Judging Cyberthreat Against Power Grid: Not All Cyber-Attacks on Electric Industry are Equal
Not all cyber-attacks are equal.
A report issued earlier this week from Democratic members of the House Energy and Commerce Committee, Electric Grid Vulnerability: Industry Responses Reveal Security Gaps, contends America's electric utilities are under constant attack, with some providers reporting in excess of 10,000 digital assaults a day.
But the utility industry says those attacks are not putting the electrical distribution system in jeopardy. The committee held a hearing May 21 on cyberthreats and security solutions [see Cyber-Regulation Debate Heats Up]. Among the witnesses was Duane Highley, chief executive of Arkansas Electric Cooperative Corp., representing the National Rural Electric Cooperative Association. Responding to a question from Committee Vice Chair Marsha Blackburn, R.-Tenn., Highley said:
"The majority of those attacks, while large in number, are the same attacks every business receives to their Internet portal, and those are on the public facing sides of the business. They're all stopped at the gate. The supervisory control acquisition and data acquisition systems [which control the distribution of electricity] have mandatory enforceable standards for how you interface to those. We don't have significant problems with attacks to those today."
Vulnerability to Grid Seen as Real
A cyber-attack on a website where customers pay their electric bills obviously isn't as threatening to the nation's economy as one on the system that distributes electricity.
Still, there are those who feel the grid itself remains vulnerable to attack because, like the web portals, much of the electric grid is connected to the Internet. The British technology market intelligence firm ABI Research issued a report this week estimating that worldwide spending on securing critical information infrastructure totals $2.9 billion. According to ABI Research, the restructuring of the power sector and the emergence of the smart grid have largely ignored the issue of cybersecurity. Industrial control systems have poor methods of authentication, little encryption and are often incapable of detecting intrusions, the research firm contends.
The Democratic report surfaces during the perennial debate over federal government regulation regarding cybersecurity. When it comes to imposing IT security regulations, Republicans without fail oppose them, contending they tend to be burdensome, costly and not as effective as self-regulation.
But the issue here is somewhat convoluted. The complaint of Democrats isn't that cybersecurity requirements from the regulatory body for utilities, the Federal Energy Regulatory Committee, aren't being enforced, but that voluntary standards established by an industry group, the North American Electric Reliability Corp., aren't always being followed.
As some may ask, what good are voluntary standards if they're not being employed? Of course, there's the dilemma: If the government requires industry to follow its own voluntary standards, then they become regulations. That's the slippery slope many opponents of even voluntary standards fear.
The Democratic study was an analysis of a questionnaire sent to utilities. One of its findings was that most utilities only comply with mandatory cybersecurity standards and have not implemented voluntary NERC recommendations. Here's an example cited by the report's authors:
NERC has established mandatory standards and voluntary measures to protect against the computer worm known as Stuxnet, known to have destroyed Iranian nuclear centrifuges. Of those that responded, 91 percent of investor-owned utilities, 83 percent of municipally or cooperatively owned utilities and 80 percent of federal entities that own major pieces of the bulk power system reported compliance with the Stuxnet mandatory standards. By contrast, of those that responded to a separate question regarding compliance with voluntary Stuxnet measures, only 21 percent of investor-owned utilities, 44 percent of municipally or cooperatively owned utilities, and 62.5 percent of federal entities reported compliance.
Pushing Utilities to Enlist All Measures
At the crux of this specific debate over protecting the electric grid is whether the industry itself will enforce its own standards. As one of the study's authors, Rep. Ed Markey of Massachusetts, said in releasing the study: "We need to push electric utilities to enlist all of the measures they can now."
Indeed, Markey and his colleague Henry Waxman of California conducted the study not to sway colleagues in Congress to enact new regulatory law but to push industry to adopt its own standards. In today's Congress, the minority can't get any significant legislation enacted (and in today's dysfunctional Congress even the majority can't always get what it wants). Here's how one congressional insider explains the motivation behind the report:
"If you believe that the entire industry should be regulated, all you can do is to hold people's feet to the fire, continually beat the drum about this, beat people over the head with letters, or call them to testify and ask them, 'Why aren't you doing that?' It's not some exercise of congressional superiority. This is the only way they can try to change a company's behavior in this day and age. They have to respond to us; we're Congress."
One congressional report or one committee hearing won't get industry to budge. But for Markey and Waxman, getting the electric distribution industry to strengthen its IT security standards is a quest that they'll relentlessly pursue in the coming months and years. It might be the only way they can get the industry to fortify the cybersecurity they believe the electric grid needs.