We all have heard some variation on the sentiment that protecting our people, data, networks and infrastructure cannot be the responsibility solely of those with “security” in their titles.
For America’s electric companies, whose infrastructure is critical to the life and safety of our customers, communities, and country, that has meant an aggressive commitment to:
- Coordinate with key stakeholders, including vendors, interdependent sectors and government partners;
- Develop a culture of security within companies, from industry leaders to frontline workers; and,
- Prepare for current and future threats by investing wisely, prioritizing critical assets, and engineering resilience against all hazards.
This holistic approach is informed by more than a century of operating the energy grid of North America, which requires all segments of the electric power sector to work together to address shared threats and to respond collectively when incidents do occur.
Now, as threats from emboldened and increasingly sophisticated malicious actors targeting critical infrastructure continue to evolve, this framework has supported key improvements to the security posture and culture of electric companies.
Aligning Roles of Government and Industry
It is not surprising that many people assume that the government’s only role is to regulate while the industry’s role is to operate, and that coordination is untenable given this dynamic. After all, the electric power sector is among only a few industries to have mandatory cyber and physical security regulatory standards.
Fortunately, there is a much deeper partnership and a strong desire to collaborate among industry and government leaders. Both the public and private sectors recognize that neither can do it alone.
This industry-government partnership is embodied in the Electricity Subsector Coordinating Council (ESCC), which brings together chief executives from all segments of the industry with senior government officials to prepare for and respond to all hazards. The ESCC is recognized as a model for industry-government coordination and has helped to align government intelligence gathering and policymaking with the industry’s operational security efforts.
One example of the shared responsibility for protecting critical infrastructure can be seen in deterrence strategy, which has two halves: deterring adversaries by limiting the impact of their efforts (deterrence by denial) and by imposing a cost for the attack (deterrence by cost imposition). The former is largely the responsibility of energy grid operators, who must be resilient enough to minimize the impact of an attack so that adversaries choose a different target; imposing consequences, such as diplomatic sanctions, legal repercussions, or reciprocal attacks, is exclusively the purview of government.
A more specific example of the shared responsibility is captured in the Biden administration’s 100-day Action Plan for Industrial Control System Security pilot program. Due to threats to critical infrastructure early in President Biden’s term, his National Security Council made enhancing visibility into operational technology systems a top priority.
The electric power sector was proud to be the first sector chosen for this initiative and is deploying sensors on control systems for high-priority facilities that will support situational awareness, intelligence gathering and better defenses for critical systems. This will also be an opportunity for other sectors to learn from the electric sector’s experience and improve visibility into other critical industrial systems.
As we have seen with the Colonial Pipeline ransomware attack and with the supply chain compromises of SolarWinds and Kaseya, the adversary is not thinking in discrete industrial sectors. Neither should we.
In addition to supporting public-private partnerships like the ESCC, it is critical that we improve industry collaboration across industrial sectors and with vendors as well. The electric power sector is focused on improving how we assess and share vulnerability data, aligning our defense and response capabilities with interdependent sectors, and incentivizing the security of suppliers for critical systems. These are not unique to electric companies. They are issues that all sectors and government partners must address collectively.
Advancing a Culture of Security
Several decades ago, occupational safety incidents were far too prevalent among electric companies. This caused industry leaders at the time to make workplace safety a priority, resulting in a culture shift that is still strong today.
A similar challenge now exists as security threats pose a risk to operations and reputation. Again, industry leaders are focusing on changing corporate culture as one way to address this risk.
Thanks to leadership from the chief executives of all U.S. investor-owned electric companies, the Edison Electric Institute (EEI) developed a “Culture of Security” initiative that has provided tools to improve security culture for individual electric companies and a venue for sharing practices across the industry.
Companies now conduct security culture self-assessments annually. In addition to demonstrating that security is a priority for the “C-suite,” this yearly exercise provides a venue for security teams and leaders across business units to address corporate security culture and to better align their efforts.
When it comes to securing specific systems like operational technology for power delivery, much of the expertise is in the sector. To leverage this expertise, electric companies are now piloting a peer review program to have security professionals from electric companies review their peers, identify opportunities for improvement and socialize best practices.
The commitment from industry operators to participate in these programs highlights both the shared responsibility felt across the sector and the desire to learn from each other. While culture alone does not improve security posture, it is the foundation on which new efforts are built and ensures that today’s imperatives remain tomorrow’s priorities.
Preparing for, and Responding to, All Hazards
The final part of the electric sector’s philosophy on security acknowledges that you cannot protect everything all the time. We must not just protect and defend, but also prepare to respond and recover should security fail.
To that end, the industry’s commitment to mutual assistance — companies helping each other to recover following storms and other disasters by sharing crews and material — now applies to security threats. This includes the establishment of a Cyber Mutual Assistance program under the leadership of the ESCC, which enables the sharing of experts and equipment among the more than 150 companies that participate in the program. There also are mechanisms for sharing hard-to-replace equipment like high-voltage transformers and new resilience strategies that allow for operations in a degraded state. These critical programs have been expanded in recent years.
Of course, there are some systems that are too important to fail. Whether it is the Defense Critical Electric Infrastructure that supports military missions or the systemically important critical infrastructure that supports our way of life, identifying priorities allows electric companies to engineer security, redundancy and resiliency with a risk-based approach.
Given the critical role that the energy grid and electric infrastructure play in supporting national and economic security, electric companies are committed to working together and with their government partners to ensure this infrastructure is resilient and secure. These efforts are the product of leadership and effort at all levels of government and the electric power sector and are informed by more than a century of coordinated operations among a variety of stakeholders.