The United States needs an overarching national authority to oversee cybersecurity efforts connected to the national power grid, an MIT study suggests.
The Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) have authority over developing cybersecurity standards for the bulk power system and ensuring compliance with those standards. However, the report stated that there’s no national regulatory oversight of cybersecurity standards for the distribution system, meaning the grid.
“We would welcome a single authority,” Patrick Miller, president and CEO of the National Electric Sector Cybersecurity Organization (NESCO), told TechNewsWorld.
“We’ve seen a lot of confusion around who would have authority in the event of a cyber attack [on the power grid],” Miller added.
NESCO is a public-private partnership in the electric sector, partly funded by the U.S. Department of Energy, that pulls together efforts to enhance the cybersecurity of the U.S. national electric infrastructure.
“There is a need for oversight,” said security expert Randy Abrams.
“The main reason is that short-sighted managers trying to save a buck and undercut competitors will first look at cutting security budgets if there isn’t a really big stick threatening them if they don’t conform,” Abrams told TechNewsWorld.
Some Threats to the Power Grid
Over the next 20 years, the amount of data flowing through communications networks for the power grid will grow far more than the amount of electricity flowing through the grid will, the MIT report’s section on cybersecurity pointed out.
The expansion of existing communications flows and the introduction of new ones will pose significant security threats.
Millions of new electronic devices ranging from smart meters to synchrophasors will be added to the grid’s communications networks, and that will introduce new vulnerabilities that could result in problems such as loss of control over grid devices, loss of communications between grid entities and control centers, or even blackouts, the report stated.
Rumble in the Power Grid Cybersecurity Jungle
Various organizations are working on creating cybersecurity standards for the power grid, but each of them is looking at a different part of the picture and, in essence, everything’s a mishmash.
For example, the U.S. Government Accountability Office issued a report this year criticizing electric grid guidelines developed by the National Institute of Standards and Technology (NIST) for their lack of information on combined cyber-physical attacks and the absence of a final schedule for updating the guidelines, the MIT report states.
Further, the Federal Communications Commission (FCC) identified the potential for conflicts between NERC’s existing Critical Infrastructure Protection (CIP) requirements and other standards.
“There’s so much confusion because of the various parties that have their hands in the mix, that the utilities themselves are left in a wait-and-see mode,” NESCO’s Miller remarked.
“They have to see who’s going to have their path going forward, not just from a response perspective, but from the regulatory perspective as well,” Miller added.
OK, but What About Control Systems?
The MIT report “has very little dealing with actual control system cybersecurity,” Joseph Weiss, managing partner of Applied Control Solutions, told TechNewsWorld.
“This is being done by many people from the IT world coming into the smart grid, so their focus is on IT and traditional IT vulnerabilities,” Weiss said. “Control systems are different, and this paper really doesn’t address them.”
However, control system security is included as part of the overall umbrella of cybersecurity in general, NESCO’s Miller argued.
“You can’t just look at the IT side and leave the process control side alone,” Miller said. “My staff and I all have process control experience, and have all worked for utilities.”
The biggest threat to control systems in the future will be cyber in nature, IT security expert Abrams stated.