Cyber Security: Revisiting a Critical Issue

Three previous blog posts have mentioned or addressed in detail this critical issue which I believe represents a major vulnerability of U.S. electrical power and other industrial systems:
– ‘Grids, Smart Grids and More Grids: What’s Coming’,
July 7, 2014
– ‘The Vulnerability of Our Electric Utility System to
Cyber Attacks’, January 28, 2015
– ‘Returning to an Important Subject: The Vulnerability of
the U.S. Electrical Grid’, August 31, 2015

I mention this history because today (January 6, 2017) the Washington Post published the following article on the same subject, reporting on the results of the Quadrennial Energy Review just published by the U.S. Department of Energy. It focuses much needed attention on this growing vulnerability.

New Obama report warns of changing ‘threat environment’ for the electricity grid
By Chris Mooney

At a time of heightened focus on U.S. cybersecurity risks, the Energy Department released a comprehensive report on the nation’s rapidly changing electrical grid Friday that calls for new action to protect against evolving threats.

The agency urged policymakers to grant regulators new emergency powers should threats become imminent, among other recommendations.

The document notes the sprawling scale of U.S. electric infrastructure: The nation has 7,700 power plants (ranging from coal-fired to nuclear) and 55,800 substations. Some 707,000 miles of high-voltage transmission lines link the two, and then 6.5 million additional miles of local lines spread out from the substations.

Dramatic change is sweeping over the sector. For instance, so-called smart meters are being added to bring more online control to the electrical grid. And more and more households are adding solar systems to their rooftops, providing new connecting points. A “rapidly evolving system” is in major need of modernization and upgrades to keep pace, the report says.

“There’s the weak-link issue for the whole system,” Energy Secretary Ernest Moniz said in an interview to highlight the report. “The reality is, for a lot of rural, smaller utilities, it’s a very difficult job to have the kind of expertise that will be needed in terms of cyber, so we suggest for example, grant programs to help with training, to help with analytical capacity in these situations.”

“The economy would just take an enormous hit” from a successful grid attack, he said.

The document is the second installment of the Quadrennial Energy Review, a series of wide-ranging reports surveying the entire U.S. energy system that the department began after President Obama announced new climate change policies in 2013. The first installment dealt broadly with the entirety of the nation’s energy infrastructure, which goes far beyond electricity to encompass natural gas and oil pipelines, storage infrastructure, and other facets. This one zooms in on electricity.

It highlights not only cyberattacks on electric infrastructure in Ukraine in late December of 2015 — in which three Ukrainian utilities were hit by synchronized cyberattacks, leading to power losses for 225,000 customers — but also the Oct. 21, 2016, event that used in-home Internet-connected devices, collectively, to lead a large denial-of-service attack.

“We know that this is not just a theoretical concern,” Moniz said.

The report calls for utilities to take engage in “deliberate risk management activities” as the electric power sector becomes increasingly interconnected with global communications networks.

“The threat environment is also changing — decision makers must make the case for investments that mitigate catastrophic, high-impact, low-probability events,” the report notes.

Cyberthreats are not the only challenge facing the grid. The report warns that extreme weather events triggered by human-caused climate change also makes the system vulnerable.

On grid security, the report contains myriad recommendations, including amending the Federal Power Act to give the Energy Department the ability to issue a “grid-security emergency order,” and also giving the Federal Energy Regulatory Commission new powers to bolster reliability standards that affect electricity-sector operators “if it finds that expeditious action is needed to protect national security in the face of fast-developing new threats to the grid.”

In the interview, Moniz said he hoped that under the next administration, the Quadrennial Energy Review process would continue, noting that the last installment of the report has already triggered major action. Of its 63 recommendations, the DOE has found, 21 are already “fully or partially reflected in Federal law.”

“We think that the second volume hopefully is going to have the same kind of track record,” Moniz said. “That’s the basis upon which I certainly hope, and will certainly recommend, presumably to [Energy secretary nominee Rick Perry], that the new administration take ownership of this, and keep it going.”

The DOE press release announcing the report can be found at
https://energy/gov/articles/administration-releases-second-installment-quadrennial-energy-review and the full report with related analyses can be found at energy.gov/QER.