Guardians of the Grid: Agencies Unite to Bulk Up Utility Cybersecurity
It's one thing to have a computer system at a major bank, retailer or government agency invaded by cybercriminals. At best, such hacking incidents cause minor annoyances, and at worst, they result in high-cost privacy invasions.
But what if the hackers get into the power systems that make the entire Internet possible? The cost of such an invasion is nearly incalculable. Developing a response to cybersecurity threats is a major objective of the U.S. Congress, but legislators have stumbled on determining the proper role of government and that of the private sector for protecting "critical infrastructure" such as the national electricity grid.
While Congress struggles with a legislative program, the White House, two federal departments and the electric power industry have jointly begun an effort to better assess cybersecurity risks. The "Electric Sector Cybersecurity Risk Management Maturity Project" is designed to utilize the insight of private industry and public sector experts to build on existing cybersecurity measures and strategies to create a more comprehensive and consistent approach to protecting the U.S. energy delivery system.
Initiative Takes Broad Approach
"Establishing a comprehensive cybersecurity approach will give utility companies and grid operators another important tool to improve the grid's ability to respond to cyber security risks," said Department of Energy Secretary Steven Chu.
This initiative, which will build on existing cybersecurity efforts by the Obama Administration and the private sector, will focus on establishing a "maturity model" that allows utility companies and grid operators to measure not only their current cyber defenses, but also their vulnerabilities. Such models generally embrace a graduated approach -- usually through five steps -- for moving from minimal capabilities to complete optimization of a management process. Maturity models, which rely on best practices to identify an organization's strengths and weaknesses, are widely used by other sectors, notably in software engineering, to improve performance, efficiency and quality.
"This effort will be focused on performance-based strategies and concrete steps to measure the progress of cybersecurity protection in the electric sector," said White House Cyber Security Coordinator Howard Schmidt. "It is important to understand the sector's strengths and remaining gaps across the grid to inform investment planning and research and development and enhance our public-private partnership efforts," he said.
The focus in the maturity model on analyzing grid vulnerabilities tracks with a December 2011 report from the Massachusetts Institute of Technology (MIT) on the future of the U.S. electrical grid. "From a cybersecurity perspective, interfacing so many different hardware and software components introduces vulnerabilities ... especially when new and legacy hardware and software need to operate together," the report states. "The presence of so many interfaced components increases system complexity as well as the number of potential cyber vulnerabilities," MIT said.
Officials from DOE, the White House and the Department of Homeland Security (DHS) met in early January with more than two dozen senior leaders from across the electric sector. Over the next several months, DOE will host a series of workshops with the private sector to draft a maturity model that can be used throughout the electric sector. More than a dozen electric utilities and grid operators are then expected to participate in the pilot program to test the maturity model, assess its effectiveness and validate results. The maturity model is expected to be made available to the electric sector later this summer.
The cooperative nature of the venture underscored the Obama Administration's legislative approach, which emphasized the need for a public-private approach to cybersecurity.
Program Geared to Include Private Sector
"We are encouraged by the efforts that the White House, DOE and DHS are putting into this initiative. We believe that this will be a very cooperative volunteer effort where utilities from the private sector and various government agencies will be working together for the better good," said EnergySec in a statement provided to CRM Buyer by Stacy Bresler, vice president of outreach and operations. EnergySec, formally known as the "Energy Sector Security Consortium," is a private forum engaged with industry and government to promote cybersecurity.
"EnergySec sees this as a move in the right direction -- an effort that has a lot of promise to help promote an enhanced security posture in the electric sector," the organization said.
The joint approach also recognizes that the power sector security has already put significant efforts into grid security.
"We were invited to participate in discussions with DOE and other federal agencies and industry representatives concerning the maturity model initiative. While many of the details are still being worked on by DOE, we look forward to working with them on this public private partnership, recognizing they compliment NERC's existing cybersecurity efforts on mandatory standards and information sharing," Gerry Cauley, president and CEO of the North American Electric Reliability Council, (NERC) told CRM Buyer.
Within government, the DOE risk management maturity model program expands upon the department's ongoing cybersecurity effort and complements the "Smart Grid" cybersecurity standards initiative at the National Institute of Standards and Technology (NIST).