Electric grid security
Electric grid security refers to the activities that utilities, regulators, and other stakeholders play in securing the national electricity grid. The American electrical grid is going through one of the largest changes in its history, which is the move to smart grid technology. The smart grid allows energy customers and energy providers to more efficiently manage and generate electricity. Similar to other new technologies, the smart grid also introduces new concerns about security.
Utility owners and operators (whether investor-owned, municipal, or cooperative) typically are responsible for implementing system improvements with regards to cybersecurity. Executives in the utilities industry are beginning to recognize the business impact of cybersecurity.
The electric utility industry in the U.S. leads a number of initiatives to help protect the national electric grid from threats. The industry partners with the federal government, particularly the National Institute of Standards and Technology, the North American Electric Reliability Corporation, and federal intelligence and law enforcement agencies.
Electric grids can be targets of military or terrorist activity. When American military leaders created their first air war plan against the Axis in 1941, Germany's electric grid was at the top of the target list.
The North American electrical power grid is a highly connected system. The ongoing modernization of the grid is generally referred to as the "smart grid". Reliability and efficiency are two key drivers of the development of the smart grid. Another example is the ability for the electrical system to incorporate renewable energy sources such as wind power and geothermal power. One of the key issues for electric grid security is that these ongoing improvements and modernizations have created more risk to the system. As an example, one risk specifically comes from the integration of digital communications and computer infrastructure with the existing physical infrastructure of the power grid.
According to the academic journal IEEE Security & Privacy Magazine, "The smart grid . . . uses intelligent transmission and distribution networks to deliver electricity. This approach aims to improve the electric system's reliability, security, and efficiency through two-way communication of consumption data and dynamic optimization of electric-system operations, maintenance, and planning."
In the U.S., the Federal Energy Regulatory Commission (FERC) is in charge of the cybersecurity standards for the bulk power system. The system includes systems necessary for operating the interconnected grid.
As of 2018, two evolutions are taking place in the power economic sector. These evolutions could make it harder for utilities to defend from a cyber threat. First, hackers have become more sophisticated in their attempts to disrupt electric grids. "Attacks are more targeted, including spear phishing efforts aimed at individuals, and are shifting from corporate networks to include industrial control systems." Second, the grid is becoming more and more distributed and connected. The growing "Internet of Things" world could make it so that every device could be a potential vulnerability.
Terrorist attack risk
As of 2006, over 200,000 miles of transmission lines that are 230 kV or higher existed in the United States. The main problem is that it is impossible to secure the whole system from terrorist attacks. The scenario of such a terrorist attack, however, would be minimal because it would only disrupt a small portion of the overall grid. For example, an attack that destroys a regional transmission tower would only have a temporary impact. The modern-day electric grid system is capable of restoring equipment that is damaged by natural disasters such as tornadoes, hurricanes, ice storms, and earthquakes in a generally short period of time. This is due to the resiliency of the national grid to such events. "It would be difficult for even a well-organized large group of terrorists to cause the physical damage of a small- to moderate-scale tornado."
In 2016, members of the Russian hacker organization "Grizzly Steppe" infiltrated the computer system of a Vermont utility company, Burlington Electric, exposing the vulnerability of the nation's electric grid to attacks. The hackers did not disrupt the state's electric grid, however. Burlington Electric discovered malware code in a computer system that was not connected to the grid.
Today the utility industry is advancing cybersecurity with a series of initiatives. They are partnering with federal agencies. The goal is to improve sector-wide resilience to both physical and cyber threats. The industry is also working with National Institute of Standards and Technology, the North American Electric Reliability Corporation, and federal intelligence and law enforcement agencies.
In 2017, electric companies spent $57.2 billion on grid security.
In September 2018, Brien Sheahan, chairman and CEO of the Illinois Commerce Commission and a member of the U.S. Department of Energy (DOE) Nuclear Energy Advisory Committee, and Robert Powelson, a former Federal Energy Regulatory Commission (FERC) commissioner, wrote in a published piece in Utility Dive that cyberthreats to the national power system require stronger national standards and more collaboration between levels of government. Recent to their article, the U.S. Department of Homeland Security confirmed that Russian hackers targeted the control room's of American public utilities. The electric distribution system has become more and more networked together and interconnected. Critical public services depend on the system: water delivery, financial institutions, hospitals, and public safety. To prevent disruption to the network, Sheahan and Powelson recommended national standards and collaboration between federal and state energy regulators.
Some utility companies have cybersecurity-specific practices or teams. Baltimore Gas and Electric conducts regular drills with its employees. It also shares cyber-threat related information with industry and government partners. Duke Energy put together a corporate incident response team that is devoted to cybersecurity 24 hours a day. The unit works closely with government emergency management and law enforcement.
Some states have cybersecurity procedures and practices:
- New Jersey: Utilities are required to put together comprehensive cybersecurity plans.
- Pennsylvania: Utilities must keep physical and cybersecurity, emergency response and business continuity plans. They also have to report severe cyberattacks.
- Texas: The state's public utility commission conducts annual security audits.
In December 2018, U.S. Senators Cory Gardner and Michael Bennet introduced legislation intended to improve grid security nation-wide. The bills would create a $90 million fund that would be distributed to states to develop energy security plans. The legislation would also require the U.S. Energy Department to identify any vulnerabilities to cyberattacks in the nation’s electrical power grid.
Electricity Subsector Coordinating Council
The Electricity Subsector Coordinating Council (ESCC) is the main liaison organization between the federal government and the electric power industry. Its mission is to coordinate efforts to prepare for, and respond to, national-level disasters or threats to critical infrastructure. The ESCC is composed of electric company CEOs and trade association leaders from all segments of the industry. Its federal government counterparts include senior administration officials from the White House, relevant cabinet agencies, federal law enforcement, and national security organizations. 
- McDaniel, Patrick; McLaughlin, Stephen (May 2009). "Security and Privacy Challenges in the Smart Grid". IEEE Security & Privacy Magazine. 7 (3): 75–77. doi:10.1109/MSP.2009.76.
- Electric Grid Security and Resilience: Establishing a Baseline for Adversarial Threats. June 2016. ICF International. Page 2.
- "Cyber & Physical Security". www.eei.org. Retrieved 2018-12-27.
- Douris, Constance (2018-01-16). "As Cyber Threats To The Electric Grid Rise, Utilities And Regulators Seek Solutions". Forbes. Retrieved 2018-09-17.
- Khurana, H.; Hadley, M.; Ning Lu; Frincke, D. A. (January 2010). "Smart-grid security issues". IEEE Security & Privacy Magazine. 8 (1): 81–85. doi:10.1109/MSP.2010.49.
- Walton, Robert (2018-05-21). "Cybersecurity and the distributed grid: A double-edged sword". Utility Dive. Retrieved 2018-09-17.
- Schainker, R.; Douglas, J.; Kropp, T. (March 2006). "Electric utility responses to grid security issues". IEEE Power and Energy Magazine. 4 (2): 30–37. doi:10.1109/MPAE.2006.1597993.
- "Cyber & Physical Security". Edison Electric Institute. Retrieved 2018-09-18.
- Sheahan, Brien J.; Powelson, Robert F. (2018-09-04). "Cyberthreats require strengthened standards, increased government collaboration". Utility Dive. Retrieved 2018-09-13.
- Monday, Colorado Politics; Dec. 3; Pm, 2018 12:30. "Senators' bills aim to protect power grid from cyberattacks". The Journal. Archived from the original on 2018-12-28. Retrieved 2018-12-27.
- Campbell, Richard J. "Electric Grid Cybersecurity." Congressional Research Service. 2018-09-04.
- Katz, Jeff. "10 Grid Security Considerations for Utilities." SecurityIntelligence. 2016-11-10.
- "Framework for Improving Critical Infrastructure Cybersecurity." National Institute of Standards and Technology. 2014-02-12.
- Gheorghiu, Iulia. "What are utilities doing about the growing need for grid security?" UtilityDIVE. 2018-05-22.
- "Growing cyber threats demand comprehensive grid security." IBM.