It's Time to Take Cybersecurity Seriously
The White House sent to Capitol Hill on May 12 a proposal that would increase cybersecurity requirements for U.S. networks vulnerable to attacks. The White House is pushing for a consensus on how to protect against attacks that could, among other things, prevent massive blackouts.
The White House sent to Capitol Hill on May 12 a proposal that would increase cybersecurity requirements for U.S. networks vulnerable to attacks. The White House is pushing for a consensus on how to protect against attacks that could, among other things, prevent massive blackouts. One key provision would require electric utilities to disclose measures they are taking to protect their networks. Another provision would give legal immunity to utilities and other companies that notify the government about cyber threats and intrusions against them. This provision is designed to encourage companies that have been reluctant to report such occurrences because they feared lawsuits to do so.
Some cybersecurity experts have criticized the proposal, saying it’s too weak. Others believe, however, that even a little additional regulation is better than the status-quo.
I recently attended ABB’s Automation and Power World event in Orlando where I visited with Joe Hogan, ABB’s CEO. We discussed opportunities and challenges utilities face. Hogan stressed that identifying and addressing cybersecurity needs is a major challenge for utilities. He said industry, including electric utilities, are “sleeping on a huge minefield” when it comes to automated systems’ vulnerability. He said the biggest threat comes not from external hackers and terrorists trying to bring down the power grid, but from employees on the inside. Hogan said when most systems were put into place, cyber threats were never imagined. He believes cybersecurity is a critically important and urgent issue that has not been adequately addressed.
A recent report from Q1 Labs, a Waltham, Mass.-based company that provides security intelligence products, validates some of Hogan’s concerns. Q1 Labs commissioned in April a survey regarding critical infrastructure in energy organizations. Q1 Labs issued a release saying the survey found that the utilities surveyed are underprepared to face attack. The survey found that 77 percent of the global energy organizations surveyed said that compliance (with government regulations) is not a priority. This could mean that the stepped up cybersecurity requirements President Obama hopes are created might not garner the results he expects unless measures are put into place to police and enforce the requirements.
Seventy-one percent of survey participants reported that C-level utility executives do not understand or appreciate security. And, perhaps the most alarming statistic in the press release was that 76 percent of the global energy organizations surveyed have suffered one or more data breaches over the course of the last 12 months.
Tom Turner, Q1 Labs’ vice president of marketing and channels, said in the press release, “Gone are the days when the only security concern was attack by land, air or sea. Today with cybersecurity requirements, such as FISMA (Federal Information Security Management Act) and demand for continuous monitoring, our critical infrastructures need the ability to ensure compliance with IT security policies, establish new benchmarks and generate continuous, real time reporting to protect themselves against an attack.”
My conversation with Joe Hogan and the information presented in this report have convinced me that cybersecurity is an important issue for electric utilities and it is past time to put regulations in place and begin enforcing them.
Look for updates on cybersecurity legislation and regulation in future issues of POWERGRID International and on our website. It is a subject that we will take seriously.
I enjoyed your editorial on the need for the power industry to remake its image in order to be able to convince customers that they are not being manipulated by their utility.
Utilities seem to have an “if we build it they’ll come” attitude toward the relationship between smart grid and the consumer. I get the impression after several years of reading about the smart grid that the utilities believes if they give consumers the tools to reduce their peak consumption consumers will happily change their behavior and comply to help the utility avoid the need to build new power generating sources and infrastructure.
The consumer wants to come home, turn on the lights, cook dinner and do a load of laundry or two if needed and not be concerned about the time of day and the coincident electric rate. Consumers do not want to change their behaviors so that when they come home they must go to sleep so they can get up at 2 a.m., when energy is affordable, to cook dinner and do a load or two of laundry. If they expect to reduce peak consumption, utilities must force the latter on consumers by raising peak energy rates. The smart grid will enable them to do this. The cost of peak power must be incrementally raised until the utility realizes its energy goals by leveraging consumption into a more acceptable segment of the load curve.
Consumers are right to be leery of our industry and smart grid; they just aren’t using the right facts to support their fears.
Jonathan Skinner, Power System Operator
Chugach Electric Assn.
Power Engineerng Issue Archives
View Power Generation Articles on PennEnergy.com