By David Batz, Senior Director of Cyber and Infrastructure Security, Edison Electric Institute
The Electricity Subsector Coordinating Council (ESCC) serves as the principal liaison between the federal government and the electric power sector, with the mission of coordinating efforts to prepare for, and respond to, national-level disasters or threats to critical infrastructure. The ESCC includes electric company CEOs and trade association leaders representing all segments of the industry.
The December 2015 cyberattack on Ukraine’s electric distribution system served as an important reminder of the serious implications of attacks on critical infrastructure. It also demonstrated that security cannot be limited to protecting and defending systems. It requires a plan for responding and recovering when confronted by a determined adversary.
While some have called the Ukraine event a “wake-up call,” the North American electric power industry has been anticipating and preparing for this type of threat for years.
The electric power industry takes a “defense-in-depth” approach to protecting energy grid assets. As cyber threats evolve, our industry’s defenses must evolve to keep pace. Even as we implement more comprehensive regulatory standards to secure our infrastructure, invest in better tools and technologies to monitor and defend our systems, and forge stronger partnerships with our government partners to improve our preparedness, we also must prepare to respond and recover, as there is no silver bullet that will ensure total security.
Mutual assistance is a long-standing pillar of the industry’s resiliency strategy to manage severe weather events that disrupt electric service to our customers. What began as electric companies informally sharing crews and equipment with their neighboring electric companies has evolved into Regional Mutual Assistance Groups. And, following Superstorm Sandy in 2012, it became clear that a national framework was needed to deploy mutual assistance resources most effectively during significant regional or national events. Today, this framework exists and is regularly exercised to ensure preparedness.
The electric power industry’s responsibility to customers is to anticipate threats and to mitigate risks to the energy grid. Last November, the North American Electric Reliability Corporation’s industry-wide “GridEx III” exercise tested incident-response protocols for a simulated combined cyber and physical attack that wreaked havoc on grid operators for weeks. A major takeaway from GridEx III was the need to evolve the industry’s mutual assistance framework beyond sharing crews and equipment during traditional natural disasters.
In response, the Electricity Subsector Coordinating Council (ESCC)—a government-industry partnership—established the Cyber Mutual Assistance Task Force to convene industry experts and to develop a cyber mutual assistance framework that will aid electric companies in rebuilding and recovering necessary computer systems in the event of a regional or national cyber incident. This mutual assistance program builds on the industry’s existing resource-sharing relationships to provide “surge capacity” should a cyber incident exceed an individual company’s ability to respond.
Developing a mutual assistance framework for cyber threats has its own set of unique challenges. The cyber domain does not honor physical or geographical boundaries, and the skills to identify, respond to, remediate and recover from a widespread cyber incident are very different from the skills needed to repair and replace transmission and distribution equipment. The electric power industry also faces fierce recruiting competition from other sectors and from the federal government, all of which also need highly skilled cyber experts.
Developing the capability to respond to a large-scale cyberattack is critically important to the North American electric power industry. The good news is that an initial electric power sector Cyber Mutual Assistance Task Force has been established, and it includes electric companies from across the United States. In the near term, developing the capability to share resources should be a focus. Over the long term, our industry must build on our mutual assistance culture and lead the effort to strengthen cyber incident-response capabilities nationwide.