Thursday, April 26, 2018

DOE Issues Recommendations on Cyberattack Protections

By Ted Caddell

When the Obama administration released its first version of the Quadrennial Energy Review two years ago, it addressed a hypothetical concern about threats to the nation’s oil and natural gas pipeline infrastructure.

The second review from the Department of Energy, released last week, turned its attention to risks facing the nation’s electric grid — progressing from the hypothetical to the real.

“In the current environment, the U.S. grid faces imminent danger from cyberattacks,” the report said. “Widespread disruption of electric service because of a transmission failure initiated by a cyberattack at various points of entry could undermine U.S. lifeline networks, critical defense infrastructure, and much of the economy; it could also endanger the health and safety of millions of citizens.”

The review is especially timely, coming amid a national discussion about the possibility that cyber breaches influenced the 2016 presidential election. It noted examples of such attacks in the electricity sector, including attacks on three Ukrainian utilities in December 2015 that left 200,000 customers without power, and highlighted the need to take decisive action to enact protections.

The report called for using the Federal Power Act to “develop preparation and response capabilities that will ensure [FERC] is able to issue a grid-security emergency order to protect critical electric infrastructure from cyberattack,” as well as from natural threats such as geomagnetic storms.

Graphic illustrates the many ways in which utility IT systems leave the electricity grid vulnerable to cyber attacks, including unpatched networks, exposure to the public internet and insider threats.

The department also calls for an expansion of FERC authority to modify NERC-proposed reliability standards or develop its own standards “to protect national security in the face of fast-developing new threats to the grid.”

FERC’s expanded role in developing grid safety standards would supplement the department’s efforts at implementing protective measures in times of emergency.

“This approach would maintain the productive NERC-FERC structure for developing and enforcing reliability standards but would ensure that the federal government could act directly if necessary to address national security issues,” the report said.

“FERC should consider having existing regional organizations undertake such planning, as it deems appropriate,” the review said. “FERC should evaluate whether the costs of implementing security measures identified in the integrated electricity security plan are appropriate for regional cost allocation, where such measures are found to enhance the security of the regional transmission electric system.”

However, the department would not saddle grid operators with full financial responsibility for fulfilling the recommendations. Noting that the cost of protecting the nation’s grid against cyberattacks could run as high as $500 billion, the report calls for federal assistance in the form of an expanded DOE loan guarantee program used to encourage innovative grid technologies, going beyond the current emphasis on loans for new generation methods.

“A relatively low-cost permanent federal financing system could be established by setting up a revolving loan fund with one-time seed capital,” the report states. A loan guarantee program would be crucial for smaller utilities that, unlike larger companies, lack access to capital.

In all, the 494-page report makes more than 70 recommendations for policymakers to consider. It remains to be seen how many will be undertaken. The first QER outlined 63 recommendations — 21 of which were enacted by Congress.


