Electric power is a critical infrastructure that is vital to the U.S. economy and national security. Today, the nation’s electric power infrastructure is threatened by malicious attacks, accidents, and failures, as well as disruptive natural events. As the electric grid evolves and becomes increasingly interdependent with other critical infrastructures, the nation is challenged to defend against these threats and to advance grid capabilities with reliable defenses.
The Committee on the Future of Electric Power in the U.S. was convened by the National Academies of Sciences, Engineering, and Medicine to evaluate strategies for incorporating new technologies, planning and operating strategies, business models, and architectures in the U.S. electric power system. As part of its information gathering, the committee organized the workshop on Communications, Cyber Resilience, and the Future of the U.S. Electric Power System on November 1, 2019. The workshop was attended by representatives from industry, government, and academia and featured a keynote address, expert panels, and lively open discussions among workshop participants. The presentations and discussions at the workshop provided the committee with diverse perspectives on current and future threats to the electric power system, activities that the subsector is pursuing to defend itself, and how this work may evolve over the coming decades.
Specific focus areas for the presentations and discussions included the current state and security of the electric system and its relationship to national security, challenges posed by cybersecurity attacks and
electromagnetic pulse (EMP) and geomagnetic disturbance (GMD) events, opportunities for developing and implementing technological solutions to improve grid resiliency, and the cultural and policy context of cybersecurity. While the list of topics discussed was not exhaustive, the workshop was organized with the goals of bringing diverse and potentially conflicting ideas into one room to facilitate transparent discussion, to challenge assumptions, and to lead to new insights to address cybersecurity risks facing the grid. A more robust discussion of the physical threats to the grid can be found in the previous National Academies reports Enhancing the Resilience of the Nation’s Electricity System1 and Terrorism and the Electric Power Delivery System.2
STRENGTHS OF THE ELECTRIC POWER SYSTEM
Several key themes emerged over the course of the workshop. First, participants described many steps that utilities and regulators have taken to help improve cybersecurity practices, which have in some respects made the electricity subsector a leader among critical infrastructure sectors. “I can only wish that other critical infrastructure sectors were as forward leaning as the electricity subsector is. There’s a lot to be proud of,” said Brian Harrell, Cybersecurity and Infrastructure Agency (CISA), Department of Homeland Security (DHS). Standards and regulations, best practices, and technology innovations all contribute to the safe and reliable operation of electric power infrastructure in the United States. Supervisory control and data acquisition (SCADA) systems, sensors, and other technologies provide granular situational awareness on grid operations in many places. Various reports, standards, and regulations guide resiliency protection protocols; examples include the Roadmap to Achieve Energy Delivery Systems Cybersecurity3 and requirements from the Federal Energy Regulatory Commission (FERC) and North American Electric Reliability Corporation (NERC). Many entities across the nation are actively involved in collaborative activities to increase resilience such as grid security exercises, mutual aid agreements, and peer-to-peer knowledge sharing through organizations such as the North American Transmission Forum and the North American Generator Forum. The Neighborhood
1 National Academies of Sciences, Engineering, and Medicine, 2017, Enhancing the Resilience of the Nation’s Electricity System, The National Academies Press, Washington, D.C., https://doi.org/10.17226/24836.
3 Energy Sector Control Systems Working Group, 2011, Roadmap to Achieve Energy Delivery Systems Cybersecurity, U.S. Department of Energy, Washington, D.C.
Keeper program is an example of a solution incorporating vendors, utilities, and other electric system entities in information sharing.4
FACING MYRIAD THREATS
However, participants recognized that risk can never be totally eliminated and much opportunity for improvement remains. Many attendees stressed the gravity of the current and future threats, particularly those posed by the known capabilities of nation-state adversaries such as China and Russia. Several participants underscored statements in a 2017 Department of Defense (DoD) report5 indicating that “major powers (Russia and China) have a significant and growing ability to hold U.S. critical infrastructure at risk via cyber attack, and an increasing potential to also use cyber to thwart U.S. military responses to any such attacks.”
Speakers pointed to lessons offered by previous outages such as the 2003 blackout in the U.S. Northeast and the Ukraine grid attacks in 2016 and 2017, as well as malware incidents such as the 2014 Dragonfly cyberespionage attack6 and the 2017 TRISIS/TRITON attack.7 The threats come from numerous adversaries and are often underappreciated by the public and policy makers, speakers noted. “The reality is things are much more active than people would realize,” said Robert Lee of the cybersecurity firm Dragos. “Today, my firm tracks 10 different state actors that are exclusively targeting industrial systems. Only two of them have shown the capability to be destructive, but I’m worried about those eight that across that same trend in 3 to 4 years are going to be learning about how to achieve this.”
In addition to the complex cybersecurity threats presented by malicious actors, the grid faces threats from design flaws, accidents, and natural events. Particularly worrisome to some participants are the threats posed by EMP events, resulting from nuclear detonation at a high altitude or in space, and GMD events, which result from activity of the sun.
5 Defense Science Board Task Force on Cyber Deterrence, 2017, Report for the Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics, U.S. Department of Defense, Washington, D.C., https://www.armed-services.senate.gov/imo/media/doc/DSB%20CD%20Report%202017-02-27-17_v18_Final-Cleared%20Security%20Review.pdf, accessed February 2, 2020.
6 For more information on the Dragonfly cyberespionage attacks, see https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf, accessed April 29, 2020.
7 For more information on TRISIS/TRITON attack, see Dragos, TRISIS Malware: Analysis of Safety System Targeted Malware, https://dragos.com/wp-content/uploads/TRISIS-01.pdf, accessed February 20, 2020.
Design changes over the decades—specifically, a shift toward single-phase transformers—have unintentionally increased the potential impacts of EMP and GMD events on grid infrastructure. The increased reliance on electronic control networks within and between substations has further compounded these vulnerabilities. Taken together, the design of today’s system combined with the likelihood of future GMD events creates the potential for widespread catastrophic failure involving unprecedented blackouts and permanent equipment damage affecting a large portion of the country. “Given sufficient time, the reoccurrence of a large [solar] storm event is a certainty—and it’s probably going to come with much more serious consequences than we’ve had in the past,” said John Kappenman of Storm Analysis Consultants.
Today’s threats are of a different nature and on a different scale than what existing systems were originally designed to withstand, some participants noted, and the impacts of a large-scale failure could be catastrophic for the U.S. economy and the health and safety of the American people. “The security and resilience of our country is becoming more intertwined with critical infrastructure than ever before,” said Caitlin Durkovich, Toffler Associates. “We also know that nation states understand and continue to get better insight into the importance of our nation’s infrastructure to our national security and our economic security.”
WORKING TOWARD RESILIENCE
To counter these threats, participants stressed the need to build resilient power systems, which committee member Bill Sanders defined as being capable of “providing trustworthy grid operation in hostile environments.” Several speakers urged a proactive effort to increase the capacity not only to protect and defend against attacks but to respond and recover when they occur. “We have to look at both sides of the equation,” said Scott Aaronson of the Edison Electric Institute. “We have to secure our infrastructure [and] we also have to be prepared to respond and recover.” Aaronson stressed that building for resilience goes beyond the subsector’s past emphasis on reliability. “Reliability assumes blue skies. Resilience is the ability to take a punch,” he said.
Many participants highlighted the increasing complexity of electric infrastructure. “The resiliency of the electric grid is highly dependent on the resiliency of cyber infrastructure,” said Sanders. “Grid resiliency is tied intimately to cyber infrastructure resiliency, but that translation, that connection [between the cyber and physical side] is a very complex one.” Component and software supply chains, as well as the growing interconnections with other critical infrastructure sectors such as communications, further complicate the challenge, to the extent that some
posited that the electric system is too complex to be adequately defended. “We are getting close to the limits of defensibility, mostly because we are at the limits of detectability,” said Tim Roxey, formerly of the Electricity Information Sharing and Analysis Center (E-ISAC). “Things occur and we don’t even know that they happened.”
The wide heterogeneity in the resources, capabilities, and operating models of different utilities suggests that there is no one-size-fits-all security solution. In some areas, attendees described how knowledge and tools are available to improve resilience but are not being implemented in practice due to financial, legal, or regulatory concerns. In other cases, knowledge gaps and technology limitations point to a need for additional research and development (R&D) investments. For example, grid exercises are valuable for bulk power systems, but state- and local-level entities have less involvement in these types of efforts and as a result may be less equipped to respond and communicate effectively when compromised. For EMP and GMD threats, participants discussed physical barriers and designs that could protect certain electric system elements, such as shielding conductive concrete, but noted that additional research, technology development, and modeling is needed to better understand, detect, and prepare for these threats. As another example, advanced sensing, analytics, and control functions can lead to better detection and response abilities for cyber and physical systems, but it will be important to transition to smart grid technologies in ways that enhance security and resilience without unwittingly increasing the attack surface. Throughout the workshop, participants pointed to a tension between improving existing legacy infrastructure and building new components more securely from the start, noting that it is necessary to do both.
STAKEHOLDER ROLES AND RELATIONSHIPS
Participants recognized government standards as an important component of the effort to address grid cybersecurity challenges, but some noted that standards and regulations are not agile enough to keep up with the threat landscape and the pace of technology innovation. The regulatory landscape is also highly varied: Speakers pointed out differences in regulation of bulk power versus public service commissions, bulk power transmission versus distribution, and commercial communications networks versus utilities’ private networks. For commercial communications networks, speakers noted that vulnerabilities could be introduced by the connections between the utilities’ private networks and the commercial system. Speakers also identified sectors and subsectors that are interdependent with the electric grid, such as natural gas and communications, noting that interruptions in these other systems could have major impacts
on the grid’s ability to function and vice versa. “If you want to think about the future of the grid in a national security context, I urge you to think about taking a holistic approach,” said Paul Stockton, Sonecon, LLC.
Participants grappled with questions about which areas are best advanced by government regulation, which are best advanced by best practices, and where incentives, assistance, or funding structures can reduce barriers to adoption. In addition, many participants noted that regulation can have the unintended consequence of reducing cybersecurity practices to a matter of compliance—in which utility personnel fear auditors more than they fear adversaries—rather than a true culture of security. “It has developed a culture where our technology experts fear the auditors more than they fear the enemy. . . . We have to get past that,” said Marc Child, Great River Energy.
The solution, participants agreed, is not just about technologies: People, processes, and technologies are all essential components to improve cyber security and resilience. “There are cyber approaches to it, there are the traditional physical parts, and there are human parts that we need to account for as we put all of this together,” said Sanders. Attendees discussed concrete ways for the field to move toward prioritizing and embedding security and preparedness into the daily operations of the electric grid, akin to the process by which the field successfully created a culture of safety decades ago. “I think now we’re moving to this culture of security or resiliency,” said Michael Hyland, American Public Power Association (APPA). But, he and others cautioned, “It’s not going to come easy. We need to change the way people think.”
The vast majority of the U.S. grid is owned and operated by private entities. Their job, and their expertise, is not to anticipate the military capabilities of the nation’s potential adversaries, yet they find themselves on the front lines of defending their operations against nation-state and state-sponsored adversaries. Against this backdrop, participants underscored the need for collaboration—in particular, bridging between government and industry with public-private partnerships—to create and share vulnerability assessments, lessons learned, and mitigation strategies. In addition, some suggested that a central federal coordinating body is needed to establish an overarching strategy and corresponding policies, authorities, and regulations to achieve it. The government can support infrastructure security by providing faster, better, and more scalable mechanisms for information sharing; creating incentives for military defense-critical security installations; and maturing the national security doctrine and toolkit for when and how systems respond when adversaries probe them.
Last, throughout the day attendees raised the need to optimize the roles and relationships among all stakeholders, including industry,
regulators, vendors, researchers, policy makers, and the national defense community. By better defining the roles of various contributors and identifying ways for them to be complementary and supportive, rather than adversarial or duplicative, the field as a whole can better allocate its resources and facilitate the flow of information to accelerate progress. “We have to move beyond this current ‘piece-and-patch’ mentality,” urged Sanders. “We have to be ahead of the game.” While the challenges are substantial, he and other participants expressed hope in the subsector’s ability to meet them through collaborative efforts to create a secure, resilient, integrated, and modern infrastructure. “I think it’s critical that we act now,” Sanders said. “There has been a long set of basic work . . . and I think we have the basic understanding in place to allow us to make quick progress.”
This page intentionally left blank.