Cyber Security of Energy Systems:  Institutional Challenges

Introduction

To promote energy security, efficiency, and sustainability, many national and local governments continue to advance adoption of smart technologies for energy systems.  These smart systems rely more heavily on interconnected IT networks than traditional energy systems.  This reliance poses new challenges from increased risk of natural and human-induced disruptions, as well as wider-ranging and more severe impacts of such disruptions.

These expanded technological vulnerabilities highlight the importance of cyber security for resilience of these smart energy systems.  The December 2015 “BlackEnergy” malware attack on Ukraine’s power grid demonstrates these vulnerabilities and the need to address them.  The attack destroyed computers and control systems, causing blackouts for hundreds of thousands of people.

Addressing Challenges to Cyber Security of Energy Systems

Recognizing these challenges and risks to energy system resilience, governing bodies at all levels—local to international—have made efforts to catalog and address them.  The United States is considered a global leader on these efforts.  The U.S. General Accountability Office (GAO) has identified protection of the electricity grid as a government-wide high-risk sector since 2003.[1]  Since 2004, the Department of Energy (DOE) has been working with asset owners, operators, government agencies, and other stakeholders to develop roadmaps to address cyber security threats.  Examples include building a Supervisory Control and Data Acquisition (SCADA) Test Bed to help identify vulnerabilities, developing the Cybersecurity for Energy Delivery Systems program, and providing funding for projects through the Smart Grid Demonstration program (SGDP).[2]  In 2008, the Federal Energy Regulatory Commission (FERC) approved critical infrastructure protection standards developed by the North American Electric Reliability Corporation (NERC).[3]  The same year, a Congressional commission provided Congressional testimony and a report formally assessing the threat of an electromagnetic pulse (EMP) attack on the nation’s electricity grid.[4]  DOE also leads an interagency team to develop smart grid cyber security requirements, which produced cyber security guidelines published by the National Institute of Science and Technology (NIST) in 2010.  In 2011, DOE released the Roadmap to Achieve Energy Delivery Systems Cybersecurity, a 10-year plan engaging government, industry, and academia.[5]  The same year, an SGDP project managed by the National Rural Electric Cooperative Association (NRECA) released guides for utilities to utilize in developing cyber security plans.[6]  The guidelines developed by both the interagency team and NRECA were updated in 2014.  NIST also developed a cyber security framework for critical infrastructure, and the Department of Homeland Security (DHS) and DOE are working with the electricity industry to implement it.

And yet, despite this awareness of the risks of cyber attacks on energy systems and efforts to address them, effective protection against them remains elusive, even in the United States.  A recent CNN article quotes a U.S. government official as stating that safeguards for U.S. systems are no better than those protecting the breached systems in Ukraine.[7]

Before the watershed event in Ukraine, numerous pieces of legislation emerged and died in both the House and Senate for more than a decade.  In 2011, reports by the GAO and the International Energy Agency (IEA) both identified six major ongoing challenges impeding resolution of power grid vulnerabilities on national and global scales:

• Inadequate information provided to consumers about the benefits, costs and risks associated with smart grid systems.
• Inconsistent implementation of sufficient security features built into smart grid systems.
• Lack of an effective mechanism for the electricity industry to share information on cyber security.
• Absence of electricity industry metrics for evaluating cyber security.
• An electricity system regulatory environment that could inhibit cyber security of smart grid systems.
• Utilities’ focus on regulatory compliance instead of comprehensive security.[8]

The GAO report also identified a related problem: an uncoordinated approach to monitoring of industry compliance with voluntary standards.  Testimony by the GAO before the Senate Committee on Energy and Natural Resources in 2012 reiterated these challenges.[9]  A CRS report from the same year identified similar problems, including utilities’ right to self-identify critical assets subject to standards for infrastructure protection, ambiguous federal leadership on cyber security, and standards driven by the minimum needed to achieve compliance.[10]

The Role of Institutional Relationships

All of these challenges reflect underlying problems in the institutional relationships that govern and operate our electricity grid.  These problems in relationships between policymakers, regulators, utility companies and consumers comprise four broad categories:

• Unclear leadership on and responsibility for cyber security of energy systems;
• Divergent views on cyber security protection and priorities;
• Discrepancies in risk perceptions;
• Poor communication and transparency of data and policies; and
• Tension over liability.

Understanding these problems will enable more effective cyber security solutions to address vulnerabilities of traditional and smart grids.  While numerous studies examine the technological requirements for cyber security of traditional and smart energy systems, none analyze these crucial institutional factors.

In the United States, overlapping responsibilities for oversight of cyber security measures to protect the power grid frame the other challenges.  At the federal level, regulatory and policy jurisdiction is split across the Department of Homeland Security (DHS), the Federal Emergency Management Agency (FEMA), the Federal Energy Regulatory Commission (FERC), the Department of Energy (DOE), and NIST.  This allocation of responsibility requires close cooperation, communication, and alignment of risk perceptions.  State regulators’ roles add to this oversight complexity.  The 2011 CRS report noted overlapping claims of power grid cyber security leadership across DHS, DOE and FERC.[11]  In testimony at a 2015 hearing before the House Subcommittees on Energy and Research and Technology, the GAO mentioned FERC’s lack of coordination with other regulators on monitoring of industry compliance with voluntary standards.  The GAO’s 2015 testimony also reiterated the continued need for clear delineation of responsibility for cyber security of energy systems, noting that the introduction of smart grid in energy systems further complicates federal versus state jurisdiction.[12]  Unclear responsibility and leadership for cyber security of energy systems can contribute to delays in introduction and implementation of cyber security initiatives, as well as delays in responses to cyber attacks.

The operational structure also complicates implementation of cyber security measures for the power grid.  In the United States, electricity providers operating in different regions include publicly owned utilities, investor-owned utilities, cooperatives, federal power agencies and power marketers.  These complex policy, regulatory and industry structures have contributed to unclear delineation of responsibility and leadership, divergent risk perceptions, lack of transparency, and liability concerns.  Industry organizations such as the Edison Electric Institute (EEI) have asserted a need to limit federal authority over cyber security of electricity assets, while highlighting the need for coordination on cyber protection of the electricity sector and interrelated sectors such as telecommunications, water and transportation.[13]

Effective protection against cyber attacks on the electricity sector requires consistency in priorities and risk perceptions across these government agencies, electricity providers and consumers.  These groups’ continued disagreement on the likelihood and severity of potential cyber attacks inhibits development and implementation of cyber security measures.  Historically, DHS has focused on risks associated with natural disasters, rather than cyber attacks.  FERC asserts that cyber attacks pose a real threat to U.S. electricity infrastructure.  FEMA has struggled to overcome internal disagreement over the potential for and consequences of a cyber attack on the U.S. power grid.  Broadly, the utilities operating power plants have asserted that adequate cyber security measures are in place.  In contrast, U.S. consumers tend to distrust unfamiliar and complex technologies, and books such as Ted Koppel’s Lights Out have informed and heightened public perceptions of the risks associated with cyber attacks on energy systems.[14]  Transparency of information and the policy process serves as an important factor that can foster coordination of risk perceptions across these groups.

And yet, several of the problems identified by the GAO and the IEA reflect transparency problems between the government, the utilities and the public.  For instance, failure to provide sufficient smart grid cost, benefit and risk information to consumers represents a lack of transparency that limits public understanding of cyber hazards of smart grid systems, perpetuates divergent risk perceptions, and limits governmental and private sector efforts to engage the public in cyber security measures.  The electricity industry’s lack of an effective mechanism for sharing cyber security information represents another transparency failure that compounds these effects.  At the same time, the public and Congress have demanded greater transparency regarding potential threats and measures to address them.

Concerns regarding liability for cyber security problems have inhibited the electricity industry’s interest in transparency.  The utilities fear that acknowledging cyber security vulnerabilities or problems may lead to responsibility for compensation, as well as calls for stricter standards.  Industry organizations like EEI have emphasized the need for liability protection to promote greater information sharing across the government, industry, and consumers.[15]

Leadership ambiguity, divergent cyber security goals and risk perceptions, insufficient transparency, and liability concerns all have contributed to a problematic regulatory environment.  The 2011 GAO and IEA reports describe it as potentially inhibiting smart grid cyber security.  Both reports also assert that the relationship between federal and state regulators and the electric utilities has emphasized compliance with regulations rather than promoting a joint focus on comprehensive security.[16]  This depiction of problematic regulations and misdirected focus reveals tensions in the regulator-utility relationship that can improve with clarity of leadership, alignment of cyber security goals and risk perceptions, and improved transparency and liability frameworks.

Progress and Remaining Gaps

Since 2013, U.S. government agencies, Congress, and NERC have taken steps to address the issues identified by the GAO, IEA and CRS.  NERC revised cyber security standards in 2013 to reflect FERC’s 2011 guidance.[17]  A 2015 CRS report describes these revised standards as moving from a focus on compliance toward security-based goals.[18]  In 2014, Congress passed five cyber security bills signed by President Obama.  A 2016 CRS report highlights the improvements this legislation makes in codifying the respective leadership roles of NIST and DHS.[19]  The Consolidated Appropriations Act signed into law in December 2015 contains cyber security provisions that aim to promote transparency by addressing liability concerns.[20]  These provisions, contained in the Cybersecurity Information Sharing Act of 2015 (CISA), could contribute to greater information sharing that could, in turn, foster alignment of risk perceptions.[21]

Effective cyber security for the electricity system requires solutions that address the underlying institutional challenges of leadership and responsibility, transparency and liability, and alignment of priorities and risk perceptions.  If new policies do not clarify coordination between DHS, NIST, DOE, FERC, NERC, and the states, leadership challenges will remain.  CISA’s passage as part of the spending bill reflects the difficulty of passing a stand-alone policy on information sharing and liability.  Ongoing tensions over privacy concerns influence government-utility-consumer relationships and the ability to advance cyber security in the electricity sector.  Compounding this problem, existing legislation has focused on industry’s provision of information to the government, but critiques of cyber security transparency have included a lack of information to consumers.  Further, coordination and transparency challenges continue to exacerbate differences in government, utility and consumer views of cyber security and risk perceptions.  Progress on all of these areas is needed for cooperation on creation of a security culture that transcends compliance.

Need for an Inventory of International Best Practices

The United States is not alone in facing these institutional challenges to cyber security of energy systems.  Other advanced nations with similar government and industry attention on resilient energy systems, such as Japan and Germany, also are struggling with comparable issues.  A comparative study of these three countries can illuminate practices that can foster clear leadership, alignment of views and risk priorities, and transparency.  An evolving inventory of such practices would facilitate technological and regulatory cyber security measures that contribute to global development of resilient, secure smart grid systems.

[1] U.S. Government Accountability Office, GAO-11-278, High-Risk Series: An Update (Feb. 2011), available at http://www.gao.gov/assets/320/315725.pdf.

[2] “Cybersecurity,” SmartGrid.gov, accessed June 3, 2016, https://www.smartgrid.gov/recovery_act/overview/cyber_security.html; “Smart Grid Demonstration Program”, SmartGrid.gov, accessed June 3, 2016, https://www.smartgrid.gov/recovery_act/overview/smart_grid_demonstration_program.html.

[3] Mandatory Reliability Standards for Critical Infrastructure Protection, 18 C.F.R. pt. 40 (2008), available at http://www.balch.com/files/upload/FERC%20Order%20706.pdf.

[4] Report of the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack: Critical National Infrastructures (Apr. 2008), available at  http://www.empcommission.org/docs/A2473-EMP_Commission-7MB.pdf; see also Clay Wilson, Cong. Research Serv., RL 32544, High Altitude Electromagnetic Pulse (HEMP) and High Power Microwave (HPM) Devices: Threat Assessments (2008), available at http://www.mountainx.com/files/EMP_from_CRS_July_2008.pdf.

[5] For details, see Energy Sector Control Systems Working Group, Roadmap to Achieve Energy Delivery Systems Cybersecurity (Washington, D.C.: U.S. Department of Energy, 2011), available at http://energy.gov/sites/prod/files/Energy%20Delivery%20Systems%20Cybersecurity%20Roadmap_finalweb.pdf.

[6] Evgeny Lebanidze and Daniel Ramsbrock, Guide to Developing a Cyber Security and Risk Mitigation Plan – Update 1 (Dulles, VA: NREC/Cooperative Research Network, 2014), available at https://groups.cooperative.com/smartgriddemo/public/CyberSecurity/Documents/CyberSecurityGuideforanElectricCooperative-U1.pdf (revision of the original 2011 version).

[7] Evan Perez, “First on CNN: U.S. Investigators Find Proof of Cyberattack on Ukraine Power Grid,” CNN, Feb. 3, 2016, http://www.cnn.com/2016/02/03/politics/cyberattack-ukraine-power-grid/index.html.

[8] GAO-11-278, High-Risk Series; International Energy Agency, Technology Roadmap: Smart Grids (Paris: IEA, 2011), 16, available at https://www.iea.org/publications/freepublications/publication/smartgrids_roadmap.pdf.

[9] Cybersecurity Challenges in Securing the Electricity Grid, Before the S. Comm. on Energy and Natural Resources 112th Cong. (2012) (statement of Gregory Wilshusen), available at http://www.gao.gov/assets/600/592508.pdf.

[10] Richard Campbell, Cong. Research Serv., R41886, The Smart Grid and Cybersecurity – Regulatory Policy and Issues (2011), available at https://www.fas.org/sgp/crs/misc/R41886.pdf (subsequently updated in 2013).

[11] Ibid.

[12] Critical Infrastructure Protection: Cybersecurity of the Nation’s Electricity Grid Requires Continued Attention, Before the H. Subcomm. on Energy and Research and Technology, Comm. on Science, Space and Technology, 114th Cong. (2015) (statement of Gregory Wilshusen), available at http://www.gao.gov/assets/680/673245.pdf.

[13] Edison Electric Institute, Electric Sector Priorities in Cybersecurity Legislation (March 2015), available at http://www.eei.org/issuesandpolicy/cybersecurity/Documents/EEI%20Cybersecurity%20Legislative%20Priorities.pdf.

[14] See Ted Koppel, Lights Out (New York: Crown Publishers, 2015).

[15] American Public Power Association et al., letter to Majority Leader Mitch McConnell and Minority Leader Harry Reid, Aug. 3, 2015, http://www.eei.org/issuesandpolicy/testimony-filings-briefs/Documents/150803Eei-IndustrySenateCybersecurityCisa.pdf.

[16]GAO-11-278, High-Risk Series; IEA, Technology Roadmap, 16.

[17] Cyber Security Standards Transition Guidance (Revised), North American Electric Reliability Corporation (Sept. 5, 2013), available at http://www.nerc.com/pa/comp/Resources/ResourcesDL/Cyber%20Security%20Standards%20Transition%20Guidance%20(Revised).pdf.

[18] Richard Campbell, Cong. Research Serv., R43989, Cybersecurity Issues for the Bulk Power System (2015), available at https://www.fas.org/sgp/crs/misc/R43989.pdf.

[19] Rita Tehan, Cong. Research Serv., R43317, Cybersecurity: Legislation, Hearings, and Executive Branch Documents (2016), available at https://www.fas.org/sgp/crs/misc/R43317.pdf.

[20] Consolidated Appropriations Act, 2016, Pub. L. No. 114-113 (2015), available at https://www.congress.gov/bill/114th-congress/house-bill/2029/text/pl.

[21] For more information, see Tehan, Cybersecurity: Legislation.  The report describes H.R. 1560, H.R. 1731, H.R. 3490, S.754, and H.R. 3878.