Time to Protect Our Vulnerable Grid
Last October was the nation’s first-ever U.S. National Cyber Security Awareness month. And in November 2017 many of the nation’s electric utilities shifted their focus to an event known as GridEx, a training exercise that tackles potential cyber-security threats and vulnerabilities in the nation’s electric grid.
Conducted biennially, GridEx aims to ensure that electric utilities are prepared to thwart potential cyber or physical attacks on the grid and to communicate and recover should an attack occur. More than 6,000 individuals from more than 400 electric utility and government organizations in the U.S., Canada, and Mexico participated in GridEx IV.
GridEx 2017 took place against an increasingly complex and threatening backdrop. And while it is vitally important that the electric industry is focusing on looming cyber threats, the scope and nature of those threats demand greater federal leadership, particularly from the Federal Energy Regulatory Commission (FERC).
Late last year, the FBI and Department of Homeland Security issued a “joint Technical Alert,” confirming that our nation’s nuclear, energy, water, aviation, and critical manufacturing sectors, as well as some government entities, have been the targets of repeated cyberattacks. Some succeeded. And according to recent survey data from Accenture, 52 percent of North American utility executives reported there is a moderate risk that a cyberattack could affect the electric grid within the next five years, while 24 percent said there is a significant likelihood of a cyberattack. The survey also noted the significant increase in politically motivated threats from nation-state actors and from profit-driven cyber-criminals or organized hackers.
Make no mistake, a successful cyber or physical attack on the U.S. electrical grid would ripple across every sector of our society. No one would be spared and the costs would be enormous. For instance, the three-day blackout that affected the upper Midwest and Northeast in 2003 cost an estimated $50 billion. And that blackout was relatively easy to fix — the core problem was a software error, but the damage caused was isolated and largely repaired within days.
Today, the technology landscape has changed radically since 2003, and a blackout induced by a cyberattack has the potential to take out large sections of the national grid, and do so in a sophisticated, digital manner that could be very difficult to unravel and fix.
That our electric grid is highly vulnerable is not news. Every U.S. President since 1990 has acknowledged that U.S. infrastructure risks are high, that the threats are real, and each has pledged to promptly address the looming potential risks. Recent reports from the National Academy of Science have highlighted the issue, and the Massachusetts Institute of Technology found that in relation to the heightened risks now faced, “it is doubtful that the defense has improved at all. Attacks are still easy and cheap to launch and difficult and expensive to defend against.”
The issue is so widely-acknowledged that the Spy Museum in Washington, D.C., in the shadow of the U.S. Capitol, now has an exhibit titled “Weapons of Mass Disruption” that features “some of today's top experts on the new intelligence battlefield of cyberspace,” and allows visitors to “explore what would happen if a cyberattack hit the electrical grid.”
Many entities are working to make grid improvements. But therein lies a key part of the challenge — the myriad of entities, interests, and polices involved requires coordination at the national level. Such oversight is vital to ensuring that critical grid improvements are made in a timely manner, that the end result is a more sophisticated, resilient grid that can integrate a diverse array of electric generation sources without increasing vulnerabilities, and that consumers alone do not bear the full financial burden in their electric rates. Strengthening and protecting the grid is a national security matter, so federal funding must be part of the financial equation.
Improving the grid of the future also supports and ensures resilience in the other key infrastructure areas that we now know are being targeted by cyberattacks.
On the positive side, federal regulators have taken notice of the critical need to strengthen the grid against attacks, and FERC has proposed new cyber-security management controls aimed at enhancing grid resiliency. Importantly, FERC has the legal mandate and authority to take the lead on these critical issues.
As such, FERC is the logical agency to drive the establishment of a large-scale public-private partnership that brings together the necessary expertise — utilities, system operators and technology companies — and financing — Congress, regulators and the private markets — to focus on making the electric grid more robust and resilient in the near-term.
Developing that partnership, and creating a national grid enhancement program will require four components:
1. An independent and candid assessment of exactly where improvements and upgrades are needed, in order of priority, to be completed as soon as possible;
2. Development of a collective national plan, codified by Congress, with oversight from the relevant federal regulatory agencies, to drive short- and long-term improvements;
3. Regulatory reform, including development of improved, uniform practices for the North American bulk power system that rise to the level of detail and rigor required to meet the threats we face; and,
4. Identification of public and private funding mechanisms, including the potential use of tax-exempt government bonds, to raise the necessary financing in an equitable manner.
As a nation, we can no longer afford to put off until tomorrow that which our own self-interest says must begin today. The threats are increasing every day and the consequences of inaction are both devastating and unnecessary.
With regard to enhancing the grid, as the saying goes, failure is not an option.
Paul Feldman is a former Chairman of the Midcontinent ISO (MISO), and a former Independent Board member of the Western Electricity Coordinating Council (WECC). He serves on several energy-related Boards, and Advisory Boards, including Protect Our Power, a not-for-profit organization whose mission is to strengthen the reliability and resilience of the U.S. electric grid.