The effort to secure critical infrastructure has been ongoing since the late 1990s but the threat of a major attack — either a cyberattack or a physical one — remains a viable threat. The level of security realized over the last several years, as attention becomes more and more fixed on the possibilities of these attacks, is difficult to measure.
“It’s difficult to make a definitive response to that,” said David London, senior director of the Chertoff Group. “Based on our clients and interaction with power system operators as well as our time collectively in government, there are more calories being expended on building both more preparedness and resilience and more unified situational awareness between industry and government, as well as addressing resilience objectives earlier in the supply chain.”
But the Chertoff Group, led by former Secretary of the U.S. Department of Homeland Security Michael Chertoff, sees largely, via activities like the Grid Security Exercise, an organized effort to thwart a major attack.
“There has been more engagement and manpower devoted to these types of exercises — and on the back end of it, additional support around the findings and outcomes both at the government level and individual entity level to address and remediate those risks that emerge from the exercise outcome,” London said.
He said the good news is that the grid is inherently resilient with the ability to move to a manual operation mode from more automated SCADA (supervisory control and data acquisition) functions and the ability to redirect sources of power as needed when under duress.
But baking security into functionality is a key to security and can be done at various times during the life of the infrastructure. A lot of the baking can be around technology as legacy grid functions are replaced with upgrades, which will have a new set of vulnerabilities but will be easier to address because they are not legacy, London said.
“A broader focus on the grid supply chain, understanding sources of grid infrastructure and additional and due diligence around where those sources are, the code that’s being used to run those systems and ongoing monitoring of those vendors and their networks creates additional safeguards,” London said.
He said the federal government is providing security incentives, like Secure by Design System through the SAFETY Act (the Support Anti-terrorism by Fostering Effective Technologies Act of 2002).
That’s one way the public sector is involved in ensuring that the private sector, where much of this infrastructure lies, is creating resiliency. There are others.
“You have government-to-private-sector sharing of data and vice versa,” London said. “You have operators who are on the front lines who are oftentimes going to see anomalies and potential malicious activities before the government does, so it’s critical that the government can get additional visibility into that.”
At the same time, intelligence agencies are doing a better job of investigating and getting clearances for individuals within the private sector so that key data can be shared securely to provide additional planning before bad actors can strike.
“You have organizations like the Electricity Information Sharing and Analysis Center, which has increased its information-sharing capabilities so individual utilities can share laterally to understand the indicators they are observing are consistent with what other organizations are observing and connect the dots,” London said.
“Grid security is a shared responsibility and addressing dynamic threats to the energy grid requires vigilance and coordination that leverages government and industry resources,” Scott Aaronson, vice president for Security and Preparedness for the Edison Electric Institute, wrote in an email. “Our security strategies constantly evolve and are closely coordinated with the federal government through a partnership called the Electricity Subsector Coordinating Council.”
Aaronson wrote that the power industry has organized a pool of resources to deal with attacks and to develop resilience as an industry. “This Cyber Mutual Assistance Program was developed based on industry’s long-standing practice of offering mutual assistance for storm restoration.” He said more than 150 entities participate in the program.
Cybersecurity and physical security are often approached as a converged threat, although there was some concern that cyber was trumping physical threat as the dangers of cyber came to the fore. That was especially the case after the sniper attack on a Pacific Gas & Electric substation in San Jose, Calif.
“As the focus on cyber heightened, there were some issues around maybe being distracted by physical threats, which remained persistent as was evidenced by the sniper attack, which created several relatively contained outages but that could have been much worse,” London said.
An emerging concern about physical threats revolves around drones, which can be used by a bad actor for reconnaissance, or as an attack vector. “Right now, utilities are primarily concerned about them as a reconnaissance function, getting better visibility into crown jewels, but a doomsday scenario, where a drone could be carrying explosives or some sort of detonation of a critical or strategic part of the grid,” is also a concern, he said.
As far as resilience against purely physical attacks, London said the Chertoff Group is working with facial recognition companies and bio recognition companies but those bring with them competing issues, such as cost, privacy and maintaining efficiency when it comes to access.