Think Tank Calls for New Nonprofit to Protect Electric Grids from Cyber Attacks
Calling an attack that takes down an electric grid in the United States a near certainty, a think tank Feb. 28 recommended the establishment of an organization tasked solely with preventing and mitigating the risk involved in such a scenario.
The Bipartisan Policy Center released a report, “Cybersecurity and the North American Electric Grid: New Policy Approaches to Address an Evolving Threat,” which said an industry-led group “could substantially advance cyber security risk-management practices across the industry and, in doing so, serve as a valuable complement to existing … standards.”
Actions are needed, said retired Air Force Gen. Michael Hayden, because agents have already infiltrated computer systems that control the nation’s power grids.
The supervisory control and data acquisition (SCADA) computer programs that run power plants do not contain trade secrets or information of interest to a cyber spy, he pointed out at a Washington, D.C., panel discussion on the report. Infiltration could only be for two purposes: a recreational hacker in there just for the challenge; or some agent who wants to conduct what the military calls IPB — intelligence preparation of the battlespace.
“I’ve played offense too as director of the CIA and [National Security Agency], this is quite easy. This is a domain that favors the attacker,” said Hayden, who co-chaired the committee that wrote the report, and is now a principal at The Chertoff Group consultancy.
There has never been a cyber attack on the electric grid, although there have been blackouts and loss of power because of natural disasters, which have shown just how economically devastating an attack could be.
“Ten years ago we would have this conversation and say, ‘what if?’ Today … I think the question is, ‘When?’” said Curt Hebert, former chair of the Federal Energy Regulatory Commission, and co-chair of the committee.
Current efforts to provide for electric grid cyber security are dispersed and involve numerous federal, state, and local agencies, the report said.
“Urgent priorities include strengthening existing protections for the distribution system as well as the bulk power system; enhancing coordination at all levels; and accelerating the development of robust protocols for response and recovery in the event of a successful attack,” the report said.
The industry-led body would comprise power sector participants across North America and be modeled on the nuclear power industry’s Institute of Nuclear Power Operations (INPO).
“Based on experience with INPO, we believe such an organization could substantially advance cyber security risk-management practices across the industry and, in doing so, serve as a valuable complement to existing [North American Electric Reliability Corp.] standards,” the report said. NERC is a nonprofit that enforces reliability standards, monitors the flow of electricity, and trains and certifies personnel.
There is an Electricity Sector Information Sharing and Analysis Center, which is housed within NERC. It must have strict firewalls between the two organizations in order to protect the privacy of participants, the report said. NERC has the authority to fine the utilities for regulatory noncompliance. Operating where there is a fear of triggering non-compliance actions is not conducive to the free flow of information, the report said.
These privacy fears, along with a reluctance on the part of the government to share what it knows about cyber threats, are the two biggest impediments to creating a robust organization, the report said.
Further, Congress needs to pass legislation giving companies that share information in good faith protection against lawsuits. The government should also streamline security clearances for power sector employees.
The proposed organization would go beyond information sharing and develop cyber security performance criteria, conduct detailed evaluations of security systems and provide technical assistance when necessary, the report recommended.