Lack of US Cybersecurity Across the Electric Grid

Lasrick writes: "Meghan McGuinness of the Bipartisan Policy Center writes about the Electric Grid Cybersecurity Initiative, a collaborative effort between the center's Energy and Homeland Security Projects. She points out that over half the attacks on U.S. critical infrastructure sectors last year were on the energy sector. Cyber attacks could come from a variety of sources, and 'a large-scale cyber attack or combined cyber and physical attack could lead to enormous costs, potentially triggering sustained power outages over large portions of the electric grid and prolonged disruptions in communications, food and water supplies, and health care delivery.' ECGI is recommending the creation of a new, industry-supported model that would create incentives for the continual improvement and adaptation needed to respond effectively to rapidly evolving cyber threats. The vulnerability of the grid has been much discussed this last week; McGuinness's recommendations are a good place to start."

Low hanging fruit

[AK+Marc]

I could take out a substation with parts found in any store and wouldn't trigger any alerts buying them. Heck, damage things with a bow and arrow and thick metal wire. There are cheaper/easier ways to take down power. Back a pickup truck into a tower. The "cyber" complaint is FUD. It may be true, but is still FUD because it's easier to attack the infrastructure in other ways.

Re:Core competency

[delcielo]

Electric utility companies do have some interesting dynamics. Staff tend to have long tenures, so many of the plant operations folks remember days before they had to deal with IT folks to do their business. But, everybody (and I mean everybody) at this point understand the necessity and value of a strong IT staff. They may resent it, but they get it.

And, you can bet that the IT departments at electric utilities are as professional as any. Your assumption that they don't want to be good at it is utterly and shamefully false. Even if it were true, they have no choice. There's a lot going on at utility companies that these types of scare-mongering authors never talk about. She very briefly mentions the NERC-CIP regulations (glossed them over, really) without also mentioning the IT components of reliability audits, internal audits, internal exercises, external pen tests, coordinated exercises with regional entities, law enforcement, FERC, etc. Industry peer groups play a big role as well. Protecting the power grid is vitally important to us. Why on earth would it not be? We run a metered business. We can't bill if we aren't creating, transmitting and distributing power.

Is it vulnerable? Of course, as is the highway system, water, food distribution, agriculture, shipping, etc.

Now, I totally agree that NERC-CIP should be more assistive and less about pure compliance with standards; but "continuous improvement" is a concept that is constantly harped on by both staff and regulators. It's already there.