Drawing 'red lines' for threats against the grid
Advancing energy distribution technology can blunt cyber threats to America’s electrical systems, but malicious actors need to know what actions will have consequences, according to experts.
Congress should step in if the White House doesn’t deliver firm guidelines on the federal responses to cyberattacks on the county’s electrical systems, said a member of the Senate Energy Committee.
“If the executive branch won’t create a cyber doctrine, Congress will,” Sen. Martin Heinrich (D-N.M.) said during a May 10 online panel on energy security. Malicious cyber actors must understand where the “red lines” are for actions against the U.S. power grid, he said.
The U.S. nuclear doctrine, which lays out the circumstances in which the military can use nuclear weapons in response to an attack, could be a model for a cyber doctrine describing how the nation would respond to an attack on the power grid, Heinrich said.
However, a cyberattack against the power grid could be conducted by many malicious actors, said Sen. John Hoeven (R-N.D.), speaking on the same Washington Post Live grid security panel. “Defense is harder,” he said, because threats can arise not only from nation states such as Russia and China, but also from non-state actors that might not be easy to identify.
In March, the Trump administration publicly blamed Russia for a two-year campaign to infiltrate the U.S. critical infrastructure, including its electrical grid.
While Heinrich declined to comment on the specifics of that campaign, he said “we should all be very concerned” about nation-state backed attacks on critical infrastructure. “We need to project what we consider hostile and an act of war,” he added.
Cooperation among the Energy Department, the Department of Homeland Security and private energy providers should continue, both senators agreed -- though they differed when it came to specific oversight responsibilities.
“It should be a whole-of-government issue,” Hoeven said, later suggesting that “DHS should be an umbrella” for agencies to operate under. He also applauded Energy Secretary Rick Perry’s move to create a Cybersecurity, Energy Security and Emergency Response unit at the agency. CESER would help consolidate funding to address the agency's expanding cybersecurity responsibilities and establish a more direct line of intra-agency communications concerning cyber threats to energy infrastructure.
“I think Rick Perry’s effort is right on,” Hoeven said.
While Heinrich agreed that agencies and industry should work together, he noted that “someone should own [cybersecurity] or it becomes someone else’s problem.” He also said the culture of the energy industry needs to shift, particularly when it comes to updating old and vulnerable control systems.
The smart grid technologies spreading into the electricity sector offer their own set of cybersecurity issues, however, other experts on the program warned.
New technologies that allow more access to the electrical grid also open new vulnerabilities. “It’s a conflict between defenses and the openness” and spreading access to the electrical grid, Kevin McIntyre, chairman of the Federal Energy Regulatory Commission said during the discussion. “It’s possible that the smart grid is a little too smart. Some areas could be dumbed down a bit.”
That “dumbing down” could mean introducing more human thinking into the system, said Heinrich in his remarks before McIntyre’s panel. “The smart grid is needed, but operators need to know where the physical controls and backups are. Most vulnerabilities are baked into the system. We want people who can step in.”
The cyber threat to America’s energy grid isn’t as dire as some think, according to Vice Admiral Dennis McGinn, former assistant secretary of the Navy for Energy, Installations and Environment and now advisor to the Center for Climate and Security.
“The grid is safe for the most part,” he said in a later panel. Although some people may paint “nightmarish scenarios” about how it could be crippled or taken down, he said, the advent of new technologies and methods make it less of a monolithic target than it is made out to be.
The system, he pointed out, is now a long way from the 20th century’s centralized generator and power distribution model. Microgrids, which distribute the generation and storage of power across or even off the grid, are now the norm. “We have a long way to go” with cybersecurity efforts, but catastrophic events aren’t likely, he said.
Cyber threats are “a lot like the weather,” he said. The threat is ever-present, but can be dealt with.