Policymakers Not Focused Enough on Grid Cybersecurity, Think Tank Says

June 29, 2016

Steven Norton

NEW YORK — Policymakers aren’t focused enough on cybersecurity threats facing the country’s electric grids as more of the infrastructure becomes connected to the internet, a think tank said Wednesday.

“Cybersecurity has simply not been a priority,” said Mark Mills, a senior fellow at the Manhattan Institute and author of a forthcoming paper about the growing vulnerability of U.S. electric grids.

More grid connectivity expands the attack surface for hackers looking to break into, control or damage physical grids, he said. Managing cybersecurity risk is a challenge facing just about any industry expanding its use of web-connected infrastructure.

A 2015 report from the Dept. of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said ICS-CERT responded to 295 cyber incidents in fiscal year 2015, up 20% from the year before. The critical manufacturing sector led the pack with a record 97 incidents, while the energy sector had the second most with 46.

Smart grids refer to adding sensors and other technologies to power meters and other parts of the electric grid to automate the measurement and distribution of electricity between utilities and customers. For example, utilities could use data coming from internet-connected meters to manage energy demand in real-time and improve energy efficiency.

Still, efforts to automate parts of the aging electrical grid may make it more difficult to recover quickly from a cyberattack, CIO Journal reported earlier this year. For example, utilities using lots of automation may not be able to quickly revert to manual processes after an outage.

“Greater grid cybersecurity in the future means that policymakers must rethink the deployment of green and smart grids until there are assurances that security technologies have caught up,” Mr. Mills said in the paper.

Policymakers should acknowledge that the push to add more internet-connected devices to electric grids increases their attack surfaces, that both private and nation-state hackers exist, and that new “cyberphysical” threats are different from physical security issues utilities have faced in the past, the paper says.

Mr. Mills’ recommendations include slowing, and in some cases stopping, some grid transformation efforts until cybersecurity features are available and incorporated, re-allocating grid budgets to increase security funding and boosting collaboration between utilities and federal cybersecurity programs.