These days, everyone is hearing about how cybersecurity threats could affect the power grid. It’s time for them to hear something else, and the new message should come from the folks who make, move and manage their power: the CEOs of the U.S. electric utilities.
Targeted cyberattacks like Stuxnet, Conficker, Duqu and most recently Flame are multiplying. While the amount of risk they pose to U.S. and global critical infrastructure systems, including power grids, is widely debated, what’s not in dispute is the ability of new cyber threats to cause trouble, add cost and capture headlines.
Meanwhile, in the trenches, federal and state regulators, regional transmission operators and the electric utilities themselves are deliberating over what steps will provide the most cybersecurity protection for the taxpayer’s buck. To their credit, there have yet to be any significant outages, in North America anyway, caused by cyberattacks. But just because we haven’t endured one yet, doesn’t mean the industry is doing what is necessary to keep something serious from happening in the future.
To date, there have been a number of regulations put in place due to ongoing concerns that the utility industry wasn’t moving fast enough. The first included FERC Executive Order 706 along with the introduction of the NERC Critical Infrastructure Protection standards (CIPs) in 2008. These steps, however, have been generally deemed as insufficient by the broad policy making community. Lawmakers continue to propose new rules and regulations in an effort to address increasing concern over the security of the grid.
To explain with a sports metaphor, imagine you are the owner of an NFL team with a decent but aging quarterback and a record of consistent, solid performance over the last few years. The sports press has been abuzz with news of division opponents picking up stellar first round pass rushers, and they want to know what you’re going to do about it. So far, your answer to this new challenge has been to maintain the status quo: you just picked up a new running back and a new punter. Suffice it to say, the fans are concerned for your quarterback.
Now switch to the perspective of CEOs of large utilities. In the electric sector, unlike the NFL scenario above, there’s not much threat of competition from other teams (utilities), not in most markets anyway. Their biggest historical adversary has been Mother Nature, and they’ve crafted well-tested plans for routinely weathering tornadoes, hurricanes, floods and ice storms, while keeping outages to a minimum and delivering the anticipated returns to shareholders. So far, so good.
But now there’s a new category of competitor these days, and lately they’re doing everything possible to get the CEOs’ attention. In the cybersecurity world, the rising stars you need to defend against are the increasingly capable and organized hackers and attackers who hail from a variety of sources, including terror networks, cause-oriented hacktivists and crime gangs. They wield cyberattack tools that some may have read about or seen described on "60 Minutes" and hundreds of others that we haven’t even heard of and likely never will.
Back to the sports metaphor. If I were a fan of this utility I'd want to see tangible proof that they are aware of and are adjusting to counter these new threats. And herein lies the problem: The vast majority of U.S. utilities today have yet to adequately respond.
• Most CEOs and boards of directors haven’t prioritized understanding cybersecurity risks that could impact reliability and safety
• They haven’t appointed or empowered executive level (VP or higher) cybersecurity chiefs
• They haven’t insisted on measuring the effectiveness of their cybersecurity programs or expenditures
• They rightly observe the burden of potential new federal cybersecurity regulations
In response, IBM has released an executive brief calling for a new approach to how electric utilities staff and manage their cybersecurity missions. Along with a short list of organizational and technological security best practices, it is recommended that utility companies appoint and empower a VP or C-level security executive, reporting directly to the CEO, chief operating officer , chief financial officer or chief risk officer and open better channels of communication with the board of directors. Other critical infrastructure industries like financial services and telecommunications made this move a while ago, and now the time is right for the energy sector to join them.
According to Michael Assante, president of the National Board of Information Security Examiners of the U.S. and former chief security officer of American Electric Power: “While several organizations have moved earlier, it’s time for all utilities to treat cybersecurity risk as a strategic business element.”
This move will deliver a strong signal of awareness and resolve to all internal and external stakeholders. Raising cybersecurity to the executive level through this appointment will lay the groundwork for it to be managed more like most other critical functions, with business-oriented security metrics giving management visibility into this often opaque domain. This will help management and others, keep score and should begin to level the electric sector cybersecurity playing field.
Andy Bochman is energy security lead for IBM's Rational division, where the focus is on securing the software that runs the Smart Grid, and he is a contributor to industry and national security working groups on energy security and cyber security.