Smart grid cybersecurity is back in the news. It started last week, when Congressmen Henry Waxman and Edward Markey accused a group of U.S. utilities of failing to take every available measure to protect their critical infrastructure against cyberthreats, including the sophisticated industrial control system worm known as Stuxnet.

Utility trade groups fired back that they’re complying with all mandatory safety and security requirements, and that they already deal with “daily,” “constant” and “malicious” attempts by unknown parties to access their IT systems. Cybersecurity experts then weighed in, noting that many utilities were in fact barred by data security rules from sharing the information the Congressmen had requested -- at least via open email. 

So that’s the political firestorm of the month. In the meantime, the hard, slow and expensive work of securing the grid goes on, whether in Washington, D.C. in terms of interstate transmission, energy markets and national security concerns, or in the chambers of the state regulatory agencies that manage most of the nitty-gritty distribution of electricity to the homes, businesses and institutions that consume it.

California is a bellwether state for this kind of thing, putting the California Public Utilities Commission in the position of potentially setting trends across the country on smart grid cybersecurity. Chris Villarreal, a senior policy analyst with CPUC, laid out some of the work the state agency has done so far on the smart grid cybersecurity front in a smart grid webinar this week.

While Villarreal noted that he speaks for himself, not for the commission, he’s certainly got a close view of how the state is managing the intersection of technology, regulations and economic factors that go into securing the grid from cyberattack. Here are some top takeaways.

1) There is no 100-percent guarantee of security -- but ensuring the security of the utility grid is on par with safety and reliability concerns. “Despite what you may have heard last week from certain members of Congress, we are working on implementing standards and best practices on cybersecurity,” Villarreal said. But that doesn’t mean that the CPUC, or the utilities it regulates, expects to achieve a perfect protection record, he said.

Instead, the CPUC is generally guided by the principle of “ensuring that the utility operates in a safe, reliable, and secure manner at a reasonable cost,” he said. Safety and reliability are, of course, the top objectives for every utility, and there are complex rules in place to measure success and failure on those measures. It makes sense to prioritize cybersecurity -- along with physical security, workforce training, change management and all the other best practices that help secure a modern enterprise from digital threats -- on the same basis.

2) The metrics for measuring cybersecurity aren’t here yet. It’s easy to cite big, round numbers to play up the cyberthreat, as the Waxman-Markey report does when it notes that one large utility reported being the target of roughly 10,000 attempted cyberattacks per month. But it’s much harder for utilities to value the benefit of spending on cybersecurity in the multi-year rate cases they make to commissions like the CPUC, Villarreal noted. Part of the problem is that a raw count of blocked probes mostly tallies automated scanning; it says nothing about the attempts that succeeded, or about what a given investment actually prevented.

“How do we know the amount of money being spent on cybersecurity is effective? How do we know how much is enough?” he said. Beyond that, each utility application has a different level of exposure to risk, and consequences of a failure to prevent a breach, he said. Grid substations are a much different target than utility customer databases, for example. And, of course, there’s the challenge of measuring the value of preventing something bad from happening, he said.

3) Jurisdictional and regulatory complications abound. Much of the activity in the critical infrastructure protection (CIP) realm comes out of the federal government, with agencies like the Department of Homeland Security, the Department of Energy, the National Institute of Standards and Technology and the Federal Energy Regulatory Commission playing roles.

“The transmission grid is far smarter than the distribution grid” today, which means that federal mandates like the NERC CIP standards (which cover the bulk electric system, not local distribution) have had to tackle cybersecurity issues earlier, he said. “However, as we start thinking about distributed generation, and demand response, and various policies being pushed down, the distribution grid needs to be made smart to handle all these new investments,” he said.

To get there, CPUC has “recognized that explicit safety and security risk assessment that includes cybersecurity should become the cornerstone of how the CPUC approaches reliability and safety, particularly through the General Rate Case (GRC) process,” and could consider making cybersecurity assessment part of that purview, according to a Sept. 2012 CPUC report. The CPUC has also established privacy rules for customer data and has required utilities to report on cybersecurity activities in their Smart Grid Deployment Plans.

4) Compliance is a floor, not a ceiling -- a risk-based approach is what’s needed. Last week’s Waxman-Markey report got a lot of dings from utility observers for its focus on voluntary, versus mandatory, security measures. For example, while the report found that only 21 percent of investor-owned utilities, 44 percent of municipal or cooperative utilities, and 62.5 percent of federal entities reported compliance with voluntary recommendations to protect against advanced cyberworms like Stuxnet, almost all of them said they were meeting the mandatory standards now in place.

Putting that issue aside, however, compliance should be just the start of a utility’s cybersecurity efforts, Villarreal said. While the CPUC is proposing various tests and audits to measure utility security and data privacy, it’s also looking for ways to allow utilities “more flexible means to respond” to new threats as they emerge, he noted.

To get there, utilities and regulators should explore a risk-management-based approach, he said, to maximize responsiveness to changing threats, design resiliency into the system, and plan ahead for changes in threats and countermeasures to come.