The reliability of the bulk electric system — “keeping the lights on” for our customers and the economy — is a national security issue. And it is of paramount importance to electric utilities. Industry for decades has taken action to protect the grid and is now working closely with government officials to continue to keep it safe.
When it comes to physical security threats, utilities have routinely deployed risk mitigation measures, such as cameras and locks. We are now going further, employing “defense-in-depth” techniques, to reinforce and strengthen security measures that will allow the grid to recover quickly if an attack should occur. But since there are over 45,000 substations in the United States, prioritizing resources to protect the most critical assets is crucial. We conduct extensive, complex modeling exercises to identify our most critical assets and develop strategies to protect them.
While our systems are built to withstand attacks, successful attacks can happen. One high profile incident took place at the Metcalf substation on Pacific Gas and Electric’s system in California in April 2013. Shooting at substations is, unfortunately, not uncommon. But this incident demonstrated a level of sophistication not previously seen in our sector. So we have been working, since this incident happened, to understand it and share the lessons learned.
We are moving forward through partnerships with government officials at all levels. After the Metcalf incident, government and industry conducted a series of briefings across the country for utilities and local law enforcement to learn more about it and how best to respond. Also, on March 7, the Federal Energy Regulatory Commission (FERC) directed the North American Electric Reliability Corporation (NERC), a non-profit industry organization dedicated to ensuring grid reliability, to submit proposed physical security standards covering critical assets within 90 days. NERC has just released the first draft of the standards, which will go through three levels of approval — from representatives of all sectors of the industry, the independent NERC Board of Trustees and FERC — before becoming enforceable.
Along with protecting the grid from physical events, the industry continues to address evolving challenges presented by cyber attacks. The threat of cyber attack is relatively new compared to long-known physical threats. A successful attack, involving malicious actors hacking into the data and control systems used to operate our electric generation and transmission infrastructure, could create disruptions in the flow of power.
While we have made great strides in addressing cybersecurity vulnerabilities, the cyber issue demands involvement from many federal entities, working in concert with industry partners. The most effective way to enhance cyber security is by improving information sharing between the federal government and all critical infrastructure sectors. We have therefore supported the information-sharing legislation that passed the House, and hope that the Senate will also pass it.
Notably, the electric industry is virtually the only critical infrastructure sector that is subject to mandatory federal cybersecurity standards. So far, these standards, coupled with additional best practices and management processes, have prevented a cyber attack from causing serious operational consequences for the bulk electric system. But that does not mean it cannot happen. Cybersecurity protection must be an iterative process, as the nature of cyber threats constantly evolves.
The American Public Power Association and its members, as well as other utilities, continue to work on both developing and implementing the NERC Critical Infrastructure Protection standards on cybersecurity. The Electricity Subsector Coordinating Council (ESCC), a public-private partnership between the utility sector and the federal government, is also playing an essential role in coordination and information sharing. The ESCC has representatives from across the electric power industry, including public power and investor-owned utilities, and rural cooperatives. ESCC members coordinate with and periodically meet with officials from the White House, federal law enforcement agencies and departments and national security organizations.
Grid security requires collaboration: it is, and must be, a shared responsibility between industry and government. Our industry is investing in security measures to protect the grid against evolving threats and make it more resilient and robust. With the help of government, the entire electric utility industry will work to protect critical electric utility infrastructure from both cyber and physical threats.