Think Tank Calls for New Nonprofit to Protect Electric Grids from Cyber Attacks

CYBERSECURITY

Think Tank Calls for New Nonprofit to Protect Electric Grids from Cyber Attacks

2/28/2014
By Stew Magnuson

Calling an attack that takes down an electric grid in the United States a near certainty, a think tank Feb. 28 recommended the establishment of an organization tasked solely with preventing and mitigating the risk involved in such a scenario.

The Bipartisan Policy Center released a report,“Cybersecurity and the North American Electric Grid: New Policy Approaches to Address an Evolving Threat,”which said an industry led group “could substantially advance cyber security risk-management practices across the industry and, in doing so, serve as a valuable complement to existing … standards.”

Actions are needed, said retired Air Force Gen. Michael Hayden, because agents have already infiltrated computer systems that control the nation’s power grids.

The supervisory control and data acquisition (SCADA) computer programs that run power plants do not contain trade secrets or information of interest to a cyber spy, he pointed out at a Washington, D.C., panel discussion discussing the report. Infiltration could only be for two purposes: a recreational hacker in there just for the challenge; or some agent who wants to conduct what the military calls, IPB — intelligence preparation of the battlespace.

“I’ve played offense too as director of the CIA and [National Security Agency], this is quite easy. This is a domain that favors the attacker,” said Hayden, who co-chaired the committee that wrote the report, and is now a principal at The Chertoff Group consultancy.
There has never been a cyber attack on the electric grid, although there have been blackouts and loss of power because of natural disasters, which have shown just how economically devastating an attack could be.
“Ten years ago we would have this conversation and say, ‘what if?’ Today … I think the question is, ‘When?’” said Curt Hebert, former chair of the Federal Energy Regulatory Commission, and co-chair of the committee.

Current efforts to provide for electric grid cyber security are dispersed and involve numerous federal, state, and local agencies, the report said.

“Urgent priorities include strengthening existing protections for the distribution system as well as the bulk power system; enhancing coordination at all levels; and accelerating the development of robust protocols for response and recovery in the event of a successful attack,” the report said.

The industry-led body would comprise power sector participants across North America and be modeled on the nuclear power industry’s Institute of Nuclear Power Operations (INPO).

“Based on experience with INPO, we believe such an organization could substantially advance cyber security risk-management practices across the industry and, in doing so, serve as a valuable complement to existing [North American Electric Reliability Corp.] standards. NERC is a nonprofit that enforces reliability standards, monitors the flow of electricity, and trains and certifies personnel.

There is an Electricity Sector Information Sharing and Analysis Center, which is housed within NERC. It must have strict firewalls between the two organizations in order to protect the privacy of participants, the report said. NERC has the authority to fine the utilities for regulatory noncompliance. Operating where there is a fear of triggering non-compliance actions is not conducive to the free flow of information, the report said.

These privacy fears, along with a reluctance on the part of the government to share what it knows about cyber threats, are the two biggest impediments to creating a robust organization, the report said.
Further, Congress needs to pass legislation to give companies that in good faith share information, protection against lawsuits. The government should also streamline security clearances for power sector employees.

The proposed organization would go beyond information sharing and develop cyber security performance criteria, conduct detailed evaluations of security systems and provide technical assistance when necessary, the report recommended.

Topics: Cyber, Cybersecurity, Homeland Security

Comments (0)

Name *

Email *

Comment *

Please enter the text displayed in the image.

Characters *

Legal Notice *

NDIA is not responsible for screening, policing, editing, or monitoring your or another user's postings and encourages all of its users to use reasonable discretion and caution in evaluating or reviewing any posting. Moreover, and except as provided below with respect to NDIA's right and ability to delete or remove a posting (or any part thereof), NDIA does not endorse, oppose, or edit any opinion or information provided by you or another user and does not make any representation with respect to, nor does it endorse the accuracy, completeness, timeliness, or reliability of any advice, opinion, statement, or other material displayed, uploaded, or distributed by you or any other user. Nevertheless, NDIA reserves the right to delete or take other action with respect to postings (or parts thereof) that NDIA believes in good faith violate this Legal Notice and/or are potentially harmful or unlawful. If you violate this Legal Notice, NDIA may, in its sole discretion, delete the unacceptable content from your posting, remove or delete the posting in its entirety, issue you a warning, and/or terminate your use of the NDIA site. Moreover, it is a policy of NDIA to take appropriate actions under the Digital Millennium Copyright Act and other applicable intellectual property laws. If you become aware of postings that violate these rules regarding acceptable behavior or content, you may contact NDIA at 703.522.1820.

I have read the legal notice.

Find an Article VIEW ALL ARTICLES