and technological advantages, but it also brings new cybersecurity risks.

Even before the move toward the Smart Grid began, cyber risks to the electric grid were apparent. This was most clearly seen in the 2003 Northeast blackout that left millions of people from Ontario to Massachusetts to Ohio without power for days. At fault were an overloaded transmission line and a tree branch in Ohio that led to a cascading failure in the Northeast electric grid. But partial blame also goes to a software bug that hampered communications to grid supervisors who might have responded more quickly. Though the grid’s cyber acumen has progressed by leaps and bounds since then, so have the capabilities of cyber attackers hailing from terrorist groups, hostile nation-states, and other sources.

These worrying realities have manifested themselves in multiple attempts to pass legislation that would mandate new cybersecurity requirements beyond the North American Electric Reliability Corporation’s critical infrastructure protection standards. In early 2013, the White House issued an executive order that directed the National Institute of Standards and Technology to work with industry to create a new cybersecurity framework for critical infrastructure, including the electric sector. While this framework is to be composed of voluntary standards, many are concerned that these standards will eventually become mandatory.
