The energy industry's search for new sources of power will come to nothing if its delivery systems are vulnerable to attack and disruption.
Cyberattacks are eclipsing terrorism as the primary threat facing the United States. In fact, penetrations of North America's electric grid are growing, both in number and complexity. The cost and impact of such an event could be profound because of the connectivity between information systems and essential services, such as food, water, health and communication.
For example, in 2003, the Northeast Blackout cost an estimated $6 billion and affected an estimated 50 million people. During the course of 2013, over 256 cyber incidents were reported to the Department of Homeland Security across all critical infrastructure sectors – 151 of which targeted energy infrastructure in particular.
Defending North America's sprawling and complex grid from cyberattacks is difficult, with its nearly 476,000 miles of high-voltage transmission lines and thousands of power plants and substations. The cyber threats facing the electric grid are numerous and constantly evolving. Most attacks seek to disrupt grid operations, damage infrastructure or steal information.
Threats can come from other countries, terrorist organizations, private firms, hackers or even employees of system operators, power companies and vendors.
Combating power attacks through cybersecurity technologies developed to protect business IT computer systems and networks has its own dangers, as it can inadvertently damage an energy-delivery control system. The computers and networks on our desks differ dramatically from those that control our power grid; such differences need to be taken into account when securing the control systems, or the protective measures could create an unintended power disruption. And using smart grid technologies that connect appliances or homes to the grid, such as the "internet of things", further complicates things, as these technologies create new potential pathways into utility systems for hackers.
Nevertheless, defensive measures must be taken to reduce both the opportunity and impact of attacks to the U.S. power grid. Our current policy and regulatory structure governing electric grid cybersecurity is complex with a vast number of federal, state and local agencies – along with government bodies in Canada and Mexico – involved.
If the U.S. power grid is to manage risks and recover from an attack, there needs to be effective coordination between utilities and government agencies. The sharing of information and intelligence needs to be improved. Those involved in power security need to resolve the differences between the frameworks that govern cyberattack response and traditional disaster response. We must establish a chain-of-command among federal agencies and clearly define the roles and responsibilities of different government agencies and the electric power industry itself.
For the U.S. power industry to be secure, a number of key challenges must be addressed:
First, because companies cannot capture all of the benefits from their investments, many companies may limit their investments. Doing so may jeopardize not only a single company but the whole industry.
Second, there is little guidance for individual companies on which security systems to invest in beyond the minimum mandatory standard.
Third, current compliance and enforcement programs for bulk power system cybersecurity standards fail to reward – instead they potentially penalize – utilities that go beyond minimal compliance.
Finally, investing in cybersecurity may be particularly difficult for smaller entities with limited resources, including municipal utilities and rural electric cooperatives.
Difficult decisions will need to be made to ensure we are adequately protected against these serious threats to our evolving grid. We must seize the opportunity to better prepare for a crisis now – instead of in the midst of one.
General Michael Hayden is a former director of the Central Intelligence Agency and the National Security Agency and Curt Hébert is a former chairman of the Federal Energy Regulatory Commission. They, along with Susan Tierney, former assistant secretary of energy, are co-chairs of the Bipartisan Policy Center's Electric Grid Cybersecurity Initiative.