As CEO of the North American Electric Reliability Corporation (NERC), the organization charged with overseeing the reliability and security of the North American grid, I am deeply concerned about the shifting risk landscape facing the power industry. Conventional risks include randomized events such as extreme weather and equipment failures, while the emerging risks that could result from the intentional actions of unknown adversaries are asymmetrical and much less known. We are often left to imagine scenarios that might occur from such attacks and prepare to avoid or mitigate the consequences. In some cases, the consequences could be more severe than we have previously experienced from any past event, including Hurricane Katrina or the August 2003 Northeast Blackout. I am most concerned about coordinated physical and cyber attacks intended to disable elements of the power grid or deny electricity to specific customer facilities. These could include attacks to deny electricity service to government or business centers, military installations, or other critical infrastructures such as water, transportation, telecommunications and fuel supplies.
At the same time that we consider these new threats, it is incumbent upon policy-makers and industry to ensure we can continue to maintain affordability of the electricity supply that is the lifeblood of our economy in a competitive global market. Security at any cost is not a reasonable strategy nor is it in the best interest of the electricity customers who ultimately bear the cost of our North American electricity infrastructure. It is important to maintain a practical balance between addressing known, high-priority risks that can cause electrical outages on a regular basis and those that may seem to perhaps be more severe but rarely, if ever, happen.
NERC has established mandatory standards to address the cyber security of critical cyber assets associated with the power grid in North America. Even in a heavily regulated power industry, however, it is difficult to address the rapidly evolving risks associated with physical and cyber security exclusively with a command-and-control or rule-based model that relies mainly on mandatory standards, regulations, and directives.
The most effective approach against such adversaries is to apply resilience principles, as outlined in a National Infrastructure Advisory Council (NIAC) report on the electricity and nuclear sectors delivered to the White House in October 2010. I was fortunate to serve on that working group along with a number of industry CEOs. Resilience requires proactive readiness for whatever may come our way. It includes robustness; the ability to minimize consequences in real-time; the ability to restore essential services; and the ability to adapt and learn.
Examples of the NIAC team’s recommendations include: 1) a national response plan that clarifies the roles and responsibilities between industry and government; 2) improved sharing of actionable information by government regarding threats and vulnerabilities; 3) cost recovery for security investments driven by national policy; and 4) a strategy on spare equipment with long lead times, such as electric power transformers.
Resilience, however, should not simply be viewed as a conceptual model to be applied across the industry as a whole. The principles of resilience must be adopted and internalized within each organization that owns, operates, or uses critical infrastructure facilities. In the power industry, resilience begins with accepting a few facts. It has been widely reported in the public media that there are state-sponsored groups with the capability to penetrate critical infrastructure cyber assets in North America. Those suggestions should be accepted as fact. Over time, the capabilities of these groups have become much more sophisticated and over time these capabilities will spread to less organized and disciplined groups, including less organized terrorist or criminal groups.
Second, it should be recognized that even though the impacts of cyber attacks may not be immediately apparent, the attacks and subtle intrusions are happening. The current adversaries engaged in these activities against the North American infrastructure appear to be very patient and are willing to invest significant resources in exploring vulnerabilities and opportunities. They may or may not have specific intentions of ever using their capabilities, but they are certainly willing to invest significant resources developing them over an extended period of time. Their capabilities are sophisticated and potent.
Third, the objectives of these adversaries are unlikely to be obvious. An effective risk assessment should not be limited to evaluating vulnerabilities of the grid or corporate business systems as end targets by themselves, but should also consider the possibility of objectives to deny electricity service to critical customers such as those previously mentioned.
With these assumptions, grid owners, operators and users should advance their thinking beyond a typical cyber risk assessment that might be focused on their own company’s business continuity or theft prevention. The risk strategy must recognize the evolving, long-term objectives of potential adversaries, objectives that likely include outcomes beyond disruption or damage to the grid itself. Asset owners, operators and users must recognize the constancy of this threat. Our objective is more complex than trying to keep the adversary out of critical systems – the objective is to prevail in a long-term, persistent struggle against adversaries with unknown but potentially significant targets beyond the grid itself.
The power industry has had substantial success in achieving resilience in a more traditional context – being prepared for and responding to emergencies such as hurricanes, tornados, ice and wind storms, earthquakes and large power failures. The power system is typically designed with sufficient redundancy to manage planned and unplanned equipment outages.
NERC’s goal in the security arena is to ensure this proven capability of resilience is extended and transferred to address emerging threats from cyber and physical security. NERC envisions a robust, resilient electricity infrastructure in which continuity of business and services are maintained through secure and reliable information sharing, effective risk management programs, coordinated response capabilities and trusted relationships between industry and government.
NERC prepared a Critical Infrastructure Strategic Roadmap to provide a framework to identify those risks that have the potential to seriously disrupt the supply of electricity to customers, and to promote actions necessary to enhance reliability and resilience. Particular attention is given to low-frequency, severe-impact risks with the potential to affect large portions of the grid, or disrupt service for an extended period of time. The roadmap builds on builds on the industry’s experience with traditional risks and adopts an integrated, defense-in-depth approach. NERC’s roadmap adopts six goals:
Information Sharing and Communication
Goal 1: Enhance situational awareness within the electricity sub-sector and with government through robust, timely, reliable and secure information exchange.
Physical and Cyber Security
Goal 2: Use sound risk management principles to enhance physical and cyber measures that improve preparedness, security and resilience.
Coordination and Planning
Goal 3: Conduct comprehensive emergency, disaster, and business continuity planning. Conduct training and large-scale exercises involving electricity industry and government entities to enhance reliability and coordinated emergency response.
Goal 4: Clearly define critical infrastructure protection roles and responsibilities.
Goal 5: Enhance understanding of key interdependencies and collaborate with other critical infrastructure sectors to address them, and incorporate that knowledge in planning and operations.
Public and Regulatory Confidence
Goal 6: Strengthen public and government regulatory agency confidence in the industry’s ability to manage risk and implement effective security, reliability and recovery efforts.
To focus efforts, NERC has identified three scenarios needing to be addressed:
Scenario 1 – Physical Attack on Significant Electricity System Equipment:
A coordinated physical attack on key nodes of the bulk power system critically disables difficult to replace equipment in multiple generating stations or substations and could have a significant effect on the remainder of the system. A prolonged period of time is required to fully restore the bulk power system to normal operation.
Scenario 2 – Coordinated Cyber Attack:
A coordinated disruption disables or impairs the integrity of multiple control systems, or intruders take operating control of portions of the bulk power system such that generation or transmission equipment is damaged or mis-operated.
Scenario 3 – Geomagnetic Disturbance:
A severe geomagnetic disturbance (GMD) damages difficult-to-replace generating station and substation equipment, and causes a cascading affect on the remainder of the system. A prolonged period of time is required to fully restore the bulk power system to normal operation.
To achieve these stated goals for the scenarios above, NERC is working in partnership with industry through ten key initiatives aimed at improving resilience of the power grid:
The emerging risks present new challenges to the reliability and security of the North American power grid. These challenges are difficult but not intractable. The most effective strategy is to realize we are in a long-term struggle with unknown but sophisticated adversaries that have undetermined, but potentially severe impact targets. I believe we can and must take decisive actions through partnership between industry and government to meet these challenges.