Study on Electric Grid Resiliency Finds Urgent Need for Cybersecurity Investments

critical infrastructure 2 responsive default

February 12, 2019

Cost recovery for electric sector cybersecurity investments and development of resilience metrics to gauge the industry's progress are two of several recommendations by Vermont Law School researchers and a six-month study of electric grid security.

The study, conducted for Protect Our Power by the law school's Institute for Energy and the Environment (IEE), recommends that state utility commissions exercise their authority to increase the flow of confidential information regarding vulnerabilities and best practices. It also identifies the diversity of regulatory approaches to cybersecurity regulation by utility commissions across the country as a concern that warrants attention and improvement.

"Addressing anticipatory threats such as cyberattacks is a challenge that we are not fully meeting," said Mark James, assistant professor of energy law and a senior research fellow, who led the institute's research team. "As interconnections between and within distribution systems increase, the vulnerability of the electric grid also increases. Continuous communication between utilities and their regulatory commissions is the first step to improving the depth, quality and consistency of efforts to address cybersecurity vulnerabilities."

Richard Mroz, former president of the New Jersey Board of Public Utilities and the former chairman of NARUC's Critical Infrastructure Committee, said the study offers valuable insights into a complex problem that is rife with confusion and cost challenges.

"As a former state regulator, I know how difficult it can be to balance the needs for new investments to protect critical infrastructure against the potential cost to ratepayers," said Mroz, who serves as Protect Our Power's senior advisor for state and government relations. "That challenge is made even more difficult because protecting against cyberattacks is a new necessity, and the utility industry and regulators don't necessarily have the legal tools required to evaluate and support such investments."

Mroz said he believes this new research will help regulators evaluate whether they need new or additional polices to support investments to protect against an ever-growing variety of cyberattacks on the electric grid.

Protect Our Power, a national not-for-profit organization formed to advocate for greater electric grid security, commissioned the study in June 2018. The goal is to help identify a pathway, or model approach, for state electric utility commissions and the utilities they regulate to use in facilitating timely grid upgrades, including identifying an appropriate financial structure for equitably sharing the costs of such upgrades.

The IEE team conducted its research by: reviewing utility commission dockets and orders; analyzing state statutes and regulations; evaluating cybersecurity policies; and, interviewing representatives of investor-owned utilities, national trade organizations, public utility commissions, information security officers and others.

The study comes follows the recent Worldwide Threat Assessment of the U.S. Intelligence Community, in which National Director of Intelligence Dan Coats warned that "Russia has the ability to execute cyberattacks in the United States that generate localized, temporary disruptive effects on critical infrastructure—such as disrupting an electrical distribution network for at least a few hours—similar to those demonstrated in Ukraine in 2015 and 2016. Moscow is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage."

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.