Cohesive Cybersecurity Policy Needed For Electric Grid
Securing the electric grid is one of the key components of preventing terrorist attacks in the United States and increasing the country’s resilience and recovery from such events. A secure electric grid is one that is protected from errors, contingencies or assaults on computer systems and networks.
There is no shortage of government policies for protecting critical infrastructure sectors from network vulnerabilities. What is missing is a focused comprehensive cybersecurity policy for the electricity sector.
Smart-grid technology, which may rely on computer networks to intelligently manage electricity, makes this all the more important.
But electric grid security is a topic that transcends smart-grid applications and reliability standards to issues of national security and international diplomacy. President Obama’s June 2011 “Policy Framework for the 21st Century Grid” by the National Science and Technology Council noted that ensuring that the electric grid can recover from cyber-attacks is “vital to national security and economic well-being.”
A comprehensive cybersecurity policy for the industry is essential for this sector to work with the government to create and deploy technologies necessary to increase grid security and resilience.
Current protection of the critical electric infrastructure sector is fragmented. The quasi-government North American Electric Reliability Corp. (NERC) coordinates information sharing and creates mandatory cybersecurity reliability standards. These are valuable, but cannot replace a cohesive policy. A cybersecurity strategy must include at least six components: improving information sharing; clarifying the role of industry players in responding to different types of cyber-incidents; ensuring awareness of domestic and international law implications beyond the reliability standards; implementing long-term planning; evaluating other countries’ cybersecurity systems; and providing government funding.
In the United States, private companies own and operate most critical infrastructure assets such as power lines and substations. While some may perceive defense against cyber-attacks as purely a government function, given the private ownership, a public-private partnership is necessary. Two elements of the government/electric industry partnership are the Information Sharing and Analysis Center (ISAC) and the cybersecurity reliability standards. To improve the partnership, NERC should use ISAC’s information sharing function and NERC should assist the industry with determining the scope of cybersecurity protection to be applied by the private industry.
ISAC issues advisories and reliability or security threat alerts. NERC has been the coordinator of the electricity sector since 1998. Often private companies do not have the resources or expertise to conduct extensive evaluations. NERC addresses this need by monitoring private industry information and analyzing it for suspicious activity patterns and potential threats. In turn, the government can benefit from industry expertise and the private sector’s ability to implement certain technologies more rapidly. The long established use of the ISAC as a security information clearinghouse makes it an ideal platform for cooperation.
The industry’s public-private partnership involves mandatory reliability standards created by NERC, the noncompliance of which can result in fines of up to $1 million per day. But simply complying with standards is inadequate to create an electric system resistant to and capable of rapid recovery from terrorist attacks. While the standards address perimeter access, anti-virus, security event monitoring and remote access controls, they do not address the range of appropriate responses in the continuum of cybersecurity events. Security problems range from minor employee mistakes and internal program malfunctions, to Internet viruses and worms and, in the worst-case scenario, to organized attacks by a sovereign state or a terrorist group to take down the entire grid.
Government guidance can help industry better evaluate and plan security measures. Many companies may not have the financial resources or may not be able to justify the extra expense involved in defending against low-probability but high impact events such as an organized cyber-attack. While industry cannot implement a security system on par with the U.S. military, it can explore security upgrades that complement the existing system.
The existing public-private partnership encourages the electric industry and the government to cooperate in creating guidance on the appropriate responses to different cyber-events.
Other concerns involve the legal implications outside of NERC reliability standards. Depending on whether the electric industry utilizes passive or active defenses, such actions may trigger different laws. These include domestic laws and even the international law of armed conflict. By being sensitive to these nuances, the electric industry protects itself from liability, unanticipated consequences, and improves its effectiveness in advancing the national interest of preventing and recovering from terrorist attacks.
Passive defense measures include strengthening the system via encryption and firewalls, facilitating recovery in the event of a successful attack, and educating users to behave properly during a threat. In contrast, active defense involves neutralizing a perpetrator’s ability to attack such as sending back destructive viruses.
On the domestic front, certain responses to cyber-events may be illegal. The Computer Fraud and Abuse Act (CFAA) and the Electronic Communications Protection Act prohibit victims from initiating investigations of their own. If a utility uses an active defense, then it should be aware that the CFAA forbids private companies from intentionally causing damage in excess of $5,000 without authorization. Limited relief however is available under some circumstances for actions taken in defense of property. Unfortunately, no government based institutional structure exists to provide the private sector with immediate relief if they are under a cyber-attack. Reporting to law enforcement authorities will only initiate investigations and allow for arrests later on, not permission to immediately launch an active defense to counter or neutralize a network penetration.
On the international front, cybersecurity self defense could be illegal if it rises to the level of “use of force” or “armed attack” pursuant to the United Nations Charter and customary international law. The fact that a private company may be more likely to use active defense than sovereign states means its action can be mistakenly interpreted as hostile activity by the U.S. government.
Domestic and international law implications add complexities. Utilities can create cybersecurity programs that manage the variety of events if they consider the potential liabilities and consequences of domestic and international laws. Such an understanding can do much to prevent negative diplomatic side effects. Furthermore, effective industry cybersecurity programs will advance the national interest of preventing and recovering from terrorist attacks. In the public-private partnership of cybersecurity protection, utilities can benefit greatly from government legal expertise.
The North American Electric Reliability Corp. has been actively addressing cybersecurity challenges. In 2009, it informed the electric industry that it must improve identification of critical assets because it was discovered that fewer than 63 percent of transmission owners identified at least one critical asset. This basic critical asset identification problem must be resolved before critical cyber-assets can be identified because if there are none, then the reliability standards are useless. NERC has created a variety of pilot programs that assess the power companies’ abilities to resist cyber-attacks and simulate war games.
In addition, a comprehensive policy should include long-term planning, evaluation of other sovereign state cybersecurity protection measures, and federal funding assistance. A strategic plan may include a framework where the industry will analyze certain characteristics to determine when federal government or military involvement is required. It can also include technical goals. Many computers in the electric grid network systems are not connected to the Internet for security reasons. With the implementation of the smart grid, new connections are being made, which requires new Internet security strategies.
The next task for the government is to study the computer networks and Internet systems abroad to determine which tactics may work for the electric grid or for national cybersecurity. For instance, the Chinese government uses the Great Firewall to scan for subversive material, but it can also be used to disconnect Chinese networks from the Internet. Similarly, the Chinese power grid can be disconnected from the net. It is worthwhile to evaluate how these tactics may work in the United States.
Finally, the policy should contain a funding mechanism to close the gap between basic security measures to ensure daily functions and measures for defending against cyber-attacks and warfare in the most extreme circumstances.
Zhen Zhang is an attorney specializing in energy and environmental law. She is a global energy fellow at the Institute for Energy and Environment at Vermont Law School.