SSI News

Experts call for a new organization to oversee grid’s cybersecurity

Posted by on in eNewsletters

In 2013, U.S. critical infrastructure companies reported about 260 cyberattacks on their facilities to the federal government. Of these attacks, 59 percent occurred in the energy sector.

A new report, co-authored by former CIA and NSA director, Gen. (Ret.) Michael Hayden, proposes that energy companies should create an industry-led organization to deflect cyber threats to the electric grid. The organization would extend membership to power companies across North America, including large generators as well as local distribution utilities. Modeled after the nuclear industry’s Institute of Nuclear Power Operations, the proposed organization, to be called the Institute for Electric Grid Cybersecurity, would oversee all the energy industry players that could compromise the electric grid if they came under a cyberattack.

“We believe such an organization could substantially advance cybersecurity risk-management practices across the industry,” the authors write. The report, released last week by the Bipartisan Policy Center, also evaluates current initiatives aimed at protecting the North American electric grid from cyberattacks.

Critical infrastructure companies are increasingly concerned about cyberattacks, but NextGov reports that the energy sector has already made important strides in protecting the electric grid because it is subject to mandatory cybersecurity standards enforced by the U.S. government. These standards mainly focus on high-voltage transmission facilities and large generators, and often exclude distribution vendors, which deliver power to residents and businesses. Distribution-level cyberattacks, however, could disrupt power lines that affect critical utilities like telecommunications, water systems, and oil pipelines.

“In some cases, cyberattacks on distribution system facilities could have consequences that extend beyond that system,” the report’s authors write. “Simultaneous attacks on multiple distribution utilities, or an attack on a single utility’s distribution operations in multiple locations, could have broader ramifications for the bulk power system.”

The 2003 Northeast blackout cost $6 billion in economic loss, and while that incident was blamed on a tree branch in Ohio, a cyberattack combined with a physical attack could lead to greater losses.

The proposed organization would not interfere with the industry standard-setting organization, the North American Electric Reliability Corporation (NERC), or the government agency that enforces industry standards, the Federal Energy Regulatory Commission (FERC). The authors of the report also assure that “at present, we do not believe that there is a sufficient case for expanding FERC’s jurisdiction to encompass cybersecurity at the level of the distribution system.”

Similar to the cybersecurity framework issued by the National Institute of Standards and Technology (NIST), participation in the proposed organization would be optional, but the federal government would persuade companies to join by equating “participation in the institute — and satisfactory performance evaluations — as equivalent to adopting the cybersecurity framework to the extent adoption of the framework is required to be eligible for particular government programs or incentives going forward,” the authors write.

Other incentives for joining the organization include better insurance options against economic losses caused by cyberattacks. The federal government would initially guarantee coverage. “A federal backstop would increase carriers’ willingness to offer cyber insurance and lower the cost of doing so,” the authors write. “In addition, a federal backstop would give carriers time to gather and review data about cyber incidents as they seek to develop policies that appropriately share risk.”
