How can the U.S. strengthen the defense and resilience of critical water and electric infrastructure against cyber and physical attacks? Security editors recently spoke with Dr. Paul Stockton, former Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs
Could one cyberattack bring down the electric grid, or would it have to involve many?
It is exceedingly unlikely that a single cyberattack could bring down or disable the entire electric power grid. Much greater risk lies in smaller scale attacks on particular utilities.
Why is the grid so vulnerable to a cyberattack?
Electric utilities across the Unites States are strengthening their current resilience against cyber-attacks. However, over the longer term, a growing number of adversaries will be able to acquire increasingly sophisticated cyber weapons to attack the grid. The electric utility industry and its partners in local, state, and federal government need to continue to sustain and even accelerate the pace of improvement to grid security.
It's been said that cyberattacks are often treated as a problem of technology. Why not improve the technology and existing infrastructure?
Cyber threats come both from technology and people. The Department of Energy Model emphasizes the need for technological defenses against cyber threats. The model also makes important recommendations on how utilities can help train their work forces to make them less vulnerable to spearfishing and other cyber-attacks. In particular, the model recommends that utilities “establish and maintain plans, procedures, technologies, and controls to create a culture of cybersecurity and to ensure the ongoing suitability and competence of personnel, commensurate with the risk to critical infrastructure and organizational objectives.”
What is to be done about attacks from within the grid operations (by untrained or disgruntled employees, for example)?
Electric utilities need to continue to strengthen personal security programs to address the risk that adversaries will not only attack cyber networks, but also from within those companies. The DoD's Independent Review of the Washington Navy Yard Shooting, which I co-authored in 2013, contains a number of recommendations for improved defenses against insider threats that pertain to both government agencies and the owners and operator of critical infrastructure. Especially important, utilities need to establish mechanisms to provide for the continuous evaluation of their employs and not merely rely on initial screenings.
What about solar power instead? For example, Southern California Edison filed a plan with the California Public Utilities Commission that proposes new ways to manage its grid with solar energy storage equipment such as batteries and electric cars at home and business. Would that solve the problem with regards to cyber?
Shifting to greater reliance on solar and other renewable sources of energy does not eliminate the risks of cyber-attacks on the power grid. Many of the electronic control systems needed to integrate renewable power sources into the grid may have special cyber vulnerabilities to attack. As the United States shifts to greater reliance on renewable energy resources, utilities need to ensure that our cyber defense ramps up accordingly.
Do you see much information sharing in this area, i.e. utilities sharing data about attacks that were mitigate or were successful?
Rapid improvements are underway in information sharing mechanisms. The Electricity Information Sharing and Analysis Center (E-ISAC) provides rapidly improving capability for industry sharing, as well as the provision of information from government sources. You will find in the link below: “E-ISAC shares threat alerts, warnings, advisories, notices, and vulnerability assessments with the industry.” A variety of other information sharing mechanisms, including state information fusion centers, can also contribute to the development of improved information sharing capabilities. These initiatives need to be accelerated to keep pace with the rapidly intensifying threat.