Electric grid security in the United States: Difference between revisions
Content deleted Content added
m Removed unnecessary nowiki from URL to improve accessibility, also moved persistent IDs to proper template. (via WP:JWB) |
Merged content to Electrical grid security in the United States. See Talk:Electric grid security. Tag: New redirect |
||
| Line 1: | Line 1: | ||
#REDIRECT [[Electrical grid security in the United States]] {{R from merge}} |
|||
'''Electric grid security''' in the US refer to the activities that utilities, regulators, and other stakeholders play in securing the national electricity grid. The American electrical grid is going through one of the largest changes in its history, which is the move to smart grid technology. The smart grid allows energy customers and energy providers to more efficiently manage and generate electricity. Similar to other new technologies, the smart grid also introduces new concerns about security.<ref>{{cite journal |last1=McDaniel |first1=Patrick |last2=McLaughlin |first2=Stephen |title=Security and Privacy Challenges in the Smart Grid |journal=IEEE Security & Privacy Magazine |date=May 2009 |volume=7 |issue=3 |pages=75–77 |doi=10.1109/MSP.2009.76|s2cid=40490304 }}</ref> |
|||
Utility owners and operators (whether investor-owned, municipal, or cooperative) typically are responsible for implementing system improvements with regards to cybersecurity. Executives in the utilities industry are beginning to recognize the business impact of cybersecurity.<ref>''[https://www.energy.gov/sites/prod/files/2017/01/f34/Electric%20Grid%20Security%20and%20Resilience--Establishing%20a%20Baseline%20for%20Adversarial%20Threats.pdf Electric Grid Security and Resilience: Establishing a Baseline for Adversarial Threats]''. June 2016. ICF International. Page 2.</ref> |
|||
The electric utility industry in the U.S. leads a number of initiatives to help protect the national electric grid from threats. The industry partners with the federal government, particularly the [[National Institute of Standards and Technology]], the [[North American Electric Reliability Corporation]], and federal intelligence and law enforcement agencies.<ref>{{Cite web|url=http://www.eei.org/issuesandpolicy/cybersecurity/Pages/default.aspx|title=Cyber & Physical Security|website=www.eei.org|access-date=2018-12-27}}</ref> |
|||
Electric grids can be targets of military or terrorist activity. When American military leaders created their first air war plan against the Axis in 1941, Germany's electric grid was at the top of the target list.<ref name="Douris 2018">{{Cite news|url=https://www.forbes.com/sites/constancedouris/2018/01/16/as-cyber-threats-to-the-electric-grid-rise-utilities-regulators-seek-solutions/#59aa786a343e|title=As Cyber Threats To The Electric Grid Rise, Utilities And Regulators Seek Solutions|last=Douris|first=Constance|date=2018-01-16|work=Forbes|access-date=2018-09-17|language=en}}</ref> |
|||
== Issue overview == |
|||
The North American electrical power grid is a highly connected system. The ongoing modernization of the grid is generally referred to as the "[[smart grid]]". Reliability and efficiency are two key drivers of the development of the smart grid. Another example is the ability for the electrical system to incorporate renewable energy sources such as wind power and geothermal power. One of the key issues for electric grid security is that these ongoing improvements and modernizations have created more risk to the system. As an example, one risk specifically comes from the integration of digital communications and computer infrastructure with the existing physical infrastructure of the power grid.<ref name="IEEE Security">{{cite journal |last1=Khurana |first1=H. |last2=Hadley |first2=M. |last3=Ning Lu |author3-link=Ning Lu|last4=Frincke |first4=D. A.|author4-link= Deborah Frincke |title=Smart-grid security issues |journal=IEEE Security & Privacy Magazine |date=January 2010 |volume=8 |issue=1 |pages=81–85 |doi=10.1109/MSP.2010.49|s2cid=1218073 }}</ref> |
|||
According to the academic journal ''IEEE Security & Privacy Magazine'', "The smart grid . . . uses intelligent transmission and distribution networks to deliver electricity. This approach aims to improve the electric system's reliability, security, and efficiency through two-way communication of consumption data and dynamic optimization of electric-system operations, maintenance, and planning."<ref name="IEEE Security" /> |
|||
== Government oversight == |
|||
In the U.S., the [[Federal Energy Regulatory Commission]] (FERC) is in charge of the cybersecurity standards for the bulk power system. The system includes systems necessary for operating the interconnected grid.<ref name="Douris 2018" /> |
|||
[[Investor-owned utility|Investor-owned utilities]] operate under a different authority, state public utility commissions. This falls outside of FERC's jurisdiction.<ref name="Douris 2018" /> |
|||
The initiation of government oversight of the American Bulk Electric System (BES) occurred after two incidents led the government to investigate further the causes of the 1965 North East Blackout alongside another small blackout in 1967 at the Pennsylvania New Jersey Maryland (PJM) interconnection.<ref name=":0" /> These two incidents prompted US Congress to initiate legislation focused on increased oversight of the electric power system, ultimately leading to the Electric Power Reliability Act of 1967. In 1968, the National Electric Reliability Council (NERC) was formed after 12 regional organizations signed an agreement spanning the United States and parts of Canada.<ref name=":0" /> NERC is still around today, yet its name has changed a little, and it is now called the North American Electric Reliability Corporation (NERC). Shortly after this, in 1971, each region had its own Regional Reliability Council, which was in place to ensure collaboration and reliability of the BES, each having a member who served on the NERC board.<ref name=":0" /> The landscape changed in 1971 when 4 of the regionals combined to make one large region known as the Southeastern Electric Reliability Council (SERC), dropping the number of areas from 12 to 9. |
|||
In 1997, the first set of Operating and Planning Standards was approved by the NERC board, which started the implementation of certifications and standards to ensure the reliability of the American BES.<ref name=":0" /> While security and reliability efforts ramped up after the 9/11 terrorist attacks, it wasn’t until 2003 that a massive blackout occurred in the Eastern Interconnection, leaving 500,000 people without power. During the investigation, NERC determined that their reliability standards were not being upheld and revamped them by creating reliability standards that were now enforceable.<ref name=":0" /> The Reliability Standard was approved in December 2004 and became effective in April 2005. |
|||
The Energy Policy Act 2005 was finalized and signed into law in August 2005. Section 215 authorized the Federal Energy Reliability Commission to certify and provide oversight of one Electric Reliability Organization responsible for the mandatory enforcement of the NERC Reliability standards.<ref name=":0" /> NERC then applied to FERC for certification in April 2006 and was certified in July 2006. In 2007, NERC provided regional delegation for enforcement to eight regional entities: Florida Reliability Coordinating Council; Midwest Reliability Organization; Northeast Power Coordinating Council: Cross Border Regional Entity, Inc.; Reliability First Corporation; SERC Reliability Corporation; Southwest Power Pool, Inc.; Texas Reliability Entity, a division of ERCOT; and Western Electricity Coordinating Council.<ref name=":0" /> This led to what is now known as the NERC Critical Infrastructure Protection Standards being approved by FERC in June of 2007. As of 2024, there are six regional entities, including the Midwest Reliability Organization, Reliability First, Northeast Power Coordinating Council, Texas Reliability Entity, Western Electricity Coordinating Council, and the SERC Reliability Corporation.<ref name=":2" /> Since their creation, these regional entities have ensured the reliability and security of the American BES by enforcing the mandatory NERC CIP standards.<ref name=":2" /> Throughout the years, the standards have evolved to meet the changing threat landscape of cyber and the risks facing the operational side of the BES yet continue towards the same mission of maintaining the security and reliability of the BES.<ref name=":2" /> |
|||
== Cybersecurity == |
|||
In 2016, members of the Russian hacker organization "Grizzly Steppe" infiltrated the computer system of a Vermont utility company, [[Burlington Electric Department|Burlington Electric]], exposing the vulnerability of the nation's electric grid to attacks. The hackers did not disrupt the state's electric grid, however. Burlington Electric discovered malware code in a computer system that was not connected to the grid.<ref>{{Cite news|last1=Eilperin|first1=Juliet|last2=Entous|first2=Adam|date=2016-12-31|title=Russian operation hacked a Vermont utility, showing risk to U.S. electrical grid security, officials say|language=en-US|newspaper=[[The Washington Post]]|url=https://www.washingtonpost.com/world/national-security/russian-hackers-penetrated-us-electricity-grid-through-a-utility-in-vermont/2016/12/30/8fc90cc4-ceec-11e6-b8a2-8c2a61b0436f_story.html|access-date=2020-05-03|issn=0190-8286}}</ref> |
|||
As of 2018, two evolutions are taking place in the power economic sector. These evolutions could make it harder for utilities to defend from a cyber threat. First, hackers have become more sophisticated in their attempts to disrupt electric grids. "Attacks are more targeted, including spear phishing efforts aimed at individuals, and are shifting from corporate networks to include industrial control systems."<ref name="Walton 2018">{{Cite news|url=https://www.utilitydive.com/news/cybersecurity-and-the-distributed-grid-a-double-edged-sword/523285/|title=Cybersecurity and the distributed grid: A double-edged sword|last=Walton|first=Robert|date=2018-05-21|work=Utility Dive|access-date=2018-09-17|language=en-US}}</ref> Second, the grid is becoming more and more distributed and connected. The growing "[[Internet of things|Internet of Things]]" world could make it so that every device could be a potential vulnerability.<ref name="Walton 2018" /> |
|||
== Terrorist attack risk == |
|||
As of 2006, over 200,000 miles of transmission lines that are 230 kV or higher existed in the United States. The main problem is that it is impossible to secure the whole system from terrorist attacks. The scenario of such a terrorist attack, however, would be minimal because it would only disrupt a small portion of the overall grid. For example, an attack that destroys a regional transmission tower would only have a temporary impact. The modern-day electric grid system is capable of restoring equipment that is damaged by natural disasters such as tornadoes, hurricanes, ice storms, and earthquakes in a generally short period of time. This is due to the resiliency of the national grid to such events. "It would be difficult for even a well-organized large group of terrorists to cause the physical damage of a small- to moderate-scale tornado."<ref>{{cite journal |last1=Schainker |first1=R. |last2=Douglas |first2=J. |last3=Kropp |first3=T. |title=Electric utility responses to grid security issues |journal=IEEE Power and Energy Magazine |date=March 2006 |volume=4 |issue=2 |pages=30–37 |doi=10.1109/MPAE.2006.1597993|s2cid=5779202 }}</ref> |
|||
== Potential solutions == |
|||
Today the utility industry is advancing cybersecurity with a series of initiatives. They are partnering with federal agencies. The goal is to improve sector-wide resilience to both physical and cyber threats. The industry is also working with [[National Institute of Standards and Technology]], the [[North American Electric Reliability Corporation]], and federal intelligence and law enforcement agencies.<ref>{{Cite web|url=http://www.eei.org/issuesandpolicy/cybersecurity/Pages/default.aspx|title=Cyber & Physical Security|website=Edison Electric Institute|language=en-us|access-date=2018-09-18}}</ref> |
|||
In 2017, electric companies spent $57.2 billion on grid security.<ref>[http://www.eei.org/issuesandpolicy/cybersecurity/Documents/Protecting_the_Energy_Grid.pdf]{{Registration required|date=May 2020}}</ref> |
|||
In September 2018, Brien Sheahan, chairman and CEO of the [[Illinois Commerce Commission]] and a member of the [[United States Department of Energy|U.S. Department of Energy]] (DOE) Nuclear Energy Advisory Committee, and [[Robert Powelson]], a former [[Federal Energy Regulatory Commission]] (FERC) commissioner, wrote in a published piece in ''Utility Dive'' that cyberthreats to the national power system require stronger national standards and more collaboration between levels of government. Recent to their article, the [[United States Department of Homeland Security|U.S. Department of Homeland Security]] confirmed that Russian [[hacker]]s targeted the control room's of American [[Public utility|public utilities]]. The electric distribution system has become more and more networked together and interconnected. Critical public services depend on the system: water delivery, financial institutions, hospitals, and public safety. To prevent disruption to the network, Sheahan and Powelson recommended national standards and collaboration between federal and state energy regulators.<ref>{{Cite news|url=https://www.utilitydive.com/news/cyber-threat-requires-strengthened-standards-for-distribution-utilities-co/531474/|title=Cyberthreats require strengthened standards, increased government collaboration|last1=Sheahan|first1=Brien J.|date=2018-09-04|work=Utility Dive|access-date=2018-09-13|last2=Powelson|first2=Robert F.|language=en-US}}</ref> |
|||
Some utility companies have cybersecurity-specific practices or teams. [[Baltimore Gas and Electric]] conducts regular drills with its employees. It also shares cyber-threat related information with industry and government partners. [[Duke Energy]] put together a corporate incident response team that is devoted to cybersecurity 24 hours a day. The unit works closely with government emergency management and law enforcement.<ref name="Douris 2018" /> |
|||
Some states have cybersecurity procedures and practices:<ref name="Douris 2018" /> |
|||
* New Jersey: Utilities are required to put together comprehensive cybersecurity plans. |
|||
* Pennsylvania: Utilities must keep physical and cybersecurity, emergency response and business continuity plans. They also have to report severe cyberattacks. |
|||
* Texas: The state's public utility commission conducts annual security audits. |
|||
In December 2018, U.S. Senators [[Cory Gardner]] and [[Michael Bennet]] introduced legislation intended to improve grid security nation-wide. The bills would create a $90 million fund that would be distributed to states to develop energy security plans. The legislation would also require the U.S. Energy Department to identify any vulnerabilities to cyberattacks in the nation's electrical power grid.<ref>{{Cite web|url=https://the-journal.com/articles/119329|title=Senators' bills aim to protect power grid from cyberattacks|date=December 3, 2018|website=The Journal|language=en|access-date=2018-12-27|archive-url=https://web.archive.org/web/20181228035515/https://the-journal.com/articles/119329|archive-date=2018-12-28|url-status=dead}}</ref> |
|||
In March 2019, [[Donald Trump]] issued an executive order that directed federal agencies to prepare for attacks involving an [[electromagnetic pulse]].<ref>{{Cite news|title=Trump issued an executive order to prepare for an EMP attack. What is it, and should you worry?|url=https://www.washingtonpost.com/politics/2019/03/29/trump-issued-an-executive-order-prepare-an-emp-attack-what-is-it-should-you-worry/|last1=Blair|first1=Christopher W.|last2=Mahoney|first2=Casey|date=March 29, 2019|newspaper=[[The Washington Post]]|language=en|archive-url=|archive-date=|access-date=2020-05-03|last3=Pindyck|first3=Shira E.|last4=Schwartz|first4=Joshua A.}}</ref> In May 2020, he issued an executive order that bans the use of grid equipment manufactured by a foreign adversary.<ref>{{Cite news|last=Miller|first=Maggie|date=May 1, 2020|title=Trump issues executive order to protect power grid from attack|work=[[The Hill (newspaper)|The Hill]]|url=https://thehill.com/policy/cybersecurity/495711-trump-issues-executive-order-to-protect-us-power-grid-from-attack|access-date=May 3, 2020}}</ref><ref>{{Cite news|last=Xu|first=Adam|date=May 9, 2020|title=US Moves to Exclude Chinese Equipment from Electric Power Grid|work=[[Voice of America]]|url=https://www.voanews.com/east-asia-pacific/voa-news-china/us-moves-exclude-chinese-equipment-electric-power-grid|access-date=May 9, 2020}}</ref> |
|||
== Electricity Subsector Coordinating Council == |
|||
The Electricity Subsector Coordinating Council (ESCC) is the main liaison organization between the federal government and the electric power industry. Its mission is to coordinate efforts to prepare for, and respond to, national-level disasters or threats to critical infrastructure. The ESCC is composed of electric company CEOs and trade association leaders from all segments of the industry. Its federal government counterparts include senior administration officials from the White House, relevant cabinet agencies, federal law enforcement, and national security organizations. <ref name=":2">NERC (2023, October 1). ''2024 ERO Enterprise Compliance Monitoring and Enforcement Program Implementation Plan''. Retrieved January 1, 2024, from https://www.nerc.com/pa/comp/CAOneStopShop/ERO%20CMEP%20Implementation%20Plan%20v1.0%20-%202024.pdf </ref> |
|||
== See also == |
|||
* [[Smart grids by country]]<ref name=":0">Nevius, D. (2020, March 1). ''The History of the North American Electric Reliability Corporation''. NERC. Retrieved January 1, 2024, from https://www.nerc.com/AboutNERC/Resour ce%20Documents/NERCHistoryBook.pdf</ref> |
|||
==References== |
|||
{{Reflist}} |
|||
* NERC (2023, October 1). [https://www.nerc.com/pa/comp/CAOneStopShop/ERO%20CMEP%20Implementation%20Plan%20v1.0%20-%202024.pdf ''2024 ERO Enterprise Compliance Monitoring and Enforcement Program Implementation Plan'']. Retrieved January 1, 2024 |
|||
==Further reading== |
|||
*Campbell, Richard J. "[https://crsreports.congress.gov/product/pdf/R/R45312/2 Electric Grid Cybersecurity]." [[Congressional Research Service]]. 2018-09-04. |
|||
*Katz, Jeff. "[https://securityintelligence.com/10-grid-security-considerations-for-utilities/ 10 Grid Security Considerations for Utilities]." SecurityIntelligence. 2016-11-10. |
|||
*"[https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf Framework for Improving Critical Infrastructure Cybersecurity]." [[National Institute of Standards and Technology]]. 2014-02-12. |
|||
*Gheorghiu, Iulia. "[https://www.utilitydive.com/news/grid-security-trends/524025/ What are utilities doing about the growing need for grid security?]" ''UtilityDIVE''. 2018-05-22. |
|||
*"[https://www.ibm.com/industries/energy/security Growing cyber threats demand comprehensive grid security]." IBM. |
|||
[[Category:Public utilities]] |
|||
[[Category:Computer security]] |
|||
[[Category:Electric power]] |
|||
Latest revision as of 21:41, 18 February 2024
Redirect to:
- From a merge: This is a redirect from a page that was merged into another page. This redirect was kept in order to preserve the edit history of this page after its content was merged into the content of the target page. Please do not remove the tag that generates this text (unless the need to recreate content on this page has been demonstrated) or delete this page.
- For redirects with substantive page histories that did not result from page merges use {{R with history}} instead.