By R. Justin Morris, CHHS Extern
As any system becomes more technologically advanced, the threats to its security grow exponentially and the system becomes more vulnerable to a variety of dangers. With hurricane season in full swing, it is important for us to remember that the power grid in North America is no exception, and a system that was already highly susceptible to sabotage is now more exposed than ever. “In all my years on the Homeland Security Committee, I cannot think of another issue where the vulnerability is greater and we’ve done less,” said Sen. Susan Collins (R-ME), the former ranking member of the U.S. Senate Committee on Homeland Security and Government Affairs, in a statement after a failed vote in 2012 on legislation that would have increased grid cybersecurity.
The power grid system is vulnerable to multiple serious threats, such as cyber-attacks, electromagnetic pulse (EMP) release, and natural hazards like hurricanes or solar geomagnetic storms. Cyber-attacks, however, are most concerning. “Next to a nuclear weapon, a cyber-attack on the U.S. would be the most dangerous thing that could happen to us,” Professor Michael Greenberger, Founder and Director of CHHS has commented to the media. If the entire nation or just one of the eight regional electric grids was knocked offline due to a cyber-attack, it would likely be down for months at a time, and possibly years. According to a 2007 National Academy of Sciences study sponsored by the Department of Homeland Security, such an event could cost “hundreds of billions of dollars,” and lead to “thousands of deaths, based on the long-term damage and effect to our electric grid infrastructure.”
Depending on the time of year, climate factors during a massive power outage could lead to a public health emergency unprecedented in the nation’s history. Without heating capability in the winter, citizens in a northern city such as New York could have serious hypothermia concerns, in addition to an increase in the spread of disease as people would flock to overcrowded, small, and confined shelters. Hospitals that are lucky enough to have temporary generators in such a situation would struggle to address the influx of so many sick patients, a situation already experienced in New York following Hurricane Sandy in 2012. Similar disastrous health issues could occur in the summer months as well, considering pervasive dehydration and heat exhaustion throughout the city population, with little access to drinking water – as most water today reaches homes and businesses through electricity, and a lack of nutrition since markets would be unable to refrigerate perishable foods.
So what exactly makes the electric grid so vulnerable? The use of Smart Grid technology has changed the way we maintain and operate the electric grids in the U.S. by using computer based remote control and automation.1 This advancement in technology allows for remarkable simplicity in operations, while also significantly lowering the cost to utility companies. The problem is Smart Grid systems, like Supervisory Control and Data Acquisition (SCADA) networks, allow one bulk power system control center to remotely control all grid functions across an entire region, giving that center the ability to turn an entire grid region on or off at the switch of a button. This remote control ability is designed to facilitate repairs to prevent a circuit failure spreading to another area of the grid if needed. However, if such a SCADA system fell victim to a cyber-attack by a terrorist or adversarial nation, the perpetrator could manipulate the system how they pleased and make it very difficult to repair. To make matters worse, SCADA systems are known to be penetrable. “It turns out that it is very easy to get into SCADA networks,” says Richard Clarke, former counterterrorism advisor to both President Clinton and President George W. Bush.
So what we can we do about it? Currently only one federal agency has the authority to enforce regulatory standards of security on private electric companies in the U.S., and that authority is far too weak. The Federal Energy Regulatory Commission (FERC) has to be given more legal authority to enforce uniform security standards on private electric distribution companies. Under its current authority, established by the Energy Policy Act of 2005, FERC only has the power to approve or disapprove regulatory standards proposed by the organization that it selects to be the Electric Reliability Organization (ERO). 2 In 2007, FERC named the North American Electric Reliability Corporation (NERC) as the ERO. As the ERO, NERC consults the electric companies themselves on what they believe should be regulated, makes observations and assessments of security concerns, and then uses this information to propose regulations that FERC can enforce.3 Often, though, NERC’s concerns are more business-oriented, and as a private organization it rarely proposes to FERC strict security standards for the industry to abide by.
In order for there to be meaningful protection of the electric grid, legislation needs to be passed that grants FERC the ability to propose and enforce standards itself, rather than relying on a private organization, like NERC, to propose standards of security based upon what the electric companies find acceptable. While the recent cybersecurity and information sharing legislation being discussed in Congress will be helpful in protecting our energy infrastructure, we still need Congress to pass legislation like the GRID Act, which was introduced in Congress in 2010 and has failed to pass the Senate twice. The GRID Act would give FERC the additional power necessary to create strong security standards across the board for electric distributors to adhere to, giving the American people the protection from disaster that they deserve.
1. Patel, S. Bhatt, G., & Graham, J., Improving The Cyber Security of Scada Communication Networks, Communications Of The ACM, 52, 7 (July 2009) , Academic Search Premier, EBSCOhost, 2013, at 139-142.
2. Joseph McClelland, Protecting Electric Grid From Cyber Attacks, FDCH Congressional Testimony (July 17, 2012), Military & Government Collection, EBSCOhost.
3. McClelland, id.